Canada says hacktivists breached water and energy facilities:
The Canadian Centre for Cyber Security warned today that hacktivists have breached critical infrastructure systems multiple times across the country, allowing them to modify industrial controls that could have led to dangerous conditions.
The authorities issued the warning to raise awareness of the elevated malicious activity targeting internet-exposed Industrial Control Systems (ICS) and the need to adopt stronger security measures to block the attacks.
The alert shares three recent incidents in which so-called hacktivists tampered with critical systems at a water treatment facility, an oil & gas firm, and an agricultural facility, causing disruptions, false alarms, and a risk of dangerous conditions.
"One incident affected a water facility, tampering with water pressure values and resulting in degraded service for its community," describes the bulletin.
"Another involved a Canadian oil and gas company, where an Automated Tank Gauge (ATG) was manipulated, triggering false alarms."
"A third one involved a grain drying silo on a Canadian farm, where temperature and humidity levels were manipulated, resulting in potentially unsafe conditions if not caught on time."
The Canadian authorities believe that these attacks weren't planned and sophisticated, but rather opportunistic, aimed at causing a media stir, undermining trust in the country's authorities, and harming its reputation.
Sowing fear in societies and creating a sense of threat are primary goals for hacktivists, who are often joined by sophisticated APTs in this effort.
The U.S. government has repeatedly confirmed that foreign hacktivists have attempted to manipulate industrial system settings. Earlier this month, a Russian group called TwoNet was caught in the act against a decoy plant.
Although none of the recently targeted entities in Canada suffered catastrophic consequences, the attacks highlight the risk of poorly protected ICS components such as PLCs, SCADA systems, HMIs, and industrial IoTs.
(Score: 2, Insightful) by echostorm on Thursday November 06, @04:50PM (3 children)
you mean domestic terrorists
(Score: 3, Interesting) by HiThere on Thursday November 06, @07:02PM (2 children)
I think they want to avoid specifying the origin of the attacks. But "terrorist" sounds technically correct.
Javascript is what you use to allow unknown third parties to run software you have no idea about on your computer.
(Score: 3, Insightful) by Anonymous Coward on Friday November 07, @03:28AM (1 child)
It's a hopeless quest, but I sure wish that strong words could be saved for things that are truly serious. The actions described in tfa sound more like the work of "annoy-ists". When people start dying, then call them terrorists.
(Score: 2) by JoeMerchant on Friday November 07, @01:32PM
> I sure wish that strong words could be saved for things that are truly serious.
Me too.
People running systems like water and electric utilities computer support still do things like using trivial and widely known passwords as their only defense against high-speed global access to their systems, relying on the idea that nobody in the facility can even remember the address of the service so the password doesn't have to be strong...
"Agents of chaos" who demonstrate the weakness of important security measures without actually causing significant harm are, in my opinion, net good for society - the opposite of terrorists.
If a "hacktivist" breaches the power grid and starts causing endless 20 second rolling blackouts when they could have used that same access to take the system down for weeks, that's a net-good for society. At least it will get the password changed from "pass" to "newpass", and when the 20 second rolling blackouts return two days later because "newpass" wasn't good enough, maybe the sysops will finally demand a real dictionary attack safe password for the system and look into applying more significant security improvements.
Bonus points if the pattern of the rolling blackouts spells the IT manager's name on a map.
🌻🌻🌻🌻 [google.com]
(Score: 5, Insightful) by corey on Thursday November 06, @09:03PM (4 children)
> such as PLCs, SCADA systems, HMIs, and industrial IoTs.
None of which needs connected to the internet. There’s fences at these facilities to keep people out. Do the same for your network.
(Score: 0) by Anonymous Coward on Friday November 07, @01:02AM (2 children)
Makes me wonder what goes on. I don't expect industrial control people to be top IT experts, but you'd think (hope) maybe they'd check with an IT expert?
I've never put a PLC / SCADA system "online". If I did I'd go through some kind of strong authentication mechanism. At the least you'd have to remote desktop with a good password. And even then I don't see any reason to allow write privilege, meaning, you can monitor things but not make any changes. Changes should be made by on-site personnel. Certainly I'd require another layer of login to make changes remotely.
(Score: 4, Insightful) by jb on Friday November 07, @08:35AM (1 child)
There's nothing wrong with "remote" or "online" control systems, so long as they remain wholly self-contained.
If you are the operator (public or private) of a major water, gas or electricity network, you can easily afford to build real (not virtual) private WANs ... and in every jurisdiction I know of, those organisations already have the rights-of-way required to be able to do it completely in-house (since they need them anyway to run the pipes, or the poles & wires).
What's more, because you control the entire network, you're not bound by the many compromises that standards bodies have made over the last few decades. So, for example, if you're worried about physical taps, just deploy IPv6 the way it was originally meant to be, with a full mesh of IPsec in transport (not tunnel) mode. What's that you say? Legacy devices don't support v6? No problem at all. Just fill up their ethernet ports with epoxy resin, revert to good old RS485 for that string of devices and stick a gateway in front of it.
Problems only arise when stupid decisions (almost always driven by accountants, rather than engineers) lead to control systems being connected to the Internet instead (or in days gone by, to other public global networks like the X.25 cartel or even the PSTN).
(Score: 2) by JoeMerchant on Friday November 07, @01:49PM
> you can easily afford to build real (not virtual) private WANs
Just because they can doesn't mean they will say no when some fresh MBA points out how much they can save by outsourcing their networking needs to common carriers.
🌻🌻🌻🌻 [google.com]
(Score: 2) by JoeMerchant on Friday November 07, @01:38PM
> None of which needs connected to the internet.
Unless your staff has been cut to the point that the only guys that know how the system works are spread too thin on the ground and they need remote access because they're covering locations too geographically spread out to be physically on-site in time to fix things in a timely manner.
Time was: knowledgeable technicians were on-site with generation and other facilities 24-7, those days are long gone, because the seven figure salaried utility company execs needed to cut costs to give their share-holders more competitive ROI. Then the publicly regulated competitors had to do the same because they looked bad having so many technically competent (relatively highly paid) staff as compared to their private industry counterparts.
🌻🌻🌻🌻 [google.com]
(Score: 2) by Gaaark on Friday November 07, @03:07AM (1 child)
or just hire a guy to monitor these things non-remotely. Problem solved.
Why does EVERYTHING need to be hooked up to the Al Gore. Cereal?
--- Please remind me if I haven't been civil to you: I'm channeling MDC. I have always been here. ---Gaaark 2.0 --
(Score: 3, Funny) by JoeMerchant on Friday November 07, @01:53PM
> just hire a guy to monitor these things non-remotely. Problem solved.
Yeah, that's how they did it back in them days before they had telegraph lines out to the dam, but suggest that today? Boy howdy, we keent get them boys off welfare just to have 'em draw a salary from the power company, next thing ya know they'll be wantin' paid enough to buy them a new car and put their kids through school, and that's gonna drive up the price on my power bill by a whole 0.5%!!!
🌻🌻🌻🌻 [google.com]