Foreign cyber attack hits US infrastructure: expert

November 19, 2011

A man uses a laptop computer at a wireless cafe.

A cyber strike launched from outside the United States hit a public water system in the Midwestern state of Illinois, an infrastructure control systems expert said on Friday.

"This is arguably the first case where we have had a hack from outside the United States that caused damage," Applied Control Solutions managing partner Joseph Weiss told AFP.

"That is what is so big about this," he continued. "They could have done anything because they had access to the master station."

The Illinois Statewide Terrorism and Intelligence Center disclosed the cyber assault on a public water facility outside the city of Springfield last week but attackers gained access to the system months earlier, Weiss said.

The network breach was exposed after cyber intruders burned out a pump.

"No one realized the hackers were in there until they started turning on and off the pump," according to Weiss.

The attack was reportedly traced to a computer in Russia and took advantage of account passwords stolen during a hack of a US company that makes Supervisory Control and Data Acquisition (SCADA) software.

About a dozen firms make SCADA software, which is used around the world to control machines in industrial facilities ranging from factories to nuclear power and sewage plants.

Stealing passwords and account names from a SCADA software company was, in essence, swiping keys to networks of facilities using the programs to control operations.

"We don't know how many other SCADA systems have been compromised because they don't really have cyber forensics," said Weiss, who is based in California.

The US has downplayed the Illinois cyber attack in public reports, stating that it had seen no evidence indicating a threat to public safety but was investigating the situation.

Word also circulated on Friday that a water supply network in Texas might have been breached in a , according to McAfee Labs security research director David Marcus.

"My gut tells me that there is greater targeting and wider compromise than we know about," Marcus said in a blog post.

"Does this mean that I think it is cyber-Armageddon time?" Marcus continued. "No, but it is certainly prudent to evaluate our systems and ask some questions."

(c) 2011 AFP

Recovering_Human
Nov 19, 2011

Rank: 5 / 5 (3)
Why would these local critical systems be made accessible in any way from beyond small closed networks?
dogbert
Nov 19, 2011

Rank: 4.2 / 5 (5)
Any theories, dogbert?


Obviously, security is being discarded in favor of convenience.

Recovering Human's question remains valid. Why would you sacrifice security on critical systems?
hyongx
Nov 19, 2011

Rank: 5 / 5 (4)

Why would you sacrifice security on critical systems?


"Hey bro would you pass me that wireless keyboard? and a Budweiser?"
"what do you want the keyboard for?"
"well my boss says i gotta turn the pump off at 2am. Like I'm gonna stay there til 2am. As If!"
"no but so what's the keyboard for, dude?"
"Remote desktop, homie!"
*high fives*
fmfbrestel
Nov 19, 2011

Rank: 5 / 5 (6)
@dogbert -- because you don't have the money to hire one controller for each station, workforce dictates remote control. They absolutely should NOT be on the internet, but instead on a closed network -- again costs money to build a fully independent network. In an economic climate with anemic tax revenues, no level of government has the extra money to spend.

The vast majority of all government spending, at all levels, goes to payroll one way or another. In an age of massive budget cuts where should we get the money to fix these problems?

I don't have a solution and don't pretend to, but I think we need to start owning up to the seriousness of our situation.
fmfbrestel
Nov 19, 2011

Rank: not rated yet
Good point hyongx - the great majority of all hacks require someone to be careless, not all of this needs to fall on faulty procedures or systems.
FrankHerbert
Nov 19, 2011

Rank: 0.8 / 5 (53)
Any theories, dogbert?


Obviously, security is being discarded in favor of convenience.

Recovering Human's question remains valid. Why would you sacrifice security on critical systems?


Nice dodge. I'll ask again. Any theories dogbert?
Nerdyguy
Nov 19, 2011

Rank: not rated yet
Is it my imagination, or has PhysOrg recycled that same photo for several other stories?
Nerdyguy
Nov 19, 2011

Rank: 3 / 5 (2)
Those of you suggesting that these systems should be offline or only on small local networks:

The fact is, they're not. We live in a complex, global economy where systems of all kinds are interconnected and where the technical expertise needed to implement and maintain systems is not readily available at all times at all locations on the planet. This doesn't appear to be a problem that will be solved any time soon.

So, can we move past that?
kochevnik
Nov 19, 2011

Rank: 1 / 5 (1)
Another win for libertarian robber-baron wannabes who outsource their security to third-world street urchin posers on freelancer.com. Ryggesogn2 should be livid with excitement!
dogbert
Nov 19, 2011

Rank: 3.7 / 5 (3)
fmfbrestel,

...because you don't have the money to hire one controller for each station, workforce dictates remote control. They absolutely should NOT be on the internet, but instead on a closed network -- again costs money to build a fully independent network. In an economic climate with anemic tax revenues, no level of government has the extra money to spend.


I think it can be argued that the small expenditures to create a closed network are justified when compared to the costs of open access to critical systems, but you can create virtual private networks over a public network for essentially zero extra cost.

