
Hackers invade safety system, halt plant operations in ‘watershed’ cyberattack - pmoriarty
https://www.japantimes.co.jp/news/2017/12/15/world/crime-legal-world/hackers-invade-safety-system-halt-mideast-plant-operations-watershed-cyberattack/
======
dwyerm
I got quite a sense of whiplash just in the first page of the article. It is
an article from Japan Times, with a leading photo from California, over a
byline from Toronto, about an attack on equipment from a French firm in a site
in Saudi Arabia.

...just in case you forgot that the internet is international.

------
Hasz
Why are systems like this connected to the internet?

As far as I can see, any safety monitoring system should be air-gapped, or, if
remote control is absolutely needed, be connected via a robust physical
interface, i.e. a thick cable.

There is no good reason for any of these devices to have a public IP address.
Physical access should be the only attack vector available when it comes to
industrial sabotage.

~~~
Kurtz79
If I'm not mistaken, there is no mention in the article that the system was
actually connected to the Internet.

The Stuxnet attack (which as another commenter said was the real "watershed"
event) managed to infect the target system even if it was air-gapped, by
infecting the PC of someone that eventually connected to the private network
of the target onsite.

[https://en.wikipedia.org/wiki/Stuxnet#Windows_infection](https://en.wikipedia.org/wiki/Stuxnet#Windows_infection)

~~~
mcgarnagle
Okay, then really the comment should be renamed to why is critical
infrastructure allowed to be tampered with. Say this infection was brought in
via hardware or Bluetooth exploitation or Wi-Fi exploitation. None of those
attack vectors should ever be accessible. No human working there should ever
be able to "by accident" infect the system.

~~~
tueo23094
That's nice in theory, but perhaps you have to change the logic of that SIS.
Perhaps some parts need to be decommissioned, or added to. A security hot
patch is needed or a backup taken.

There are thousands of reasons someone may need to connect to a system.

------
joe_the_user
So, a virus-based cyber attack on the computer system of a Saudi Arabian
industrial operation, supposedly by Iran.

If "watershed" means fundamentally new, this isn't a watershed event since this
event was preceded by the Stuxnet attack on Iran, by many accounts committed
by the US and Israel.

Still, it seems to reinforce the general situation that the gloves are off
between nation states, every cyber avenue of attack that can be pursued, will
be pursued - a war of all against all. Since not only are cyber attacks cheap,
they offer endless plausible deniability.

~~~
willvarfar
"Watershed moments" are those that cause everyone to take something seriously
instead of believing it couldn't happen to them. It's about people's reactions.

~~~
freehunter
I still think we're a long way out from the real "watershed" moment, and I say
that as a lifelong security engineer.

Nothing fundamental changed after Stuxnet. Nothing fundamental is changing
from this. Nothing fundamental changed after Target, Home Depot, Equifax,
nothing. We're still vulnerable to the exact same types of attacks in the
exact same way, saved only by the fact that easier targets exist to draw away
the attention of attackers. These "watershed" attacks only happen when someone
specifically wants to go after _that_ target as opposed to just any target.

We've been at cyber WWIII for a long time, nation-state attackers are nothing
new. Problem is, loss of life is the only reason we have any reservations at
all about attacking other nations. Until cyber war ends the life of a Western
media-friendly victim, we will continue not caring.

Actual human casualties will be the real watershed moment.

------
DyslexicAtheist
_"The malware, which FireEye has dubbed Triton, is only the third type of
computer virus discovered to date that is capable of disrupting industrial
processes."_

This sounds incorrect ... Wasn't there (at least):

      1) Stuxnet (2010)
      2) Shamoon (2012)
      3) HAVEX (2013)
      4) BlackEnergy (2015)
      5) Industroyer (CrashOverride) (2016)
      6) Triton (??)

Naming it Triton is unfortunate since there has been a malware from 2004 with
the same name[¹] that is totally unrelated.

[¹] [https://www.pandasecurity.com/cyprus/homeusers/security-info/43507/information/Triton.A](https://www.pandasecurity.com/cyprus/homeusers/security-info/43507/information/Triton.A)

------
cordite
One of my relatives is a safety engineer at a plant. Remotely he can connect
to a read-only console; if there are any changes, he has to call someone on the
inside to make them.

I don’t know how robust that read-only aspect is, but it seems like a good
middle ground if faithfully implemented.

