Water System Hack 14

Status
Not open for further replies.

1503-44

Petroleum
Jul 15, 2019
6,673
Florida water supply system hacked. Chemical dosage modified to dangerous levels.
It is OK to monitor systems via Internet, but control via web-connected systems pushes the risk. Why are controls of critical infrastructure connected to the ^#%#$ internet? Should remote control of critical systems not be limited to private networks with an Internet air gap? IOT is starting to look more like I-DI-OT.

 

I think it's unlikely there was any real public health risk. The 'poison' was sodium hydroxide. I doubt that the levels were high enough to have any lasting health effects if it made it out of the plant, but I'm sure there is real-time monitoring and alarming to take place in the event of this kind of trouble. If it was someone who knew how to circumvent these layers of safety, then I'd say it had to be a disgruntled employee or ex-employee. Either way, the culprit is likely to be identified quickly.

I do agree that internet-facing process equipment should be avoided whenever possible.

Brad Waybright

The more you know, the more you know you don't know.
 
This time. Wait until they find the Cl2 gas, or control rods. Even the possibility that it was a disgruntled former employee doesn't help. They have been known to be very dangerous, occasionally murderous, and probably more so than some random Internet nerd who usually just wants to break into a system to prove that they can. Plus, disgruntled employees know the soft spots.

The problems with alarms are many and well documented. They are always sounding when something explodes.

 
Stuxnet breached an air gap, so that's no longer a solution by itself. Data diodes (allowing one way direction of data) also have limitations. Clearly they need to up their security, though.
 
That makes me feel worm and cozy. Yeah. Something's gotta be done alright. If it can happen to them ...

 
Most utilities only have relatively smart programmers on the billing side. One wonders if the remote access has a strong password like "password." Organizations can be quite slow to change; even in the face of breaches, it's taken several years for our company to institute mandatory two-factor authentication for internal systems.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
Note that the issue was ONLY caught because it happened directly in front of an operator, AND, it does not appear that the bad setting set off any alarms, since you would think they would have mentioned it, even if it wasn't true, to reinforce the notion that everything was safe.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
I was thinking that too. I'll also just bet that it is simply the user's Win10 password, access authenticated via user category permission list, rather than a unique and specific password to access the control system that only a couple of people know. Hackers that gain access as administrators could rewrite the permission list to allow "everyone" and nobody needs to guess any more secure passwords after that.

And it makes me wonder how a supposedly dangerous setting would be accepted by the control software, especially without initiating an immediate alarm if such a value was entered. No data entry verification? Even my sim software alarms when I enter a pipe length that is obviously too long, too short, or a pressure that is obviously too high and the sim won't run until I change the values, or change the default limits.

 
Limits work both ways; we once had a cryocooling configuration for a sensor developed and were asked by some production guys what our secret sauce was; same company, so naturally we showed them. Days later, they came back and told us that their systems were still failing, but it was because the systems got TOO cold. And, to top everything off, it turned out our secret sauce was actually developed by an earlier set of production guys. It's likely that the operators they have aren't the brightest bulbs, so easy passwords, no two-factor, and no setting limits, because the operators enter wrong values all the time, setting off alarms all the time that have to be explained to management.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
If you want to get someone's attention by a hack, then change the setpoints.
If you want to really wreak havoc, silence or disable the alarms and limits, then change the setpoints.


Bill
--------------------
Ohm's law
Not just a good idea;
It's the LAW!
 
Our distributed system is a separate network isolated from the internet by firewall. Any access requires a firewall rule to allow it. Security accounts on the automation network are managed separately from Windows accounts. As of yet, this architecture has proven to be secure.

I have on several occasions tried to point out that our business relies as heavily on our office network as it does on the automation systems. Assuming our ERP was compromised, we can't enter PO numbers, print bills of lading, pay employees, or anything.

If you're worried about a drinking water system being attacked, then just wait until someone successfully shuts down a large bank, Wall Street trading, or the like. That's when REAL chaos will ensue.

Brad Waybright

The more you know, the more you know you don't know.
 
Having walked many water plants small and large, the physical and network security systems are relatively lax. Where I live, very lax.
I am surprised that bad actors - the 1% of trouble-makers in our society - don't take better advantage of the collective bliss of public agencies.
Those damn thieves raise my water rates every 2 years, they can do better than a 6 ft chain link fence around treatment facilities and 4-digit passwords to the internet-linked SCADA system.
Seems like basic common sense standards are rarely improved unless something very bad happens. Then there's a predictable over-reaction. Human nature, I guess.
Society won't see real change in network security until hackers shut down high profile and much needed businesses like Netflix and Amazon Prime Video for more than a few days. Then politicians will get involved. And maybe a small bump up in birthrates the following year.
 
And people complain about our IT, external access via VPN with randomly generated single use passwords, when ultimately every piece of equipment on our floor is tied to the network.

= = = = = = = = = = = = = = = = = = = =
P.E. Metallurgy, consulting work welcomed
 
As someone mentioned recently in another thread;
"The S in IOT stands for security."

Bill
--------------------
Ohm's law
Not just a good idea;
It's the LAW!
 
 
I don't know for sure, but normally a risk assessment or HAZOP should ask if a wrong setpoint for any chemical (by operator error) poses risk for plant staff or the public => if the answer is "yes", there would be a SIL-rated hard limit on the concentration. Unless the hard limit can't be enforced for process reasons (there are conditions where the high dose is necessary).

This assumes a framework like the EU Machinery Directive and the Seveso-III directive. Not that I'm not an expert in either! Are there similar laws/codes in the US?

The German water association, DWA, published guidelines on computer security (DWA-M 1060) for water and wastewater plants. I'm not an IT person and haven't really read it; it appears to be more on the management/systematic approach (risk assessment etc.) side than on concrete technical ideas, though a catalogue of common threats and a catalogue of common threat mitigations are mentioned somewhere. The DWA-M 1060 also ties in with German federal laws regarding security of critical infrastructure.
Does the US have something similar?
 
We use setpoint limits. In this case, as the 'poison' was sodium hydroxide, I would assume the control element was sensing pH. If that were the case, I would be surprised if a setpoint limit was not employed, and also no alarm would be triggered. Even if a hacker got in, placed the output in manual and ran at 100% addition rate, there should still be an alarm related to the process value. There should also be some (obvious) indication of deviation from setpoint to process value. That would be standard engineering practice.

Brad Waybright

The more you know, the more you know you don't know.
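
The layered checks described in the post above (a setpoint limit, a process-value alarm that still fires when the output is forced in manual, and a setpoint deviation indication), as an added sketch that is not from the thread or from any vendor's control software. The pH limits, deviation band, class and user names are assumed values for illustration.

```python
from dataclasses import dataclass, field

# Assumed illustrative engineering limits for a pH loop (not from the thread).
SP_MIN, SP_MAX = 6.5, 8.5      # allowed setpoint window
PV_HIGH_ALARM = 9.0            # process-value high alarm, independent of mode
DEVIATION_BAND = 0.5           # max |PV - SP| before a deviation alarm


@dataclass
class PhLoop:
    setpoint: float = 7.5
    mode: str = "auto"          # "auto" or "manual"
    output_pct: float = 0.0     # dosing pump output, 0..100
    audit: list = field(default_factory=list)

    def write_setpoint(self, value: float, user: str) -> bool:
        """Reject out-of-range setpoints and record every attempt."""
        ok = SP_MIN <= value <= SP_MAX
        self.audit.append((user, "setpoint", value, "accepted" if ok else "rejected"))
        if ok:
            self.setpoint = value
        return ok

    def force_output(self, pct: float, user: str) -> None:
        """Manual mode bypasses the setpoint, so it must not bypass alarms."""
        self.mode = "manual"
        self.output_pct = max(0.0, min(100.0, pct))
        self.audit.append((user, "manual_output", self.output_pct, "accepted"))

    def alarms(self, pv: float) -> list:
        """Evaluate alarms from the measured pH only, whatever the mode."""
        active = []
        if pv >= PV_HIGH_ALARM:
            active.append("PV_HIGH")
        if abs(pv - self.setpoint) > DEVIATION_BAND:
            active.append("SP_DEVIATION")
        return active


def demo():
    loop = PhLoop()
    rejected = not loop.write_setpoint(12.0, "remote_session")  # out of range
    loop.force_output(100.0, "remote_session")                  # manual, full dose
    return rejected, loop.setpoint, loop.alarms(pv=9.4), loop.alarms(pv=7.6)
```

Because `alarms()` reads only the measured value, changing the mode or the output cannot silence it; the audit list keeps the rejected write as evidence for later review.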
 
stevenal said:
Stuxnet breached an air gap
Well, I am not sure that is quite the same; normal hackers and disgruntled former employees do not have the same resources as the FBI and the Mossad.

I am working from home and through a VCN tunnel, so I am inside the system.
But I could easily shut down the whole factory whenever I felt like it.
I could also find a way of doing it so it would take them a while to figure it out because they would not expect a "fault" like that.

I always said that when I retire, I'll hack the traffic lights on the main road through the city, a 10-year-old could have programmed them better.
They complain that CO2 emissions are so high there, but it is completely impossible to get through the city when there is a lot of traffic without having to stop at every traffic light.

Best Regards A

“Logic will get you from A to Z; imagination will get you everywhere.”
Albert Einstein
 
Here's an idea, program the traffic lights so you must stop at every intersection.

Wait, someone's already done that.

Since one of our water plants must take fluoride out of the water, and the other needs to add fluoride to the water, what can we do with that?

 
Well, maybe I will start a crowdfunding and ask people to pay me for letting them pass without stopping at every traffic light. ;-)

I do not think we have that problem here.

Vakin is responsible for the operation of 18 waterworks, of which the largest is Umeå waterworks.
In the Tap Water Competition 2020, Vindeln's water was named one of Sweden's best and Umeå's water received an honorable mention.

Best Regards A.

“Logic will get you from A to Z; imagination will get you everywhere.”
Albert Einstein
 