
Hackers shut down plant by targeting its safety system - jbuzbee
https://www.engadget.com/2017/12/17/hackers-shut-down-plant-by-targeting-safety-system/
======
jbarciauskas
The article confirmed my suspicion from the headline, that this was a
"failsafe" and on some level at least working as intended. I'm sure there are
lots of lessons to learn here, but at least one to be reinforced is the
concept and proper implementation of defensive failsafes is critical to
overall system safety.

~~~
askvictor
Perhaps it's slightly better than the plant keeping running with incorrect
parameters, but not by much. This approach just leads to DoS for industrial
equipment.

~~~
crocal
Indeed. There are 3 criteria studied to classify cyber threats:
Confidentiality, Integrity, Availability. While it is possible, an integrity
attack on safety related systems is very difficult to achieve, while an
availability attack is much easier to obtain due to the failsafe nature of
such systems. It is totally not better. Worse. If you shut down power & light
of a city, you can probably hurt or kill even more people than by making the
plant work improperly.

~~~
toast0
I would bet that running a power plant in wrong ways could cause worse harm in
several ways:

Damaging the plant equipment such that repair takes a long time. Depending on
the control systems available, something like turning off coolant circulation,
and running the engine at high load could cause problems quickly.

Running the equipment to provide out of spec output which could damage things
outside the plant. Possibly transmission lines or other outside equipment or
equipment at other plants. Maybe increasing output voltage could ruin outside
equipment, and altering output frequency could cause problems with other
plants that try to be in frequency lock.

These sorts of things could be much worse than an unscheduled outage; in many
locations the local power grid spans many power plants and can absorb the loss
of one plant, and if not, the local grid is probably fairly unreliable, and
critical loads have local generation available.

------
w8rbt
It seems the malware was installed on an engineering workstation connected to
a SIS (Safety Instrumented System).

https://en.wikipedia.org/wiki/Safety_instrumented_system

The only purpose of a SIS in a CPS (Cyber Physical System) is to take over and
bring the plant/processes down safely when things go wrong but before they get
out of control.

So it seems it did its job here. The big question is how the malware got onto
the engineering workstation to begin with. These are usually very segmented
(firewalls, data diodes, etc.)

------
gmueckl
Control systems are built for safety, not security. This means that they are
built with the assumption that random equipment failure happens and has to be
caught. There is no regard for security aspects. In particular, there are
typically no safeguards against deliberate malicious intent. For example, in
common field buses, once it is confirmed that a message transmission was free
of errors, the message itself is typically taken at face value and acted upon.
There is no way to verify sender identity.
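
The point about field buses above can be shown concretely. The following is an added example, not code from the thread or from any vendor's protocol stack: it models a Modbus-style frame whose only check is a CRC-16 (which detects transmission errors but says nothing about who sent the frame) beside a hypothetical authenticated framing that appends an HMAC-SHA256 tag and a sequence number. The frame layout, the 8-byte truncated tag and the shared key are assumptions for illustration; the input frames are constructed inline.

```python
import hashlib
import hmac
import struct

# Constructed shared secret between the legitimate controller and the device
# (assumption: provisioned out of band; a real deployment would use a KMS/HSM).
DEVICE_KEY = b"constructed-demo-key-do-not-reuse"


def crc16_modbus(data: bytes) -> int:
    """CRC-16/MODBUS: poly 0x8005 (reflected 0xA001), init 0xFFFF, no final xor."""
    crc = 0xFFFF
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA001 if crc & 1 else crc >> 1
    return crc


def build_crc_frame(unit: int, function: int, payload: bytes) -> bytes:
    """Classic framing: [unit][function][payload][crc16 little-endian]."""
    body = bytes([unit, function]) + payload
    return body + struct.pack("<H", crc16_modbus(body))


def accept_crc_only(frame: bytes) -> bool:
    """Receiver that checks only that the transmission was error-free.
    Any party able to put bytes on the bus can produce a frame that passes."""
    if len(frame) < 4:
        return False
    body, (crc,) = frame[:-2], struct.unpack("<H", frame[-2:])
    return crc16_modbus(body) == crc


def build_auth_frame(key: bytes, unit: int, function: int,
                     payload: bytes, seq: int) -> bytes:
    """Hypothetical authenticated framing:
    [unit][function][seq u32][payload][hmac-sha256 truncated to 8 bytes]."""
    body = bytes([unit, function]) + struct.pack("<I", seq) + payload
    tag = hmac.new(key, body, hashlib.sha256).digest()[:8]
    return body + tag


def accept_authenticated(key: bytes, frame: bytes, last_seq: int):
    """Returns the accepted sequence number, or None if the frame is rejected.
    Rejects frames whose tag was not produced with `key` (unknown sender)
    and frames whose sequence number does not advance (replay)."""
    if len(frame) < 2 + 4 + 8:
        return None
    body, tag = frame[:-8], frame[-8:]
    expected = hmac.new(key, body, hashlib.sha256).digest()[:8]
    if not hmac.compare_digest(expected, tag):
        return None
    (seq,) = struct.unpack("<I", body[2:6])
    if seq <= last_seq:
        return None
    return seq


def demo():
    """Constructed scenario: a legitimate write, then the same command
    injected by a party that has bus access but not the device key."""
    payload = b"\x00\x10\x00\x01"  # constructed register/value bytes

    legit_crc = build_crc_frame(1, 0x06, payload)
    injected_crc = build_crc_frame(1, 0x06, payload)  # anyone can compute a CRC

    legit_auth = build_auth_frame(DEVICE_KEY, 1, 0x06, payload, seq=1)
    injected_auth = build_auth_frame(b"wrong-key", 1, 0x06, payload, seq=2)

    return {
        "crc_accepts_legit": accept_crc_only(legit_crc),
        "crc_accepts_injected": accept_crc_only(injected_crc),
        "auth_accepts_legit": accept_authenticated(DEVICE_KEY, legit_auth, 0),
        "auth_accepts_injected": accept_authenticated(DEVICE_KEY, injected_auth, 1),
        "auth_accepts_replay": accept_authenticated(DEVICE_KEY, legit_auth, 1),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The CRC receiver accepts both frames because the CRC is a function of the bytes alone; the authenticated receiver accepts only the frame tagged with the device key and drops the replayed one because its sequence number does not advance. Retrofitting this onto existing bus hardware is exactly what is usually missing, which is why network segmentation around the engineering workstation carries so much of the burden in practice.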

------
zitterbewegung
Imagine in a world where all of the bad hacker movies all come true :( ....

Maybe things shouldn't be able to be accessed from the internet...

~~~
onion2k
Many things shouldn't accept inbound connections, but outbound is really
useful. A manufacturer being able to collect data from devices to monitor
their health means they can have an engineer on site _before_ a problem takes
the equipment down, and the manufacturer is able to learn what happens in the
lead up to certain problems, and so on.

Most modern industrial equipment has this sort of telemetry data collection.
You don't hear about hacks very often. A lot of manufacturers seem to do a
pretty good job of security (or of covering up hacks).

~~~
tetha
Yeah, outbound connections should be fine. Monitoring data, heartbeats or
alerts especially. It's not too hard to encrypt it securely. And even if it's
leaked, it shouldn't be too critical in general. The sink of this data should
be a regular server, so you can secure and update it properly.

------
mirimir
I wonder if this was based on stolen NSA code.

------
badrabbit
Here is the dragos write up on this (pdf):
[https://dragos.com/blog/trisis/TRISIS-01.pdf](https://dragos.com/blog/trisis/TRISIS-01.pdf)

------
throwawaycanada
When will people learn that industrial control systems can't ever be safely
connected to the internet.

~~~
tluyben2
That barrier should be much higher for networking devices imho; aviation,
container ships, cruise ships, healthcare controller systems, utility
controller systems, factory controller systems, parts of banking, parts of
payments, all of these And More should not be connected to the internet for
their critical operations.

I did a project for an 'embedded' controller software house a long time ago
and asked why they used Windows (which was just quite hackable at the time and
I wouldn't use it today for critical operations but that might just be because
it used to be so bad at a time when I mostly used Solaris which was
unbreakable compared) and why it was connected to the internet; answer was
obvious; software for Win was easier to outsource to far away countries (in NL
you find great engineers but costly and you cannot fire them easily; this
company traded quality to be able to do it cheap and be able to do it project
basis) and networking because it's too expensive to go to the client and
update the software manually. So it was just always connected. The first
versions were directly on the internet, the latter versions via a gateway
computer but it was both pretty easy to get into. Cannot imagine other reasons
to have it open from the outside besides that? Just convenience of
maintenance.

~~~
simcop2387
For industrial machines it's also becoming common to have them networked and
open so that you can gather data about everything. Watch the temperatures of
the injection molding machine and how long it's taking to do its job. If
things change then you know that parts need replacing or it's getting ready to
fail. This lets you do more runs, faster, without having to take down for
maintenance at intervals rather than when it's needed. That both increases
reliability (early failures can be caught) and how much you can produce before
needing to take it offline (since you can go longer knowing the machine is
performing identically).

~~~
tluyben2
Of course, and that's a good thing, but networked doesn't have to be the
internet. Why have that connected to the internet? And not some setup where it
is physically or at least reasonably physically separated. Those values would
also be fine on the LAN. Not networked is safer than networked, but connecting
them to the actual internet (via usually not more than some basic router) is
the other extreme.

~~~
simcop2387
Definitely agree, I've never understood why so many seem to end up connected
to the internet at large, or through some easy to pass through gap. Even
before Stuxnet it never quite made sense, and post-Stuxnet it's hard to argue
that it's not negligent to have a setup like that. The only thing I can assume
is that because having it as a separate LAN that's not routed to the internet
(arguments about VLANs being sufficient, etc are a different discussion) would
cost more in both hardware and maintenance.

------
gyvastis
Anybody watching Mr. Robot?

------
orliesaurus
Anyone remember Stuxnet [1]? I wonder what's next ...

[1]
[https://en.wikipedia.org/wiki/Stuxnet](https://en.wikipedia.org/wiki/Stuxnet)

