US passes emergency waiver over fuel pipeline cyber-attack (opens in new tab)

I reckon air-gapped networks are a valid defense. If something needn't be connected, why let it? It mitigates so many threats.

> Attach a fine to the discovery and disclosure and you disincentivise that prudence.

Sue them. Failure to disclose key documents in the discovery phase of a trial carries hefty fines and jailtime. And quadruple the fine for misrepresenting the cause.

People act like the government doesn't have the power of subpoena. They can absolutely compel you to tell the truth.

Security through obscurity is almost always a bad idea. There are exceptions: namely nuclear missiles.

There are counterarguments to this, but they're mostly academic: https://core.ac.uk/download/pdf/228618432.pdf.

Stuxnet, by contrast is very real

"If the product is bungled, the company is not likely to get the next contract."

Indeed the best evidence supporting this view is that Natanz was fully air-gapped and still got destroyed by the Stuxnet hack.

That said I have heard of customers expressing desire to control valves and pumps using iPhones, and believe there are several initiatives at SCADA/PLC/DCS/System Integrator companies to provide this.

However I've seen as many of those in practice as I have data-diodes, which is to say, none/never.

This question of missing cyber security audits came up for me in discussion of the Verkada hack. That’s the startup providing security cameras inside hospitals, prisons and schools.

It seems like cybersecurity and audits of security readiness need to be demanded from any authority over companies operating in sensitive areas.

Is that like how the banks all got serious about evaluating their risk carefully after the first time [1] they saw their models, and consequently their liquidity, evaporate?

Obviously I agree about your dissatisfaction with the other proposed solution: that just lets corporate entities put a low (10%) ceiling on what should be unlimited liability, allowing them to say that failing catastrophically by utter neglect to security is reliably a survivable offense (I recognize that in reality the liability of course ends at the dissolution of the corporation.)

I don't know what the actual answer is.

[1] https://en.m.wikipedia.org/wiki/List_of_economic_crises

I don’t think the analogy applies. We are humans, capable of observing the failures of others and making rational decisions to avoid those same failures. The immune system is programmed to react one specific way. For example, we can choose or choose not to go out of our way to get vaccinated. If someone doesn’t get vaccinated and infects a dozen other people and then get really sick themselves, it’s hard for me to have sympathy. Unfortunately here, when there’s an illness, millions of people have private information leaked. This should simply be an unacceptable.

Without the overhead of reaching many locations, fewer engineers/technicians can more efficiently operate the whole thing remotely.

Those remote workers wouldn’t have to be ‘remote’ if there were other workers hired on site.

So fast food workers were “essential workers” but oil pipeline control system engineers aren’t?

Projects that require a security clearance have to be done from inside of a secure facility. This clearly needs to be the same level.

Maybe that'd make sense if it was the encryption that was broken. I wouldn't suggest a one-time pad for anything where modern encryption works just fine.

Make it a crime to possess, consume, or distribute substances that are bad for people.

Make it a crime for people to knowingly withhold information about such activities from the authorities.

Abuse of substances, trafficking, and associated criminality will go away.

But seriously...

> Make it a crime to pay the ransom in a ransomware attack.

Ok, so ... what should a company do? File a report with some government agency or with an insurance company and wait until the bureaucratic process maybe results in being able to pay the ransom to resume business operations? Punishing the victim of a crime? Really?

> Make it a crime to fail to report a ransomware attack in a timely manner.

Further punishing the victim of a crime? Really?

> Ransomware attacks (and companies with poor security practices) will go away.

lol

>Make it a crime to fail to report a ransomware attack in a timely manner.

You mean like "18 U.S. Code § 4 - Misprision of felony" [0]?

[0] https://www.law.cornell.edu/uscode/text/18/4

Just like all other laws that companies break, they'll just get a slap on the wrist and continue their ways

When the Feds catch up to them, Dennis and Mac are loading frozen beef in to the back of his car and are legitimately confused by what the cops are saying. They moved past the virus several weeks ago and have had literally dozens of plans since then.

The Gang "Solves" the Gas Crisis (2021)

If I were running the Russian hacking center in charge of pwning US infrastructure, I'd be pissed as hell. This is like getting vaccinated -- all of a sudden we're going to take this seriously and patch a bunch of exploits that they've had ready to go.

"nation-state" is not just a fancy infosec word for country, and there's some debate as to whether the USA constitutes an actual nation state, rather than a state.

