<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	>
<channel>
	<title>Comments on: Hackers Extort Utility Companies</title>
	<atom:link href="http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/feed/" rel="self" type="application/rss+xml" />
	<link>http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/</link>
	<description></description>
	<pubDate>Mon, 06 Oct 2008 14:09:14 +0000</pubDate>
	<generator>http://wordpress.org/?v=2.6.2</generator>
		<item>
		<title>By: David St. Hilaire</title>
		<link>http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/#comment-60</link>
		<dc:creator>David St. Hilaire</dc:creator>
		<pubDate>Mon, 21 Jan 2008 06:11:50 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/#comment-60</guid>
		<description>Having worked with SCADA systems (water/wastewater) before, I have definitely seen the trend towards remote access capabilities.  As some systems are widely distributed geographically, it is convenient for employees to be able to configure settings, acknowledge alarms, and view system-wide status while at remote sites.  It is also sometimes requested that laptops be configured so that on-call employees can access the system from home, providing them with a way to instantly deal with alarms and other issues as they drive to the plant before anything becomes critical.

However, this also provides a huge security concern.  If the laptop is stolen or infected with the right malware, an adversary could potentially remotely connect to the master SCADA computer.  Though if the adversary desires to avoid alerting the employees that his attacks were being/had been implemented or if the computer itself does not provide control decisions for the system, he would need to be able to log into the SCADA software itself.  Yet if he was lucky and had access to the application directory, under a certain security configuration one industrially used SCADA software’s system’s security can be easily bypassed in seconds, granting full administrator access to the controls.

As systems are becoming more automated, more control and tweaking capabilities for the employees are being provided at the computer, giving adversaries even more potential to create havoc.</description>
		<content:encoded><![CDATA[<p>Having worked with SCADA systems (water/wastewater) before, I have definitely seen the trend towards remote access capabilities.  As some systems are widely distributed geographically, it is convenient for employees to be able to configure settings, acknowledge alarms, and view system-wide status while at remote sites.  It is also sometimes requested that laptops be configured so that on-call employees can access the system from home, providing them with a way to instantly deal with alarms and other issues as they drive to the plant before anything becomes critical.</p>
<p>However, this also provides a huge security concern.  If the laptop is stolen or infected with the right malware, an adversary could potentially remotely connect to the master SCADA computer.  Though if the adversary desires to avoid alerting the employees that his attacks were being/had been implemented or if the computer itself does not provide control decisions for the system, he would need to be able to log into the SCADA software itself.  Yet if he was lucky and had access to the application directory, under a certain security configuration one industrially used SCADA software’s system’s security can be easily bypassed in seconds, granting full administrator access to the controls.</p>
<p>As systems are becoming more automated, more control and tweaking capabilities for the employees are being provided at the computer, giving adversaries even more potential to create havoc.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: sky</title>
		<link>http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/#comment-57</link>
		<dc:creator>sky</dc:creator>
		<pubDate>Mon, 21 Jan 2008 04:31:05 +0000</pubDate>
		<guid isPermaLink="false">http://cubist.cs.washington.edu/Security/2008/01/19/hackers-extort-utility-companies/#comment-57</guid>
		<description>Reading Robert's summary here got me thinking that it is good that companies are getting forced to become wise to e-terrorism when only money and convenience are involved, and before hackers could really physically harm anyone. But then I realized that it might already be possible to kill someone by hacking into a hospital's network. Threatening to make life support machines go haywire would be much more scary.

Also, being able to knock out power grids at will would be a very nice trick to do, right before an invasion.</description>
		<content:encoded><![CDATA[<p>Reading Robert&#8217;s summary here got me thinking that it is good that companies are getting forced to become wise to e-terrorism when only money and convenience are involved, and before hackers could really physically harm anyone. But then I realized that it might already be possible to kill someone by hacking into a hospital&#8217;s network. Threatening to make life support machines go haywire would be much more scary.</p>
<p>Also, being able to knock out power grids at will would be a very nice trick to do, right before an invasion.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
