First real-world SCADA attack in US

On an Illinois water utility:

http://www.msnbc.msn.com/id/45359594/ns/technology_and_science-security

Cheers,
-- jra

I wonder if they are using private IP addresses.

-as

LOL. I see what you did there.....

-Hammer-

"I was a normal American nerd"
-Jack Herer

I checked the SCADA boxes used in our "smart" building. They are all using 127.0.0.1

Is that a security risk?

Might I suggest using 127.0.0.2 if you want less spam :stuck_out_tongue:

Pretty scary that folks have
  1. Their SCADA gear on public networks, not behind VPNs and firewalls.
  2. Allow their hardware vendor to keep a list of usernames / passwords.
  2b. Obviously don't change these so often. When's the last time they really "called support" and refreshed the password with the hw vendor.... Probably when they installed the gear... Sheesh..

Perhaps the laws people suggest we need to protect ourselves should be added to. If you are the operator of a network and due to complete insanity leave yourself wide open to attack, you are just as guilty as the bad guys... But then again I don't want to goto jail for leaving my car door open and having someone steal my car, so nix that idea.

   Ryan Pavely
    Director Research And Development
    Net Access Corporation
    http://www.nac.net/

There is a difference, there, Ryan, both in degree of danger, and in duty of
care. If you leave your car open, the odds that someone will steal it *and
use it to plow into a crowd of people* are pretty low; the odds that someone
breaking into a SCADA network mean to cause harm to the unsuspecting public
are probably a bit higher.

Also, the people running that SCADA network *get paid* to do so in a fashion
which does not cause undue risk to the general public be they customers of the
utility or not; this is also not true of your stolen car.

So I don't think there's all that much danger of "making laws to protect
the public from attacked SCADA networks not secured in accordance with
generally accepted best practices" being generalized into "you're going to
jail if someone steals your car, even if they *do* use it as a weapon".

Even as stupid and grandstander as our Congress is.

Cheers,
-- jra

"First"

https://ciip.wordpress.com/2009/06/21/a-list-of-reported-scada-incidents/

Oh, but you are. (Not sure about criminal liability, but definitely civil.)

From: "Mark Foster" <blakjak@blakjak.net>

"First"

Hey; I don't write em; I just quote em. :slight_smile:

https://ciip.wordpress.com/2009/06/21/a-list-of-reported-scada-incidents/

The Willows CA is the only one in the first part of that list that was a)
an actual attack, b) that actually had results c) in the US, but yeah; I was
unsurprised to find out they were wrong in their characterization.

Cheers,
- jra

Might I suggest using 127.0.0.2 if you want less spam :stuck_out_tongue:

Pretty scary that folks have
1. Their SCADA gear on public networks, not behind VPNs and firewalls.

Do people really do that? Just dump a /24 of routable space on a network and use it?
Fifteen years ago perhaps, but now, really? Or are these legacy installations with Cisco routers that don't do 'ip classless' and that everybody has forgotten about?

2. Allow their hardware vendor to keep a list of usernames / passwords.

Yeah I can believe this. That's if they bothered changing the passwords at all.

2b. Obviously don't change these so often. When's the last time they really "called support" and refreshed the password with the hw vendor.... Probably when they installed the gear... Sheesh..

I am curious now as to what you would find port scanning for port 23 on some space owned by utility companies. Now, I'm not about to do this, but it would be interesting.

Does anybody know what really happened here? Were they just using some ancient VHF radio link to an unmanned pumping station that somebody hacked with an old TCM3105 or AM2911 modem chip and a ham radio?

Probably nowhere near that sophisticated. More like somebody owned the PC running Windows 98 being used as an operator interface to the control system. Then they started poking buttons on the pretty screen.

Somewhere there is a terrified 12 year old.

Please don't think I am saying infrastructure security should not be improved - it really does need help. But I really doubt this was anything truly interesting.

Having worked on plenty of industrial and other control systems I can safely say security on the systems is generally very poor. The vulnerabilities have existed for years but are just now getting attention. This is a problem that doesn't really need a bunch of new legislation. It's an education / resource issue. The existing methods that have been used for years with reasonable success in the IT industry can 'fix' this problem.

Industrial control systems are normally only replaced when they are so old that parts can no longer be obtained. PCs started to be widely used as operator interfaces about the time Windows 95 came out. A lot of those Win95 boxes are still running and have been connected to the network over the years.

And... if you can destroy a pump by turning it off and on too often then somebody engineered the control and drive system incorrectly. Operators (and processes) do stupid things all the time. As the control systems engineer you're supposed to deal with that so that things don't go boom.

--
Mark Radabaugh
Amplex

mark@amplex.net 419.837.5015
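Mark's point about pumps that can be destroyed by rapid on/off commands, as an added example that is not from this thread or any vendor's product: an anti-short-cycle interlock that sits in the controller below the operator screen, refuses start/stop commands violating a minimum run time, minimum off time and hourly start budget, and records every refusal for the people watching the system rather than silently dropping it. The limits (120 s, 60 s, 6 starts/hour) and the command sequence are constructed for illustration.

```python
"""Anti-short-cycle pump interlock below the HMI (added example, constructed limits)."""
from dataclasses import dataclass, field


@dataclass
class PumpInterlock:
    min_run_s: float = 120.0          # once started, run at least this long
    min_off_s: float = 60.0           # once stopped, stay off at least this long
    max_starts_per_hour: int = 6      # motor thermal budget (constructed value)
    running: bool = False
    last_change_t: float = -1e9       # time of last accepted state change
    changes: int = 0                  # accepted state changes
    start_times: list = field(default_factory=list)
    rejected: list = field(default_factory=list)   # (t, cmd, reason) audit trail

    def command(self, t: float, cmd: str) -> bool:
        """Apply an HMI command at time t (seconds); True if honoured."""
        if cmd not in ("start", "stop"):
            self.rejected.append((t, cmd, "unknown command"))
            return False
        want_run = cmd == "start"
        if want_run == self.running:
            return True                      # already in requested state
        since = t - self.last_change_t
        self.start_times = [s for s in self.start_times if t - s < 3600]
        reason = None
        if want_run and since < self.min_off_s:
            reason = f"min off time {self.min_off_s:.0f}s not elapsed"
        elif want_run and len(self.start_times) >= self.max_starts_per_hour:
            reason = "start budget for the hour exhausted"
        elif not want_run and since < self.min_run_s:
            reason = f"min run time {self.min_run_s:.0f}s not elapsed"
        if reason:
            self.rejected.append((t, cmd, reason))   # logged, not silently ignored
            return False
        self.running = want_run
        self.last_change_t = t
        self.changes += 1
        if want_run:
            self.start_times.append(t)
        return True


def replay(commands):
    """Feed a command sequence; return (accepted state changes, rejected audit entries)."""
    il = PumpInterlock()
    for t, cmd in commands:
        il.command(t, cmd)
    return il.changes, il.rejected


# Constructed sample: someone on the HMI hammering start/stop every 10 seconds.
HAMMERING = [(10 * i, "start" if i % 2 == 0 else "stop") for i in range(12)]
```

With the hammering sequence the pump changes state exactly once and every premature stop lands in the audit trail, which is the signal a monitoring team would want to alarm on.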

===============================================

There are still industrial control machines out there running MS-DOS.

As you said not replaced until you can't get parts anymore.
Chuck

Oh yeah.... just not too many of those MS-DOS machines have TCP stacks :slight_smile:

I still get calls to work on machines I designed in 1999. It's a real pain finding a computer that can run the programming software. A lot of the software was written for 386 or slower machines and used timing loops to control the RS-232 ports. Modern processors really screw that software up.

Having worked on plenty of industrial and other control systems I can
safely say security on the systems is generally very poor. The
vulnerabilities have existed for years but are just now getting
attention.

+1

Just for context, let me tell everyone about an operational characteristic
of one such system (sold by a Fortune 10 (almost Fortune 5 :wink:) company for
not a small amt. of $) that might be surprising; the hostname of the
server system cannot be longer than eight characters.

The software gets so many things so very very wrong I wonder how it is
there are not more exploits!

~JasonG

I can say from experience working on one rural sewage treatment plant
that IT security is not even in their consciousness. I have also seen
major medical software companies that have the same admin password on
all install sites and don't see a problem with it. Trying to explain
the consequence of this is almost impossible. It's very very scary.

Siemens, Honeywell... essentially all of the large named folks have
just horrendous security postures when it comes to any
facilities/scada-type systems. they all believe that their systems are
deployed on stand-alone networks, and that in the worst case there is
a firewall/vpn between their 'management' site and the actually
deployed system(s).

You think your SCADA network is "secure", what about your management
company's network? What about actual AAA for any of the changes made?
Can you patch the servers/software on-demand? or must you wait for the
vendor to supply you with the patch set?

folks running scada systems (this includes alarm systems for
buildings, or access systems! HVAC in larger complexes, etc) really,
really ought to start with RFC requirements that include strong
security measures, before outfitting a building you'll be in for
'years'.

-chris

If NSA had no signals information prior to the attack, this should be a wake up call for the industry.

Andrew

That's precisely the problem: it does appear to have been an easy attack.
(My thoughts are at https://www.cs.columbia.edu/~smb/blog/2011-11/2011-11-18.html)

    --Steve Bellovin, https://www.cs.columbia.edu/~smb
