Posts Tagged: SCADA


26 Sep 12

Chinese Hackers Blamed for Intrusion at Energy Industry Giant Telvent

A company whose software and services are used to remotely administer and monitor large sections of the energy industry began warning customers last week that it is investigating a sophisticated hacker attack spanning its operations in the United States, Canada and Spain. Experts say digital fingerprints left behind by attackers point to a Chinese hacking group tied to repeated cyber-espionage campaigns against key Western interests.

The attack comes as U.S. policymakers remain gridlocked over legislation designed to beef up the cybersecurity posture of energy companies and other industries that maintain some of the world’s most vital information networks.

In letters sent to customers last week, Telvent Canada Ltd. said that on Sept. 10, 2012, it learned of a breach of its internal firewall and security systems. Telvent said the attacker(s) installed malicious software and stole project files related to one of its core offerings — OASyS SCADA — a product that helps energy firms mesh older IT assets with more advanced “smart grid” technologies.

The firm said it was still investigating the incident, but that as a precautionary measure, it had disconnected the usual data links between clients and affected portions of its internal networks.

“In order to be able to continue to provide remote support services to our customers in a secure manner, we have established new procedures to be followed until such time as we are sure that there are not further intrusions into the Telvent network and that all virus or malware files have been eliminated,” the company said in a letter mailed to customers this week, a copy of which was obtained by KrebsOnSecurity.com. “Although we do not have any reason to believe that the intruder(s) acquired any information that would enable them to gain access to a customer system or that any of the compromised computers have been connected to a customer system, as a further precautionary measure, we indefinitely terminated any customer system access by Telvent.”

The incident is the latest reminder of problems that can occur when corporate computer systems at critical networks are connected to sensitive control systems that were never designed with security in mind. Security experts have long worried about vulnerabilities being introduced into the systems that regulate the electrical grid as power companies transferred control of generation and distribution equipment from internal networks to so-called “supervisory control and data acquisition,” or SCADA, systems that can be accessed through the Internet or by phone lines. The move to SCADA systems boosts efficiency at utilities because it allows workers to operate equipment remotely, but experts say it also exposes these once-closed systems to cyber attacks.

Telvent did not respond to several requests for comment. But in a series of written communications to clients, the company detailed ongoing efforts to ascertain the scope and duration of the breach. In those communications, Telvent said it was working with law enforcement and a task force of representatives from its parent firm, Schneider Electric, a French energy conglomerate that employs 130,000 and has operations across the Americas, Western Europe and Asia. Telvent reportedly employs about 6,000 people in at least 19 countries around the world.

The disclosure comes just days after Telvent announced it was partnering with Foxborough, Mass. based Industrial Defender to expand its cybersecurity capabilities within Telvent’s key utility and critical infrastructure solutions. A spokesperson for Industrial Defender said the company does not comment about existing customers.


22 Nov 11

DHS Blasts Reports of Illinois Water Station Hack

The U.S. Department of Homeland Security today took aim at widespread media reports about a hacking incident that led to an equipment failure at a water system in Illinois, noting there was scant evidence to support any of the key details in those stories — including involvement by Russian hackers or that the outage at the facility was the result of a cyber incident.

Last week, portions of a report titled “Public Water District Cyber Intrusion” assembled by an Illinois terrorism early warning center were published online. Media outlets quickly picked up on the described incident, calling it the “first successful target of a cyber attack on a computer of a public utility.” But in an email dispatch sent to state, local and industry officials late today, DHS’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) said that after detailed analysis, DHS and the FBI “have found no evidence of a cyber intrusion into the SCADA system of the Curran-Gardner Public Water District in Springfield, Illinois.” The ICS-CERT continued:

“There is no evidence to support claims made in the initial Fusion Center report – which was based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant,” the ICS-CERT alert states. “In addition, DHS and FBI have concluded that there was no malicious or unauthorized traffic from Russia or any foreign entities, as previously reported. Analysis of the incident is ongoing and additional relevant information will be released as it becomes available.”

The statement is the most strongly worded yet from DHS refuting the alleged cyber incident in Illinois. The story broke on Nov. 17, when Joe Weiss, managing partner of Applied Control Solutions, a security consultant for the control systems industry, published a blog post about a disclosure he reported reading from a state terrorism intelligence center about a cyber intrusion into a local water plant that resulted in the burnout of a water pump. The break-in reportedly allowed intruders to manipulate the supervisory control and data acquisition system, or “SCADA” networks that let plant operators manage portions of the facility remotely over the Internet. Within hours of that post, media outlets covering the story had zeroed in on the Curran-Gardner Water District as the source of the report.

Weiss has repeatedly declined to share or publish the report, but he cited large portions of it in my story from last week. The language and details reported in it stand in stark contrast to the DHS’s version of events. According to Weiss, the report, marked sensitive but unclassified, stated:

“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia. The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.”

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

“This network intrusion is the same method of attack recently used against the MIT Server,” the water district alert stated. “The water district’s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database, and if any additional systems have been attacked as a result of this theft.”

Weiss blogged about the ICS-CERT statement, and said he can’t figure out how the two accounts could be so different. He notes that the day after his blog post, Don Craven, chairman of the Curran-Gardner Water District, was quoted on a local ABC News affiliate television interview saying that there was “some indication that there was a breach of some sort into a software program, a SCADA system, that allows remote access to the wells and the pumps and those sorts of things” (see video below).



