Hackers Are Coming for Your Tap Water
-
Upload
happynako-wholesome -
Category
Documents
-
view
214 -
download
0
Transcript of Hackers Are Coming for Your Tap Water
-
7/27/2019 Hackers Are Coming for Your Tap Water
1/3
Bad News:Hackers AreComing for YourTap Water
Foreign attacks on Kyle Wilhoit's online decoys suggest that municipalpumps are easily violated.
Kyle Wilhoit, a 29-year-old Missourian working for a cybersecurity company called Trend
Micro, has spent the last year building fake water plant control systems that mimic the
online control systems used by real American utilities. Dubbed "honeypots," these sorts of
decoys are deployed to draw in the ill-mannered beasts of the internetmalicious hackers.Wilhoit's traps appear to be working. Hackers employing a software tool used by the
Chinese armyas well as hackers that appear to originate from Russia, Palestine, Germany,
and other countrieshave been breaking into Trend Micro's phony US water systems. In
some cases, they have gone so far as to steal files so they can access the systems again.
They also have gained access to imaginary pumps, which in a real scenario would allow
them to modify water pressure, temperature, purification level, and even shut off the flow
entirely.
"What would the Chinese army want? Do they want to
contaminate US water plants?""Everyone has talked of [these systems] getting attacked, but I wanted true numbers to
prove the attacks were occurring," says Wilhoit, who presented the report of his company's
http://www.trendmicro.com/us/index.htmlhttp://www.trendmicro.com/us/index.htmlhttps://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdfhttps://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdfhttp://www.trendmicro.com/us/index.htmlhttp://www.trendmicro.com/us/index.html -
7/27/2019 Hackers Are Coming for Your Tap Water
2/3
findings at the Black Hat conference in Las Vegas last week. "I was expecting typical drive-
by automated attacks, but never dreamed of having a true targeted attack."Matthew Rhoades, a cybersecurity expert and director of legislative affairs for the Truman
National Security Project, told Mother Jones that he's "not totally surprised" by the report,
given the past allegations of foreign entities attempting to infiltrate America's critical
infrastructure. (In May, for example, theWall Street Journalreported that Iran was hacking
into our oil, gas, and power firms.) "The question is," Rhoades says, "what would the
Chinese army want? Do they want to contaminate US water plants? Are they mapping it out
as a contingency for some sort of future conflict? The latter seems like it's a potential, and
that wouldn't surprise me either."Since late last year, Wilhoit and Trend Micro have deployed 12 honeypots in eight countries,
mimicking servers that control water pumps. (Earlier this year, a study supported by the
Department of Homeland Security found that more than 7,000 industrial control systemsa
broad term encompassing water, gas, and electrical systemswere connected to the
internet in the United States.) The traps feature control toggles for temperature, on/off
functionality, and other password-protected settings. Water systems are easy to imitate
since their cybersecurity is "typically very lax," Wilhoit explains. "Attempting to mimic a
nuclear plant would be very difficult."Trend Micro set up the decoys to draw attention to the state of critical infrastructure
cybersecurity. After the honeypots were deployed in November 2012, it took only 18 hours
for the first hacker to visit. In December, using HACKSFASEthe same tool used by the
Chinese army to attack US government agencies, according to theNew York Timesand a
security company called Mandianta Chinese-based hacker infiltrated one of the US
honeypots and tried to access multiple pages. The person also made a successful spear
phishing attempt, sending a fake email to the owner's account in order to automatically
collect login information. Richard Bejtlich, chief security officer for Mandiant, says that
claiming the Chinese army is attacking water plants because a hacker is using HACKSFASE
is "weak attribution." However, he wasn't aware of other countries using the tool.
Trend Micro also saw attacks of US origin targeting
honeypots in Russia and China.
https://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdfhttp://www.blackhat.com/http://online.wsj.com/article/SB10001424127887323336104578501601108021968.htmlhttp://online.wsj.com/article/SB10001424127887323336104578501601108021968.htmlhttp://online.wsj.com/article/SB10001424127887323336104578501601108021968.htmlhttp://www.informationweek.com/government/security/thousands-of-industrial-control-systems/240146091http://www.scribd.com/doc/126177477/Mandiant-APT1-Reporthttp://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=allhttp://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=allhttp://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=allhttp://www.nytimes.com/2013/02/19/technology/chinas-army-is-seen-as-tied-to-hacking-against-us.html?pagewanted=allhttp://www.scribd.com/doc/126177477/Mandiant-APT1-Reporthttp://www.informationweek.com/government/security/thousands-of-industrial-control-systems/240146091http://online.wsj.com/article/SB10001424127887323336104578501601108021968.htmlhttp://www.blackhat.com/https://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdf -
7/27/2019 Hackers Are Coming for Your Tap Water
3/3
Trend Micro has also traced cyberattacks in the US coming from Russia, Germany, France,
the United Kingdom, and Palestineand attacks originating in the United States that
targeted honeypots in Russia and China. Ten of the cyberattacks, including the Chinese
attack, were deemed "critical"meaning that, in a real-life scenario, a hacker could have
altered or turned off a city's water supply. (None of the attacks originating from the United
States fell into that category.)
Trend Micro also reported that some American water control systems could be found online
using a simple Google search. The cities I contacted were cagey about whether their
systems had online controls and what steps they took to defend them against hackers. But
they all promised that their supplies were secure. For instance, Pamela Mooring, a
spokeswoman for the DC Water and Sewer Authority, writes in an email: "DC Water staff
attend briefings on cyber attacks and other threats to utilities, and the Authority has a
Cyber Response Plan."Alan Roberson, director of federal relations at the American Water Works Association, says
most American utility companies "are aware that they need to separate their control
systems from the internetbut we still don't know how many have done that, and how
many vulnerabilities are left." He adds however, that if a utility company knew it was under
cyberattack, it could manually take control of the system and easily block intruders.Last week, the Senate Committee on Commerce, Science & Transportation cleared
theCybersecurity Act of 2013 (introduced in the wake of President Obama's corresponding
executive order), which addresses vulnerabilities in American infrastructure by encouraging
companies to follow set cybersecurity standards. If it passes, Roberson says, it will help
safeguard water supplies by giving utility companies a way to justify the added cost of
security to their boards and customers.Wilhoit also supports the bill, although he'd like to see the federal government test the
specific software and hardware that utility companies are using. "If my system is a realistic
depiction of a real water pumping system," he says, then "compromising a real water
system would be very easy."
https://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdfhttp://www.awwa.org/http://www.govtrack.us/congress/bills/113/s1353http://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurityhttp://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurityhttp://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurityhttp://www.whitehouse.gov/the-press-office/2013/02/12/executive-order-improving-critical-infrastructure-cybersecurityhttp://www.govtrack.us/congress/bills/113/s1353http://www.awwa.org/https://media.blackhat.com/eu-13/briefings/Wilhoit/bh-eu-13-whose-really-attacking-wilhoit-wp.pdf