360 Degree Cyber Security, LLC

Tag Archive:network scanning

Lost control of traffic control systems

March 24, 2018 – In this day and age, we mostly understand the requirement to protect information whether it is personal, or business related.  Positions related to information security can be found around the country typically in organizations larger than a small enterprise.  This included government organizations at all levels; federal, state, county, & municipal.

These organizations not only have the responsibility of protecting personally identifiable information of their citizens, but may also have additional standards/requirements they need to follow such as

  • PCI/DSS
  • HIPAA/HITECH
  • FERPA

If the organization is solely seeking to just meet the requirements, then they may be missing additional areas that need to be protected.  The Information Security Officer needs to transition to being a Security Officer responsible for securing all things digital, especially if they are critical for normal daily life.

Elements of critical infrastructure, such as the water supply and waste water have been in the news.  Some of the other services some municipalities provide and should be concerned with protecting are the transmission of electricity, Cable TV, and Internet services if they are services that they are responsible for providing.

As government agencies increasingly depend on devices that offer some advantage to remotely managing or gathering information from, more are being placed on the Internet.  One such device is the traffic controller.  These devices are found at individual intersections and can be linked together to improve traffic flow.

Traffic control systems are a form of an industrial control system.  They don’t operate at the speeds found in manufacturing systems, but they do operate in a similar manner.  They take inputs from road and optical sensors, adjust as programmed, and trigger events such as changing the lights from red to green.

So, what would happen if those control systems are left open to the world?  Well it could lead to scenes found in such movies as Live Free, Die Hard, or The Italian Job.  Recent research into traffic control systems led to the discovery of over 250 traffic control systems on the Internet in the United States and Canada.  Of those discovered, I was able to locate 25 in Canada and 24 in the United States that were open where the username and password were disabled.

Devices were found that controlled major intersections on a main thoroughfare where a highway intersected the road in two large cities.  Eleven out of 15 traffic control systems were found on a single major road through a city in California.  Several were discovered that belonged to a city in Texas.

What was concerning about the city in Texas, was that the city would not have known if those handful of devices were not open to the Internet.  Based on the IP address, there are assumptions that can be made about other IP addresses in the same address range that are protected by a login prompt.  This may represent all the traffic control systems in the city.

The traffic controls discovered are modular in nature.  Seeing that most of the Texas devices are protected with a username and password, it would seem those that are open to the Internet are that way probably due to maintenance where a module was replaced.

These findings were reported to the U.S. municipalities where these traffic control systems are located.  This was to allow them the opportunity to secure the system.  Hence the lack of specific details in this article.

Protecting traffic control systems from outside access is just as important as protecting all the information that the government organizations are responsible for protecting due to standards and regulation.  Traffic control systems are just as critical as water, sewage, and electricity and should be protected just the same.

Suggestions for organizations that manage traffic control systems:

  • Periodically scan Internet addresses of traffic control systems known to belong to the government organization to identify which ones are open.
  • Add traffic control systems to a security inventory, in addition to the standard information (model, serial number, etc.) annotate the IP address and port of any web portal the system has enabled.
  • Add traffic control systems to a change control process.
  • After any maintenance, remotely test connect to the device to ensure that login is required and that it is not the default login credentials

After all, who likes sitting in in traffic now?  Imaging what would happen if someone wanted to make it worse by remotely controlling the traffic control system from elsewhere in the world?

State of Cyber Security in the First State

delaware-county-map
T
his week ethical and unethical hackers and cyber security professionals from all over the world are gathered in Las Vegas for two of the largest cyber security conventions , DEFCON & Black Hat.  DEFCON attracted nearly 15,000 people in 2014 and Black Hat attracts cybersecurity professionals from different industries.  Attendees to both conferences have differing motives and come from various backgrounds and experience. The attendees represent government, commercial, and criminal entities.

