Stories
Slash Boxes
Comments

SoylentNews is people

SoylentNews is powered by your submissions, so send in your scoop. Only 18 submissions in the queue.
posted by janrinok on Saturday March 23 2024, @12:42PM   Printer-friendly
from the weakest-link dept.

https://arstechnica.com/security/2024/03/critical-us-water-systems-face-disabling-cyberattacks-white-house-warns/

The Biden administration on Tuesday warned the nation's governors that drinking water and wastewater utilities in their states are facing "disabling cyberattacks" by hostile foreign nations that are targeting mission-critical plant operations.

"Disabling cyberattacks are striking water and wastewater systems throughout the United States," Jake Sullivan, assistant to the president for National Security Affairs, and Michael S. Regan, administrator of the Environmental Protection Agency, wrote in a letter. "These attacks have the potential to disrupt the critical lifeline of clean and safe drinking water, as well as impose significant costs on affected communities."

[...] The letter extended an invitation for secretaries of each state's governor to attend a meeting to discuss better securing the water sector's critical infrastructure. It also announced that the EPA is forming a Water Sector Cybersecurity Task Force to identify vulnerabilities in water systems. The virtual meeting will take place on Thursday.

"EPA and NSC take these threats very seriously and will continue to partner with state environmental, health, and homeland security leaders to address the pervasive and challenging risk of cyberattacks on water systems," Regan said in a separate statement.

Related stories on SoylentNews:
An Online Dump of Chinese Hacking Documents Offers a Rare Window Into Pervasive State Surveillance - 20240229
US Says China's Volt Typhoon Is Readying Destructive Attacks - 20240216
The Internet Enabled Mass Surveillance. A.I. Will Enable Mass Spying - 20231206
Teens With "Digital Bazookas" Are Winning the Ransomware War, Researcher Laments - 20231116
How China Gets Free Intel on Tech Companies' Vulnerabilities - 20230913
Microsoft Links Russia's Military to Cyberattacks in Poland and Ukraine - 20221113
U.S. Charges Four Russian Government Workers With Hacking Energy Sector - 20220327
Microsoft Warns of Destructive Disk Wiper Targeting Ukraine - 20220118
Breached Water Plant Employees Shared Same Password, No Firewall - 20210211
DOJ: Chinese Hackers Stole "Hundreds of Millions of Dollars" of Secrets - 20200722
Chinese Digital Spying is Becoming More Aggressive, Researchers Say - 20200326
Vietnam's Battalions of 'Cyber-Armies' Silencing Online Dissent - 20200117
A New Hardware Implant Shows How Easy It May be to Hide Malicious Chips - 20191013
Congress Mobilizes on Cyber Threats to Electric Grid - 20190715
How a Hacker Network Turned Stolen Press Releases into $100 Million - 20180826
U.S. State and Local Governments Receive Malware-Containing CDs Mailed from China - 20180731
Ukrainian DNC Hack-Author has Turned Himself in and is Cooperating with FBI - 20170816
FIN7 'Cyber-Mafia' Group Giving Heartburn to the U.S. Restaurant Industry - 20170528
Interview with Cybersecurity Expert Jeffrey Carr about Crowdstrike's Russian Hacking Claims - 20170417
Hacker Rigged Elections in Nine Latin American Countries - 20170308
Chinese Businessman Pleads Guilty to Conspiring to Hack US Defense Contractors - 20160326
China Hacks on US Continue, Facebook to Warn Users About Potential State-sponsored Attacks - 20151019
CIA Officers Pulled from China Because of OPM Breach - 20151002
North Korean Defector Warns that Hackers Could Kill - 20150530


Original Submission

 
This discussion was created by janrinok (52) for logged-in users only, but now has been archived. No new comments can be posted.
Display Options Threshold/Breakthrough Mark All as Read Mark All as Unread
The Fine Print: The following comments are owned by whoever posted them. We are not responsible for them in any way.
  • (Score: 3, Informative) by RS3 on Sunday March 24 2024, @04:39AM (2 children)

    by RS3 (6367) on Sunday March 24 2024, @04:39AM (#1350056)

    Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

    But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

    The touchscreen modules often run Windows CE- the "embedded" versions of Windows, which are really quite stripped down, can be bloated up with stuff if needed, including software with libraries and modules that "talk" to the PLC.

    There exist touchscreen modules that run on other OSes including Linux, and there's pretty strong Linux support for many PLCs.

    In most cases it's somewhere between ignorance and laziness where all the Ethernet ports are all connected to one network segment, which is usually connected to Internet (through router / gateway / firewall).

    As you might imagine, those touchscreen modules running Windows CE may want, or need, to connect to the Internet for many reasons. That doesn't mean they open any incoming service ports, but it shows how they could be vulnerable.

    And it comes down to pretty much the main reason we all have and deal with the far too many vulnerabilities: people love to add features and functionality, but deprioritize security, if they consider it at all.