There is really no excuse for providing open access to critical systems.
maxcypher
Nov 19, 2011

Rank: 5 / 5 (2)
Right: no excuse. It is due to the laziness of the companies and gov't departments involved that allow open access.
Burnerjack
Nov 19, 2011

Rank: 5 / 5 (2)
If these systems were on closed networks, there would be no need to hire "emergency cyber security consultants" at some exorbitant rate. Allowing the attack to occur FIRST not only "justifies" the added expenditure but also further justifies "homeland security" type measures.
How much simpler it would be to fire those responsible for securing these critical applications for not doing their jobs in the first place. But then, that would be like demanding accountability in government. How crazy is THAT!
ROBTHEGOB
Nov 20, 2011

Rank: 5 / 5 (1)
Our fancy new state-of-the-art city library in Eugene, Oregon has all its lighting and heating controlled from the other side of the country; pretty stupid, I would say. This is a trend, and should be stopped before it gets out of hand.
Nerdyguy
Nov 20, 2011

Rank: 5 / 5 (1)
Another win for libertarian robber-baron wannabes who outsource their security to third-world street urchin posers on freelancer.com. Ryggesogn2 should be livid with excitement!


Actually, this is a standard operating procedure in IT departments around the world. Please take your political views elsewhere.
Nerdyguy
Nov 20, 2011

Rank: 5 / 5 (2)
I think it can be argued that the small expenditures to create a closed network are justified when compared to the costs of open access to critical systems, but you can create virtual private networks over a public network for essentially zero extra cost.

There is really no excuse for providing open access to critical systems.


You are truly out of your element here and stating misinformation. There is nothing "small" about the expenditures. There is no possible way to fix this with a closed, off-limits system.

This is not the CIA we're talking about. It's municipal water depts. and they barely have the cash to keep the water pumping.

This can not -- and will not -- be fixed in this manner.

Please move on.

Nerdyguy
Nov 20, 2011

Rank: not rated yet
Right: no excuse. It is due to the laziness of the companies and gov't departments involved that allow open access.


Wrong. Read my posts for some enlightenment.
Nerdyguy
Nov 20, 2011

Rank: 3 / 5 (2)
Our fancy new state-of-the-art city library in Eugene, Oregon has all its lighting and heating controlled from the other side of the country; pretty stupid, I would say. This is a trend, and should be stopped before it gets out of hand.


Wow, you guys just aren't listening.

This is NOT NEWS.

This is NOT NEW.

This has been going on for about 20 years, and is standard operating procedure for IT departments EVERYWHERE ON THE PLANET.

Other than military, intelligence and other high-security government agencies, NO ONE has all the expertise in-house to do EVERYTHING that might come up.

We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?
Jonny_V
Nov 20, 2011

Rank: not rated yet
If you have ever worked with the typical blue collar employees, they are generally IT illiterate, so this really doesn't surprise me. Especially since I ran into the same types of issues with warehouse automation systems.
_nigmatic10
Nov 20, 2011

Rank: 5 / 5 (2)
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords change every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?
dogbert
Nov 20, 2011

Rank: 3.7 / 5 (3)
Nerdyguy,

Wow, you guys just aren't listening.

Are you?

We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?


We can stop saying we cannot do anything.

If remote access is necessary and the network is small, a private network is not prohibitively expensive.

If remote access is necessary and the network must include multiple sites, a virtual private network is not difficult to set up or maintain and is essentially free. That is, since the utility can afford internet access, it can afford a virtual private network.

This story is about a water plant and a burned out water pump. Suppose it was about a dam and gates blocked open?

It is not necessary to subject our critical systems to open access. Criminal incompetence is not excusable.
kevinrtrs
Nov 20, 2011

Rank: 3.1 / 5 (7)
no level of government has the extra money to spend

Interesting that the US government found hundreds of billions of dollars to bail out crooks in the housing/banking rip-off which of course led to huge bonus payouts for the culprits.
So it's merely a matter of priorities.
Nerdyguy
Nov 20, 2011

Rank: not rated yet
no level of government has the extra money to spend

Interesting that the US government found hundreds of billions of dollars to bail out crooks in the housing/banking rip-off which of course led to huge bonus payouts for the culprits.
So it's merely a matter of priorities.


Yes and no. The problem described here was almost unheard of even a few years ago. But, even now, it's not really viewed as something with the potential for disastrous consequences. Incorrectly, IMO, but I don't sit on the appropriate legislative committees either. Also, there have been some dollars designated for this kind of thing. But, the majority are being spent on things like physical security at the big nuke plants.
_nigmatic10
Nov 20, 2011

Rank: 5 / 5 (1)
Cycling passwords to at least a nominal change pattern would reduce if not prevent events like this. Not much, if any money needs to be thrown at such a policy.
Skultch
Nov 20, 2011

Rank: not rated yet
If remote access is necessary and the network must include multiple sites, a virtual private network is not difficult to set up or maintain and is essentially free.


True, but that probably wouldn't have helped here. Remember, they got the logins from a previous hack, which might have included the VPN credentials. Rolling VPN is very expensive.

