The short post ‘New Ransomware Crippling Chernobyl Sensors’ published on 28 June 2017 by Jack Laidlaw at HACKADAY deeply frightened me. I was relieved to read, that no Industrial Control Systems (ICS) were affected.
ICS at the Chernobyl Power Plant. Picture Credits: Chernobyl NPP Press Center, chnpp.gov.ua
The following press statement was published at the Power Plant’s homepage:
As of 27.06.2017 due to the cyber attack: the SSE ChNPP’s official website was not accessible, servers for controlling the local area network and auxiliary systems of SSE ChNPP information resources (mail server, file-sharing servers, Internet resources’ access server, electronic document flow system server) were switched off. There was partial failure in operation of personal computers of workplaces of operators of individual radiation monitoring systems without loss of the control function as a whole.
From the recent cyber-attacks on industrial systems we know, that the attacks always start in the office network of a production site. Once an office computer is hijacked, the cyber criminals use it as a base to further probing the network until they find a weakness in the network configuration which allows them to attack the production network.
Thus, we should not take this matter lightly. In my opinion, the production network of nuclear power plants must be fully isolated from the office network, and the internet. Period.
Ethan Zonca’s report ‘Hacking the Nike+ Fuelband‘ published on HACKADAY some days ago is somewhat alarming, although the device is just an electronic gadget that makes our daily life hopefully not more complex.
But this hack should make us really worried, if we consider devices in safety relevant systems or devices connected to critical infrastructure.
Consider a mobile phone that connects via Bluetooth to your CAR’s audio system. Today, a car is a computer on 4 wheels, and the audio system is an interface to this computer. Now think about a malware on your phone that shuts down this computer at 200 km/h.
Ok, only crazy guys drive at this speed, and only in Germany. But the impact of a completely uncontrolled crash on other road users and the environment might be catastrophic.
The Internet of Things offers us sheer unlimited opportunities. But IT security comes first, because it’s the basis for safety. The developers of this fuel band didn’t waste a thought on IT security. I bet threat modeling is completely unknown to them. Hopefully they tried harder in the case of your car’s computer, or in the case of sensors controlling the temperature in power plants…
A keystroke sniffer that records and decrypts keystrokes sent from wireless keyboard – simply brilliant, and truly frightening. In offices where business critical information is processed, wireless keyboards should be banned as soon as possible.
What really worries me is that, in the fight against the omnipresent danger from the Internet, we miss the obvious under our fingers.