There’s nothing in this article indicating the operator has a recovery plan in place involving restoring backups to get these systems online. Seems grossly negligent on their behalf, and made almost satiric by the fact that FireEye can be mentioned without reference to their own massive security lapses.
Too much focus always on the “hackers” and never the obvious security lapses solved by diverting executive pay to more bodies and training to cover them, but oh well right?
You think FireEye had massive security lapses because they reported they were hacked. Everyone else was also hacked and FireEye was the only one that figured it out and blew the whole thing wide open. Now if the best incident responders in the world can’t always prevent malicious activity on their network, how is an oil company going to do that? Or utilities, transporters, hospitals, defense contractors, or universities? The truth is everything is vulnerable, and what you think is the stability and security of all the other organizations you don’t hear about getting hacked, is just the current set of hackers working hard to be discreet. I think if war were to break out with certain other nations we’d find out in a hurry how much our infrastructure has already been compromised.
IT is typically grossly understaffed and underfunded in these businesses. At the site-level, you'll see some very out of date tech running critical systems. IT is a cost-center to be reduced as much as possible, oversight is non-existent.
It's difficult to chastise a country that misses the forest for the trees, when that country has spent sixty years fomenting a culture of blind consumption and wilful ignorance of anything STEM. Instead of a flourishing culture of hacking and computing, the United States through DMCA and law relegated the notion to comic books and Hollywood fiction. Most of the public war drumming for 'hacking' (if it could be said to exist at all in 2021) is a thinly veiled surrogate of consumerism.
What reason would we have to blame the company for poor security hygiene? What possible outcome could we hope for when in 2021 nearly every SolarWinds customer renewed their license after the hack?
The reason the country has spent so much time on “STEM” is not that there is a labor shortage but that salaries of “STEM” people are too high and business owners need more people not to fill shortages but to overflow the system such that salaries go down significantly.
There is no shortage of labor for jobs paying high 6-figures … :-)
The problem is our government. There is no shortage of STEM graduates -- we have the best and brightest. Our government has failed to set the right incentives for the private market to innovate on critical infrastructure... so naturally the smartest STEM grads end up building Netflix or Facebook.
I'm here to bring a message from the future: they did have usable backups, according to a news article published just a few days after this one:[0]
> Once they received the payment, the hackers provided the operator with a decrypting tool to restore its disabled computer network. The tool was so slow that the company continued using its own backups to help restore the system, one of the people familiar with the company’s efforts said.
It's hard to get the full story from a single article, and larger publications like the Washington Post tend to focus on the most recent statements from federal agencies and corporations rather than details that you and I find more interesting. Sometimes I wish that newspapers would do more of a synopsis of news stories a month or so after the fact to give more context and "lessons learned" or "what impact has this had?". I would prefer that much more to the "breaking news" approach.
Executives are rewarded extremely handsomely for short-term returns. Even if the company goes under, they've long ago accumulated enough wealth to live out their lives fabulously. The incentives to invest in security are weak.
In a twisted sort of way I am happy to see these types of ransomware attacks making headlines. Before it was much harder to quantify how much a breach might cost, but with ransomware you get a fuzzy lower bound. Also the prevalence of these attacks might actually make us all safer in the long run.
This is interesting. Ransomware authors may be protecting their targets against destructive attacks since this would reduce their profits. In the same way that botnets attempt to protect their host from being infected by competing malware.
Agreed. It also tells us where bug bounty rewards should be in value. As the structure of bug bounty programs are completely wrong and the rewards are undervalued.
The market is literally saying they are undervalued.
The flogging will continue until bug bounties improve.
I think I understand your POV and can see why one might find some peace in it, but I don't. More crime, or I suppose more news about it, so we know how much crime costs? More attacks make us safer? It's an ends-justify-the-means argument, but it doesn't hold water.
I infer your point to be that more attacks might cause the victims to step up their defenses. It's a cat and mouse game. Always has been in all realms.
"It'll get worse before it gets better." I've been hearing that for decades. I'm starting to wonder, due to what appears to be a decline in civility. Following the rules only works if we all do. Those who eschew the rules have an obvious advantage.
Where has integrity gone? We are tearing ourselves apart and justifying it ... or coming to terms with it I suppose, by saying it'll be better some day.
Well... when... exactly? By what measure will we know?
I know Stephen Pinker, Hans Rosling, and various folks say it's the best time to be a human. Okay. Sure. I see the math. I'd like to see them update their charts for data out over the past year.
But ... anecdotally, none of that math seems to percolate down to my community. The people around me are in constant fear. I just saw a woman walking down the road, all by herself, I had clear vision for a mile and so no one else but her... and she was wearing a mask.
She was afraid. She was anxious. Regardless of the relative safety that exists today, or the belief that it'll be safer tomorrow because of the lack of said safety, the people around me aren't feeling it.
They're buying guns because red people are coming for them... or the blue people already are. Or the government will. There is literally no milk at the store because of an HDPE shortage prompting the grocer to put a Force Majeure notice on the dairy fridge door.
Trust has broken down. Fear of our own neighbors is up. Crime is up. Poverty is up. Suicide is up. Cyber crime is up. Inflation is up. The Gini coefficient is up.
I really have trouble believing that making it worse real fast, or even reporting more of it, is going to make it better.
Trust and integrity are irrelevant when it comes to professional cyber criminals who likely live in another country. Continually escalating cyber attacks are our new reality. There is no possible way to prevent the attackers from trying. Thus the only option is to harden our systems.
I expect after a few major crises involving mass casualties or major economic losses the federal government will mandate that private industry completely disconnect certain critical infrastructure control systems from the public Internet. Basically the same approach used by SIPRNet.
Letters of marque for the nation-state actors. Bounty hunters for the criminals. There's a lot of options. I suspect using the financial systems to stop bad guys is probably going to miss the mark and produce emergent unintended consequences.
While you’re probably right on the zeitgeist aspect of this, I think you’re missing the practical aspects of what OP is talking about. We have major vulnerabilities to key infrastructure components. Publicly exposing these helps harden them. Yes 9-11 added a ton of security theater and fear, but it also resulted in armored doors on airplane cockpits. I’d like to see the armored door of the energy infrastructure implemented.
That's not the society I want. I don't want stronger doors everywhere. Tougher locks everywhere. Onerous security everywhere.
I prefer a society where passengers are free to chit chat with the pilots when they aren't busy. Where children who might be interested in being a pilot can see a cockpit in the air and how it's done.
I remember reading about the history of security in ancient Rome. The lengths to which normal citizens had to go to protect their homes. I don't want that. No one wants that. No one wanted that then either.
It's a distraction from productivity. It's a constant worry factor that consumes brain waves that could be spent making all our lives better.
Instead, we have to divert our attention to those who want to make it worse.
Do I want security cameras/metal detectors/metal doors and other <s>police state</s> security measures everywhere? No.
Do I want to have all that in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure - yes.
If that means employees there would need to spend more time on annoying security checks (additional password prompts, 2FA, metal detectors, etc.) - sure, I did all of that when working for one of the British banks, mildly annoying but feasible. If that means more taxes - I'm ready to pay.
One can't just tell Russians/Chinese/Iranians "we have an open and free society so please don't hack into our electric grid" and expect it to work.
Those things already exist in electrical plants/pipelines/nuclear reactors and other objects of critical infrastructure. Eliminating the ability of people to casually enter and access/alter/destroy this infrastructure isn't the issue.
And yeah... we exactly can say that. We do it all the time. We almost blew up the world because Russia sent some missiles to Cuba.
There's no reason the digital war can't have physical repercussions. If a foreign nation invades our digital properties, we drop a bomb on their electric plant.
While I wholeheartedly agree with what you're saying for the physical world, the digital world is completely different. In the physical world, the scope of any action is inherently localized. But with digital systems it takes just one person out of seven billion (or even just the right software bug) to create a global scale problem. The Internet is best treated as a source of malicious noise.
Let's see if 15+ years of security people getting after critical infrastructure asset owners like this has made any difference. At least they detected something and shut it down to control the response. They also know the costs to repair and replace things. I don't suspect the pipeline uses a federation of heterogeneous systems to operate its SCADA actuators, so I would speculate it is likely a single firmware vulnerability facilitating it.
The global chip shortage for replacement parts if they are needed seems like a strategic coincidence. Definitely an evolving story.
I work in the control systems OT space. A lot of distributed control systems and SCADA systems interface with the business layer in some fashion to provide access to time series and event data and to allow for alerts via email/mobile. Some people do this properly with good network segmentation, firewalls, A/V and patching, etc. (there are several standards that dictate best practice). That said, even when doing it properly you're introducing attack vectors. I don't think it would be a firmware vulnerability, but instead something malicious affecting the computers they use to control the process.
The reason I'm going for firmware is that while the HMIs could have had a SolarWinds-style exposure, that's just any generically wormable OS vulnerability, and not something that should cause a physical shutdown.
To shut down a pipeline, it's not a management console issue, hence why I'd speculate it's in the ICS devices themselves, which probably use uClinux toolchains on SoCs from one or two large vendors. I did some smart meter and ICS security work in the 00's, and there were a few vendors who would be strategic targets. The attack tools available now are unbelievably better, while the attack surface is pretty much the same due to the long lifecycles of ICS components, and considering today we've got cheap SDRs and GNU Radio blocks for most wireless protocols, AVR tools, Bus Pirate and the GoodFET/GreatFET, Ghidra/IDA, and Python for reverse engineering, the vulnerability research on this stuff moves way faster than the industry's ability to respond.
If this is a serious attack, the only way to respond will be, if they are very lucky, that it's a worm and they can stand up a honeynet with spare gear to catch a sample, and any good infosec firm can pull it apart. But if it's an active APT group, there's probably a political solution, as given what's possible, this would seem to be just a shot over the bow.
I get what you're saying and that could very well be the case, but I think the 'pipeline' as a whole requires a lot of handshaking between the different stations. They would not be able to do this without their supervisory control layer (or at least it would be particularly difficult). That alone could have caused them to shut it down.
Additionally, if there was a whiff of malicious software or unintended access I would imagine they would want to make sure it didn't get into other systems. That would involve isolating and possibly shutting down machines and equipment.
I guess we'll see when they release more information. I would imagine that we'll get more details since this is critical infrastructure.
If the management console has a button or controls that would allow the person sitting at the management console to shut down the pipeline, which systems usually do have (an emergency stop button in case there is an accident), then all you need is access to the management console to write one bit to the controller that says “operator pressed estop”.
No need for firmware vulnerabilities in VxWorks when there are internet-connected Windows PCs.
Peer-to-peer threats from a world power perspective seem to be less bullets and more code. Any cyber warfare would just end in both parties destroying critical infrastructure until there's none left. War of attrition, skipping completely past the military and affecting the civilian population directly.
> but instead something malicious affecting the computers they use to control the process.
I bet there is a layer of Windows XP machines involved in a legacy control system. XP machines that weren't supposed to connect to the internet somehow have malware on them. It doesn't even have to do anything. Simply the detection of anything in such circumstances is enough to warrant them being shut down.
Totally agree, see it all the time. I even know of a few NT systems floating around out there. At least most companies are getting their IT involved to mitigate (usually they work with the vendor because they know nothing about control systems). They usually provide funding to the automation groups. People are starting to take it seriously.
Why wouldn't you use a unidirectional connection for time series and event data? I understand why you might want to send things out to the rest of the world, I can't fathom why you wouldn't require physical access to have write access.
Some time series data interfaces only work with tcp comms, which means you can’t always rely on unidirectional networks. I agree you should use them where possible though.
I replied to a comment on a dupe post regarding PAT, in which analysis is done on process data and fed back into the process to increase efficiency or yield. Obviously there are varying levels of criticality where the risk vs the business reward might not be worth it though.
Genuine question (that I've been seriously wondering about for a long time): how do you implement validated attestation that a piece of log data has reached nonvolatile storage, triggered appropriate alarms, and that those alarm events have been acknowledged, while using a data diode type setup?
I've said it a thousand times, all the security in the world will not defend a SCADA system if someone left TeamViewer running somewhere.
Don't mean to pick on TeamViewer. It could be any number of packages, but I think security minded people get an idea of the type of attack vectors I'm talking about.
It is mind boggling the lack of basic security principles some people have. I won't just put that on the plants and their IT/OT, or lack thereof. I've seen plenty of vendors and integrators do some cringe worthy stuff too.
The whole automation industry is a security disaster, but it is because security isn’t part of the deliverables for any party. It isn’t in the specs; for civil, mechanical, and electrical engineers it isn’t their responsibility.
If the owner has an IT department they usually don’t want to be responsible for it either since locking things down leads to weird issues with legacy proprietary SCADA systems.
There is no out of the box secure solution available yet. Rockwell certainly makes an attempt with their FactoryTalk Directory, but I highly doubt that it isn’t easily worked around somehow.
Yeah, that is correct. I typically put together the solutions for new systems, including security. I give the sales team part numbers and hours for security software and related hardware. They then add that as an option to quotes. No principal automation engineer wants to take that on and no IT wants to be involved. Also, when money is tight that’s an easy target for them to pass on.
Luckily I’ve pushed enough over the years that we at least include A/V software as mandatory.
I’ve been able to carve out a nice space within my company bridging the IT/OT divide. It’s been particularly good recently since the bigger companies are dictating good cyber practices, but rely on integrators and vendors to implement.
I don’t think there will ever be an out of the box solution unless a system stands on its own, which is becoming increasingly harder with modernization and reliability efforts. Add on top of that privileged access, remote monitoring and support, automated (kind of) patching, etc. you have to interface with the IT side a bit.
Shutting down pipelines is insanely expensive. Under normal circumstances maintenance work, including welding, is done on live pipelines. The guys that do that job are extremely well compensated, last I knew hundreds an hour, and maybe a little crazy.
A shutdown is a huge deal and means they’re taking this extremely seriously.
The WaPo article itself is much more detailed. The bits about the age and fragility of Colonial's pipelines are far more significant than ransomware. Colonial's continued neglect is more disruptive than any single attack on the pipeline. The persistence of unreliable infrastructure is a more valuable disruptive asset to an organized opponent than a single targeted attack.
Tangent - Also interesting, the WaPo article [0] bears little resemblance to itself from only hours ago [1]. The article has grown by about 50%, while contents have come and gone. That's my favorite application for archive dot is - Seeing the timelapse of iterative releases, watching journalism bend and sway in the current of its own response. I'm not making any judgements, the internet is already sloshing with useless hot takes about journalism and media. It's just fascinating to see the modern editorial process at work, out in the open.
Relates to the Kent Beck "Latency vs Throughput" post [1] on here right now... do you post the story immediately, and start getting feedback, or do you wait and do research and get it (more) right before posting it?
Wellll sort of. The "Da Vinci" virus claimed it was going to capsize oil tankers in order to cause an ecological disaster. Not just shut down a pipeline.
Connecting infrastructure to the internet is something that is done for many reasons. It would be a vast improvement in security if most of those connections went through a data diode [1] and only allowed monitoring.
Knowing what is happening now with critical infrastructure, through the internet, can be done in a completely safe manner. It is a solved problem.
What would be the difference between having a data diode between your control and monitoring network and external monitoring systems, versus just splitting the monitoring part off into a completely separate network with ordinary two-way traffic?
What you explained doesn't solve the problem. You still want to have a unidirectional network in place, at least between your critical infrastructure and the monitoring systems.
Monitoring systems are usually separate and often have their dedicated network too, but they still need some sort of network connection to your critical infrastructure to do their job (monitoring).
I was trying to explain that having a separate monitoring infra and network group wouldn't work as a replacement for a unidirectional network setup, because you still need to open network access between critical infra and the monitoring system in your design, which will expose it to the internet.
So like you said, you still need to have a unidirectional network in place.
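The question raised earlier in this thread (how to get any assurance, over a data diode, that a log record arrived, raised an alarm and was acknowledged) and the unidirectional monitoring design discussed here both come down to the same constraint: nothing can ever flow back from the monitoring side. The following is an added example, not code from any commenter or vendor, showing one way to live with that. Every frame the high-trust side emits carries a sequence number, the hash of the previous frame and an HMAC under a key that is assumed to be provisioned out of band; alarm acknowledgements are simply more records in the same stream. The receiver can then prove loss, duplication, chain breaks and tampering on its own, without an ACK path. The key, the tag names and the sample readings are all constructed for the demo.

```python
import hashlib
import hmac
import json

# Constructed demo key. In a deployment this is provisioned on both sides
# of the diode out of band; it never crosses the link.
SHARED_KEY = b"constructed-demo-key-not-for-production"
GENESIS = hashlib.sha256(b"genesis").hexdigest()


class DiodeSender:
    """High-trust side: emits monitoring records across a one-way link.

    Since no acknowledgement can ever come back, each frame carries a
    sequence number, the hash of the previous frame and an HMAC, so the
    receiver can detect loss, reordering and tampering by itself.
    """

    def __init__(self, key: bytes):
        self.key = key
        self.seq = 0
        self.prev_hash = GENESIS

    def frame(self, record: dict) -> bytes:
        body = {"seq": self.seq, "prev": self.prev_hash, "record": record}
        payload = json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
        tag = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        frame = payload + b"|" + tag
        self.prev_hash = hashlib.sha256(frame).hexdigest()
        self.seq += 1
        return frame


class DiodeReceiver:
    """Low-trust side: validates frames and records what it can prove."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq = 0
        self.prev_hash = GENESIS
        self.records = []   # accepted monitoring records, in order
        self.findings = []  # (kind, detail) tuples for the SOC to act on

    def accept(self, frame: bytes) -> bool:
        payload, _, tag = frame.rpartition(b"|")
        expected = hmac.new(self.key, payload, hashlib.sha256).hexdigest().encode()
        if not hmac.compare_digest(expected, tag):
            self.findings.append(("bad_mac", None))
            return False
        body = json.loads(payload)
        if body["seq"] < self.expected_seq:
            # A redundant resend of a frame already accepted: harmless, ignore.
            self.findings.append(("duplicate", body["seq"]))
            return False
        if body["seq"] > self.expected_seq:
            # Frames were lost on the link; there is no way to ask for them,
            # so report the hole and resynchronise on this frame.
            self.findings.append(("gap", (self.expected_seq, body["seq"])))
        elif body["prev"] != self.prev_hash:
            # Right sequence number but wrong chain link: sender restarted or
            # something with the key rewrote history.
            self.findings.append(("chain_break", body["seq"]))
        self.records.append(body["record"])
        self.expected_seq = body["seq"] + 1
        self.prev_hash = hashlib.sha256(frame).hexdigest()
        return True


def simulate(drop_seq=None) -> DiodeReceiver:
    """Push constructed readings across the diode, optionally losing one frame."""
    sender = DiodeSender(SHARED_KEY)
    receiver = DiodeReceiver(SHARED_KEY)
    readings = [  # constructed sample records, including an alarm acknowledgement
        {"tag": "pump_7.pressure_psi", "value": 612.0},
        {"tag": "alarm.high_pressure", "value": "raised"},
        {"tag": "alarm.high_pressure", "value": "acked_by_operator"},
    ]
    for reading in readings:
        frame = sender.frame(reading)
        if sender.seq - 1 == drop_seq:
            continue  # frame lost on the one-way link
        receiver.accept(frame)
    return receiver


if __name__ == "__main__":
    print(simulate(drop_seq=1).findings)  # the receiver reports the hole itself
```

Because the sender cannot learn about loss, a real deployment pairs this with redundant transmission (send every frame twice, or periodically re-emit a summary of the last N hashes) so the duplicate path above is exercised routinely and a gap finding means something genuinely went wrong.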
It's only a matter of time, there's gonna be physical casualties at some point in time. We've all seen it in the movies. Experts have warned of the dangers of tethering vital utilities controls to the internet.
Is it not possible to develop a protocol or device that operates outside of the web but functions like the 'two-man' rule used to launch nuclear bombs?
Those devices don’t work like a nuclear bomb control does - that is adding resistance/controls to taking an action.
The appropriate analogy is more like a nuclear reactor. They require some system controls to stay functional and healthy (water temp increases in loop x, increase motor speed of pump y, if already at or exceeding speed z, set off an alarm).
These controls need constant monitoring in a control station somewhere, sometimes tuning or fixing if there is a bug or issue somewhere, etc.
A lot of the cost of a nuclear plant is trying to cover every possible scenario and being compliant with endless regulations for stuff like this (and everything else).
That most non-nuclear plants don’t want to deal with the hassle and expense shouldn’t surprise anyone. That non-nuclear plants often don’t even TRY to cover basic cases SHOULD dismay and surprise people. These issues have been well known and publicized for literally 30 years.
A reason safety guys in these industries have the saying ‘regulations are written in blood’ is often not because no one sees the danger. Rather, until the body count reaches a certain point, no one can justify the expense to require it be fixed.
Yes. It's called Threshold Cryptography and it generalizes 'two-man' rule to require that N of M authorized users agree to an action.
But it's not really necessary here. What's needed for infrastructure is to get it off the internet and to quit using insecure operating systems and languages.
>CIA plot led to huge blast in Siberian gas pipeline
>Thomas Reed, a former US Air Force secretary who was in Ronald Reagan's National Security Council, discloses what he called just one example of the CIA's "cold-eyed economic warfare" against Moscow in a memoir to be published next month.
>Leaked extracts in yesterday's Washington Post describe how the operation caused "the most monumental non-nuclear explosion and fire ever seen from space" in the summer of 1982.
>Mr Reed writes that the software "was programmed to reset pump speeds and valve settings to produce pressures far beyond those acceptable to pipeline joints and welds".
Would be nice to have separate data lines, running fiber optics sealed in pressurized conduits for double tamper detection. The military actually does this for their critical infra.
> Would be nice to have separate data lines, running fiber optics sealed in pressurized conduits for double tamper detection.
At least German Telekom has been doing this for ages for the trunk cables serving entire areas with analog phone service - although not for tamper detection as an anti-espionage measure, but rather to detect and pinpoint damage to the cables, e.g. from excavators, tree growth or splice seals degrading.
A few years back we had two different instances of this pipeline getting shut down from newly-found leaks. While they say it won’t cause gas shortages, these articles tend to drive people to the pumps in droves in the southeastern states served by it (like mine, NC!).
The state of computer security is unacceptable and needs to be fixed. Today it's profit-motivated extortionists, but anything they can do is also an option for spy agencies, and is it really that hard to imagine anti-oil activists pulling the same stunt some day?
On the other hand, crypto is the thing behind the profit motive. If crypto is impractical (if there were no way to convert it to real currency), the profit incentives for these attacks (and mining, for that matter) break down.
I realize this isn't a popular opinion around here, but we should probably do both.
Yes, we need to ban math. Math is the root of cryptography; which is the root of cryptocurrency. Ultimately it’s numbers. They are the worst. Everything bad comes from the interaction of points on elliptic curves.
Cryptocurrency is a bunch of people thinking their bets are more important than the government's control levers of monetary and fiscal policy. They'd rather make a quick buck and disregard the fact that this takes away our government's sovereignty. Our government's ability to bail out the economy, protect its most vulnerable.
It's more important that the Winklevosses and early supporters get all the economic upside, and it's just fine if the US dollar slides into the abyss. Lower income folks surely won't get screwed by this.
Never mind the fact that cryptocurrency is destroying the environment. That's just a minor detail.
Cryptocurrency is selfishness and hubris.
All the smart people working on this insanity would be doing the planet much better if they were working on fixing social media or making tools for cancer researchers. I'm not for telling people what to do with their lives, but this observation seems pretty obvious to me.
> Our government's ability to bail out the economy, protect its most vulnerable.
How did the bailouts in 2008 help the vulnerable people who were subjected to predatory loans and lost their homes?
> Never mind the fact that cryptocurrency is destroying the environment. That's just a minor detail.
Can you back this up with any data? Just went through a paper published on this topic by a couple of environmental researchers and the methodology was quite awful, and the authors did not understand mining.
I'm happy to discuss any data you have.
I'm a bit pessimistic because you don't sound open to the idea that cryptocurrencies have any value at all.
>How did the bailouts in 2008 help the vulnerable people who were subjected to predatory loans and lost their homes?
They didn't but they kept the banking infrastructure alive. What I never understand however is that the government doesn't give that bailout money in exchange for newly issued shares which they then sell for a profit once the bank is back on its feet.
>They'd rather make a quick buck and disregard the fact that this takes away our government's sovereignty.
This isn't true. For every person buying Bitcoin thinking they are hedging themselves against inflation there is someone who sells Bitcoin because they think the exact opposite. So this doesn't take the government's sovereignty because someone ends up with a lot of USD at the other end and you can still apply things like negative interest rates on accounts with huge balances.
Ironically Bitcoin is a very poor inflation hedge because of its periodic bubbles and extreme volatility. The bubble can pop exactly the moment inflation goes up and ruin the "hedge" until the next bubble exceeds the current all time high again.
It isn’t, and you might be a little misinformed. But it’s ok, you can scream into the abyss as long as you like.
We don’t want to cure cancer (don’t know how). We want to free the world of the tyranny of central banking, debt-based economies and theft of savings through inflation.
It is a noble endeavor. Selfishness is continuing along the old broken road. There are new, better ones.
How do cryptocurrencies save you from a debt based economy or inflation? Don't you still need to pay for goods and services in the same debt-based economy? How does the flavor of money change whether someone needs to go into debt? What would prevent cryptocurrency values from inflating or deflating?
>We want to free the world of the tyranny of central banking
You've been living the last 20 years under the tyranny of lack of fiscal stimulus. The biggest problem with the Fed is that it's the job of the government to distribute the money fairly for everyone and since Obama nobody did the necessary fiscal stimulus but this is changing thanks to Biden.
>debt-based economies
That just means more unemployment than necessary.
> and theft of savings through inflation.
What about theft of future potential through deflation? Does the future generation really owe you more than you worked for yourself?
>It is a noble endeavor.
Noble as in for the aristocracy, who have inherited and did nothing with their wealth but grew it anyway?
>Selfishness is continuing along the old broken road.
(2) isn’t wrong though. Ransomware dates to 1989, but the uptick goes hand in hand with the rise of cryptocurrencies for the obvious reason that you don’t steal what you can’t fence, and cryptocurrency has changed the risk and feasibility dramatically.
I’m not saying I support government action here but we should be honest about the situation.
How did criminals pull off international blackmail, kidnapping, and extortion before cryptocurrencies? Did it always require a local bagman? Could ransomware criminals not resort to the same tactics?
...which is why these sorts of attacks almost never occur and are always so resource intensive that no criminal would ever think of doing so for ransom?
Is your argument that if there's a problem, the government must not have tried to prevent it? We still have cancer; does the NIH exist? We still have crime, food poisoning, car accidents ...
Should the military be handling domestic cybersecurity? That seems especially perilous to civil liberties, something out of dystopian sci-fi.
The military's role isn't to provide peace and justice for citizens, it's to kill people and destroy things. That's not an insult to the military, that's what soldiers will tell you; we need to be realistic about it. They should not be operating around civilians in peacetime (except in special circumstances).
Not securing cyber and our infrastructure will kill and destroy things.
What would be an example of a civil liberty violated by, for instance, standing up a large brigade or service of tech soldiers who secure, patch, and work to shore up our critical infra and services? Plus a lot of funding; we already prop up the Lockheeds of the country.
I agree that it seems our Gov. can't be trusted not to intrude into our communications and other civil liberties.
But this is more about industrial control, supply chains, the foundation of software etc.
The gov didn't react or try to stop speech attacks on digital platforms even though they knew it was happening. They didn't even report it was happening because of I think naive political concerns.
Personally I liken it to missile defense and other existing programs which we spend a HUGE amount of money on.
Not securing our infrastructure could have even bigger consequences.
We're already in a growing cold war, personally I think decent potential to go hot within a decade.
Even looking at the little publicly reported easy hacks the, let alone the unknown advanced capabilities of state actors, the first salvo attacks will probably wipe out a huge portion of both sides infrastructure and basic digital necessities to function in our society. At least we're getting more serious about defending space because the military has their owned assets up there.
Maybe MAD would focus these attacks on military targets but I don't trust these nation states, or perhaps our own, to limit the radius. And maybe it's not even possible with how interconnected things are.
I completely agree that the infrastructure needs to be secured, and that it requires a lot of funding. I'm saying the military is the wrong organization for domestic operations.
What happens when the military believes an attack is coming from a private citizen? Can they spy on or take action against that person? Can that alleged attacker's computer be seized? On what evidence? What if the military determines that effective security means surveilling a wide area before an attack, or collecting all citizen data to have a source to search for clues in case of an attack? What if they determine, which some already agree, that the best defense is a good offense?
I'm of a mind that the security should be a regulation, and the infrastructure operators have to meet it. The NIST can develop standards and techniques, but the safety of infrastructure is part of the cost of doing business. Your plant can't be a menace to the community due to risk of explosion, pollution, etc. - it seems no different. The operators have gotten away with buying cheap, crappy IT for years. It's time to invest seriously in rigorous, quality engineering.
I've always secretly hoped warfare would move to the digital realm solely.
We have some shades of that happening already, but I imagine a future where instead of sending young people to die, warring nations wreck each other's economies remotely... which again isn't too far from current day.
While there'd still be casualties it wouldn't be nearly as barbaric as current wars, more developed nations would finally have as much skin in the game as disadvantaged ones, etc.
The way I see it, the best way to discourage war is to make it unprofitable. If war just becomes directly hurting each other's ability to make money I could see war, or erm excuse me armed conflicts, getting a lot more unattractive.
War will always be a bad thing, but putting people on the ground in a foreign land with the mission to kill others has always amplified the horrors of war many many times over.
Taking out power in half the US for a day would kill thousands, but it's the equivalent of an all out attack on the US.
Compare that to if another country were to physically commit to an all out attack and it's easy to see why this would make future wars look like minor skirmishes compared to what's happened in the past.
I think you’re going to see this more and more (at least with wealthy nations). And I think the motivation for war has always been primarily about profit.
It's been motivated by profit, but this harms the motivation
Right now it is profitable for us to go to war. Contracts are signed, jobs are created, it is good for powerful wealthy people for the country to be at war. And if you're powerful enough the risk of retaliation is so low that it's all gain and no cost (outside of human cost which is never enough apparently)
With this type of war the equation would be switched. Going to war directly harms wealthy benefactors, who as a result of their wealth hold political influence.
We're already seeing that aren't we? Espionage at companies like Boeing and Lockheed Martin. It's not harming any "normal person" but it's directly hurting the pocketbooks of powerful people. It creates incentive to avoid conflict in a way that (unfortunately) young men and women dying doesn't seem to have done in the past.
That's a pretty low-effort dig at the government. What the hell does that have to do with something that is obviously state sponsored cyber espionage? Go troll somewhere else.
One argument you can make is to partly defund the surveillance-based departments and agencies and put together a cybersecurity agency who is tasked with hardening the country's systems. I have no idea how someone would build a legislative and personnel firewall to protect it from the existing need to peep through keyholes, it's probably not possible.
Given Government inaction on climate change, could we begin to see motivated individuals or groups taking matters into their own hands and targeting fossil fuel infrastructure in this manner?
It could do more harm than good, but it remains possible that someone will do it anyway. It's a legitimate scenario for these types of companies to consider in their cyber-security planning and preparation (assuming they have any).
Domestic attacks would be somewhat more difficult to carry out without being detected. It’s much easier for the Government to track domestic actors since there’s so much data collected on them both Nationally and by local law enforcement.
That’s why international attacks are more prevalent and bold: they’re not as easily traceable. However, that also comes with its downsides: if the USG wants, it might just use lethal force against you.
So ultimately the people who tend to do this repeatedly end up being state owned or state protected actors, who are likely offered some sort of protection by their State from retribution by the USG.
1/6 looked pretty easy. It also looked like it was pretty easy to catch the most gods-awfully expensive intelligence agencies in the world completely flat-footed.
I wonder if this has anything to do with the Colonial gas pipeline leak? It's been a problem for over 8 months now. Was in the news recently again. Over a million gallons spilled, but they don't really know how much.
After reading "This Is How They Tell Me the World Ends" [1], I feel the world working normally is rather sheer luck. (Probably I'm very late to realize this, but anyway.)
To me the only reasonable survival strategy is redundancy, but I have no idea how we can reach there.
We need to have military responses to these attacks. Ransomware is running rampant because they don't fear any punishment for attacks. If people attacked our hospitals and pipelines with explosives we wouldn't sit by and do nothing.
To take the last high-profile ransomware gang stopped, if we ignore for a moment that the US didn't find them, you think sending US special forces into Ukraine to arrest or kill some unarmed dudes in a basement would have aided US interests more than just having local law enforcement arrest them? Does this policy of deploying troops expand to gangs in NATO member states and other close allies?
Precisely ascribing the origins of a malware attack, with 100% confidence, to one specific nation state is a very hard problem to solve. The time/effort that it would take for one nation to launch an attack on a 2nd party, seeming to come from a third-party, or one of their own adversaries, is not very great.
At least not with the 100% confidence that politicians would want before the US military starts dropping JDAMs on buildings.
I would give fairly even odds that something like this is the work of an organized nation state, and also even odds that it's the work of some underemployed teenagers in a basement.
lol war machine? what war machine? there's proxy wars and internal civil conflicts happening abroad, and definitely shady profiteering in some places, and definitely refugee crises, many of which are caused by climate change actually... but what war machine are you talking about? there's no real war out there. if there was, most of us wouldn't be here posting anymore. I hope to God there's never actual war out there.
You'll find that many of the ongoing/recent conflicts listed on these pages involve bombs/rockets/aircraft/tanks, not to mention soldiers on the ground and in some cases occupation.
There's lots of actual war. Not all wars are world wars.
Edit: it's also not the point of my post. The US invests in its military partially under the pretense of existential threats (basically, commies invading the mainland). That is undermined by having a laughably easy-to-cripple defense.
I think the issue there is data, even on critical infra. Modernization, reliability and such require data analysis. There are definitely ‘strong’ ways of protecting the assets and mitigating attack vectors, but almost no way to eliminate them entirely. For example, even if you isolate the process computers you’ll typically have an interface node that presents the data up a level (hopefully to a DMZ). Obviously you can be compromised if that interface node is.
Some critical infra is air gapped though. Other systems implement SIS systems in parallel with general process systems to mitigate catastrophic failure further.
They can gather the data on the infrastructure network and then carry across an air gap on a USB or tape to do their analysis. I don't see the upside of allowing any connectivity to the internet given the danger other than some mechanism for sending an alert. I'm sure creative people can air gap that too (camera on the internet side and some image recognition for example).
That's massively inconvenient, although I'm sure necessary in some cases. Some businesses actually perform analysis in 'real time' so they can adjust the process accordingly, which requires that data be accessible. This may actually be such a case as I'm sure they have to interface with customers (tank farms) to react to supply/demand on the branches. For all I know Colonial does have a private network for that purpose though. Usually PAT is really for chemical processes where you are looking for a particular yield and those analytical services are located closer to the process (in terms of networks).
There are devices called data diodes that provide unidirectional network topology, but not all time series data interfaces can work with them.
All in all, I agree that total air gap is obviously the best way to mitigate network attack vectors, but sometimes not practical. No controlling device should be at level 3 or 4 though (business or enterprise level).
hmmm...might be time for me to develop a side-expertise in cybersecurity...always kinda scoffed at those electives before, but now I see that there are literal lives at stake if our nation doesn't have excellent talent working in fields like cybersecurity for national defense.
"This is as close as you can get to the jugular of infrastructure in the United States," said Amy Myers Jaffe, research professor and managing director of the Climate Policy Lab. "It's not a major pipeline. It's the pipeline."
About that infrastructure security... this forum has gone over the situation of infrastructure security in quite a bit of detail as other stuff has happened.
It's easy to say "you need to isolate your critical network from your office network" but that costs dollars and time and letting things fall to shit is free 'till the time comes and then other people pay the price rather than you.
The privately held, Georgia-based company is owned by CDPQ Colonial Partners L.P., IFM (US) Colonial Pipeline 2 LLC, KKR-Keats Pipeline Investors L.P., Koch Capital Investments Company LLC and Shell Midstream Operating LLC.
I'm surprised we don't see more attacks on pipelines - both digital and physical. There are many folks out there who take issue with them or see them as a vulnerable part of our infrastructure.
> Colonial’s pipeline transports 2.5 million barrels each day, taking refined gasoline, diesel fuel and jet fuel from the Gulf Coast up to New York Harbor and New York’s major airports. Most of that goes into major storage tanks, and with energy use depressed by the pandemic, the attack was unlikely to cause any immediate disruptions.
Because there was already a glut, now the places that feed this pipeline have to be backed up. Just because it’s gasoline doesn’t mean it’s not a link in the whole chain.
Any IP packet that is valid on the Internet would be invalid and dropped on the critical infrastructure network. The only packets that could pass between the Internet and the critical infrastructure network would be those that are intentionally bridged by rewriting the CRC-32. This should not be done at the IP level, but only by application level bridges.
It would prevent inadvertent connections between the Internet and the critical infrastructure network.
The usual problem is systems that are intentionally connected to both networks, and after compromise happily serve as points to enter the inner network.
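The data-diode comments above and this post both describe the same control: a one-way, application-level bridge that re-creates telemetry for the enterprise side instead of forwarding packets. The script below is an added example written for this thread, not code from any commenter, vendor or Colonial; it assumes a constructed JSON-lines export feed and a constructed allow-listed schema (`tag`, `value`, `unit`, `ts`). Only validated values are re-serialised, so no input byte crosses the boundary unchanged, and the bridge never reads anything from the enterprise side.

```python
"""One-way application-level bridge for OT telemetry (added example).

Assumed, not from the thread: the OT side emits one JSON object per line on
an export feed; the bridge validates each record against an allow-list and
re-encodes only the permitted fields for the enterprise side. There is no
code path that reads from the enterprise side, which is the property a
hardware data diode enforces.
"""
import json
from typing import Dict, List, Tuple

# Allow-list: field name -> (expected type, range/format check). Constructed.
SCHEMA = {
    "tag": (str, lambda v: v.isidentifier() and len(v) <= 32),
    "value": (float, lambda v: -1e6 <= v <= 1e6),
    "unit": (str, lambda v: v in {"psi", "bbl/h", "degC"}),
    "ts": (int, lambda v: 0 < v < 4_102_444_800),  # epoch seconds before 2100
}


def validate(record: Dict) -> Tuple[bool, str]:
    """Return (ok, reason). Unknown keys, missing keys, wrong types and
    out-of-range values are all rejected; nothing is coerced silently."""
    extra = set(record) - set(SCHEMA)
    if extra:
        return False, f"unexpected field(s): {sorted(extra)}"
    for name, (typ, check) in SCHEMA.items():
        if name not in record:
            return False, f"missing field: {name}"
        v = record[name]
        # bool is a subclass of int, so refuse it explicitly
        if isinstance(v, bool) or not isinstance(v, typ):
            return False, f"bad type for {name}"
        if not check(v):
            return False, f"out of range: {name}"
    return True, ""


def bridge(ot_lines: List[str]) -> Tuple[List[str], List[str]]:
    """Consume raw lines from the OT feed; return (forwarded, rejected).
    Forwarded records are rebuilt from validated values only."""
    forwarded, rejected = [], []
    for n, line in enumerate(ot_lines, 1):
        try:
            record = json.loads(line)
        except ValueError:
            rejected.append(f"line {n}: not JSON")
            continue
        if not isinstance(record, dict):
            rejected.append(f"line {n}: not an object")
            continue
        ok, reason = validate(record)
        if not ok:
            rejected.append(f"line {n}: {reason}")
            continue
        clean = {k: SCHEMA[k][0](record[k]) for k in SCHEMA}
        forwarded.append(json.dumps(clean, sort_keys=True, separators=(",", ":")))
    return forwarded, rejected


# Constructed sample feed; tag names and values are made up for the example.
SAMPLE_FEED = [
    '{"tag":"PT_101","value":812.5,"unit":"psi","ts":1620600000}',
    '{"tag":"FT_7","value":4200.0,"unit":"bbl/h","ts":1620600000,"cmd":"open"}',
    '{"tag":"PT_102","value":"812","unit":"psi","ts":1620600000}',
    'not json at all',
    '{"tag":"TT_3","value":61.0,"unit":"degC","ts":1620600005}',
]

if __name__ == "__main__":
    out, dropped = bridge(SAMPLE_FEED)
    print("forwarded:", *out, sep="\n  ")
    print("rejected:", *dropped, sep="\n  ")
```

The rejection log is the interesting output in operation: a record carrying an unexpected `cmd` field, as in the second sample line, is exactly the kind of thing that should never be accepted from an export feed, and a spike in rejections is itself a signal worth alerting on.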
‘Arm Waving’ Response to Hackers Makes Oil Industry Easy Prey
Everyone from the facility managers to the private equity owners assumed that the plant’s computer network was “air-gapped” -- a term referring to computers that aren’t connected to the internet or another unsecured network. But when Mission Secure installed monitoring devices to check, they discovered that a worker on the night shift was connecting his Roku device to the internet to watch episodes of “CSI: Miami.”
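The Mission Secure finding above is what egress monitoring on a "closed" segment looks like in practice. As an added example (not code from the article, Mission Secure or the thread), the script below scans constructed flow records from an OT segment and reports any host talking to a destination outside the plant's address plan, then counts alerts per source so a single chatty device stands out. The address plan, the flow format (`timestamp src dst dport proto`) and the use of RFC 5737 documentation addresses as stand-ins for Internet hosts are all assumptions of the example.

```python
"""Detect unexpected egress from a supposedly air-gapped OT segment (added example).

Assumed, not from the article: flow records in a simple
'timestamp src_ip dst_ip dst_port proto' text format, such as a SPAN-port
sensor might export, and a constructed address plan for the plant.
"""
import ipaddress
from typing import Dict, List

# Constructed address plan: the OT segment, plus the only other internal
# destinations OT hosts are permitted to reach (a historian DMZ here).
OT_SEGMENTS = [ipaddress.ip_network("10.20.0.0/16")]
ALLOWED_DESTINATIONS = [
    ipaddress.ip_network("10.20.0.0/16"),
    ipaddress.ip_network("10.30.5.0/24"),
]


def parse_flow(line: str) -> Dict:
    """Parse one flow record; raises ValueError on a malformed line."""
    ts, src, dst, port, proto = line.split()
    return {
        "ts": int(ts),
        "src": ipaddress.ip_address(src),
        "dst": ipaddress.ip_address(dst),
        "port": int(port),
        "proto": proto,
    }


def is_ot_host(ip) -> bool:
    return any(ip in net for net in OT_SEGMENTS)


def is_unexpected_destination(ip) -> bool:
    """Anything not in the plant's address plan is unexpected, except
    local chatter (loopback, link-local, multicast) which is noise here."""
    if any(ip in net for net in ALLOWED_DESTINATIONS):
        return False
    return not (ip.is_loopback or ip.is_link_local or ip.is_multicast)


def find_egress(lines: List[str]) -> List[Dict]:
    """Return the flows where an OT host reached an unexpected destination."""
    alerts = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        try:
            flow = parse_flow(line)
        except ValueError:
            continue  # a real sensor would log the malformed line
        if is_ot_host(flow["src"]) and is_unexpected_destination(flow["dst"]):
            alerts.append(flow)
    return alerts


def summarize(alerts: List[Dict]) -> Dict[str, int]:
    """Alert count per OT source host, so one device (a streaming box on
    the night shift, say) is obvious at a glance."""
    counts: Dict[str, int] = {}
    for a in alerts:
        key = str(a["src"])
        counts[key] = counts.get(key, 0) + 1
    return counts


# Constructed flow records. 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for real Internet hosts.
SAMPLE_FLOWS = [
    "# ts src dst dport proto (constructed)",
    "1620600000 10.20.4.17 10.20.4.1 502 tcp",       # Modbus to a PLC: in-segment
    "1620600001 10.20.4.17 10.30.5.10 1433 tcp",     # to historian DMZ: allowed
    "1620600002 10.20.9.200 203.0.113.45 443 tcp",   # OT host to the Internet
    "1620600003 10.20.9.200 203.0.113.46 443 tcp",
    "1620600004 10.20.9.200 198.51.100.7 53 udp",
    "1620600005 10.20.4.18 10.20.4.1 502 tcp",
    "1620600006 192.168.1.5 203.0.113.45 443 tcp",   # not an OT host: ignored
]

if __name__ == "__main__":
    for host, n in summarize(find_egress(SAMPLE_FLOWS)).items():
        print(f"{host}: {n} flow(s) to unexpected destinations")
```

The check is deliberately an allow-list of destinations rather than a block-list of "bad" ones: on a segment that is supposed to be isolated, any destination outside the plan is a finding, whether it is a streaming service or a second NIC someone plugged in.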