Yes, because the Russian state has nothing better to do then inconvenience the operation of a foreign fuel pipeline for a few days.

That would work against network tracking of the actual connection, but that is not the main means of attribution and tracking culprits.

One way is to look at any tools and artifacts used/deployed - it's not common that only "off-shelf" tools are used, and as soon as there's anything custom, most likely it's not a one-off thing that never ever appears anywhere else; if you got it from someone, that's a potential lead; if you wrote it yourself, you're likely to use it (or a modified version) elsewhere, so if you make a mistake in one "gig" then it can relate to all your other activities as well.

Another is people - those things are often not done alone, and people talk, especially if they get detained for something else. And last but not least, the money trail sometimes leads to results as well.

But the key thing is that even if you do everything securely enough, it can work once or a couple times if you're careful enough, but nobody is careful enough to sustain proper opsec all the time, everyone makes mistakes every now and then. These things often take years to resolve, but the legal system has sufficient patience to link something done five years ago to a mistake you'll make next year.

There's sort of an asymmetry for an attack - that if the defender closes 99 vulnerabilities but leaves one, that one is enough for an attacker to get in; but there's a similar asymmetry for detection; if the attacker hides their trail in 99 ways but leaves one, that one is enough to find them afterwards.

> I'm not super-knowledgable about cybersecurity, but shouldn't simply using TOR make it nearly impossible for the US government to track them down?

PSA: There are known traffic correlation attacks against Tor. It's not magic security dust you can sprinkle on a system. If you're doing thoughtcrimes, assume any G10 intelligence service can track you down. (If you're into extortion, human trafficking/exploiting children, or financing/advocating violence against civilians, then Tor is totally magic and is 100% guaranteed to make you invincible. Tor is all you need a-hole.)

Tor intentionally makes latency-privacy tradeoffs to make web browsing usable. I'm not familiar enough with Tor internals, but I believe applications have no control over these tradeoffs.

Anyone know if I2P allows applications to adjust latency/privacy tradeoffs? (Conceptually, you want your store-and-forward mixnet to use a priority queue for each hop, setting a deadline when each message arrives, and filling the pipe with expired messages first, and then non-expired messages in uniform random order. Applications more tolerant of latency get their traffic spread over a longer window. Per-hop latency targets should allow applications to avoid hop-to-hop correlations in latency targets.)

Getting operational security right is surprisingly hard.

The really hard part is that you need to have gotten it right some years ago already.

I remember that I read that other day that a bitcoin tumbler operator was charged for money laundering. The way they got to him was tracking initial funds that started the tumbler, which was purchased from an exchanged and not obfuscated.

There are all kinds of things you can get wrong: your build tools could accidentally store compromising meta data in your malware; payments from previous campaigns could be tracked, a single non-TOR access to the command&control infrastructure could get you busted, as could a single login to an email provider you used to communicate with somebody related to the ransomware operation.

All in all, if you have a larger team, the chances of at least one person messing up aren't too small, and then it's a matter of the investigators pouring enough money and attention into the case to find it.

As a rule, there is no off-the-shelf software solution that you can simply use to avoid being detected by the NSA or other powerful nation intelligence services. Even if there were, they are not limited to tracking you through technological means - they very much know how to find people the old-fashioned way as well.

That's not to say that it is impossible to hide from them, but it's never simple, when they're actively looking for you.

No - Running enough TOR entry and exit nodes allows one to unmask initial connections[1].

One can suspect a healthy percentage of Tor nodes are operated by Governments as TOR was developed and released by the US Navy[2].

[1] https://www.theregister.com/2015/05/30/researchers_claim_tra...

[2] https://www.torproject.org/about/history/

Tor isn't perfect. Government agencies like to create TOR endpoints/nodes that allows collection of bulk traffic data. They can't see exactlt who sent specific packets or their exact contents by looking at them individually, but they can see which mode it just came from and where it's going next. By watching traffic to entry and exit points they can create probablist models based on traffic volume that can allow them to identify where large volumes of packets most likely came from when they're already watching the destination. This is how they tend to catch drug dealers and similar illegal transactions using TOR and a similar setup that monitors crypto currency transactions that simply monitors either known bad agents (criminals, dark web sites selling illegal goods, suspects, etc) or suspected targets. By combining the two data sets they've even identified who certain crypto currency wallets belong to. The main thing to be aware of is that it's extremely difficult for them to identify anyone with low traffic levels, or that do not interact with actively monitored actors/targets.

