Cyberattack on German steel factory causes ‘massive damage’

From IT World:

A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report.

The attackers got in through spear phishing, then were able to access the ICS directly.

I’m expecting 2015 to be an interesting year for ICS security.

South Korean Nuclear Plant Hack

From Reuters:

The Korea Hydro and Nuclear Power Co Ltd (KHNP) and the government said only “non-critical” data was stolen by the hackers, and that there was no risk to nuclear installations, including the country’s 23 atomic reactors.

South Korea’s energy ministry said it was confident that its nuclear plants could block any infiltration by cyber attackers that could compromise the safety of the reactors.

“It’s our judgment that the control system itself is designed in such a way and there is no risk whatsoever,” Chung Yang-ho, deputy energy minister, told Reuters by phone.

“It is 100 percent impossible that a hacker can stop nuclear power plants by attacking them because the control monitoring system is totally independent and closed,” the official said.

100 percent impossible? That sounds like a challenge.

I’m willing to wager that “non-critical” data could be a good starting point for crafting a more sophisticated attack. But of course, nothing has ever jumped an air gap…

Very realistic

I’ve been reading through Kim Zetter’s excellent new book, Countdown to Zero Day: Stuxnet and the Launch of the World’s First Digital Weapon and saw this reference to Sandia (and indirectly, to my colleague John Mulder):

“In a 2009 report on 60 Minutes, researchers at Sandia National Lab showed how they could cause components at an oil refinery to overheat by simply changing the settings of a heating element and disabling the recirculation pumps that helped regulate the temperature.”

I found the article at, but haven’t been able to track down the actual video.

“The first thing we had to do was actually gain access to the network and that’s, we just got that as launch attack. And then we turn up the BTUs, and then we’re turning off the re-circulator pump. There we go,” Mulder said.

Mulder said this type of simulation is “very” realistic.

U.S. Blames China’s Military Directly for Cyberattacks

New York Times – U.S. Blames China’s Military Directly for Cyberattacks:

The Obama administration on Monday explicitly accused China’s military of mounting attacks on American government computer systems and defense contractors, saying one motive could be to map “military capabilities that could be exploited during a crisis.”

From the report itself:

In 2012, numerous computer systems around the world, including those owned by the U.S. government, continued to be targeted for intrusions, some of which appear to be attributable directly to the Chinese government and military. These intrusions were focused on exfiltrating information. China is using its computer network exploitation (CNE) capability to support intelligence collection against the U.S. diplomatic, economic, and defense industrial base sectors that support U.S. national defense programs.

Cyber-espionage protections in HR933

Someone snuck some pretty serious restrictions on government purchases of IT from Chinese-owned companies into the recently-approved continuing resolution. (Specifically: HR933, Division B, Title V, Sec. 516.)

Sec. 516. (a) None of the funds appropriated or otherwise made available under this Act may be used by the Departments of Commerce and Justice, the National Aeronautics and Space Administration, or the National Science Foundation to acquire an information technology system unless the head of the entity involved, in consultation with the Federal Bureau of Investigation or other appropriate Federal entity, has made an assessment of any associated risk of cyber-espionage or sabotage associated with the acquisition of such system, including any risk associated with such system being produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China.

(b) None of the funds appropriated or otherwise made available under this Act may be used to acquire an information technology system described in an assessment required by subsection (a) and produced, manufactured or assembled by one or more entities that are owned, directed or subsidized by the People’s Republic of China unless the head of the assessing entity described in subsection (a) determines, and reports that determination to the Committees on Appropriations of the House of Representatives and the Senate, that the acquisition of such system is in the national interest of the United States.

My questions: Why does this only apply to Commerce, Justice, NASA, and NSF? What will the real impact be? Does this only apply to big-A Acquisition programs, or will it impact procurement?

I’m surprised this hasn’t gotten more publicity. I’m going to be very interested to follow how these restrictions are implemented.

Further reading:
U.S. law to restrict government purchases of Chinese IT equipment
Congress Bulls Into China’s Shop
New U.S. Cyber-Security Law May Hinder Lenovo’s Sales Growth

Resilient Military Systems and the Advanced Cyber Threat

The DOD Defense Science Board has just released a task force report, Resilient Military Systems and the Advanced Cyber Threat, and it’s been getting a lot of attention.

From the report:

  • The cyber threat is serious, with potential consequences similar in some ways to the nuclear threat of the Cold War
  • The cyber threat is also insidious, enabling adversaries to access vast new channels of intelligence about critical U.S. enablers (operational and technical; military and industrial) that can threaten our national and economic security
  • Current DoD actions, though numerous, are fragmented. Thus, DoD is not prepared to defend against this threat
  • DoD red teams, using cyber attack tools which can be downloaded from the Internet, are very successful at defeating our systems
  • U.S. networks are built on inherently insecure architectures with increasing use of foreign-built components
  • U.S. intelligence against peer threats targeting DoD systems is inadequate
  • With present capabilities and technology it is not possible to defend with confidence against the most sophisticated cyber attacks
  • It will take years for the Department to build an effective response to the cyber threat to include elements of deterrence, mission assurance and offensive cyber capabilities.

Serious stuff.

Supply Chain Solutions for Smart Grid Security

The US Resilience Project has released the report Supply Chain Solutions for Smart Grid Security: Building on Business Best Practices, based on results from their March 2012 workshop.

I attended the workshop in March and was very impressed at the time. I felt a little bit out of place–one of just a few engineers in a huge room full of executives–but I thought the resulting conversations were good. I’m glad they captured so much of that in this report.

Industrial Control System Field Device Analysis

For anyone interested, here is a soft copy of the presentation John Mulder and I gave at the IFIP Working Group 11.10 on Critical Infrastructure Protection at National Defense University last spring: Industrial Control System Field Device Analysis

Control System Devices: Architectures and Supply Channels Overview

There’s been a ton of work on reverse engineering PLC firmware, but not much on the hardware or supply chain issues. This is a Sandia technical report I published with John Mulder, Jason Trent, and Will Atkins a couple of years ago.

Control System Devices: Architectures and Supply Channels Overview

This report describes a research project to examine the hardware used in automated control systems like those that control the electric grid. This report provides an overview of the vendors, architectures, and supply channels for a number of control system devices. The research itself represents an attempt to probe more deeply into the area of programmable logic controllers (PLCs)—the specialized digital computers that control individual processes within supervisory control and data acquisition (SCADA) systems. The report (1) provides an overview of control system networks and PLC architecture, (2) furnishes profiles for the top eight vendors in the PLC industry, (3) discusses the communications protocols used in different industries, and (4) analyzes the hardware used in several PLC devices. As part of the project, several PLCs were disassembled to identify constituent components. That information will direct the next step of the research, which will greatly increase our understanding of PLC security in both the hardware and software areas. Such an understanding is vital for discerning the potential national security impact of security flaws in these devices, as well as for developing proactive countermeasures.