Friday, August 23, 2013
It's Only a Matter of Time
When reports come out about computer hacking, they tend to be about either espionage or a "denial of service" campaign by activists/radicals to take down some corporate miscreant.
So far no one has been causing our chemical plants to explode or taking down our electrical grid, not yet anyway. Perhaps hackers know they would be hunted down like dogs or hostile nations know it would be an act of war triggering uncontrollable consequences. But that doesn't mean it can't be done. A recent article in the I.T. section of the Brisbane Times warns that "Hacking is Way Too Easy."
Hacking power plants and chemical factories is easy. I learnt just how easy during a five-day workshop at Idaho National Labs last month.
Every month the US Department of Homeland Security trains the nation's asset owners – the people who run so-called Industrial Control Systems at your local wastewater plant, at the electrical power station down the road, or at the refinery in the state next door – to hack and attack their own systems.
The systems, called ICS in the trade, control stuff that moves around, from sewage to trains to oil. They're also alarmingly simple to break into.
ICS-CERT's monthly training sessions in Idaho Falls put 42 operators at a time into an offensive mindset. For the first three days in last June's workshop, we learnt basic hacking techniques: how to spot vulnerabilities, how to use exploits to breach a network, scan it, sniff traffic, analyse it, penetrate deeper into the bowels of the control network, and ultimately to bring down a mock chemical plant's operations. There was something ironic about Department of Homeland Security staff teaching us how to use Wireshark, an open-source packet analyser; Metasploit, a tool for executing exploit code; man-in-the-middle attacks; buffer overflow; and SQL-injection – all common hacking techniques – and then adding, only half-jokingly: "Don't try this on your hotel's Wi-Fi!"
If it's so easy, why has nobody crashed America's critical infrastructure yet? And why isn't the Defence Department doing more to protect the grid?
The questions only loomed large on the fourth day of the training – a 10-hour exercise. We split into two groups, a large blue team and a small red team. The blue team's task was to defend a fake chemical company, with a life-sized control network complete with large tanks and pumps that would run production batches, a real human-machine interface, a so-called "demilitarized zone", even simulated paperwork and a mock management with executives that didn't understand what was really happening on the factory floor – just like in real life. The red team's task was to breach the network and wreak havoc on the production process. By 5pm they got us: toxic chemicals spilled on the floor, panic spread in the control room. Good thing for us this was only an exercise, and the gushing liquid was just water.
Attacking such systems has become easier. Vulnerabilities are easier to spot. The search engine Shodan, dubbed the "Google for hackers", has made it easy to find turbines, breweries and large airconditioning systems that shouldn't be connected to the internet but are. One project at the Freie Universität Berlin has enriched the Shodan data and put them on a map. The rationale of this "war map", as project leader Volker Roth called it tongue-in-cheek, is visualising the threat landscape with coloured dots: yellow for building management systems, orange for monitoring systems and so on. The US eastern seaboard looks like a target on a paintball range after a busy shooting session.
So far attackers have lacked either the necessary skill, intelligence or malicious intention to use that map as a shooting range. That may be changing. Mounting sophisticated ICS attacks is more difficult than meets the eye but many countries as well as hackers are honing their skills. Some are also busy gathering intelligence; earlier this year, for example, the US Army Corps of Engineers' National Inventory of Dams was breached, possibly from China. And any political crisis may change an attacker's intention and rationale to strike by cyber attack.
The article is written by Thomas Rid, who is pursuing war studies at King's College, London.