> shouldn't simply using TOR make it nearly impossible for the US government to track them down?

Not even close. Tor kinda secures one aspect of very many, but kinda doesn't.

It attracts attention: Governments actively try to defeat Tor. And if they are looking for a criminal, they might look first at Tor users. In fact, they collect data on Tor use before a crime is committed.

Not this kind of attention. Oil pipelines are considered critical energy infrastructure. This will likely be viewed as a national security threat.

The US government will have to respond to deter others. They have "poked the bear".

Yes, in the sense that it gets reported to law enforcement and investigative agencies. Without being specific, I was a victim of identity theft and cybercrime. My incident was “reported to the FBI” but I’ve literally never heard anything back from them.

In practical terms there needs to be something special about the cyberattack for the government to devote any resources towards it.

How could it? There are thousands of cyberattacks against US companies and infrastructure every day.

There are cyberattacks and then there's going after the most important domestic energy line of a superpower.

This is quite different from your run of the mill cyberattack, they're not all created equal.

The difference between "the FBI will look into it if they find some spare time" and "you've made the top 10 target list of the NSA".

I'm going to link this here: https://attack.mitre.org/ Those are only the reported attacks. You could check groups as well, and their TTPs.

Could be, but ransomware gangs are a dime a dozen, and many are simply financialy motivated.

It's just a very profitable business model.

maybe it's the CIA, trying to increase hostilities between the united states and some other country.

Their approach makes a lot of sense. Corp network hacked - so to be careful shut down pipeline until you've really made sure that you are fully safe pipeline side as there now may be more attack vectors.

Dan Kaminsky spent an enormous amount of time and effort on creating a secure hardware framework 10 years ago. It went nowhere for a lot of the same reasons you discuss in this comment.

The government and industry are all talk. Until we see actual enforcement / incentives for secure hardware, just assume everything (and I mean everything) can get shut down at any time. The only people who think this is an exaggeration are those who haven’t seen what things actually look like on the inside.

I’m curious — how would something like a data-diode work in real life? It makes sense, but what about something like TCP where the sending side needs the ability to receive ACK messages? Is a firewall (dedicated, if need be) enough?

Or would this be some other kind of physical interface that took some kind of read-only data (serial?) and sent it up the layers using TCP/IP, where only this box would be at risk?

Edit: looks like you answered part of this below — you suggest switching to UDP protocols.

Excellent info, thanks.

"OT" vs "IT":

"Operational Tech" (pipeline and safety-critical monitor and control)

and

"Information Tech" (payroll, email, other business stuff)

?

I could only imagine trying to tell a large corporation that their "IT" authentication system can't be linked to the access card keys for the front gate, or whatever other physical security they might have in place.

It doesn't matter if we can formally prove that a remote access system is sufficiently secure as to aloow engineers to operate valves and pumps from home... For inevitably, some months from now, a wildly insecure utility will be connected to that, and you lose the ability to reason about how to keep the streams from crossing.

Easiest opto-isolator is to epoxy the sfp into the socket, and then fill the rx port on the critical side with epoxy, and then just run one fiber. The epoxy may seem excessive, especially if the sfp dies and you have to swap a whole nic, but it makes people stop and think.

Do you think Colonial identified some "physical world" risk, as in the possibility of a pressure overload or pipeline leak? I imagine that verifying the integrity of these SCADA systems is a very complex task, so I'm wondering if they've already identified a possible attack vector/entry point or if this was entirely preventative.

> I personally believe that DHS should make this sort of thing illegal for critical infrastructure.

I can't speak to non-electrical infrastructure, but the NERC CIP "high impact" standards already make it largely impossible to operate critical electrical infrastructure from anywhere other than a secured control centre. Operating from your laptop or iPhone from the kitchen table is however allowed for "low impact" assets like small power plants.

I also wonder why nobody who has secure computing issues demands physical write-enable switches for ROM, rather than using software switches that are inevitably corrupted.

is there evidence of suspicion the Ransomeware is on the controller HMI's, infected from Enterprise connections

is there indication of speculation the Ransomeware is on the Contoller HMI's or is it Enterprise

Flash drives.

I used to work in fabs and every couple of years some tool or other would get a virus, sometimes it spread through the network.

