Right back to the 1980s, when computer viruses first appeared in any number, people have been asking, “Can malware and hackers cause giant physical disasters?”
As if draining your bank account, “borrowing” your network connection to send 5,500,000 spams a week, or blowing away all your data and offering to sell it back for $300 were not enough…
…there has long been an understandable fascination with whether computer malfeasance alone – let’s call it hacking, in the pejorative sense of the word – can, in three not entirely precise words, “blow stuff up.”
There’s a lot of well-meaning concern at the moment that such an outcome might very well be possible, at least figuratively, thanks to buzzwords such as SCADA and IoT.
SCADA is a handy acronym, because it’s short for the rather clumsy-sounding supervisory control and data acquisition.
→ Treated as a word in its own right, SCADA is pronounced skay’der to rhyme with raider, or, less frequently, scad’der to rhyme with ladder. Don’t say scar’der to rhyme with larder. Lengthening the first -A- in SCADA doesn’t make sense, considering that it stands for “and”.
SCADA refers to the interfaces, sometimes proprietary, sometimes open, that allow industrial equipment to be connected to, programmed by, and controlled from regular computers, like PCs or Macs.
Of course, that raises the questions, “Could that industrial equipment end up on the public internet? How safe would that be?”
The answers, loosely speaking, are, “Yes,” and, “Are you sitting comfortably?”
And IoT is short for Internet of Things, which is another way of saying SCADA for sub-industrial devices, such as home thermostats, remote-control garage doors and even individual light bulbs around your house.
Of course, that raises the questions, “Could those light bulbs end up on the public internet? How safe would that be?”
The answers, loosely speaking, are, “Yes,” and, “Are you sitting comfortably?”
In short, you might well assume that hacker-driven disasters, featuring heavy-duty equipment such as power stations, water purification plants and aluminium smelters, would be reported all the time.
Malware-initiated meltdown
Fortunately, there aren’t actually many known examples of malware-initiated meltdown.
In fact, there’s Stuxnet, and…so far, that’s about it.
Stuxnet, in case you’ve forgotten, is a virus that is said to have been designed to infiltrate Iran’s uranium enrichment facilities, using .EXE files on USB keys to jump between electrically-disjoint networks, and then to reprogram the centrifuges to wobble themselves into dysfunction.
It’s not literally “blowing stuff up,” nor yet “melting something down,” but you could be forgiven for referring to it metaphorically in either of those ways.
We’ll probably never know for sure whether Stuxnet actually reached its intended targets and genuinely worked (indeed, it would be a handy scapegoat if Iran’s centrifuges broke for other more pedestrian reasons, such as overuse), but we’ll pretend that it did, and chalk it up as our first example.
But in 2014, according to the Federal Office for Information Security in Germany, which just published its annual IT Security Report, we had the dubious honour of a second “meltdown” example for the history books.
→ The Federal Office for Information Security is officially known in German as the BSI, short for Bundesamt für Sicherheit in der Informationstechnik.
Actually, this one was more of a smeltdown, following a targeted attack on a German steelworks.
The report suggests that the crooks got in by the tried-and-trusted mechanism of spear-phishing and social engineering.
Thereafter, they worked their way from the business network into the production network (what is known in the penetration testing industry by the gymnastic-sounding jargon pivoting and moving laterally, as one might in a tricky rock climb), and messed up the control of various equipment.
In particular, the failures meant that:
[E]in Hochofen nicht geregelt heruntergefahren werden konnte und sich in einem undefinierten Zustand befand. Die Folge waren massive Beschädigungen der Anlage.
A blast furnace could not be correctly shut down and ended up in an undefined state. The result was massive damage to the system.
According to the BSI:
Das Know-how der Angreifer war nicht nur im Bereich der klassischen IT-Sicherheit sehr ausgeprägt, sondern erstreckte sich auch auf detailliertes Fachwissen zu den eingesetzten Industriesteuerungen und Produktionsprozessen.
The attackers not only had highly developed skills in conventional IT security, but also possessed detailed practical knowledge about industrial control and production processes.
The bottom line
We’ll ignore the intricacies of, and advice for, securing your SCADA systems until another time, and focus here on the spear-phishing angle.
As we explained in Sophos Security Chet Chat 178, spear-phishing is surprisingly similar to regular phishing, where bogus emails urge or pressurise you to visit a website or open an attachment that you would usually ignore.
In a spear-phishing attack, the emails aren’t entirely untargeted, but instead focus on facts that are apparently relevant and interesting to you.
Those facts could be deduced from your hobbies, your job description, your Facebook profile, or many other sources, both legitimate (e.g. social networks) and underground (e.g. stolen copies of your resume).
As we advised in our recent article about Christmas-time iTunes phishing, try these tips:
- Think before you click. Dodgy emails often sound believable at first, either because the crooks know enough about you to refer to something you are interested in, or because they got lucky and mentioned something you are familiar with.
- Use two-factor authentication (2FA) if you can. 2FA generally relies on one-time login codes, so the crooks can’t simply phish your password and use it over and over.
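To show why one-time codes blunt a phished password, here is an added example (not code from the article or from Sophos) of a server-side TOTP verifier in the style of RFC 6238: it derives each code from a shared secret and the current 30-second time window, tolerates one window of clock skew, and remembers the last window it accepted so that a code captured by a phisher cannot be replayed. The base32 secret and the timestamps are constructed for the demonstration; the `TotpVerifier` class and `phishing_replay_demo` function are names chosen here.

```python
import base64
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed demo secret in base32, the form an authenticator app would enrol. Not a real key.
DEMO_SECRET_B32 = "JBSWY3DPEHPK3PXP"
STEP = 30     # seconds per code window (the RFC 6238 default)
DIGITS = 6


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226 HOTP: HMAC-SHA1 over the big-endian 8-byte counter, dynamically truncated."""
    msg = struct.pack(">Q", counter)
    mac = hmac.new(secret, msg, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, step: int = STEP) -> str:
    """RFC 6238 TOTP: HOTP with the counter derived from the Unix time window."""
    return hotp(secret, at // step)


class TotpVerifier:
    """Server-side check. Accepts the code for the current window (plus/minus `skew`
    windows for clock drift) and never accepts a window at or below the last one used,
    so a code that was phished or sniffed is good for one login at most."""

    def __init__(self, secret_b32: str, step: int = STEP, skew: int = 1):
        self.secret = base64.b32decode(secret_b32)
        self.step = step
        self.skew = skew
        self.last_counter = -1  # highest time-window counter already consumed

    def verify(self, code: str, now: Optional[int] = None) -> bool:
        if now is None:
            now = int(time.time())
        current = now // self.step
        for counter in range(current - self.skew, current + self.skew + 1):
            if counter <= self.last_counter:
                continue  # window already spent: this is a replay, not a fresh login
            if hmac.compare_digest(hotp(self.secret, counter), code):
                self.last_counter = counter
                return True
        return False


def phishing_replay_demo() -> dict:
    """Constructed scenario: the victim types a code into a phishing page at time t0.
    The crooks' first use of it (same window) succeeds; reusing it a few seconds later
    fails because the window is spent; using it an hour later fails because it has expired."""
    secret = base64.b32decode(DEMO_SECRET_B32)
    t0 = 1_700_000_000  # constructed timestamp
    captured = totp(secret, t0)
    verifier = TotpVerifier(DEMO_SECRET_B32)
    return {
        "first_use": verifier.verify(captured, now=t0),
        "replay_same_window": verifier.verify(captured, now=t0 + 5),
        "replay_next_hour": verifier.verify(captured, now=t0 + 3600),
    }


if __name__ == "__main__":
    print(phishing_replay_demo())
```

The point of the `last_counter` bookkeeping is the part many deployments forget: without it, a code stays valid for the rest of its window, and a phishing proxy that relays the victim's code in real time would still get a login. It does not stop a real-time relay of the first use, which is why the article's "think before you click" advice still matters alongside 2FA.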
Thanks for the informative report! Do you know where one can find a copy of the BSI Annual report in English? thanks!
I couldn’t find an English version. There’s a German-language landing page entitled “Lageberichte” (status reports) here:
https://www.bsi.bund.de/DE/Publikationen/Lageberichte/bsi-lageberichte.html
That includes the reports for 2014, 2013, 2011 and a few earlier ones.
It links across to “Versionen in englischer Sprache” (English-language versions) here:
https://www.bsi.bund.de/EN/Publications/SecuritySituation/SecuritySituation_node.html
But the most recent report on that page is from 2011.
You could try asking someone from here, I suppose:
https://www.bsi.bund.de/EN/TheBSI/Contact/contact_node.html
Here’s an interesting case from the 1980s of a pipeline suddenly exploding because of deliberate glitches: https://en.wikipedia.org/wiki/Siberian_pipeline_sabotage
Interesting…but….hmmmm. I still don’t call that a “hackers and malware blow stuff up” story.
Two things: [a] it’s unsubstantiated (to me, the whiff of truth is very faint indeed) and [b] even if it’s true and happened as described, it’s more in the realm of “we sent them a booby-trapped product” than “a virus popped the pipeline.”
This one is interesting as well. Very little press. Also, more of a “Close Access”, than a pure remote op.
http://www.bloomberg.com/news/2014-12-10/mysterious-08-turkey-pipeline-blast-opened-new-cyberwar.html
There’s an awful lot of what-if in that story, don’t you think? The closest thing to a primary source is “U.S. intelligence agencies.” There are a *lot* of mays/mights/coulds in there.
Even though the report specifically uses the word “cyberwar” in the headline, it admits that the attack seems to have required attackers to be there in person, though it dresses that up in the high-falutin phrase, “The presence of the attackers at the site could mean the sabotage was a blended attack, using a combination of physical and digital techniques.”
In regular English, that sentence could be written, “The fact that the attackers were there in person could mean that the hacking angle was merely a sideshow in the incident.”
But an interesting story, indeed.
Paul – I 100% agree. Lots of “what-ifs”. The thing I particularly like about this story, though, is the reference to physical access combined with network related pieces. Most tech operators tend to think only in terms of remote penetration. This piece talks about using physical access to enable remote access to affect a physical result. The only close access op mentioned in the press prior to this was Russia in the Ukraine (Ukrtelecom in Crimea, mobile phone blocking), though Snowden mentions US capabilities. Sony Hack may also have a combined element (insider sharing passwords, which are then used by remote attackers…). Regardless – I love the blogs and the info that you share! I’m a huge fan.
Never heard it being pronounced anything other than ScardA. We all know what you mean, so why labour the point?
Standards in communication are handy.
The subject of control system (not just SCADA) cyber security is not hypothetical. I have amassed a database of almost 400 actual cases. In the US alone, there have already been 6 cases that have killed people and 4 major cyber-related electric outages. Unfortunately, very few of the actual cases are public because there is minimal control system cyber forensics and logging.
Is your case database available?
Why are you putting an R in any of the pronunciation options?
As a sort of syllabic marker.
(Most English accents don’t do much with “r” – consider a word like “door” and note that many English speakers never even learn how to rrrrroll their rrrrrs – and I thought “-der” looked better than “duh” 🙂
I am now assuming that scarder rhymes with larder is the same sort of drawled-vowel tendency in Southern English pronunciation that gives us peculiarities like “car-sull” (for “castle”) and “dar-ter” (for “data”).
I’ve worked in SCADA (no “r”) and automation for over 30 years. I agree with Joe Weiss about cyber damage. For examples, see page 20 (which is Page 15 of the printed document) of the US Government Accountability Office (GAO) report
—Curt