 

As a cyber security professional, I am always looking for ways to improve the cybersecurity of my clients.  Sometimes, it is just a good idea to take a step back and look at the forest as a whole and develop a general idea of how much cyber security is being addressed.  I recently conducted a survey to determine just how many openly Internet accessible devices there are in the state of Delaware.  I used an online service called Shodan and it revealed that there are nearly 1.2 million devices advertising services that are tagged as being in the state.  This can be deceiving in that some organizations in the state use web service or Internet service providers (ISP) in other states.  Despite that, it provides a decent snapshot of the general security of Internet connected devices.  Let’s put the numbers retrieved from Shodan into perspective, the U.S. Census Bureau estimates that in 2014 there were over 935,000 that call Delaware home.  That roughly equates to 1.3 devices publicly accessible on the Internet for every person in Delaware.  That does not include the number of devices that are not advertising their services even though they are connected to the Internet.


Those that do not advertise their services are safer than those that do.  Of those that are advertising their network services you will find schools (public & private schools, colleges & universities), hotel chains, car dealerships, places of worship, medical and dental treatment facilities, law offices, newspaper agencies, etc.  The services open to the world included printer and file systems.  The file systems exposed employee names, projects and sensitive documents.  such as  financial information.  Without actually entering their system, I was able to observe the filenames and folders that data was stored in.  This enabled me to determine the business’ name and with a simple Google search I learned that this particular business was owned by a politician.  Just think about the ramifications if a hacker with criminal intent had found that open system.  Fortunately for them, as a professional I reached out to the business and they were able to close the hole to the Internet by which their data could have leaked.


In another example an industrial facility, which I was not able to contact, exposed similar information, but had internal machinery exposed to the Internet as well.  It would not have been too difficult to modify the machinery processes by stopping the equipment or preventing it from stopping.  That very scenario played out late last year at a German steel mill in which a blast furnace was damaged.
 
During my survey, I literally found a gas station where I could have changed (if I was a bad guy) the quantity of gasoline in the storage tanks. Just think about it, I could have said the tanks are full and a new supply may have not been delivered and could have led to the station running out of gas. Worse yet, I could have reported the tanks near empty which would lead to them potentially being overfilled. Admittedly, I don’t know if there are any safe guards in place to prevent an overflow situation, but if those failed, the service station could be looking at paying for the clean-up.
 
I saw a number of servers connected to the Internet that would be easy prey for cyber attackers. The information on the server maybe worthless, but to the attacker it can be a way of disguising an attack on larger and more lucrative target. Reminds me of how children say it wasn’t me.


These examples represent how small businesses can potentially become a target for cyber attackers.  Hackers with criminal intent may look at the advertised network services as a potential entry method to get into the business’ network.  This can result in the installation of malware or ransomware which can lead to devastating affects to your data and that of others businesses you connect with.


The most alarming part of the survey was quite a few critical infrastructure related organizations are open to the Internet.  This includes water companies, fire and EMS organizations, and electricity providers.  Of the organizations found, some are subject to compliance reporting due to the data they process or infrastructure they control, yet were found to be open and easily identifiable.  After all the news about BlackEnergy2 and breaches of OPM, Anthem, UCLA Health System and others, basic cyber security is still not being adequately addressed.


Large corporations typically have teams addressing cyber security.  Mid-sized and large small businesses may have assigned staff or dual hat their IT staff with some of the functions.  However it is the truly small business (less than 150 employees) that represents the greatest cyber risk.  This includes everything from the small mom and pop corner store to the businesses that provide mechanical or financial services.  They typically don’t have an IT staff or they contract it out to a managed service provider.  There are well documented examples where businesses thought they had cyber security addressed but in fact were not prepared at all.  Those businesses have the ability to bring corporations to their knees as they spend millions to fix the damage.


The lack of preparation has its costs.  The cost of a breach continues to rise.  The cost is dependant upon the information lost as indicated by the IBM sponsored 2015 Cost of Data Breach Study: Global Analysis by Ponemon Institute, LLC.  In the study, the average cost per stolen record runs about $154, with healthcare related data costing as much as $363 per record.  The cost per record is driven direct and indirect costs.  The direct costs associated include notification (which is required in Delaware), investigation, and remediation of the breach.  Indirect costs have the most substantial effect as it takes into account the potential loss of customers once a breach is made public, often by an external entity.  Cyber insurance MAY help absorb the cost of a breach, but recently, insurance companies have started to decline payment if a business fails to implement any sort of cyber policy or practices.


In the end, it comes down to businesses of all sizes and in all industries in the First State to address cyber security.  Failure to do so can leave us with small businesses that drive the economy failing by not being able to recover from a breach.