Hackers Modify Water Treatment Parameters By Accident (softpedia.com)

An anonymous reader writes: Verizon's RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times. The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design, and the payments app contained an INI file with the administrative password for the central router, from where the hackers reached the water treatment SCADA equipment. Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.

24 of 139 comments

  1. And the worst of it? by wardrich86 · · Score: 5, Insightful

    If somebody had died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

    1. Re:And the worst of it? by Anonymous Coward · · Score: 2, Insightful

      I just don't get this. I feel bad putting the admin password in a file on our demo VM that runs on a local workstation.

      I can't imagine sleeping at night putting it on an actual system somewhere.

    2. Re:And the worst of it? by Pascoea · · Score: 4, Funny

      Come on. Give them a little credit, it was an INI file, not a TXT file. They probably even named it this_isnt_the_network_password.ini

    3. Re:And the worst of it? by tnk1 · · Score: 5, Insightful

      > If somebody had died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

      They both should get in deep shit for it. Yes, the asshole who left the admin password in a text file should get fired.

      However, you should be able to leave an admin password posted on a banner on a 24 hr news station and a good person wouldn't use the password to get in and fuck with a water treatment plant. That's like saying that anyone who leaves their door unlocked deserves to have their house broken into and accidentally burned down while people are trying to steal shit.

      So, yeah, both the hackers and the admin should be dealt with severely. This isn't an either/or situation.

    4. Re:And the worst of it? by Ungrounded+Lightning · · Score: 3, Insightful

      > ... you could open the valves to their greatest extent without jumping the chlorine content up from the usual part-per-million to more than a couple of parts per million...that is, still way less chlorine than your average municipal pool needs to combat all those filthy kids.

      But what if the bad guys CLOSE the valves? Then live pathogens go straight from the water source into the no-longer-purified water supply. Several million customers are exposed. Many are sickened. Some take permanent damage. Some die. Even after the issue is fixed the whole water system needs decontamination. And the whole set of cities fed by the plant are disrupted (which is what they're really after).

      It gets even nastier if the bad guys up the ante by dumping a bit of some particularly virulent bugs upstream of the intakes, during the period where they won't be killed off by the shut-down disinfectant injection.

      They use chlorine because it's a heck of a lot less damaging to people than the things it is used to kill off.

      --
      Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way.

    5. Re:And the worst of it? by NatasRevol · · Score: 2

      Management very rarely properly estimates damage assessments from IT.

      --
      There are two types of people in the world: Those who crave closure

    6. Re:And the worst of it? by phantomfive · · Score: 3, Informative

      They had their water treatment plant connected to the internet. That's like putting a banner with the root password, plus leaving the door open with a sign that says, "PLEASE COME IN."

      The incompetence here went very deep. If only the NSA were doing something useful like trying to defend this stuff against foreign hostile hackers, instead of trying to spy on citizens.

      --
      "First they came for the slanderers and i said nothing."

    7. Re:And the worst of it? by flopsquad · · Score: 2

      Um. Can I give you "-1: I Don't Want Anybody to See This" ?

      --
      Nothing posted to /. has ever been legal advice, including this.

    8. Re:And the worst of it? by Monoman · · Score: 2

      Or if the IT guy/department protested but was told to "do it anyway". Get that stuff in writing folks!

      --
      Keep the Classic Slashdot.

  2. I disagree by liqu1d · · Score: 4, Funny

    I got rather sick when I read that the admin password was in the ini file.

    1. Re:I disagree by MobyDisk · · Score: 4, Funny

      Yeah, they should have put the admin password in an XML file!

    2. Re:I disagree by tnk1 · · Score: 2

      XML is so 2000's. We put our admin passwords and SQL connection strings in JSON configuration files now.

      This. You pretty much need to ensure that your hosts are not able to be accessed because there's still the stupid plain text or MD5 hashed password in an unencrypted text file somewhere in order to connect your app to your database.

      Not that encryption would matter. If someone breaks into a host that has a public key for a database server, then someone can use that same public key for access to the database server as long as they were doing it from the host that they just broke into. Actually securing connections where access is done automatically really requires a lot of thought and not just one encrypted file somewhere.
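
The thread's point that credentials end up in INI, XML or JSON files somewhere on the host can be turned into a check. The scanner below is an added example, not code from the thread or from Verizon's report; the key-name patterns and the two sample config documents are constructed assumptions.

```python
import configparser
import json
import re
from typing import Any, List, Tuple

# Heuristic: key names that usually hold a credential (assumed list, tune per environment).
SECRET_KEY_RE = re.compile(r"(pass(word|wd)?|secret|token|api[_-]?key)", re.I)
# Connection strings that embed the password inline, e.g. "...;Password=hunter2;".
CONN_STR_RE = re.compile(r"(password|pwd)\s*=\s*[^;]+", re.I)


def findings_from_ini(text: str) -> List[Tuple[str, str]]:
    """Return (section.key, value) pairs in an INI document that look like secrets."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(text)
    hits = []
    for section in cp.sections():
        for key, value in cp.items(section):
            if SECRET_KEY_RE.search(key) or CONN_STR_RE.search(value):
                hits.append((f"{section}.{key}", value))
    return hits


def _walk_json(obj: Any, path: str) -> List[Tuple[str, str]]:
    """Recursively collect secret-looking string leaves, keyed by dotted path."""
    hits = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            hits.extend(_walk_json(v, f"{path}.{k}" if path else k))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            hits.extend(_walk_json(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        leaf = path.rsplit(".", 1)[-1]  # the leaf's own key name
        if SECRET_KEY_RE.search(leaf) or CONN_STR_RE.search(obj):
            hits.append((path, obj))
    return hits


def findings_from_json(text: str) -> List[Tuple[str, str]]:
    """Parse a JSON document and return the secret-looking entries in it."""
    return _walk_json(json.loads(text), "")


# Constructed samples in the spirit of the thread (not the real files from the breach).
SAMPLE_INI = "[router]\nhost = 10.0.0.1\nadmin_password = hunter2\n\n[database]\nconn = Server=db;Database=pay;User=app;Password=s3cret;\n"
SAMPLE_JSON = '{"db": {"connectionString": "Server=db;Pwd=abc;", "user": "app"}, "api": {"apiKey": "k"}}'

if __name__ == "__main__":
    for where, val in findings_from_ini(SAMPLE_INI) + findings_from_json(SAMPLE_JSON):
        print(f"plaintext credential at {where}: {val!r}")
```

Run it over a deployment's config directory and any hit is something that belongs in a secrets store or an OS-protected credential file rather than in the application's own config.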

    3. Re:I disagree by dcooper_db9 · · Score: 2

      Put it in a readme file. Nobody would ever find it there.

      --
      I do not block ads. I do block third party scripts.

  3. "Nobody got poisoned or sick in the end." by jeffb+(2.718) · · Score: 4, Insightful

    Problem is, this is a lot more "just the beginning" than "in the end".

    How many such systems do you suppose have been penetrated by folks who do know what they're doing, and are just sitting on their access until the next political party convention, or major sporting event, or...?

  4. sounds like classic industrial control networks by dot_bull · · Score: 3, Interesting

    I've rarely seen a classic "control system" (HVAC, security, wet and dry lab systems, anything with modems and 9600kbps transmission, ANSI screens, etc.) be configured in anything BUT 1980's architecture. These industrial control systems are so old and embedded no one has the money or incentive to remove them and install modern tech. And most of them are archaic, and so incredibly vulnerable it can make a person lose sleep. Think yet another "tip of the iceberg" moment. Think water control, sewage control, electrical control, alarms control, traffic light control. NOT ALL, but the majority are hopelessly insecure and controlled by people who use FAX machines. Anything installed before 2000 or so (the majority) is childlike in design and harbors absolutely no notion of security.

  5. Holy crap ... by gstoddart · · Score: 4, Insightful

    > and the payments app contained an INI file with the administrative password for the central router

    You know, every time I have encountered anything this moronic I've raised bloody hell over it.

    Why the hell would a fscking payment app need the administrative password for the damned router, and what idiot allowed this on their network? On at least three occasions I've said "no way in hell I'm going to put a plaintext password into an INI file, and if you want me to do it you're going to have to send me an email and CC a lot of other people demanding it". (Reading TFA, it wasn't the actual payment app, but they got it off a web server they compromised which had it in an INI file, so bad job in the summary).

    I swear, security is often either non-existent or written by idiots.

    And that's before you even get to the epic stupidity of having your SCADA stuff connected to your normal network. I've been in places that had SCADA stuff, and NOTHING was on that network which wasn't fully vetted.

    This whole article reads like "what happens when unqualified people run critical systems" -- right down to the fact that they also had access to "2.5 million customer and financial records".

    I'd like to say I'm astonished, but that would imply that I keep being surprised at just how bad companies suck at fairly basic security.

    --
    Lost at C:>. Found at C.

    1. Re: Holy crap ... by bill_mcgonigle · · Score: 2

      >Why the hell would a fscking payment app need the administrative password for the damned router,

      It's such a pain to have different passwords for everything.

      --
      My God, it's Full of Source!
      OUTSIDE_IP=$(dig +short my.ip @outsideip.net)

  6. Airgap by Moof123 · · Score: 4, Insightful

    Equipment of this sort should be air gapped from the wild wild west of the internet. Frankly anything that is safety related (hospital equipment, elevators, and even HVAC systems) should be unreachable without badging into a building. While there are still ways to propagate things in via USB stick, it would keep clowns from pulling this kind of stuff.

    1. Re:Airgap by rbrander · · Score: 2

      Bingo. Air gap AND the machines that are on that network should have the USB ports filled with epoxy. When updates are needed, the vendor plugs in a special laptop for the purpose.
      It's extremely useful for SCADA to use Wi-Fi, of course; nothing beats being able to haul a tablet right down under the floor where you've just unstuck a valve and then cycle the valve without running up to the console.
      But the Wi-Fi of course needs to be locked down to a specific set of MAC addresses, not just with passwords. SCADA has to have a whole different approach to security than general-purpose computing. Big and distributed as it is, the SCADA system has to be an appliance, like a Blu-Ray player, only able to run the system programs and no others. But all the OS-level protection against that doesn't touch Air Gap; no-connectivity has to be sacred no matter how tempting.

    2. Re:Airgap by lgw · · Score: 2

      > the SCADA system has to be an appliance, like a Blu-Ray player, only able to run the system programs and no others

      Did you know BluRay players will execute arbitrary Java code off of BluRay discs, as part of normal operation? I'm hoping you didn't. BluRay is specifically designed to allow a disc to damage the function of the device (by invalidating keys needed to play other discs).

      --
      Socialism: a lie told by totalitarians and believed by fools.

  7. All the security stuff is off-topic by rbrander · · Score: 2

    There's only one security that counts with a SCADA system: air gap. Plant-controlling systems must not talk to any other network.
    I recently retired from a much-larger utility and we did struggle with the human factor. The plant guys heard all the lectures from their design consultants that put in the system and the IT people who checked the design over. They understand that they must not interconnect. ...and then a year or two later you find them trying to quietly slip two network cards into the same machine so they don't have to change chairs to go from corporate-network-with-Internet-access to SCADA.
    Emotionally, it's hard to believe anybody would *want* to break in; it's not like there's money to be made. Hollywood-movie scenarios where "hackers take over" are ludicrous; every device in the plant has an "On/Off/Auto" switch where only "Auto" leaves SCADA in control at all; the most junior operator could run around the plant hitting those switches in five minutes, restoring manual control. (Then we'd have to bring in a dozen folks with cell phones to run the plant manually; no sweat).
    And as I posted above, it's not like you can kill anybody with a water treatment plant: the worst water you could put out would either be untreated (please boil water) or absolute max chlorine the system could insert (still less than a swimming pool).
    It's going to be the same as "safety"; you can pound safety lectures into people's heads all day, but it seems to take a generation or two for the message to really sink in; hard hats and visibility vests were strenuously avoided as well. We're just going to have to make it a standard, like safety standards: firing for disobedience, regardless of whether anything went wrong.

    1. Re:All the security stuff is off-topic by thegarbz · · Score: 2

      > There's only one security that counts with a SCADA system: air gap. Plant-controlling systems must not talk to any other network.

      And you instantly fail all sorts of control, maintenance, reliability analysis, regulatory requirements for data, optimisation, etc. tasks as a result.
      Admittedly a water treatment plant is simple and probably should get away with air-gaps, but the words air-gap are the first words that everyone utters when they talk about control systems. This causes two problems.

      1. Air-gaps need to be breached to enable a whole world of optimisation and value improving abilities in control systems these days. An air-gapped plant will be a plant shutdown for financial reasons permanently, though not by hackers.

      2. well I'll quote you for number 2:

      > and then a year or two later you find them trying to quietly slip two network cards into the same machine

      To quote the Goldblum, "Life finds a way". There is far better security in designing a system with a well thought through network configuration that offers the complete set of capabilities a plant requires than to assume someone incompetent in network security will not figure out a way to do what they want to do.

      It reminds me of a question I had from a plant in Australia where they discovered an operator had plugged a 3G modem into the control system and was watching youtube on panel. They asked how I would train the operators not to do that. My answer was: "Our operators don't do that not because of some training but because we gave them a computer to surf the internet on and watch youtube videos without leaving the board." Don't cut them off and they won't try bypassing things.

      Air-gaps are a dangerous form of security. It's security by network engineer, not security as a culture.

  8. Your hands were on the wheel. by westlake · · Score: 2

    > If somebody had died or gotten sick, the hacking party would be the ones to get in shit, not the asshat that put the admin password in a text file...

    The rules are no different than if you and your gang of adolescent thrill seekers climbed over the fence or found an unlocked gate and began flipping exposed switches or opening valves just for the hell of it.

  9. Re:cleartext passwords by NatasRevol · · Score: 3, Interesting

    4) IT management rarely has any understanding of risks associated with IT designs/constraints. Even when explained to them.

    --
    There are two types of people in the world: Those who crave closure