Sophos Cloud Optix
Legal threats have silenced security warnings at a recent systems-control conference.
Two talks at a recent US conference on cyber security in critical infrastructure were pulled from the agenda after a supplier of nuclear power plant equipment threatened to sue, worried that open discussion of vulnerabilities would reveal too much – even though the presentations had been approved by the power plant in question.
The conference, the 12th ICS Cyber Security Conference, was held at Old Dominion University’s Virginia Modeling Analysis and Simulation Center 22-25 October.
Participants were told that the security firm that uncovered the thousands of pieces of control equipment that are exposed to online attack demurred from telling US authorities where the equipment is installed, since it feared that the equipment’s owners would sue, according to a Reuters report.
Besides legal threats, security findings were muzzled in other ways.
The US government itself has been keeping potential targets of attack in the dark, the alarmed attendees were told.
From the Reuters article:
"In addition, attendees said they were alarmed to learn that because the government has kept a technique it discovered for attacking electricity generation equipment secret for five years, potential targets had not realized they were vulnerable and therefore did not buy hardware needed to protect themselves."
Joe Weiss, one of the conference’s organizers, said that information-sharing is also being bogged down by vendors who withhold cyber-incident information from their customers—even, in at least one case, to the point of withholding information entirely.
In blogging about the conference, he writes about a project that found more than 500,000 internet-facing control system devices, “all the way to device IP addresses.”
The researcher who discovered the exposure informed the US Department of Homeland Security, Weiss wrote, with ICS-CERT recently issuing a notification.
The researcher actually contacted a vulnerable water utility that had vulnerable components remotely accessible to anyone with an Internet connection, but the end user simply didn’t understand the impact and basically ignored the warning, Weiss says.
As Weiss notes, awareness issues are already a problem in the community responsible for infrastructure systems, even before you add censorship/silence-via-intimidation into the mix.
He cites an international survey performed for CIGRE, a large electrical systems industry group, that showed a “lack of cyber understanding” in the control and protective relay community.
That was apparent at the conference, he said, when it came to Aurora: a vulnerability to cyber attacks that could sabotage systems that provide electricity, including the US’s nationwide power grid.
In 2007, an experimental test of Aurora demonstrated how physical damage to a power plant could be triggered by a cyber attack.
Here is a CNN report which includes footage of the Aurora experiment:
As Digital Bond put it, there’s nothing quite like shaking and smoke to get the point across.
But at the conference, Weiss wrote, more than five years after that Aurora test, few attendees quite understood the vulnerability and why it applied to their facilities.
He wrote:
"A question was asked why the electric industry should care about every substation since there are so many substations - losing some should not be cause for concern. The answer is that Aurora effectively makes the substation an attacker. Consequently, any unsecured (for Aurora) substation can be a threat to any commercial or industrial facility with Alternating Current (AC) rotating equipment served by that substation including power plants, refineries, ships, hospitals, data centers, etc. Since so few utilities are addressing Aurora, DOD was questioning if they should take matters in their own hands by installing the mitigation at their facilities effectively protecting themselves from their own utilities!"
The destruction wrought by natural weather events such as Hurricane Sandy are one thing.
The destruction that could be wrought by withholding information, by silence imposed on researchers by vendors’ legal threats, and by an industry wherein a lack of understanding hampers action, that’s another thing entirely.
Happy, scary, infrastructure meltdown-ish Halloween.
Nuclear power plant image from Shutterstock.
It is very scary that the vendors try to sweep these risks under the carpet. Will it take a major attack to wake them up to the reality, if you work with computers, security should be in the forefront of your mind and built into the system design process by default.
"why the electric industry should care about every substation since there are so many substations – losing some should not be cause for concern."
wow – just, wow. Thats like asking a corporation, why should you care about every computer since there are so many – having some infected should not be a cause for concern.
It seems to me that the only people who truly understand the vulnerability situation are the equipment vendors who knowingly sell the vulnerable equipment to utilities then threaten to sue if the company tries to warn others about the vulnerability.Could it be that these vendors are threatening to sue before they themselves can be sued?
The fact that the usa govt. is keeping the details of Aurora secret leads me to imagine more false flag operations. Usa is famous for false flag operations for over 150 years, both inside and outside the nation.
How much are these guys being paid? Whatever it is it's far too much.
Can you imagine the panic of several power stations going down for an extended period?
We are so reliant on electricity these days the whole country would come to a standstill.
Yet it appears non of those involved seem to have considered cyber security attacks.
Most people don't even own a battery powered radio these days. So they won't even be able to get news as is to what is going on.
I remember the planned power cuts in the 70's and it wasn't good then even though most houses only used light and TV on electricity.
This surely must be a deliberate act for yet more shock politics on the population.
When is the population going to bite back?
"battery powered radio" – in the ute, maybe?
It seems odd that nobody has said, "take them off the Internet!" What would be so tough to just disable the main and go down the line until most are secure.
I will agree with many that a cover up is not the way to go, especially if the companies making the gear won't inform the user about problems with their own equipment. I believe anyone who's seen a computer controlled piece of equipment have a failure that causes it to self destruct would not be surprised by this video. Same occurs when a computer is fried by EMF and the controlling device doesn't have enough mechanical stability to control itself, all attributed to the electronics to control it.
The worst element is that our government is ignoring the problem by putting this on the back burner. I've written our legislative branch many times about the failure of them to make laws to protect out citizens from ISP companies to prevent them from just 'turning us off'. Even some of the European countries have this basic legislation. I really wonder about our officials. I guess many do
"I really wonder about our officials. I guess many do"
No, actually…I don't wonder about them at all. I know exactly what they are. They're power hungry, self-serving, egomaniacal, self-prepossessed twits who are so impressed with how much smarter they are than everyone else that they think they're qualified to make arbitrary rules that tell other people how to live…rules from which they usually exempt themselves.
They're arrogant, and they're hypocrites. And they're all the same, regardless of party affiliation. As far as I'm concerned, their biggest disqualification for public office is that they seek it in the first place.
nice post