I'm not really arguing; you make a decent point. However, it's much more complicated than simply slapping a VPN on the remote access problem. Only addressing one flaw will just expose the next weakest link. There's almost no point in only addressing one aspect of security.

And anyway, it looks like all they had to do is replace a pump. A pump that almost certainly costs much less than a thorough independent IT security audit and subsequent upgrade(s). We don't know if they had more critical systems exposed or not.
Skultch
Nov 20, 2011

Rank: not rated yet
Cycling passwords to at least a nominal change pattern would reduce if not prevent events like this. Not much, if any money needs to be thrown at such a policy.


Can I get a quote for that? Those keychain VPN systems take a lot of manpower to manage and are cost prohibitive if you only have a few remote uses / users, which I assume is the case here.

Maybe they are cheaper now and these yahoos should have known that. I've been out of the security side of IT for a while.
SteveL
Nov 20, 2011

Rank: not rated yet
There are publicly available search engines that can locate internet-facing SCADA systems. SCADA security isn't very robust - you can query repeated password attempts. And, on the people side: processor default passwords are often used or replaced with some inane password like "11111", "12345" or a local zip code.

More than 5 years ago I saw this same type of hack performed by the US's DHS - also burning up a pump motor by the same method. They were trying to prove a point, but the warnings haven't gotten any traction yet. I have no idea other than another darn government mandate what will get federal, state and local governments to wake up and take proactive measures to secure their systems.

Were I an aggressive nation state and wanted to disable another country pre-invasion, I'd shut down their internet & SCADA systems. 90 days in a first-world nation without monetary flow, commerce, electrical or coordinated defences - an army could walk right in with little resistance.
Skultch
Nov 20, 2011

Rank: not rated yet
Pumps and the like are relatively easy and cheap to replace, afaik. I'd be more worried about electrical systems' security because of the relatively higher cost and length of production of the high capacity transformers. I don't know how exposed those systems are, however.

I'm mostly just throwing ideas out there, so no need for a heated debate with me. All I'm really saying is that there is a very complicated financial cost/benefit risk analysis that must be done on these systems and budgets, and many posts here are not appreciating that fact.
TheGhostofOtto1923
Nov 20, 2011

Rank: not rated yet
We need to talk about improving security where and how it is doable, and stop wasting time talking about taking one million or more systems off-line. We are ALL hyper-connected, and it will stay that way.

Now, other than pulling the plug, what ELSE can we do?
Well, obviously, again the best defense is ATTACK.
Why would these local critical systems be made accessible in any way from beyond small closed networks?
-And why would you locate your Pacific fleet out in the middle of the Pacific where it couldn't be defended? Perhaps you need something which gives you the moral justification to ATTACK.

Defense is useless. The enemy waits like the lion in the grass, looking for weakness, and attacks when IT is ready.

People long ago learned that the only lasting defense against lions is to hunt them. Any gamer will tell you this.
Skultch
Nov 20, 2011

Rank: not rated yet
People long ago learned that the only lasting defense against lions is to hunt them. Any gamer will tell you this.


Yep; we've known this for a few years. See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy. Blind attack is usually a high risk. It's better to probe then prepare a crushing counter-attack than to "show your hand" with little intel on the defender's power.

I think it's a bit of a stretch to claim that local municipalities are knowingly giving themselves up as bait. I'm sure Otto has a riveting conspiracy theory at-the-ready, though. :)
TheGhostofOtto1923
Nov 20, 2011

Rank: not rated yet
Yep; we've known this for a few years. See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy. Blind attack is usually a high risk. It's better to probe then prepare a crushing counter-attack than to "show your hand" with little intel on the defender's power.
Why I was just thinking this myself. One way to gauge an enemy's potential is to present some tempting targets, like water pumps. Anonymous members were probably stung in this way.
I think it's a bit of a stretch to claim that local municipalities are knowingly giving themselves up as bait.
Depends on who Designs their infrastructure for them.
I'm sure Otto has a riveting conspiracy theory at-the-ready, though. :)
EMPIRE owns everything like Joseph and pharaoh. They do whatever They want with Their possessions. Including us. 8-O
Ricochet
Nov 21, 2011

Rank: not rated yet
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords change every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?

That was my exact thought as I read the article and the subsequent posts... How much does it cost to change passwords?
Ricochet
Nov 21, 2011

Rank: not rated yet
See Sun Tzu's "The Art of War," or for a more recent example, No Limit Texas Hold'em strategy.

Kudos to you. That was just damned funny. And that comes from the heart of a Texas Hold'em enthusiast.
SteveL
Nov 21, 2011

Rank: not rated yet
So this hack happened because the hackers used months old passwords to gain access? Really? Why is it simple hotels have their network passwords change every month, yet here is a utility company getting hacked by months old stolen passwords. Really? Are the infrastructures in that much of a dark age still?

That was my exact thought as I read the article and the subsequent posts... How much does it cost to change passwords?
The price of unemployment for those who don't.