18 Nov 11

Cyber Intrusion Blamed for Hardware Failure at Water Utility

A recent cyber attack on a city water utility in Illinois may have destroyed a pump and appears to be part of a larger intrusion at a U.S. software provider, new information suggests. The incident is the latest to raise alarms about the security protecting so-called supervisory control and data acquisition system, or “SCADA” networks — increasingly Internet-connected systems designed to monitor and control complex industrial networks.

CNN is reporting that federal officials are investigating the attack, but quoted a Department of Homeland Security official downplaying the incident. Wired.com says the focus of the attack may be the Curran-Gardner Public Water District near Springfield, Ill. The Register quotes DHS’s Peter Boogaard saying the agency and the FBI are gathering facts surrounding the report of a water pump failure, but that “at this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety.”

The incident was first reported in a state cyber fusion notice dated Nov. 10, and soon was summarized on the blog by Joe Weiss, managing partner of Applied Control Solutions, a SCADA systems security firm. Weiss criticized the lack of response and alerting by the US-CERT, Department of Homeland Security, and the information sharing and analysis center (ISAC) run by the water industry.

Weiss read KrebsOnSecurity sections of the report, which traced the origin of the attack to Russian Internet addresses.

“Sometime during the day of Nov. 8, 2011, a water district employee noticed problems with a SCADA system. An information technology service and repair company checked the computer logs of the SCADA system and determined the system had been remotely hacked into from an Internet provider address located in Russia.”

The alert also indicates that this attack may be linked to a SCADA provider that also serves other industries, in addition to the water sector. From the alert:

“The SCADA system that was used by the water district was produced by a software company based in the US. It is believed the hackers had acquired unauthorized access to the software company’s database and retrieved the usernames and passwords of various SCADA systems, including the water district systems.”

The intrusions apparently took place over several months, during which time the attackers remotely logged into the water district’s SCADA networks and toggled systems off and on, eventually causing the failure of a water pump at the facility.

“Over a period of 2-3 months, minor glitches have been observed in remote access to the water district’s SCADA system. Recently, the SCADA system would power on and off, resulting in the burnout of a water pump.”

The notice also stated that the method of attack appears to be similar to the recent compromise of servers at the Massachusetts Institute of Technology (MIT), which involved security weaknesses around phpMyAdmin, a popular Web-based database administration tool.

“This network intrusion is the same method of attack recently used against the MIT Server,” the water district alert stated. “The water district’s attack and the MIT attack both had references to PHPMyAdmin in the log files of the computer systems. It is unknown at this time the number of SCADA usernames and passwords acquired from the software company’s database, and if any additional systems have been attacked as a result of this theft.”

Michael Assante, president and CEO of the National Board of Information Security Examiners and a former chief security officer for the North American Electric Reliability Corporation (NERC), said the attack highlights the potential pitfalls of utilities increasingly turning to off-the-shelf commercial solutions and remote access to trim costs in an era of tight state and local budgets.



30 Jul 10

Microsoft to Issue Emergency Patch for Critical Windows Bug

Microsoft said Thursday that it will issue an out-of-band security update on Monday to fix a critical, remotely-exploitable security hole present in all versions of Windows, which the software giant says is fueling an increasing number of online attacks.

On July 15, KrebsOnSecurity.com first warned that a flaw in the way Windows processes shortcut files (those ending in “.lnk”) was being exploited by highly targeted malicious software called “Stuxnet”. Researchers learned that Stuxnet was aimed at infiltrating Windows computers running Siemens WinCC SCADA software, or machines responsible for controlling the operations of large, distributed systems, such as manufacturing and power plants.

Since then, experts have found several new variants of Stuxnet, while a growing number of more mainstream attacks have been spotted exploiting the underlying Windows flaw.

“We’re able to confirm that, in the past few days, we’ve seen an increase in attempts to exploit the vulnerability,” wrote Christopher Budd, senior security response communications manager at Microsoft, on one of the company’s TechNet blogs. “We firmly believe that releasing the update out of band is the best thing to do to help protect our customers.”

I’m looking forward to applying this fix: About a week ago, Microsoft provided a stopgap “FixIt” tool that blunts the threat from this vulnerability, but it also changes the appearance of certain icons on the Windows desktop, often making it difficult for users to tell one program from the next. For example, here’s a screen shot of my Windows 7 desktop toolbar after I applied the fix:

I’ve found it fascinating to watch the speculation and hype swirl around this Stuxnet worm: Early on, the news media and pundits fixated on the notion that this was proof that other countries were planning cyber attacks on our power grid and other highly complex networks that rely on the types of SCADA systems targeted by Stuxnet. Then, about a week ago, experts began charting where in the world most victims were based. According to Symantec, roughly 60 percent of the systems infected with this family of malware were based in Iran, while computers in Indonesia and India also were hard-hit.

One equally likely scenario that I haven’t heard suggested much yet is that perhaps we are seeing evidence of our country’s own cyber warriors probing the networks of other nations. It is notable that the first definitions that the major anti-virus firms shipped for the Stuxnet malware were issued on or around the same day as my story, and that this malware was first discovered one month earlier by VirusBlokada, a relatively tiny anti-virus firm in Belarus that said it found the worm on computers belonging to one of its Iranian customers. What’s more, it’s unlikely that a malware threat initially directed at Iran would show up on the radar of U.S.-based anti-virus makers, all of whom are prohibited by U.S. trade sanctions from selling products and services to Iran.