APRIL 29, 2014 Siemens SCADA hacked again
SCADA (supervisory control and data acquisition) systems are used in power generation, energy transmission and grid management, water treatment, civil defense and military systems. They control remote equipment with coded signals sent over communication channels, usually over the internet and protected by passwords.
On April 29, 2014 Siemens released a security update to address the “Heartbleed” vulnerability in SIMATIC WinCC Open Architecture, a SCADA system that is used in a large number of industries to operate power grids, processes, machines and production flows. Heartbleed is a critical security flaw in OpenSSL, the most popular implementation of the TLS (Transport Layer Security) and SSL (Secure Sockets Layer) protocols, which Siemens uses in its SCADA products.
Hackers prefer to attack large industrial, military and retail institutions to show potential employers, usually governments, that they can do the work, or to sell financial, password or other encrypted data or information to others who use the internet to steal money or disrupt business just for fun. In the case of highly encrypted energy grid software SCADA systems, foreign governments continue to monitor the utility infrastructure of potential adversaries as a matter of national defense. Governments routinely employ hackers to disrupt potential enemy military SCADA systems. The U.S. military server has over 1 million attempted hacks per day. The larger the target, the more hackers tend to concentrate their efforts to “prove” their worth or abilities. Successful hackers then sometimes sell their services to the very entities that they have hacked.
1741 Ala Moana Blvd. Suite 98, Honolulu, Hawaii 96815, [email protected]
In the case of the April 2014 Heartbleed Siemens patch, it was just another attempt to close a hole in their SCADA system that was penetrated by a hacker or group of hackers located somewhere in the world, usually not within the jurisdiction of the U.S. government or its allies. This SCADA vulnerability can be exploited to extract passwords, encryption keys and other potentially sensitive information from the memory of TLS servers and clients that rely on OpenSSL for encrypted communications. It is a fact that most of the utility SCADA systems in America have been hacked and in many cases these unsecured portals have not been exposed but held in secret in the event a foreign entity might want to disrupt our national security during conflict.
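The memory leak described above comes down to one missing bounds check in OpenSSL's TLS heartbeat handler: the server copied as many bytes as the peer's 2-byte length field claimed, not as many as the record actually carried. The following added example (not from the original newsletter or from Siemens/OpenSSL) models that handler in Python against a constructed in-memory buffer, placing the pre-fix logic beside the post-fix check that compares the claimed length to the real record length; the secret string and the record layout are constructed for illustration.

```python
import struct

HB_REQUEST = 1          # heartbeat_request message type
HB_RESPONSE = 2         # heartbeat_response message type
PADDING_MIN = 16        # RFC 6520 requires at least 16 bytes of padding

# Constructed stand-in for adjacent process memory: bytes past the end of the
# received record that a peer must never be able to read back.
SECRET_TAIL = b"session_key=0xDEADBEEF; user=alice; pass=hunter2"


def build_heartbeat(payload: bytes, claimed_length: int) -> bytes:
    """Build a heartbeat request: type, 2-byte big-endian length, payload, padding.
    claimed_length is taken from the caller so it can disagree with len(payload)."""
    return bytes([HB_REQUEST]) + struct.pack("!H", claimed_length) + payload + b"\x00" * PADDING_MIN


def vulnerable_respond(memory: bytes, record_length: int) -> bytes:
    """Pre-fix behaviour: trust the length field and echo that many bytes back.
    record_length is ignored, so the copy runs past the record into memory."""
    payload_length = struct.unpack("!H", memory[1:3])[0]
    # In C this memcpy over-reads the heap; Python slicing just keeps going
    # through whatever follows the record in the buffer.
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + memory[3:3 + payload_length]


def fixed_respond(memory: bytes, record_length: int):
    """Post-fix behaviour: both checks the OpenSSL patch added before copying."""
    if 1 + 2 + PADDING_MIN > record_length:
        return None  # record too short to hold even an empty payload: discard
    payload_length = struct.unpack("!H", memory[1:3])[0]
    if 1 + 2 + payload_length + PADDING_MIN > record_length:
        return None  # claimed length exceeds the record: silently discard
    return bytes([HB_RESPONSE]) + struct.pack("!H", payload_length) + memory[3:3 + payload_length]


def leaked_bytes(handler) -> bytes:
    """Feed a handler a 4-byte payload whose length field claims 60 bytes and
    return everything in the reply beyond the 4 genuine payload bytes."""
    record = build_heartbeat(b"ping", claimed_length=60)   # 23 bytes on the wire
    memory = record + SECRET_TAIL                          # what sits after it in RAM
    reply = handler(memory, len(record))
    if reply is None:
        return b""
    return reply[3 + 4:]


if __name__ == "__main__":
    print("vulnerable leaks:", leaked_bytes(vulnerable_respond))
    print("fixed leaks:     ", leaked_bytes(fixed_respond))
```

A well-formed request (length field matching the payload) is answered identically by both handlers; only the over-long claim is rejected by the fixed one.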
Hawaiian Electric Industries (HEI) uses, in part, a Siemens SCADA to manage its Hawaii energy grids. Since Plug and Play Energy Systems designs its own “patch” to integrate its storage and smart grid management systems into the existing HEI Siemens grid “backbone,” our patch will most likely be outside the sights of mainstream hackers or their groups that tend to attack large, well established SCADA systems like Siemens. Any system can be hacked. It is a matter of being targeted. If our patch is hacked, our software developers will continue to employ all of their knowledge of existing and potential security risk management to employ advanced security for our SCADA systems, independent of the existing backbone.
January 15, 2014 Hackers exploit SCADA holes to take full control of critical infrastructure
Critical infrastructure is a ripe target that is pretty sweet for attackers. "By the end of 2015, the potential security risks to the smart grid will reach 440 million new hackable points"
According to the Lockheed Martin smart grid expert, there are three worst case scenarios for the 3,200 utilities in the U.S.:
1. Someone, a neighborhood kid or a person in another country, might turn off the power to a hospital or neighborhood in the middle of the night.
2. Voltage control devices could be hacked, turned up and down so that the voltage zaps computers, high-definition TVs or other voltage-sensitive equipment.
3. "If you can cause rapid problems in the grid to occur in the right places at scheduled times, you could destabilize the whole grid, black out whole cities or states and cause massive damage." He added that some replacement devices aren't available in the U.S. and could take two years to replace.
Very small aperture terminals, or VSATs, are small satellite dish-based computer systems that provide broadband Internet access to remote locations, or transmit point of sale credit card transactions, SCADA and other narrowband data. There are over 2.9 million active VSAT terminals in the world, with two-thirds of those devices in the U.S., being used in the defense sector to transmit government and classified communications, used by financial industries like banks to transmit sensitive data, and used by the industrial sector such as energy to transmit from power grid substations, or oil and gas to transmit from oil rigs. Over 10,000 of those VSATs are “open” for targeted cyber attacks.
“We found thousands and thousands of these systems with what are essentially their digital front doors left wide open,” IntelCrawler’s president Dan Clements told CS Monitor. “Someone needs to be aware that there are vulnerabilities here that could affect critical infrastructure, including utilities and financial systems.”
Targeted cyber attacks on the energy sector
Attackers target the energy sector "to steal intellectual property on new technology, like wind or solar power generators or gas field exploration charts." But “the sector is also a major target for sabotage attacks, which will not generate direct profit for the attacker. Such disruptive attacks do already happen and may lead to large financial losses. State sponsored agents, competitors, internal attackers or hacktivists are the most likely authors of such sabotage attacks.”
Modern energy systems are increasingly complex. “There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside of traditional security walls,” Symantec explained. “And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up new security vulnerabilities related to having countless connected devices.” Additionally, “the increasing number of connected systems and centralized control for ICS and SCADA systems means that the risk of attacks in the future will increase.”
SCADA & hacking for full remote control (30C3 Convention)
Pike Research estimates that $21 billion will be spent on smart grid cybersecurity by 2015. Rather than widespread mischief, attacks now are most likely to be targeted at single companies, departments, even at specific individuals, as happened last year during the Aurora attacks against Google, Target and other large companies. In January 2014, 60,000 exposed control systems were discovered by Russian security researchers who found vulnerabilities that could be exploited to take “full control of systems running energy, chemical and transportation systems.”
“The vulnerabilities,” according to the Australian IT News, “existed in the way passwords were encrypted and stored in the software's Project database and allowed attackers to gain full access to Programmable Logic Controllers (PLCs) using attacks described as dangerous and easy to launch.” They probed and found holes in “popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.” The 30C3 SCADA project identified more than 150 zero-day vulnerabilities in SCADA, ICS and PLCs, with five percent of those being “dangerous remote code execution holes.” At 30C3, they released an updated version of THC-Hydra, “a password-cracking tool that targeted the vulnerability in Siemens PLC S-300 devices,” and a “Pretty Shiny Sparkly ICS/SCADA/PLC Cheat Sheet,” identifying almost 600 ICS, PLC and SCADA systems, so you too can “become a real SCADA Hacker.”
Correlating cyber security with specific communication standards is very complex and is not a one-to-one correlation. Regardless of what communications standards are used, cyber security must address all layers, end-to-end, from the source of the data to the ultimate destination of the data. In addition, cyber security must address many aspects outside of the communications system that typically rely on procedures rather than technologies, such as authenticating the users and software applications, and screening personnel.
Cyber security must be viewed as a stack or “profile” of different security technologies and procedures, woven together to meet the security requirements of a particular implementation of a stack of communication standards designed to provide specific services. Ultimately, cyber security as applied to these stacks of communication standards should be described as profiles of technologies and procedures which can include both “power system” methods (e.g. redundant equipment, analysis of power system data, and validation of power system states) and information technology (IT) methods (e.g. encryption, role-based access control, and intrusion detection).
There also can be a relationship between certain communication standards and correlated cyber security technologies. Authentication, data integrity, and/or confidentiality are important. With the advent of the Smart Grid, cyber security has become increasingly important within the utility sector.
Developing cycles of communication and cyber security standards are best independent of each other. That way if part of the SCADA system is hacked, the balance of the system can operate independently.