You need the SCADA systems to run the pipeline. They control the pumps, valves, product sequencing, etc. So Colonial purposely shut down the pipeline to prevent the SCADA system from getting affected, which might cause physical damage that truly would be a catastrophe.

Super common. A lot of companies have this hard on the outside gooey on the inside model (aka flat network structure).

Illiquid asset pumping is the best way to launder the money in the crypto space.

AccountA has bought or owns the illiquid asset using clean money, in advance. AccountB has the ransom proceeds in the more liquid digital asset. AccountB eventually buys the illiquid asset and pumps it. All the blockchain detectives are still following AccountB across many more addresses and blockchains, hoping and praying and imagining that one of the touched accounts needs fiat so that a human identity can be assigned to the funds. But that never happens. AccountA has the 8,000% or other arbitrarily high gain and nobody can distinguish them from any other crypto trader, as these kinds of gains are commonplace. All the trading can (and should) occur onchain without any financial intermediary, as there would be no transaction size limits or issue moving the funds, compared to odd activity on a business' centralized custodial exchange.

AccountB connected accounts are saddled with the illiquid asset. Maybe organic growth has occurred from fear of missing out and AccountB can resell, but that is just an embellishment and icing on the cake.

AccountB connected accounts can also create the liquidity pool, or create the yield farming opportunities to incentivize others to join the liquidity pool. And if AccountB really never cares about the funds, they can also burn the bearer liquidity pool share, providing confidence to the market that they can always trade at high volumes onchain.

Only a few universities are teaching this stuff right now. In any case:

EVM is "Ethereum Virtual Machine", a similar concept to the JVM "Java Virtual Machine". EVMs are one the most common technology for deployment of arbitrary execution within distributed networks. These kinds of functions and applications are colloquially called smart contracts. The biggest distributed network with this technology being simply called "Ethereum" or "Ethereum mainnet". But any code deployed on Ethereum mainnet is deployable on any other EVM environment, such as Polygon, Avalanche, Binance Smart Chain, Tron, Ethereum Classic, Hashgraph, or Quorum which was stewarded by JP Morgan for a few years for internal enterprise use.

With the other common smart contract network being Tendermint also colloquially referred to as Cosmos.

There are a couple of standard classes with a certain protocol of functions on all these networks. One standardized class is called ERC20, which is a fungible token standard. Deploying this kind of class ensures that you have created an asset with a name, ticker symbol, quantity, and a transfer function. Therefore ERC20 just is a quick way to refer to an additional asset. Assets that represent something the market wants or is familiar with or is redeemable for something the market likes therefore have certain monetary values associated with them. Some communities representing other networks have different protocol names for the same concept, for example, the Binance Smart Chain community has a token standard called BEP20 which is mostly contrived marketing but it could also have tweaks to the ERC20 standard, you have to read them. No different than reading the IETF's REST protocol standard for each function, and then seeing how it is implemented slightly differently across different browsers, devices and frameworks.

DAI is an ERC20 asset that maintains convertibility with $1 US Dollar. It is collateralized by a basket of assets, some completely digital assets and some that are backed by real world assets from centralized issuers.

When it comes to ERC20 naming styles, the market has resorted to prefixes for now.

So on the Secret Network (which uses Tendermint/Cosmos technology instead of EVM), assets that enter it from bridges are called sAssets. So DAI that enters the Secret Network would be sDAI. Where it will inherit the private nature of the network. Specifically the current state of the functions such as quantity, transfer(to, from) would all be unknown from looking at the blockchain.

It is just too expensive for the Ethereum network and not a large enough mixing set (haven't looked recently though) and nobody accepts it therefore requiring you to exit it if you want anything, but exiting will reveal who you are because there is nobody else it could be.

Privacy on the Ethereum network remains just Ether in Tornado Cash.

edit: oh cool Aztec actually transitioned to the Optimistic Rollup. That is different than their prior smart contract and requires new analysis. I recall their article last year or before about doing a "zk zk rollup" and I didn't keep following.

At least for public services in Canada, it is. Which serves as as a deterrent since attackers are guaranteed to _not_ get money. Also whips management into more than CYA-and-wait IT security.

There is an argument for that. Haven't heard of prosecutions for doing so.

There is a screenshot in the article in the Ransomware as a Service (Raas) section.

Yes, it is nice to see the market adjusting.

