Thursday, December 24, 2015

Iran Charged with Hacking a Dam in 2013, A 2015 Report Says

This could be another throwback to the probable USA/Israel attack on the nuclear development plant in Iran. Using the fairly sophisticated Stuxnet carrier, a small, simple piece of malware was inserted into the Iranian system. It controlled a very unsophisticated programmable controller that told the centrifuges used to make military-grade nuclear material for bombs to speed up or stop at random. The controller, made in the US and elsewhere in the world, has a limited command structure, and speed up, slow down, start and stop are among its commands. With timing added, so that systems using this type of controller would intermittently start or stop, or, in the case of the Iranian systems, change the speed of the centrifuges and damage them beyond repair, even making clean-up of the systems a real danger to the operating staff, such attacks are hard to find and very effective.

The attack was developed so that all it needed was a small bit of code inserted into the Iranian nuclear system; it would then replicate until it made it to the programmable controller. It apparently worked very well, and it beat the sort of demarcation line that most of the power grid, water filtration, wastewater and, yes, our dams rely on: if you can keep the system off the Internet so no one has a chance to insert the code, the system stays safe. By the way, this is the same first or last line of defense that all countries, including the USA, use to secure their critical infrastructure. But Stuxnet could be inserted onto flash drives or even CDs used to maintain these critical systems. Once in the system it went wild, and there is part of the crux of our problem.

To ensure the bad code got into the Iranian system, a lot of devices like flash drives were corrupted, and finally one made it into the Iranian system. It could have been on a flash drive some worker had loaded with MP3 files so he or she could listen to music while working. Once it was plugged into the computer at their work desk, the bad code was off and running. The code could also have made it into the system during an update, which is much harder since many companies analyse code before inserting it into the system. But if, after being analysed, the code was put onto a new, empty flash drive, that flash drive could already have had the bad code on it. The paths into a system are almost endless.

Now, these programmable controllers are used all over the world in all sorts of systems. There is a rumor that Stuxnet was tested by USA experts, on a system in the USA very similar to the Iranian nuclear system, just prior to being used in the attack on the Iranian nuclear development system.

Access control systems use them for opening and closing gates at an airport, or prison cell doors, or the on/off valves of a water treatment system, or, yes, even a small dam in a small village town near New York City. The intermittent nature of the attack is part of its danger. If a gate at a major airport opens out of the blue and later closes, most of the investigation will center on who could have done it, or whether it was just a glitch in the system; if it does not happen very often or regularly, it will probably be written off as a glitch in the system. They happen all the time.

Now take a power grid: if a programmable controller is infected by this code, it could shut down parts of the grid, causing spikes and other problems up and down the grid, and if two or more such events happened, our grid could be in real danger. The same goes for wastewater treatment systems or a small dam. Say a prison's doors opened and prisoners were let loose, or a traffic light system at a major intersection started switching from red to green at odd times. Think of how you would explain that to the police writing up the accident, or to the insurance company. Small-time, but a real problem. Here is part of the problem.
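The "it was just a glitch" problem above is easier to argue with when actuator changes are checked against the operator command log. The following is an added example, not code from the original post: it correlates a constructed controller state log with a constructed HMI command log and flags every state change that no operator command within a short window explains. Log formats, field names and device names are assumptions.

```python
"""Flag actuator state changes that no operator command explains (added example)."""
from datetime import datetime, timedelta

# Constructed sample logs: operator commands recorded by the HMI, and
# state changes reported by the controller for the same gate.
COMMAND_LOG = [
    "2015-12-20T08:00:05 operator=jdoe target=gate_3 cmd=open",
    "2015-12-20T08:06:10 operator=jdoe target=gate_3 cmd=close",
]
STATE_LOG = [
    "2015-12-20T08:00:07 device=gate_3 state=open",
    "2015-12-20T08:06:12 device=gate_3 state=closed",
    "2015-12-20T13:41:30 device=gate_3 state=open",    # nobody commanded this
    "2015-12-20T13:44:02 device=gate_3 state=closed",  # nobody commanded this
]

# Which commanded action should produce which reported state (assumed mapping).
STATE_OF_CMD = {"open": "open", "close": "closed"}


def parse(line):
    """Turn 'timestamp key=value ...' into a dict with a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def uncommanded_changes(command_log, state_log, window=timedelta(seconds=30)):
    """Return (timestamp, device, state) for changes with no matching command.

    A change is explained only if a command for the same device, asking for
    that state, was logged within `window` before the change was reported.
    """
    commands = [parse(line) for line in command_log]
    suspicious = []
    for s in (parse(line) for line in state_log):
        explained = any(
            c["target"] == s["device"]
            and STATE_OF_CMD.get(c["cmd"]) == s["state"]
            and timedelta(0) <= s["ts"] - c["ts"] <= window
            for c in commands
        )
        if not explained:
            suspicious.append((s["ts"].isoformat(), s["device"], s["state"]))
    return suspicious


if __name__ == "__main__":
    for event in uncommanded_changes(COMMAND_LOG, STATE_LOG):
        print("uncommanded change:", *event)
```

An intermittent open/close pair with no command behind it is then a recorded, correlated event to investigate rather than a glitch to write off.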

When Stuxnet was released, it went wild, as it was supposed to. It is rumored to have had some direction to it at some point, but it either migrated on its own, or with the help of some hackers, like the Chinese, into a very wild child that would attack any system it could, trying to find a programmable controller it could release the code to. So if some experts are right, it is flowing around the world now, looking for a system it can work with. Most of the major systems in most countries now have a way to delete it, and most of the programmable controllers it could work on have been removed from service. Still, there are systems out there, and even flash drives, that have the code on them. Small dams like this are just the targets this attack may still work on, and many more sophisticated attacks have been developed from the original Stuxnet. Once hackers saw the elegance of the small code attack and the carrier system used, it became a main development point for them.

Many people coming back from the Middle East would find they had picked up a version of the code in their travels. It is rumored that a similar carrier, code that just sits and waits for a signal to turn on, is at this point in over 80% of the computers in the world; for what reason, experts cannot seem to make up their minds. It is now, I understand, tagged, since removing it is almost impossible: it will show up again almost immediately.

Remember, the first or last line of defense against an attack like this is to keep your system off the Internet at all times. One of the first tests we do is to bring up the browser on computers used in these critical systems and try to get on the Internet; over 80% of the time we can, meaning the system can be attacked at any time, or could already have malicious code inserted. Next we look at the browser logs. Even if the system is not on the Internet when we check, the browser will almost always show "controlled access", where a vendor has been allowed on the system to enter updates or even security patches. Once again, this is just the attack point the bad guys are looking for, or even just a wayward piece of code floating around the Internet, perhaps residing in a local router, or even a router not local to your system, waiting to be inserted.
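The browser-log check described above can be made repeatable instead of eyeballed. The following is an added example, not code from the original post: it reads a constructed proxy/browser access log from control-room hosts that are supposed to be off the Internet, classifies each destination as internal (RFC 1918, loopback or link-local) or external, and reports which hosts actually reached external addresses and which were refused. The log layout, host names and the use of documentation address ranges to stand in for public addresses are all assumptions.

```python
"""Find Internet egress in an access log from supposedly air-gapped hosts (added example)."""
import ipaddress

# Constructed sample lines: timestamp, source host, destination ip:port, HTTP status.
# 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges standing in for
# real public addresses; the internal ones are ordinary RFC 1918 space.
ACCESS_LOG = [
    "2015-12-20T09:01:12 hmi-01 10.20.0.5:80 200",          # internal historian
    "2015-12-20T09:03:44 hmi-01 192.168.50.10:443 200",     # internal controller web page
    "2015-12-20T09:07:02 hmi-01 203.0.113.25:443 200",      # reached the Internet
    "2015-12-20T09:07:30 hmi-01 198.51.100.7:8443 200",     # vendor remote-support portal
    "2015-12-20T09:09:15 eng-ws-02 203.0.113.25:443 503",   # attempted, but refused
]

# Address space that counts as "inside the plant" for this check.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",   # RFC 1918
    "127.0.0.0/8", "169.254.0.0/16",                   # loopback, link-local
)]


def is_internal(host):
    """True for RFC 1918 / loopback / link-local IPv4 addresses; bare hostnames
    are treated as external, since an unresolved name proves nothing."""
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(addr in net for net in INTERNAL_NETS)


def egress_events(lines):
    """Return (timestamp, source, destination, status) for every non-internal destination.

    IPv4 'ip:port' destinations are assumed, as in the constructed log above."""
    events = []
    for line in lines:
        ts, src, dst, status = line.split()
        host, _, _port = dst.rpartition(":")
        if not is_internal(host):
            events.append((ts, src, dst, int(status)))
    return events


def egress_summary(lines):
    """Per source host: (successful external connections, refused attempts)."""
    summary = {}
    for _ts, src, _dst, status in egress_events(lines):
        ok, refused = summary.get(src, (0, 0))
        ok, refused = (ok + 1, refused) if status < 400 else (ok, refused + 1)
        summary[src] = (ok, refused)
    return summary
```

A host with any successful external connection has failed the "off the Internet" test, and the vendor portal entries are exactly the controlled-access paths the post says to look for.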

Cyber attacks are the wave of the 2016 future, and may already reside on your systems waiting to pounce. Hmm, that printer that just starts up and prints garbage sometimes: is it infected? Or those surveillance cameras that turn on and off on their own? Or is it all just in your mind? Have a great new year; it should be interesting.
