Colonial Pipeline and how it's shut down effects all (Page 7/10)
blackrams
MAY 12, 11:29 AM

quote | Originally posted by williegoat:
I would like to hear from IT people, the cyber security cognoscenti, on how this fell apart, what could we, should we have done differently.
I know it's not an easy answer, a constant cat and mouse game. But how do we change the game?

Obviously, I'm not qualified to offer any opinion on this but I really don't understand why the operation system isn't totally separate from any potential email system. What I heard on the news was the bad guys get access through folks' emails with a virus. True or not?
Rams
[This message has been edited by blackrams (edited 05-12-2021).]

sourmash
MAY 12, 12:02 PM

quote | Originally posted by williegoat:
The way I see it, Keystone XL would be an improvement to our supply chain infrastructure and as such, would reduce our vulnerability, overall.
Real infrastructure, not the leftist newspeak definition.

I wonder if anyone else remembers Robert Reich saying (under the Obama Presidency) that infrastructure stimulus wasn't intended to go to the typical White male construction workers?

82-T/A [At Work]
MAY 12, 12:50 PM

quote | Originally posted by williegoat:
Maybe seeing what this outage is doing will make some people realize how utterly stupid it was for our president to shut down Keystone.

Unlikely at all... what will happen instead is that the mainstream media will not discuss the Colonial Pipeline issues much at all, other than a casual comment about it. Any discussion that they do give will be geared towards a few things:
1 - Government needs to regulate businesses better
2 - This is why we need to get off fossil fuels
3 - Trump left the country in a precarious state with his scandals, now Biden has to clean up the mess.
All of it will be total nonsense of course...

82-T/A [At Work]
MAY 12, 01:05 PM

quote | Originally posted by williegoat:
I would like to hear from IT people, the cyber security cognoscenti, on how this fell apart, what could we, should we have done differently.
I know it's not an easy answer, a constant cat and mouse game. But how do we change the game?

Stop hooking ICS and SCADA systems up to the internet.

Every SCADA and ICS system usually is an "air gapped" network, supposedly. There are usually three tiers... you have the business network, which is ALWAYS connected to the internet... these are the computers of all the people working there, Exchange server, domain controllers, payroll, whatever. Then you have the second level down, which is usually firewalled off. They call this an "air gapped" network generally, but it is not. There are still connections to the business network, and they use things like ACLs and VLANs to segment the network from the business network. This second layer of the network has things such as the Historian, HMI (Human to Machine Interface) and other servers that manage the manufacturing and industry systems. Further still is the control layer, which is the third layer down, and that's where all the PLCs (Programmable Logic Boards) are located which actually interface with the machinery. These PLCs and such interface with the HMI in the network above it through (hopefully) specifically configured whitelisted routers that only allow specific traffic.

What happens most often is that someone on the business network is surfing the internet... maybe p0rn, sometimes Facebook. They go to a website that's not blocked and it causes a "trojan dropper" which exploits the machine in some way. It then does a call-back to what's called a "listening post" which retrieves more malware and usually something like a RAT (remote access tool) or an implant, or whatever it might be. In this case, cryptoware software which propagates through network and file shares encrypting anything it can find of any importance. This can all be fixed with the encryption key. Since it's usually encrypted with 256 AES or something of the sort, there's just not enough years in a lifetime to crack it with today's processors... so the business either has to start over, or pay the ransom.

Now, when these hackers get onto the business network, the very first thing they try to do is get onto an administrator's box... usually someone with high-level creds which they can capture using some other mechanism or software that they find. Since most people are morons, they save passwords in text files or Excel spreadsheets... so the credentials for all the routers and switches are probably saved locally on the admin's box, or on corporate shares. Sometimes it's quite literally saved as passwords.txt. If not, it will routinely show up in the MRU (most recently used), journal, SuperFetch, or a bunch of other forensic artifacts that the hacker can easily search for. The hacker gets a hold of this, and then is able to get through the firewall between the business network and the operations network that has the HMI, Historian, etc. From there, the crypto worm can spread through the Operations Network, basically encrypting everything on that network and effectively halting operations.

What companies need to do is STOP connecting the Operations Network to the Business Network. They do this for ease of data transfer and for business metrics and other things. They sell "one-way" data diodes that allow you to transfer data from one network to another, and literally no way possible in the opposite direction. This is what they need, and ALL they need... and all that should be connecting between the Operations and Business network.

Oftentimes, they still connect the networks through things like dial-up modems (yep) so people can remotely monitor the industrial / operations network from home... or gasp, they just hook the internet right up to the operations network.

Bottom line... people HAVE GOT TO STOP hooking their SCADA and ICS networks up to the internet... period. There's no excuse... none whatsoever. Pay someone to monitor the facility 24/7... do it in shifts... problem solved. If you want to know what's going on, set up a phone so the CEO, CIO, or any Dick and Jane in the company can call and find out. Use a data diode to transmit data to the business network for metrics... stop connecting the operations network to the internet... and people need to stop looking at p0rn and sports information on their work computers.

Just go to http://shodan.io and you can do a search for literally thousands of exposed SCADA and ICS networks that you can freely hack right now if you want to. A good portion of these are fake honeypots that are either part of the HoneyNet project, or foreign governments looking to see where attacks are coming from. But many of them are still legitimate... and completely exposed.

EDIT: Fun fact, shodan.io was named after "Shodan," the evil AI computer character from the late 1990s computer game, System Shock... she looks like this in digital form...
[This message has been edited by 82-T/A [At Work] (edited 05-12-2021).]
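The three-tier layout 82-T/A describes (internet-facing business network, firewalled operations network with Historian and HMI, control layer with the PLCs, and nothing but a one-way data diode feeding operations data back to the business side) can be written down as a policy and checked against a firewall rule list. The block below is an added example for this thread, not code from any poster, vendor or the pipeline operator; the zone names, the `Rule` format, the "remote" zone standing in for a dial-up modem, and the sample rule set are all constructed for illustration. It flags exactly the connections the post argues against: business-to-operations paths, remote or internet paths into operations, operations-to-business traffic that does not cross a diode, and control-layer rules that are not whitelisted to a specific protocol.

```python
"""Audit a firewall rule list against a three-tier ICS segmentation policy.

Added example (not from the forum post). Zones, the Rule format and
SAMPLE_RULES are constructed; the policy encodes the tiering described in
the thread: business <-> internet is expected, operations -> business only
through a one-way diode, operations <-> control only on whitelisted
protocols, and nothing else between zones.
"""
from dataclasses import dataclass

INTERNET, BUSINESS, OPERATIONS, CONTROL = "internet", "business", "operations", "control"

# Zone-to-zone flows the design permits. Any other cross-zone rule is a finding.
ALLOWED_FLOWS = {
    (INTERNET, BUSINESS),    # mail, web, etc. on the business side
    (BUSINESS, INTERNET),
    (OPERATIONS, BUSINESS),  # permitted only via a data diode (checked below)
    (OPERATIONS, CONTROL),   # HMI / Historian talking to PLCs
    (CONTROL, OPERATIONS),
}


@dataclass(frozen=True)
class Rule:
    name: str
    src_zone: str
    dst_zone: str
    protocol: str   # constructed notation, e.g. "tcp/502" (Modbus) or "any"
    via: str = ""   # "diode" when the path is a one-way transfer device


def audit(rules):
    """Return [(rule name, reason)] for every rule that violates the policy."""
    findings = []
    for r in rules:
        if r.src_zone == r.dst_zone:
            continue  # intra-zone traffic is out of scope for this check
        flow = (r.src_zone, r.dst_zone)
        if flow not in ALLOWED_FLOWS:
            findings.append((r.name, f"{r.src_zone} -> {r.dst_zone} is never allowed"))
        elif flow == (OPERATIONS, BUSINESS) and r.via != "diode":
            findings.append((r.name, "operations -> business must cross a one-way diode"))
        elif r.dst_zone == CONTROL and r.protocol == "any":
            findings.append((r.name, "control-layer rules must whitelist a specific protocol"))
    return findings


# Constructed sample rule set: three sound rules and four of the mistakes the post describes.
SAMPLE_RULES = [
    Rule("biz-web", BUSINESS, INTERNET, "tcp/443"),
    Rule("historian-feed", OPERATIONS, BUSINESS, "tcp/8443", via="diode"),
    Rule("hmi-to-plc", OPERATIONS, CONTROL, "tcp/502"),
    Rule("metrics-pull", BUSINESS, OPERATIONS, "tcp/1433"),   # business reaching into operations
    Rule("dialup-monitor", "remote", OPERATIONS, "any"),     # the dial-up modem from home
    Rule("legacy-sync", OPERATIONS, BUSINESS, "tcp/445"),    # file-share sync with no diode
    Rule("plc-any", OPERATIONS, CONTROL, "any"),             # control layer not whitelisted
]

if __name__ == "__main__":
    for name, reason in audit(SAMPLE_RULES):
        print(f"FINDING {name}: {reason}")
```

The diode rule is the one worth dwelling on: the policy allows the operations-to-business direction only because the post's whole argument is that metrics can leave the operations network without anything being able to come back, so a rule on that path that is not marked as a diode is treated as a finding, not as an acceptable two-way link with ACLs.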

maryjane
MAY 12, 01:47 PM

quote | Originally posted by blackrams:
Yes, I did respond to willie but, you're barking up the wrong tree. Tying these two events together is like oil and water, the only relationship would be in oil futures as I see it. There may be an abundance of oil now but the cost of getting that oil to the refineries went up or, was kept higher than it needed to be with the cancelation of KeystoneXL. My understanding is the KeystoneXL would only carry crude, is that in error? Additionally, I didn't think the pipeline in question carried much crude oil. May have but, my understanding is mostly finished product. Am I wrong on that? No issues here if I'm incorrect and you have more accurate information.
Rams

I'm not the one that started the barking on a red herring. You 2 are. My ? was why.
KeystoneXL would have only carried HEAVY crude from Canada and from the oilfields in Montana and the Dakotas. WTI and other Tex/La/Okla crudes are lighter crudes and are usually blended with heavier crudes prior to the refining because they can get a bigger variety of products from the blend than from just the lighter crudes since the cracking chain is longer. (More olefins is the big advantage they get from the blend.) XL would join the existing Keystone in Kansas to carry the heavy crude to the refineries near Houston. Canadian heavy crude is already carried thru the existing Keystone lines; XL was just an extension to enable a different source (Montana/Dakota).
Colonial Pipeline is actually several pipelines and not all of them run the entire distance from the Gulf Coast to the NE. Line 1 is the biggest (40" diameter), beginning in Pasadena Tx, and it terminates in North Carolina. It has various injection supply points but the primary point is in Pasadena; other fairly large injections can be done in Baytown, Beaumont, Port Arthur Tx, Lake Charles La, and Collins Mississippi. Line 1 also has various lateral or stub lines, feeding areas as it traverses East and NE. This is the line carrying most of the gasoline to points East and NE.
Line 2 is a 36" line that almost always carries distillates (low and high sulfur diesel, heating oil, jet fuel, kerosenes, and specialized fuels for the US Military, specifically for the USN). It too begins on the Tx coast and is a 36" line, with its own stub lines radiating out to different destinations, each with their own number. (Line 20, for instance, carries distillates from near Atlanta to Nashville Tn.) Line 2 terminates the same place as Line 1, near Greensboro N.C. Different components are pumped in batches and usually don't trans-mix with each other due to laws of hydraulics (specific gravity, for instance).
Line 3 begins in Greensboro N.C., as does Line 4. Line 3 (gasoline) beyond Goldsboro N.C. is a 36" line and Line 4 (distillate) is a 32" line. Line 4 ends in Woodbine Md at the Dorsey terminal and only Line 3 continues on to Linden N.J. Line 3 changes from a 36" line to a 30" line in Md.

Jake_Dragon
MAY 12, 01:49 PM

quote | Originally posted by williegoat:
I would like to hear from IT people, the cyber security cognoscenti, on how this fell apart, what could we, should we have done differently.
I know it's not an easy answer, a constant cat and mouse game. But how do we change the game?

Well, let's see: you cut jobs and redistribute the work. You force mandatory overtime for salaried employees. Managers are put in positions they should not hold. Security is too hard.

blackrams
MAY 12, 01:51 PM

quote | Originally posted by maryjane:
I'm not the one that started the barking on a red herring. You 2 are. My ? was why.
KeystoneXL would have only carried HEAVY crude from Canada and from the oilfields in Montana and the Dakotas. WTI and other Tex/La/Okla crudes are lighter crudes and are usually blended with heavier crudes prior to the refining because they can get a bigger variety of products from the blend than from just the lighter crudes since the cracking chain is longer. (More olefins is the big advantage they get from the blend.) XL would join the existing Keystone in Kansas to carry the heavy crude to the refineries near Houston. Canadian heavy crude is already carried thru the existing Keystone lines; XL was just an extension to enable a different source (Montana/Dakota).
Colonial Pipeline is actually several pipelines and not all of them run the entire distance from the Gulf Coast to the NE. Line 1 is the biggest (40" diameter), beginning in Pasadena Tx, and it terminates in North Carolina. It has various injection supply points but the primary point is in Pasadena; other fairly large injections can be done in Baytown, Beaumont, Port Arthur Tx, Lake Charles La, and Collins Mississippi. Line 1 also has various lateral or stub lines, feeding areas as it traverses East and NE. This is the line carrying most of the gasoline to points East and NE.
Line 2 is a 36" line that almost always carries distillates (low and high sulfur diesel, heating oil, jet fuel, kerosenes, and specialized fuels for the US Military, specifically for the USN). It too begins on the Tx coast and is a 36" line, with its own stub lines radiating out to different destinations, each with their own number. (Line 20, for instance, carries distillates from near Atlanta to Nashville Tn.) Line 2 terminates the same place as Line 1, near Greensboro N.C. Different components are pumped in batches and usually don't trans-mix with each other due to laws of hydraulics (specific gravity, for instance).
Line 3 begins in Greensboro N.C., as does Line 4. Line 3 (gasoline) beyond Goldsboro N.C. is a 36" line and Line 4 (distillate) is a 32" line. Line 4 ends in Woodbine Md at the Dorsey terminal and only Line 3 continues on to Linden N.J. Line 3 changes from a 36" line to a 30" line in Md.

Yep, you just verified what I thought. I honestly don't understand what about this statement got you like a dog with a bone.

quote | Originally posted by blackrams:
Willie, most already know this and several won't admit it. Makes ya wonder what the hell they are thinking or, what direction they intend to take us. I don't see this ending well.
Rams

You're apparently looking for a contest; I don't care to participate. Have fun. It'll just have to be without me.
Rams
[This message has been edited by blackrams (edited 05-12-2021).]

maryjane
MAY 12, 02:14 PM

I merely asked a simple question, asking you to qualify why you saw fit to help bring KeystoneXL's crude oil pipeline into the discussion of a gasoline and distillate pipeline. You can answer it or play the safe card and pull your dog out of it... again. Your choice.

blackrams
MAY 12, 02:15 PM

Hudini
MAY 12, 07:30 PM

OK, the pipeline is back in business. We will see how long before things return to normal. You think these knotheads will learn their security lesson?