Sunday, November 20, 2011

Hacked Water System: Disclose or Not

It has been interesting seeing the reporting this weekend on the disclosure by Joe Weiss (I originally attributed it to Nancy Bartels because her name was on the original post) that an Illinois water system had been hacked. There has been a little new information released:

• The system hacked belonged to the Curran-Gardner Township Public Water District;

• The hack was discovered during a diagnostic check of system communications logs;

• It was apparently a pump that sucked water out of the ground that was damaged; and

• There was a completely separate ‘hack’ of the South Houston water system control network.

There has still been no public discussion of what control system was involved, what kind of security measures were in place (it was a small water system, so there probably wasn’t much in the way of security in place) or what other systems might be at risk because of credentials stolen from the vendor.


There has been very little discussion in the mainstream press about whether or not the FBI and DHS (both are investigating this incident) should be sharing more information with the public or control system community about this. The discussion has generally been an obligatory quote from Joe Weiss and an official FBI comment that the case is under investigation.

The law enforcement types are reacting true to form. They are doing their investigation and they generally don’t want to discuss ongoing investigations. It certainly makes it easier for them to make a prosecutable case against the perpetrators if they don’t make public the facts in the case during the investigation. This is good police procedure, but not necessarily good public policy.

The discussion in the ICS security community has been a little more robust, but it has generally followed the lines of the discussion of ‘responsible disclosure’ of vulnerabilities. That has been a long running debate about the pros and cons of security researchers working with vendors to correct identified vulnerabilities before publicly releasing the news of the existence of the vulnerability.

There are some interesting and valuable arguments on both sides of that debate. From an outsider’s perspective (I have never been and will probably never be a vendor or security researcher) it generally seems to come down to the experience the individual researcher has had working with vendors on solving the identified problems; good experience equals pro-RD, bad experience equals anti-RD.

Attack vs Vulnerability

The problem with the ‘disclosure’ debate in the cyber security community is that it misses an important point in this instance. We are no longer just talking about a system vulnerability; we are talking about an actual cyber-physical attack, just the second known instance in the world (Stuxnet being the first) and the first against a target in the United States. This takes the discussion to the political level in a way that vulnerabilities never did.

In all of the Congressional and DHS discussion to date the vast bulk of the debate about cybersecurity has centered around data security and protection of personal information. As I have noted in discussion of bill after cyber security bill there has been nothing beyond perfunctory mention of industrial control system security in any of the bills. Even where we have existing cyber security regulations governing critical infrastructure (See RBPS #8 in the CFATS Risk-Based Performance Standards guidance document) the rules clearly address IT security not ICS security.

The reason is clear: IT has been attacked, so it must be protected; ICS is too difficult to attack, so we won’t worry about it. Stuxnet didn’t do much to change that thinking (no matter how many politicians said that it was a ‘game changer’) because the attack has always been attributed to a nation-state. And no one was going to risk going to war with the US by executing a cyber-attack upon our critical infrastructure.

From the reporting to date (mainly from what Joe Weiss is not saying) this does not appear to be a super-sophisticated attack that would require the resources of a nation-state to execute. It seems likely that this is a relatively simple attack utilizing any one of a number of publicly-disclosed common vulnerabilities in any number of different SCADA systems. Add to that the apparent theft of access credentials (user names and passwords have reportedly been involved) and you have an attack that could be duplicated in any number of systems supplied by that vendor.

Informed Defense

That is the rub; an undisclosed number of other facilities, and not just water treatment facilities, that may be at risk from an attack from the same source. Disclosing the details of this attack will not make it any more likely that the same attacker will (or won’t) repeat the attack with more serious consequences than a damaged water pump at some other facility(ies).

Informing all of the users of systems similar to that used by the Illinois water system of their potential vulnerability to this type of attack is an immediate concern. While enough may not yet be known to correct the specific vulnerability, system administrators (or more likely their consultants) can institute a program of closely monitoring system logs for signs of external communications as a method of early detection of an attack. That would seem to be the simplest and cheapest defensive measure that could immediately be put into place for most systems. Sharing the specific indicators that were used to discover the Illinois hack would be a good first step in allowing that effort to move forward.
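As an added illustration of the log-monitoring measure suggested above (example code written for this post, not anything from the Illinois utility or its vendor), the script below reads connection-log lines in a constructed format, treats the plant’s own address range and a hypothetical integrator support range as expected, and flags every accepted session that touches any other host. The log lines, the address ranges and the port numbers are all constructed for the example.

```python
import ipaddress
import re

# Constructed sample lines in a hypothetical firewall/connection-log format;
# they are not records from the Illinois incident.
SAMPLE_LOG = """\
2011-11-01 02:14:07 ACCEPT src=10.0.5.31 dst=10.0.5.20 dport=502 proto=tcp
2011-11-01 02:15:22 ACCEPT src=203.0.113.45 dst=10.0.5.20 dport=3389 proto=tcp
2011-11-01 02:16:40 ACCEPT src=10.0.5.20 dst=198.51.100.9 dport=443 proto=tcp
2011-11-01 02:17:03 ACCEPT src=192.0.2.77 dst=10.0.5.20 dport=502 proto=tcp
2011-11-01 02:18:11 DROP src=192.0.2.77 dst=10.0.5.21 dport=22 proto=tcp
"""

# Hypothetical plant control-network range and integrator support range.
# Anything outside both is "external" and worth a look.
INTERNAL = [ipaddress.ip_network("10.0.5.0/24")]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]

LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) proto=(?P<proto>\w+)$"
)

def is_external(addr):
    """True when an address is neither on the plant network nor on the allowlist."""
    ip = ipaddress.ip_address(addr)
    return not any(ip in net for net in INTERNAL + ALLOWLIST)

def find_external_sessions(log_text):
    """Return (timestamp, src, dst, dport) for accepted sessions with an external peer."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real deployment should count these too
        rec = m.groupdict()
        if rec["action"] != "ACCEPT":
            continue  # dropped traffic was already blocked; accepted sessions matter
        if is_external(rec["src"]) or is_external(rec["dst"]):
            findings.append((rec["ts"], rec["src"], rec["dst"], int(rec["dport"])))
    return findings

if __name__ == "__main__":
    for ts, src, dst, dport in find_external_sessions(SAMPLE_LOG):
        print(f"{ts} external session {src} -> {dst}:{dport}")
```

Run daily over the previous day’s logs, a non-empty result is the early-warning signal the text describes; the allowlist is where the vendor’s known support addresses go once they are confirmed.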

Don’t Let Them Know You Hurt

The counter argument has been made that telling people about the details of the attack lets the attacker know too much about how successful his attack has been and could allow him (yes, dear, it could have been a woman who was responsible for this attack) to adjust his attack to improve its effectiveness the next go round. This is the old ‘don’t let ’em know you’re hurt’ speech given by just about every coach around the world.

I would be very surprised if that was the case here. If this was the worst-case scenario (I’ll describe that below), then the attacker had watchers in place to determine the effect and response to the attack. Even if this was just a case of criminal mischief (and that is possible) the attacker probably would have been sophisticated enough to monitor the pump speed and then note that it did not start up when told to do so. That would have been sufficient notification of the success of the hack. In either case, not making notifications to potentially affected parties protects nothing except the attacker’s ability to do this somewhere else with a high probability of success.

Worst Case

I’ll call this the Richard Clarke Scenario (cyber security aficionados will be able to figure out the reference). A foreign power is planning on executing a force of arms action somewhere else in the world, somewhere we might be expected to respond effectively. To prevent us interfering with their foreign policy action they stage a cyber-attack on an important piece of critical infrastructure and via back-channels warn the President that interfering with their actions will result in a wholesale attack on that type of CI asset around the US.

To make that type of scenario plausible, one would want to try out the cyber weapon against a small, unimportant target. The effectiveness of the trial attack would not be gauged by the public response in the press, but rather by watching to see if the attack was physically successful and how fast the response mitigated the damage. And a serious attacker would want to have people on the ground to watch for that information.

Do I think this is what is happening? No, I really don’t. First, the United States has made clear that it considers a cyber-attack on critical infrastructure to be the same as a physical military attack on the United States. Second, any American President that acquiesced to that kind of blackmail would be impeached by acclamation. Finally, remember Stuxnet? Most of the world thinks that we were responsible for that, no matter how much we claim otherwise. Would you want to risk Stuxnet-like retaliation? I think not.

Political Issue

In the end I think that this whole thing is a political issue. If the politicians at DHS or the FBI declare this to be a hack/attack, then they will have to declare it a foreign state attack (now considered to be equivalent to a military attack under the Obama doctrine) or a terrorist attack (with all of the frenzy-spending that would entail). There is another alternative that they might want to consider: call it a precursor to an extortion plot or call it interfering with a water treatment system and leave the reaction to the law enforcement types.
In the meantime, let everyone with a SCADA system from the same vendor in on the necessary details so that they can protect themselves from a similar attack. Either that or come up with a way for the Federal government to protect them; and that’s just not going to happen.

1 comment:

Dan said...

FBI and DHS are now saying it wasn't hacked.
