Sunday, February 19, 2017

ECS-CERT Describes Safety System Malware

Washington, DC

The ECS-CERT today announced that it had discovered a new cybersecurity worm that specifically targets safety control systems. The UNSICHER worm was found during an ECS-CERT investigation of a control system incident at a chemical plant in the Midwest, according to Immanuel C. Securitage, an ECS-CERT spokesman.

Securitage reported that an ECS-CERT team was called to the facility when the safety systems started shutting down chemical manufacturing systems that were operating under safe conditions. The investigators quickly isolated the malware. Working with Robotron, the company that sells the SicherheitsKontrolle safety control system, ECS-CERT was able to identify how the isolated safety system had been infected.

Erich Mielke, the Robotron spokesman, explained that the SicherheitsKontrolle is a completely air-gapped safety system. Technicians from the company are the only ones able to connect to it, as they alone hold both the physical and software keys for the FireWire port that is used to install updates and patches.

Securitage reported that the Robotron technician who installed the latest update apparently picked up the worm on his laptop when he plugged it into an airport charging port en route to the installation. UNSICHER was found both on the technician's laptop and on all of the Robotron systems that he updated on that trip.

When the SicherheitsKontrolle system is infected, Mielke explained, it attempts to establish a communication link with one of the Robotron PLCs on the facility control system, using the wireless link that Robotron provides for connecting process sensors. Once that link between the normally isolated safety system and the facility control system is made, the worm tries to open a connection to a command and control computer under the attacker's control.

Securitage suggested that anyone using the Robotron PLCs as part of a safety system lock out the wireless ports by setting the DIP switches provided for that purpose, as the UNSICHER worm is able to bypass the software locks on those ports.


ECS-CERT reports that there was no physical damage caused at the facility where the worm was discovered, but that the company suffered almost $1 million in losses due to lost production and rework disposal costs.

Wednesday, February 8, 2017

FEC Fines Robotron for Control System Tracking

This afternoon the Federal Electronics Commission announced that a $1.2 million fine had been levied against Robotron, the German electronic control system manufacturer, for the exfiltration and sale of manufacturing data from hundreds of US companies. David Weeb, the FEC spokesman, reported that this is the first fine the Commission has levied for industrial data exfiltration.

The FEC notice explained that Robotron had used its MotorSteuerung software to collect data from electric motors in thousands of facilities around the world. While the data collection was originally designed to provide preventive maintenance information to customers, Robotron has admitted that it has been selling the data to electric motor manufacturers around the world.

Robotron President Erich Mielke said in a prepared statement that Robotron had initially started using the data for marketing their variable speed motors. When the Electric Motors Division was sold off as part of a restructuring move three years ago, Robotron decided to start selling the data to other electric motor manufacturers.

Mielke explained that the detailed performance data helped to provide important sales leads and enabled motor sales people to make the case for switching to more expensive variable speed motors.

This practice came to the FEC's notice recently when a terrorism investigation by the Federal Bureau of Inquiry discovered that sophisticated knowledge of the operation of a motor in an HVAC system had allowed hackers from the Stasi Ehemalige hacking collective to start the recent fire in a synagogue near Houston, TX.


Johnathan Quest, an FBI spokesman, told reporters that Robotron was probably not the direct source of the information used by the Stasi group. He said that the FBI believes that an insider at an unnamed electric motor manufacturer with close ties to Stasi Ehemalige provided the Robotron information to the group. The FBI hopes to make arrests soon in that case where two people were killed and hundreds injured in the synagogue fire.

Thursday, January 26, 2017

Homeland Security Confirms Chemical Facility Attack

This morning the Agency for Chemical and Environmental Security (ACES) confirmed during a press conference in Atlanta that yesterday’s chlorine release at a water treatment plant outside of Atlanta, GA was apparently the result of a terrorist attack. The release of about 2,000 pounds of chlorine gas killed one employee at the facility, but the local community was not affected.

Daniel Varg, the ACES Director, reported that the secondary containment system at the facility stopped the release from spreading. The affected employee, whose name has not yet been released, was doing routine work in the containment building when the release occurred. The release occurred when the automated vent valve on the chlorine storage tank was remotely opened.

A private chemical response company is on-site remediating the chlorine released into the containment building. They are expected to complete their work this afternoon and the facility should be operational shortly thereafter. There was no effect on the quality of the drinking water produced by the facility.

Immanuel C. Securitage from ECS-CERT reported that they also have a team on-site looking at how the valve could have been tampered with. Initial reports are that the valve was provided by Robotron and that a variant of the GUMMI BAREN worm was responsible for allowing a terrorist group to gain access to operational control of the valve.

Securitage reported that his agency had received reports about the variant from an unnamed security researcher and that it apparently targeted the particular type of valve used in chlorine storage facilities. He explained that a classified report on the GUMMI BAREN CL had been posted to the ECS-CERT secure web site last month.

When asked if the facility was aware of the GUMMI BAREN CL report, Varg explained that the security contractor for the site did not have the security clearance necessary to read the report. Only the facility manager had the appropriate clearance, but he was not aware of the ECS-CERT report. Varg admitted that his agency had not notified facilities of the report, noting that that was an ECS-CERT responsibility. Securitage responded that his agency did not know which facilities were using the affected valves. That was why ECS-CERT published the report on its secure web site; facility managers should be periodically checking that web site for reports affecting their facility.

Johnathan Quest of the Federal Bureau of Inquiry told the same news conference that his agency was investigating the apparent terrorist attack on the facility. He reported that they had been working with ECS-CERT on tracking down the group behind the GUMMI BAREN CL malware. Currently the FBI believes that Students for Immediate Neutralization of Chlorine Technology and Energy Reversion (SFINCTER) are responsible.

“We know,” he said, “that they have been known to work with elements of Stasi Ehemalige – the radical German hacking collective. That group was responsible for the GUMMI BAREN ransomware and is likely the source of the CL variant.”

SFINCTER has been very vocal in their attempt to stop all uses of chlorine gas. In recent years they have become much more militant and have threatened direct action against facilities using chlorine gas. If this attack was conducted by SFINCTER, it would be the first time that they had moved beyond civil disobedience activities.

During the question and answer portion of the conference Varg was asked why a remotely accessible valve was used in the safety system. Varg explained that the valve was the same one used in all chlorine contact systems at the plant. The safety system controlling the operation of that valve is a stand-alone system, but the valve was connected to the facility control system human-machine interface (HMI) for alerting purposes. That was supposed to be a one-way communication process, but a default maintenance setting on the valve allowed two-way communication over that port.

Saturday, January 14, 2017

Students at Cybersecurity Lab Report Congressional Data Breach

Today George E.E. Kilgore from Ronald Reagan High School told a press conference that the school's Cybersecurity Investigation (CSI) class had found large amounts of sensitive data on computers donated to the school by the office of Congresswoman Dana Miller. Kilgore explained that while he had been assured that all data had been removed from the computers prior to the donation, the students in his CSI class had used the tools and techniques they had been studying for the last six months to do a deep dive into the drives of the six computers and find information that had survived the sanitization.

Dana Miller explained that the computers had been donated to the Ronald Reagan High School as part of a new program recently signed into law by the President. Miller had been one of the cosponsors of the bill that allowed Congressional offices to donate their used computers to primary and secondary schools. Miller told the press conference that she was proud of the abilities that the students demonstrated in finding the data. She also expressed some concern that the Congressional Data Protection Office (CDPO) had not been able to find the data before the computers were sent to the school.

Kilgore’s presentation at the press conference included a number of slides that showed what types of information were found. The information included:

Copies of documents found in various application directories;
Web browsing histories;
Email contact lists; and
Account information for the Congressional Cloud.

Kilgore explained that the account information allowed members of his class to access the accounts of Miller and her staff. Asked if the hacking of those accounts was illegal, Miller assured the audience that she had given her permission for the access and that she had confirmed with the local US Attorney that this permission ensured the students had not violated 18 USC 1030.

Also present at the press conference was Larry Ost from the CDPO. When asked why his office had not detected the data breach when they cleared the computers, he replied: “With just two computer technicians in the ten-person office, we only had enough time to check that the standard data files on the computers were erased before the computers were forwarded to the school.”
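Checking that "the standard data files" are gone is a file-system check; data remanence lives below that layer, in blocks that were freed but never overwritten. The following added example (not the CSI class's tooling nor the CDPO's procedure) scans a raw drive image for residual file headers, plain-text credentials and blocks that still hold anything but zeros, which is the verification a sanitizer should run on the whole device after wiping. The image, the signature list and the credential pattern are constructed for the example.

```python
"""Post-sanitization verification of a raw drive image.
Added example; the image, signature table and credential pattern are
constructed here and are not from the page or the organisations it names."""
import re

BLOCK = 512

# Magic numbers for the artefact types the page lists (databases behind browser
# history and contact lists, documents, archives).  Minimal, hypothetical set.
SIGNATURES = {
    b"SQLite format 3\x00": "SQLite database (browser history / contacts)",
    b"%PDF-": "PDF document",
    b"PK\x03\x04": "ZIP/OOXML document container",
    b"\xff\xd8\xff": "JPEG image",
}

# Hypothetical credential pattern: key=value pairs for common secret names.
CREDENTIAL_RE = re.compile(rb"(?i)(password|passwd|token|api[_-]?key)=[^\s\x00]{4,}")


def nonzero_blocks(image: bytes, block: int = BLOCK):
    """Offsets of blocks that still hold anything but zeros after a 'wipe'."""
    return [off for off in range(0, len(image), block) if any(image[off:off + block])]


def find_signatures(image: bytes):
    """Carve for known file headers anywhere in the raw image, allocated or not."""
    hits = []
    for magic, label in SIGNATURES.items():
        start = 0
        while (pos := image.find(magic, start)) != -1:
            hits.append((pos, label))
            start = pos + 1
    return sorted(hits)


def find_credentials(image: bytes):
    """Plain-text secrets that survived, e.g. cached cloud account settings."""
    return [(m.start(), m.group().decode("ascii", "replace"))
            for m in CREDENTIAL_RE.finditer(image)]


def sanitization_report(image: bytes) -> dict:
    """Inspect the whole device, not the file list.  'clean' here means a
    zero-fill wipe left no residue; a random-fill wipe would instead be judged
    on the absence of signatures and recoverable strings."""
    sigs = find_signatures(image)
    creds = find_credentials(image)
    dirty = nonzero_blocks(image)
    return {
        "nonzero_blocks": len(dirty),
        "signatures": sigs,
        "credentials": creds,
        "clean": not sigs and not creds and not dirty,
    }


def build_sample_image() -> bytes:
    """Constructed 32 KiB image: files were 'deleted' but their blocks never overwritten."""
    img = bytearray(64 * BLOCK)

    def put(block_no: int, data: bytes) -> None:
        img[block_no * BLOCK:block_no * BLOCK + len(data)] = data

    put(3, b"SQLite format 3\x00" + b"\x10\x00" + b"history.db remnants")
    put(10, b"%PDF-1.4\n%\xe2\xe3\xcf\xd3\n1 0 obj<</Type/Catalog>>")
    put(20, b"cloud_user=staff01\x00password=hunter2\x00")
    return bytes(img)


if __name__ == "__main__":
    report = sanitization_report(build_sample_image())
    for key, value in report.items():
        print(f"{key:15s}: {value}")
```

Run against a real device the same way (`open("/dev/sdX", "rb")` read in chunks), the report answers the question the CDPO technician could not: whether the media itself, rather than the directory listing, is empty.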

In apparently related news, Johnathan Quest from the Federal Bureau of Inquiry announced that the FBI had arrested Chester (Moe) Lester, a staffer in Miller’s Washington Office, on child pornography charges. Quest reported that an anonymous tipster had provided the FBI with links to child pornography stored on the Congressional Cloud in Lester’s account.


A statement issued in Washington by Rep. Miller’s office said that the allegations were deplorable and if proven to be true, the alleged behavior was reprehensible. Miller’s office promised full cooperation with the FBI investigation.

Thursday, January 12, 2017

FEGA Announces Cybersecurity Research Grants

Today at a joint news conference the DHS Federal Emergency Grant Administration (FEGA) and the Security and Applied Science (SAS) Directorate announced the funding of the Cybersecurity Applied Research (CSAR) program for the coming year. The CSAR program was started in 2016 and Congress has been adding directed research programs to it ever since.

Isham M. Gelt started off the press conference by saying that he was proud to announce that the funding for the CSAR program had once again withstood calls for reducing the amount of money available in the program. He reported that the funding has remained stable over the last five years.

Nelson E. R. Donally then announced that, in addition to the funding that the CSAR program had been providing to numerous educational institutions for general cybersecurity research and training, Congress had added for this fiscal year a number of new research requirements specifically addressing electronic control system security (ECSS). He announced that educational institutions could apply for grant money for the following new ECSS programs:

• Encryption for communications in supervisory control and data acquisition (SCADA) applications;
• Isolation of ECS from data systems;
• Remote data logging of changes in programmable logic controllers (PLC);
• Easing data communication between ECS and enterprise data systems; and
• Providing remote access to ECS operations from smart phones.

Donally remarked that Congress was very clear about the requirements for the encryption programs that would be used by ECS systems. The systems had to be based upon a 125-bit key and copies of all encryption keys for ECS had to be on file with the encryption office of ECS-CERT.

Gelt announced that since this was the first year that FEGA would be issuing ECSS grants under the CSAR program the size of the initial grants had been doubled to $20,000 and a total of ten grants would be made this year. When asked if grants had been larger earlier in the CSAR program, Gelt reminded the reporters that Congress had been adding to the CSAR coverage mandate for some time without any increases in the amount of money in the program. The addition of the ECSS program meant that other CSAR grants had been reduced to $9,000 and the total number of grants provided under the program had been reduced by 10.


Donally also announced that, due to the decrease in the number of university programs applying for CSAR grants, SAS was expanding the application pool to two-year technical colleges with computer technology programs. Last year over $100,000 in available grant money had been returned to the federal treasury for lack of applications.

Friday, January 6, 2017

Local Company Claims Chinese Hackers Cause of Bankruptcy

New Orleans, LA

Today Isaac B (IB) Kaghun announced that the bankruptcy proceedings completed today meant that the Blew Bayou Chemical Company was not going to re-open its doors. IB reported that Chinese hackers were responsible for the high rework rate over the last six months that destroyed the profitability of the company. He claimed that the hackers were supporting Tianjin Chemical, his only competitor in the production of Tetramethyldeath (TMD), the revolutionary plasticizer being used as a replacement for BPA.

IB Kaghun, the son of Russian émigrés, developed TMD during his graduate studies at LSU. TMD is a monomer that can be added to the polymerization of PVC and other plastics to provide both increased flexibility and strength. Tianjin Chemical started production of the chemical after a well-publicized hack of Blew Bayou Chemical computers stole proprietary information about the production of the material. The FBI was never able to prove that Tianjin Chemical had anything to do with the data theft.

Blew Bayou had been successfully manufacturing TMD for about ten years with multiple expansions of their facility east of New Orleans. Last spring the company started to experience manufacturing problems that resulted in high contamination rates in their product that made the TMD unusable. The costs associated with the lost production and disposal of the flammable chemical quickly ate into the bottom line of Blew Bayou Chemical.

Recent disclosures about vulnerabilities in the Robotron programmable logic controllers (PLC) raised the possibility that a hack of those devices, which are used in the Blew Bayou manufacturing facility, was the cause of the manufacturing problems at the plant. IB contacted the Electronic Control System CERT for assistance in determining whether a cyber attack had taken place.

Immanuel C. Securitage, a spokesman for ECS-CERT, confirmed that the agency had completed an on-site investigation and did find unauthorized modifications to the programming of some of the PLCs used in the manufacturing process.

“This was a very sophisticated attack,” Securitage said. “There is a critical temperature that must be maintained in the manufacturing process. Any temperature above that critical point causes an increase in the production of undesirable byproducts. The programming of the PLC was modified to change the temperature being reported by two separate temperature probes so that they reported lower temperatures than were actually being experienced in the reaction vessel.”

Kaghun added that whoever was responsible for the hack had very detailed knowledge of the manufacturing process. The revised PLC programming used a complex algorithm: the rate of change of the reported temperature increased as the actual temperature approached the critical point, and the reported temperature then slowly converged back to the actual value once the vessel was above the critical temperature. This mattered because at about 15 degrees above the critical point the pressure in the vessel would have started to rise, alerting operators to problems with the reaction.
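To make that failure mode concrete, here is an added example in Python (not Blew Bayou's, Robotron's or ECS-CERT's code): a hypothetical model of the reading manipulation described above, the probe-to-probe redundancy check that two identically spoofed probes defeat, and a plausibility check against an independent pressure transmitter that would have caught the excursion. The critical temperature, the 8 degree maximum offset, the ideal-gas headspace model and the 1% tolerance are all assumptions made for the example.

```python
"""Sensor-manipulation plausibility check.
Added example; the reaction, every constant and the spoofing function are
hypothetical models of what the page describes, not the real process."""
from dataclasses import dataclass

# Hypothetical process constants (assumptions, not figures from the page)
CRITICAL_C = 120.0                     # critical reaction temperature, degC
MAX_OFFSET_C = 8.0                     # most the reported value is held back
PRESSURE_RISE_C = CRITICAL_C + 15.0    # page: pressure climbs ~15 degC above critical
P_REF_BAR, T_REF_C = 2.00, 100.0       # reference point for the headspace model


def kelvin(t_c: float) -> float:
    return t_c + 273.15


def spoof_reading(actual_c: float) -> float:
    """Hypothetical model of the altered probe logic described on the page.

    Below the critical point the true value is reported.  As the vessel climbs
    toward the critical point the reported value is held back by a growing
    offset, so the controller keeps heating; above the critical point the
    offset decays back to zero before the vessel is hot enough for the
    pressure rise that would have alerted operators.
    """
    ramp_start = CRITICAL_C - 5.0
    decay_end = PRESSURE_RISE_C - 2.0
    if actual_c <= ramp_start:
        return actual_c
    if actual_c <= CRITICAL_C:
        frac = (actual_c - ramp_start) / (CRITICAL_C - ramp_start)
        return actual_c - MAX_OFFSET_C * frac * frac   # offset grows faster and faster
    if actual_c < decay_end:
        frac = (actual_c - CRITICAL_C) / (decay_end - CRITICAL_C)
        return actual_c - MAX_OFFSET_C * (1.0 - frac)  # offset shrinks back to zero
    return actual_c


def expected_pressure_bar(t_c: float) -> float:
    """Hypothetical headspace model: pressure proportional to absolute temperature."""
    return P_REF_BAR * kelvin(t_c) / kelvin(T_REF_C)


@dataclass
class Sample:
    actual_c: float        # true vessel temperature (unknown to the operator)
    probe1_c: float        # value the PLC reports for probe 1
    probe2_c: float        # value the PLC reports for probe 2
    pressure_bar: float    # independent transmitter the PLC does not rescale


def simulate(actuals):
    """Constructed samples: both probes pass through the same modified PLC logic."""
    return [Sample(a, spoof_reading(a), spoof_reading(a), expected_pressure_bar(a))
            for a in actuals]


def probes_disagree(t1_c: float, t2_c: float, tol_c: float = 1.0) -> bool:
    """Classic redundancy check: alarm when the two probes drift apart."""
    return abs(t1_c - t2_c) > tol_c


def pressure_mismatch(reported_c: float, measured_bar: float, tol_frac: float = 0.01) -> bool:
    """Plausibility check: does the reported temperature explain the measured pressure?"""
    expected = expected_pressure_bar(reported_c)
    return abs(measured_bar - expected) / expected > tol_frac


def analyse(samples):
    """Return the actual temperatures at which each check raised an alarm."""
    redundancy = [s.actual_c for s in samples if probes_disagree(s.probe1_c, s.probe2_c)]
    plausibility = [s.actual_c for s in samples
                    if pressure_mismatch((s.probe1_c + s.probe2_c) / 2, s.pressure_bar)]
    return redundancy, plausibility


if __name__ == "__main__":
    samples = simulate([100.0, 115.0, 118.0, 120.0, 125.0, 130.0, 135.0])
    for s in samples:
        print(f"actual {s.actual_c:6.1f}  reported {s.probe1_c:7.2f}  "
              f"pressure {s.pressure_bar:.3f} bar")
    red, pla = analyse(samples)
    print("redundancy alarms  :", red)   # [] : both probes lie identically
    print("plausibility alarms:", pla)   # [120.0, 125.0] : fires while the offset is large
```

Because both probes are rescaled inside the same PLC, comparing them to each other proves nothing; the plausibility check only helps while the pressure signal reaches the historian by a path the compromised PLC cannot rewrite, such as a separate transmitter wired to its own controller or an analog chart recorder.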

UPDATE

Houston, TX

Rumors have been confirmed that as part of the bankruptcy settlement, IB Kaghun is providing the details about the manufacturing process for TMD to one of his suppliers, a major chemical company outside of Houston. This is being used in lieu of cash payment for the debts to that company. There are no plans to re-open the facility in Louisiana, according to industry sources.


There are also rumors that the Federal government is considering sanctions against Tianjin Chemical for their alleged part in the hacking of Blew Bayou Chemical.

Monday, January 2, 2017

ECS-CERT Confirms Ransomware Attack

The Chemical Safety Bored (CSB) and the Electronic Control System CERT (ECS-CERT) issued a joint statement today confirming that the recent spate of fires at the Rafael Ravard Refinery south of Baton Rouge was the result of a ransomware attack on the electronic control systems at the refinery. According to the statement, the attack was caused by a new variant of the GUMMI BAREN worm associated with the Stasi Ehemalige, a German criminal syndicate.

Immanuel C. Securitage, the ECS-CERT lead for the refinery investigation, stated that the new variant of GUMMI BAREN has been modified specifically to attack electronic control systems that use the programmable logic controllers manufactured by Robotron, a German electronics company. The Robotron update system has apparently been hacked by Stasi Ehemalige, and the GUMMI BAREN launcher was included in the latest PLC updates.

Robotron has issued a statement that they are working closely with ECS-CERT to identify the source of the problem with their updater and currently recommend that their customers do not apply the most recent update to their PLC firmware.

Securitage explained that the GUMMI BAREN variant was specifically designed to infect multiple PLCs at a facility via an engineering laptop. The worm includes a delay mechanism so that the encryption of the PLC firmware takes place simultaneously across an organization.


Cesar Chavez, a spokesman for the Rafael Ravard Refinery, confirmed that a ransom of 1000 bitcoin was demanded by Stasi Ehemalige. The refinery has refused to pay the ransom. Chavez noted that the facility has backups of all firmware for its electronic control system. As soon as the facility has recovered from the uncontrolled shutdown caused by the ransomware attack, they expect that only a short turnaround will be needed to get the facility back into production.