[ale] [OT]USB Storage Drive Loaded With Malware Shuts Down Power Plant

JD jdp at algoloma.com
Sat Jan 19 14:15:55 EST 2013


I held a position about 15 yrs ago that included introducing application software into secure environments. These environments were not patched unless a specific problem was experienced or was likely to be seen. The networks were not connected to the outside world for inbound traffic. Outbound real-time data traffic was constantly streamed on the campus network, controlled by the TTL. It was also streamed over private WANs to locations around the world.

* Absolutely no Windows PCs were allowed on the network. Mostly UNIX systems plus a mainframe running MVS, a Novell Netware file server and a few Windows Servers.
* No methods to physically touch the computers on the network were easily available. The end-user systems were all inside consoles to help prevent controller tampering.
* Servers were on a secure floor with elevator and doorway controls, as you'd expect.
* USB connectors were physically glued. No way to plug anything in. Fortunately, almost none of the systems had USB.
* Optical drives were disconnected internally, as were floppies.
* Almost all software development was performed inside this environment. If the developer didn't type in the code, it didn't get into the machine. No internet.
* My group did software development in an internet connected lab elsewhere. Our program and data were treated like a commercial vendor's. To bring the software into the secure environment, I had ...
** training to use the "software introduction systems"
** delivered the new software releases, via tape, to a system that was disconnected from every network, copied all the software off the tape to a local disk, scanned using 3 different commercial anti-virus tools. If no issues were found, another person would validate the result, physically connect it to an intermediate network, and copy the files to a network storage area. 
** I'd have to physically go up 2 floors, behind more security (card and pin access required), log in to a different network, locate my files on the storage, sftp them to our server inside the control center network. Then physically move to a different network to do the setup and configuration.

The required process was clearly documented. People who performed it were few and accountable. The idea of taking any shortcuts never crossed my mind.

Basically, there were 2 hops to get programs inside the control center network. Everything that I took into the secured environment was scanned and copied with a tag showing my name and backed up to tape. Should anything go wrong later, it could be traced back to me and the system logs would show whether I followed the procedures or not. It wasn't foolproof, but it did provide traceability.

Every 28 days, I'd spend 4 hours walking around all the different networks changing passwords. Only 1 expired every 28 days, but there were so many accounts on disconnected networks that I wasn't allowed to write down, so it was just easier for me to change them all. It also assured that my access card(s) still worked at each location. 

Cumbersome, definitely.

There were about 20 servers and 400+ workstations on that network for this single location. Approximately 5-10 other locations around the world were set up, but much smaller, with about 5 workstations at those locations. I had direct access to their internal networks through a private WAN connection from a specific workstation in a secure room. I installed any updates for our program on all these networks, sometimes 2 times a week, but usually once a month as development slowed.

We've known for years how to do this stuff. It is just the lack of convenience that makes managers choose to allow shortcuts. If a worker can take a shortcut, then they will. Don't allow it by removing physical port access. Make the only way to get software onto these machines via a process that forces them to do the "right things."

I've read about control systems being accessible over the internet with trivial passwords. Convenience or security, that is the choice that we all have to balance. 

Brian Stanaland <brian at stanaland.org> wrote:

>The US Army encrypts drives too. How strictly that is enforced is, of
>course, dependent on the data. I've taken apart and sanded down my
>share of hard drive platters. There were no USB drives allowed in offices I
>worked at. Neither were cell phones or even calculator watches. lol
>
>-- Brian
>
>
>On Sat, Jan 19, 2013 at 12:00 AM, Matthew <simontek at gmail.com> wrote:
>
>> How? The US Navy prohibits USB drives. For This Reason, figured it
>> went through all of the gov't. So I guess we are the only ones encrypting
>> drives too?
>>
>>
>> On Fri, Jan 18, 2013 at 11:06 PM, David Tomaschik <
>> david at systemoverlord.com> wrote:
>>
>>> Hi Ron,
>>>
>>> You're making a big assumption here -- that the software on the
>>> computer can be updated.  Many SCADA applications are only validated on VERY
>>> specific configurations and aren't updated to every new version.
>>> SCADA really shouldn't be on the internet, and workers really shouldn't be
>>> plugging flash drives into SCADA.
>>>
>>> David
>>>
>>>
>>> On Fri, Jan 18, 2013 at 5:27 PM, Ron Frazier (ALE) <
>>> atllinuxenthinfo at techstarship.com> wrote:
>>>
>>>> Hi all,
>>>>
>>>> Step 1 - configure basic os and operational software from trusted sources
>>>> Step 2 - configure av, but it has to be updated, which could be a problem
>>>> Step 3 - scan the machine
>>>> Step 4 - TURN AUTOPLAY OFF - applies to Linux too
>>>> Step 5 - backup the machine locally
>>>> Step 6 - backup the machine offsite, or at least in a second location in
>>>> a fireproof bunker
>>>> Step 7 - maybe make a master backup on an mdisc or something so it's
>>>> permanent
>>>> Step 8 - when the machine must be updated, scan the update media first
>>>> on a separate system with autoplay off
>>>> Step 9 - do the update and create a second set of backups
>>>> Step 10 - repeat until 3 - 6 entire sets of backups are in place
>>>>
>>>> OK I'm not a security guru and there are many variations on this theme.
>>>> But, that wasn't TOO hard to figure out.  It wouldn't necessarily protect
>>>> too well against zero day exploits.  But, since I solved their problem, I
>>>> want their salary.
>>>>
>>>> Ron
>>>>
>>>>
>>>> Sergio Chaves <sergio.chaves at gmail.com> wrote:
>>>>
>>>> >
>>>> >http://www.eweek.com/security/usb-storage-drive-loaded-with-malware-shuts-down-power-plant/?kc=EWKNLNAV01182013STR1
>>>> >
>>>> >Sometimes you just gotta say, WTF???
>>>> >
>>>> >"US-CERT, which is part of the U.S. Department of Homeland Security,
>>>> >declined to identify which power plant was affected, and did not say
>>>> >whether the facility was operating on nuclear or conventional power.
>>>> >Industrial control systems frequently use Windows-based computers to
>>>> >run their specialized software, but they rarely run antivirus software
>>>> >because these computers aren't connected to outside networks. However,
>>>> >using a USB drive to perform updates is common on these systems."
>>>> >
>>>> >_______________________________________________
>>>> >Ale mailing list
>>>> >Ale at ale.org
>>>> >http://mail.ale.org/mailman/listinfo/ale
>>>> >See JOBS, ANNOUNCE and SCHOOLS lists at
>>>> >http://mail.ale.org/mailman/listinfo
>>>>
>>>>
>>>> --
>>>>
>>>> Sent from my Android Acer A500 tablet with bluetooth keyboard and K-9
>>>> Mail.
>>>> Please excuse my potential brevity.
>>>>
>>>> (To whom it may concern.  My email address has changed.  Replying to
>>>> former messages prior to 03/31/12 with my personal address will go to the
>>>> wrong address.  Please send all personal correspondence to the new
>>>> address.)
>>>>
>>>> (PS - If you email me and don't get a quick response, you might want to
>>>> call on the phone.  I get about 300 emails per day from alternate energy
>>>> mailing lists and such.  I don't always see new email messages very
>>>> quickly.)
>>>>
>>>> Ron Frazier
>>>> 770-205-9422 (O)   Leave a message.
>>>> linuxdude AT techstarship.com
>>>>
>>>>
>>>>
>>>
>>>
>>>
>>> --
>>> David Tomaschik
>>> OpenPGP: 0x5DEA789B
>>> http://systemoverlord.com
>>> david at systemoverlord.com
>>>
>>>
>>>
>>
>>
>> --
>> SimonTek
>> 912-398-6704
>>
>>
>>

-- 
Sent from a Linux system.
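The two-hop introduction process described at the top of this message (scan on a disconnected station, have a second person validate, copy across with a tag showing who brought it in) and Ron's step 8 (scan the update media on a separate system first) both come down to the same thing: the inside network should accept only files that a known person scanned and signed off on, and reject anything that changed on the way in. The script below is an added illustration of that check and is not code from the thread or from any of the systems it describes. It assumes a shared key held only by the introduction stations (a real deployment would use a signing key on a hardware token), and the introducer name, scanner names, timestamp and file contents are all constructed for the example.

```python
"""
Software-introduction manifest: seal a scanned release at the scanning
station, re-verify it at the inside station. Added example, not from the
ALE thread; key, names and sample files are constructed.
"""
import hashlib
import hmac
import json
import os
import tempfile
import time


def _sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def _file_hashes(release_dir):
    """Map every file under release_dir (relative, '/'-separated) to its SHA-256."""
    hashes = {}
    for root, _dirs, files in os.walk(release_dir):
        for name in files:
            full = os.path.join(root, name)
            rel = os.path.relpath(full, release_dir).replace(os.sep, "/")
            if rel == "MANIFEST.json":  # the manifest travels alongside, not inside
                continue
            hashes[rel] = _sha256_file(full)
    return hashes


def _seal(record, key):
    """HMAC over a canonical JSON encoding so any edit to the record breaks the seal."""
    body = json.dumps(record, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, body, hashlib.sha256).hexdigest()


def build_manifest(release_dir, introducer, scan_results, key, now=None):
    """Scanning station: refuse to seal unless every scanner verdict is 'clean'."""
    flagged = [name for name, verdict in scan_results.items() if verdict != "clean"]
    if flagged:
        raise ValueError("scan not clean: " + ", ".join(sorted(flagged)))
    record = {
        "introducer": introducer,            # the accountability tag
        "timestamp": int(now if now is not None else time.time()),
        "scanners": dict(scan_results),      # which tools said clean
        "files": _file_hashes(release_dir),
    }
    return {"record": record, "seal": _seal(record, key)}


def verify_manifest(release_dir, manifest, key, required_scanners=3):
    """Inside station: return a list of problems; an empty list means accept."""
    record = manifest.get("record", {})
    if not hmac.compare_digest(_seal(record, key), manifest.get("seal", "")):
        return ["manifest seal does not verify"]
    problems = []
    if len(record.get("scanners", {})) < required_scanners:
        problems.append("fewer than %d scanner verdicts recorded" % required_scanners)
    expected = record.get("files", {})
    actual = _file_hashes(release_dir)
    for rel in sorted(set(expected) - set(actual)):
        problems.append("missing: " + rel)
    for rel in sorted(set(actual) - set(expected)):
        problems.append("unexpected: " + rel)
    for rel in sorted(set(expected) & set(actual)):
        if expected[rel] != actual[rel]:
            problems.append("modified: " + rel)
    return problems


def demo():
    """Constructed walk-through: clean transfer, tampered files, forged record."""
    key = b"constructed-introduction-station-key"   # placeholder, not a real key
    scans = {"scanner_a": "clean", "scanner_b": "clean", "scanner_c": "clean"}
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "release.bin"), "wb") as f:
            f.write(b"release 1.2 payload")
        with open(os.path.join(d, "install.sh"), "wb") as f:
            f.write(b"#!/bin/sh\necho install\n")
        manifest = build_manifest(d, "jd", scans, key, now=1358622955)
        clean = verify_manifest(d, manifest, key)
        # Something changes in the staging area between the two hops.
        with open(os.path.join(d, "install.sh"), "ab") as f:
            f.write(b"echo extra\n")
        with open(os.path.join(d, "stray.exe"), "wb") as f:
            f.write(b"x")
        tampered = verify_manifest(d, manifest, key)
        # Someone edits the record to shift accountability; the seal catches it.
        manifest["record"]["introducer"] = "someone-else"
        forged = verify_manifest(d, manifest, key)
    return clean, tampered, forged


if __name__ == "__main__":
    for label, result in zip(("clean", "tampered", "forged"), demo()):
        print(label, result or "accepted")
```

The inside station only ever sees the sealed manifest and the files; it does not need the scanners themselves, which keeps the two hops JD describes independent. Keeping the introducer's name inside the sealed record is what turns the copy log into the traceability the message mentions.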