
Mysterious safety-tampering malware infects a second site - valiant-comma
https://arstechnica.com/information-technology/2019/04/mysterious-safety-tampering-malware-infects-a-2nd-critical-infrastructure-site/
======
oilman
In a lot of industrial sites software security is a joke. Embedded systems
tend to use very old, well-proven technology, which in itself isn't a problem
(it fits the market well), but the side effect is that security isn't always
properly considered, as it wasn't a concern when the software/hardware was
developed.

I was involved in a project a few years ago delivering a series of monitoring
systems running Windows XP to a brand new 700 million dollar oil rig. This was
at the request of the client; they had software they needed that would only
run on Windows XP. They had a fit when we had trouble sourcing Windows XP
licenses. The expectation is that these systems will have a 20 - 30 year life.

It used to be that keeping everything air gapped was enough, but organizations want
easier monitoring, so more systems are being networked in an ad-hoc way
without a lot of thought about security.

I expect we are going to see more things like this happening in the future
until we start taking security in the systems / embedded space more seriously. And
even then there will be exploits of older systems for years afterwards, since
the replacement cycle is so long.

I wonder what a secure embedded system even looks like when I think about it.
The environment isn't suitable to the kind of continuous patching that is done
in the web world, but exploits will be found and dependencies will need to be
updated. How do you square keeping things up to date with stringent testing
requirements in systems that can kill people? Many of these systems / plants
are unique; there is only one plant like it in the world, so testing becomes
very hard.
</grgr_replace>
<gr_replace lines="46-51" cat="clarify" orig="I wonder if">
I wonder if the way to get your foot in the door would be to partner with an
insurer who would provide discounts to the client if they installed security
technology meeting a certain standard. You could come up with some kind of
bump-on-the-wire type Linux device that proxied access to the old insecure
system, bringing them up to the standard. Then sell it as a return on
investment through savings on industrial accident insurance premiums.

~~~
jonawesomegreen
Seems like there is a huge opportunity here for a startup that can navigate
the industry and manage to solve some of these problems. There are huge
players in the space, but from what I've seen they aren't solving these
problems very effectively.

~~~
pmorici
How are these places insured against industrial accidents?

I wonder if the way to get your foot in the door would be to partner with an
insurer who would provide discounts to the client if they installed security
technology meeting a certain standard. You could come up with some kind of
bump on the wire type Linux device that proxied access to the old insecure
system bringing them up to the standard. Then sell it as a return on
investment through savings on industrial accident insurance premiums.

~~~
anitil
That is a fantastic idea.

------
chelmzy
Here's a Shodan search that will net you 5K+ fuel tank controls.

[https://www.shodan.io/search?query=inventory+port%3A%2210001...](https://www.shodan.io/search?query=inventory+port%3A%2210001%22)

~~~
dev_dull
Where do you get “control” from that? Looks like a web page with a fuel level
status from gas stations.

~~~
chelmzy
[https://www.blackhat.com/docs/us-15/materials/us-15-Wilhoit-...](https://www.blackhat.com/docs/us-15/materials/us-15-Wilhoit-The-Little-Pump-Gauge-That-Could-Attacks-Against-Gas-Pump-Monitoring-Systems-wp.pdf)

They take commands to change certain values.

------
sevensor
I once encountered a guy who was setting up systems so that you could control
a water treatment plant from your iPad at home. His attitude was, "Modbus on
one side, Ethernet on the other, what could possibly go wrong?" Lots, I told
him. A lot of things could go wrong.

~~~
dustindiamond
Unfortunately, my municipality of 2,200 users is planning to do this.

Also, all water meters are being replaced so they can be read remotely without
a human physically using an electronic meter reader.

~~~
VectorLock
>Also, all water meters are being replaced so they can be read remotely
without a human physically using an electronic meter reader.

Those are extremely widespread already. And they're pretty open. I wouldn't
personally be too worried about any potential exploits, since they're simply
broadcast-only systems and the worst that could probably happen is you'd get
a jacked up water bill.

~~~
peteradio
Dear Human,

You have unpaid WATER BILL of -2147483648 dollars.

Report immediately to INCINERATOR145 for processing.

Please have a kindly day,

ROBOTOVERLORD69420

------
ccnafr
Here's the direct link to the report: [https://www.fireeye.com/blog/threat-research/2019/04/triton-...](https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html)

Article spends too much time FUDing "plant explosions" for my taste.

~~~
phkahler
>> Article spends too much time FUDing "plant explosions" for my taste

Because hacking systems to cause explosions would be unheard of?

[https://www.telegraph.co.uk/news/worldnews/northamerica/usa/...](https://www.telegraph.co.uk/news/worldnews/northamerica/usa/1455559/CIA-plot-led-to-huge-blast-in-Siberian-gas-pipeline.html)

------
zaroth
And this is precisely why we can never consider nuclear power to be “safe”.

It’s just not worth the _risk exposure_. The worst case failure modes must be
expected to occur, and they must be economically and ecologically acceptable
when they do.

The idea that “this can theoretically happen but we promise it won’t” is
simply not acceptable. Versus, “this is extremely unlikely to occur because of
these numerous counter-measures, _but when it does_ here’s what we do and what
it will cost us.”

If you can do the latter analysis on a nuclear plant and come away satisfied,
then build, baby, build.

~~~
jakespracher
Yeah, I used to work at a nuclear plant. They intentionally use all analog
systems currently for fear of this. Almost nothing digital in the whole plant.

------
mirimir
So do they use any code from Stuxnet? That would be ironic.

~~~
stebann
Haha, great point.

------
peppershaker
Aren’t these control systems airgapped? So does that mean someone had to
physically plant the malware?

~~~
mandevil
Most control systems are not airgapped, because most people don't think of
themselves as targets of that level of attack. Stuxnet was targeting national
security infrastructure, which is much more likely to be airgapped, but your
local power plant doesn't (at present) think of itself as national security
infrastructure, so they don't take the same level of precautions.

Note: this only describes cases I'm familiar with, in the US. I bet that some
countries with more experience on the receiving end of cyber-warfare (e.g.
Ukraine) are better.