    Remote monitoring and control of industrial processes is a very good useful thing. I think, at the very least, people should use a good VPN if they're going to use the Internet for remote monitoring.

    Starting Score:    1  point
    Moderation   +1  
       Informative=1, Total=1
    Extra 'Informative' Modifier   0  
    Karma-Bonus Modifier   +1  

    Total Score:   3  
  • (Score: 4, Informative) by canopic jug on Sunday March 24 2024, @06:09AM (1 child)

    by canopic jug (3949) Subscriber Badge on Sunday March 24 2024, @06:09AM (#1350072) Journal

    Most PLCs, certainly the many brands and models I've worked with, have no UI. They have various digital and analog electrical inputs and outputs, so various switches, indicators (lamps), meters, etc., can be connected. In many applications control by switches, knobs, lights, etc. is good enough.

    But in many cases you need a higher level UI. There are many touchscreen modules on the market which "talk" to a PLC through some kind of data connection, be it serial, including RS485, USB, DeviceNet, several other variations of serial ports, and of course Ethernet has become the mainstay. In fact many sensors and control devices, including motor controllers (sometimes called "drives") are being controlled through Ethernet.

    I've seen enough evidence, even though looking at it from the outside: The method for controlling water treatment systems which I saw demoed to me used RS485, if I recall correctly, but that was more than 20 years ago. The designer was under increasing management pressure at that time to connect the control systems to the Internet via Windows computers. That was something he refused to do and, as a consultant, was in a position to refuse. Times and situations change. People move on.

    Now components with M$ requirements [epa.gov] are called out by name and are apparently common if not pervasive. Industrial control is serious business (in both meanings) but connecting the industrial control systems to the Internet via infamously insecure products in an even more insecure way is making those serious people look like clowns.

    --
    Money is not free speech. Elections should not be auctions.
    • (Score: 3, Insightful) by RS3 on Sunday March 24 2024, @03:30PM

      by RS3 (6367) on Sunday March 24 2024, @03:30PM (#1350104)

      Yeah, at this point pretty much everyone who isn't super hands-on with details of technology thinks it's just the thing to do to connect everything to the Internet. TBF, subsystem / component designers usually include Internet connectivity in the feature / functionality brag list. Then they pass the buck saying it's someone else's job to secure everything.

      My most recent full-time job was at a small-ish food factory- maybe 200 employees. There was no IT person. They contracted out for IT services (total joke / waste of $). There were several very savvy people who did much IT work. One of the most awesome and smartest people I've ever met was many roles there, including he did much IT work. He had a degree in CS, but wore many hats well. The _only_ thing he was very wrong about: he and others had plugged all PLC / SCADA systems into a building-wide Ethernet. Many times he said the production machines (PLCs) were "air-gapped". Hmmm, then why could I run nmap and see most of the PLCs through WiFi? It's possible someone plugged in an Ethernet jumper between some of the Ethernet switches. Things weren't documented, were somewhat physically locked, and many years of learning the hard way taught me to just leave it alone, play dumb. Normally I'm wired for proactive action, but people always seem to have "reasons" for why I shouldn't touch things (in spite of me alone more than doubling the company's productivity) and I'm conflict-averse so again I've learned to back off and do other things.

      Much bigger-picture problem of non-existing management. IMHO, good management would identify all talents in everyone, and apportion things based on needs, prioritizing, efficiency, productivity, etc. IE, I had, by far, the most general IT / networking talent, but was relegated to other roles. If I had stayed there I would have done more to inventory everything, including Etherenet stuff, then present a comprehensive plan to give everyone a full SCADA system of the entire production.

      Yes, various forms of RS458 have been used for many control and monitoring systems for many many years. There have been many adaptations, including CAN bus [wikipedia.org]. RS485 is the basis for DMX512 which is used to control stage / show lighting systems, pyrotechnics, etc. For years Allen-Bradley (now owned by Rockwell Automation) PLCs used DeviceNet [wikipedia.org] which is based on CAN bus.

      Another angle, or cake layer, is that most people can only handle so much complexity. Most people I've met / worked with in the PLC world are quite intelligent, and dealing with much complexity in the PLC world, struggling to keep up with the ever-changing PLC platforms, and have no bandwidth to deal with increasing IT complexity. IE, IT generalists and IT security specialists are needed to work with PLC people. Of course big corporations can afford such staff, but tiny producers can't afford such staff. 3rd-party providers are very expensive, might do some things well, but maybe won't do a comprehensive design. Someone onsite might make some changes, then expensive contractor gets even more expensive trying to figure out what's happened (and I've seen this many many times). It all starts to get into costs and economics and management and business-speak BS. Meanwhile, as too often, IT and IT security gets ignored until there's a break-in and panic.

      Thanks for that interesting link, btw.