There are only a few cryptocurrency networks with robust Tor infrastructure for now. There should be more but the stewards haven't prioritized it, for the most part many nodes and wallets for other networks are UDP, which is a major hurdle as Tor requires TCP exclusively. Bitcoin and Monero do not have this limitation, but Monero is the only private by default one and has a large mixture set to stay easily obfuscated.

Armchair take: The pipelines handle a lot of fuel, and the US needs / uses a lot of fuel; to move the same amount, you need a lot of trucks. And if that need is not met, the economy etc will be disrupted heavily, price of fuel will go up, and the price of fuel going up has caused massive issues in the past.

No, that part of the regulations (the 10 hour break requirement) specifically does not get suspended in an emergency, if I recall correctly, but federal qualifications for new drivers do, so maybe someone otherwise hauling oranges from Florida might drive a tanker while the normal driver has a day off. Plus, this is only federal law; state laws still apply, and it is state troopers who pull you over, not feds.

And I thought we were already facing a nationwide shortage of qualified tanker truck drivers.

On the bright side, these guys will be making mega-bucks on overtime, provided they can stay awake. coffee and no-doz will only take you so far.

Could be that, or the heightened sensitivity to all issues cyber we’re experiencing right now

Will there be enough extra tanker-hours and tired tanker-hours to see a statistically significant upturn in accidents and deaths?

Don't trucks transport fuel like this all the time? Or maybe it's the quantity.

Generally the controls are firewalled from the administrative/business systems, not air-gapped.

Production data (like gallons per minute of flow through the pipeline) must be sent from the controls to the business analytics software. That's generally done through a firewall over TCP/IP.

I've worked on these systems, they are separate.

They likely could have kept running the pipeline without incident.

I imagine when the government stepped in they decided to dial their procedures up to 10 and they plan on making an example out of this incident and the perpetrators.

Yes, but this is not new. Cryptocurrency is.

Also blaming the victim can only go so far

Meanwhile Microsoft and "app" developers are training normal users to avoid updates by continuing to push anti-user updates...

BTC has value because people exchange it for "real" money. If BTC is heavily regulated or outlawed, a whole lot of folks are going to duck out. It's one thing to try and get in on the ground floor of the latest meme stock, it's another thing to buy into a currency/practice that's illegal in your country.

Add onto that making it illegal to pay ransoms in BTC, then there's really no value in using it as a ransomeware currency. No one is buying it so all you are getting are some random digits on a piece of paper.

The US and other government wills outlaw all cryptocurrencies but the ones that they control (“Govcoin,” as The Economist refers to them). Game over.

Blockchain has many uses, including as a record of transaction. Crypto currencies are merely a subset of what might be available using blockchain. Legislation can certainly target that subset.

People that read Hacker News on their work machine: note that if you're on the org VPN (and even if you're not, if your org installs IDS tools or other spyware) many of those tools may flag your visit of such site as "malicious".

Best to use a personal device.

It might help if you format these as "domain[dot]com" to avoid misclicks.

Given that this is preventing them from moving liquids from A to B they should realize that protecting their system isn't a secondary concern.

Constrained supply or higher cost of transportation = higher prices = incentive to consume less.

I'd prefer to see this dynamic produced by carbon taxes so the price difference isn't going back to the fossil fuel companies, but I'll take what I can get.

Also installation of new fossil fuel infrastructure like pipelines implies a long term commitment to the status quo or even increased production which I find unacceptable.

If the neccessary changes were underway there would be zero demand for new pipelines.

It’s really not. SME branch office is dead easy. Multinational corporations virtually impossible.

In the cloud you can stop your whole VM estate, nuke roles and access and pull an audit trail and access logs for everything in a few minutes. Without even getting off your butt. Or having to negotiate with a branch office IT team who disagree with you.

In the 20 or so years I’ve been running ops for corporates, the cloud is the nearest we’ve come to half decent DR and emergency response capability. It has got to the point now where compliance and audit is built in and I can actually write some code here and there rather than arguing about trivial stuff like “what happens if X happens” with people who are only in it for the pension.

Is it though? We have plenty of cases of on-prem and in-cloud going down. And we have also plenty of evidence that some companies do actually manage to do disaster recovery pretty well. Not all, of course, usually those that experience frequent disasters.

Bitcoin's not the problem, America's shitty corporate culture around not treating cybersecurity as a priority is the problem.

Isn’t this already the case? Like SolarWinds?