Schneier on Security

Clive Robinson • February 23, 2023 3:38 PM

@ Bruce, ALL,

Re : Lessons that should be learned.

These cyber-attacks as we now call them have a long history of institutional failure for profit behind them going back oh four decades or so to my certain knowledge.

This is a little long, but hopefully worth the read by most people as it has important lessons from repeated failings in it.

Long term readers will know that I think using the Internet to carry critical infrastructure “command and control” to save a few pennies is not at all wise because it makes attacking that much easier thus cranks up, or should crank up the costs of defence (but usually does not… due to short term thinking for profit).

In essence the “no free lunch” maxim applies.

I’ve been saying this since before the Oil Industry unwisely started connecting SCADA systems via the Internet over three decades ago before most readers here even knew what “Supervisory contnol and data acquisition”(SCADA)[1] ment, let alone how they functioned and could be so easily attacked[2] due to the way they were designed so “openly”[3]. Worse and what that means for the personal security of private citizens now and in the near future[4].

ICS-SCADA can be found both as little RTU-MTU and plant or country/state wide systems (think Colonial Pipeline disaster).

But worse further cutting back of manpower costs in the Utility Infrastructure Industry in an aim to improve shareholder dividends ment it was not just “up stream supplier” ICS that got ridiculous cut backs it’s now down stream individual customers like you me and everyone else that leads a grid connected life, and generally has no choice to do otherwise.

As I’ve mentioned before the utility infrustructure industry has implemented “Drive-by Control” of consumer end systems that control valves and plant in peoples roads. Many of these use PMR and plaintext protocols with near zero security of any kind. Some even use 2G SMS messaging from inside consumers homes.

The industry having failed to learn any lessons are pushing such insecure systems into “Smart-Meters” with the ultimate aim of “Smart-Grids” where they control your home heating, air conditioning, hot water, food storage and preperation by controling freezers and cookers. Which is obviously wonderfull news for attackers at the communications level as modern “Software Defined Radio”(SDR) and extramly low cost VHF/UHF radio equipment are now ay “Pocket Change Pricing” and “Single Board Computers”(SBC) to control them sub 100USD and in some cases sub 5USD.

Worse for privacy the current crop of Smart-Meters can do “power envelop analysis” that has two significant consumer disadvantages,

1, They can freely control “power factor” control charging so you pay oh anything above ten times the price per unit for real energy usage.

2, All electrical and nearly all electronic equipment, especially the more energy efficient types, have “power signitures” that enable anyone with control of your Smart-Meter to know what you have powered up. But worse can tell when you have a shower, open your fridge door, or what you watch or listen too on your entertainment systems[4].

[1] A “Supervisory Control And Data Acquisition”(SCADA) system, is comprised of software, hardware, and importantly communications elements that form part of an “Industrial Control System”(ICS) that organizations can use to Control industrial processes both at local and or remote locations of any size and value. By Monitoring / gathering, instrument and physical control data and in real-time process and display the data so that supervisory control can be carried out by just one or two people in control centers often well away from the actual physical process. Part of this is predicting when operating states are heading out of the green operating zone, such that remedial action can be taken in a timely fashion.

[2] The desire of attackers is to get into the ICS communications from the physical plant such that they can hi-jack control without operators or the alert systems becoming aware of their activities, then push the plant systems out of the green zone so that actual physical harm to the plant or plant products happens (think dumping excess lye into drinking water that happened not long ago).

[3] Contrary to what many think actually getting into the ICS SCADA communications has historically always been near trivial and still is though slightly more techbical sophistication is needed than four decades ago. As they are engineered to be easy to diagnose and interface to, almost at an RS232 terminal level (which is how many ICS developments started in the late 1970’s early 1980’s). The hard part for an attacker back then was “getting physical access” to the communications nodes or cables to “croc-clip in”. As the push to “Private Mobile Radio”(PMR) systems started in the 1980’s to reduce cabling costs and alow remote control at greater distances (think platforms in mid UK North Sea back to land then on to London). The physical access over alarmed fences etc ceased to be an issue. All that apparently happened was 4wire modems were introduced, that worked as well over radio links as their predecessors had over leased-lines. Of course there was no coresponding increase in security (remember WEP in local area networks? that happened in part because of these early failings). This carried on into the early 1990’s when the cost of radio licences quickly rose above the then falling cost of the nascent Internet. So ICS-SCADA operators accountants and managment shifted it over. More importantly for them it enabled them to shift from expensive “shift operators” to much lower cost “on call operators” who could access from any Internet connected point. Security was thus at the lowest and several people myself included started realy agitating for an increase in security. Seeing the level of push back resistance by “managers” supposadly driven by share holders, that included destroying peoples careers “I got the heck out of dodge” in the 1990’s before it happened to me. Since then there have been a lot of incidents that were “sat on” but a few made it sufficiently public that the UK Government were forced into taking “regulatory acction” around “critical infrustructure” especially nuclear power plants that had more than a couple of illicit “no-knock”, “no-alarm” entries around their physically well armed doors and alarmed fences… (Terry Pratchett had one or two “hair-whitening stories from his time working Press-Office in the industry).

[4] In the UK we have “Television Licencing” which has a history of using top of the line type “Signals Inteligence” techniques to discover those watching but not paying. As prople have moved from “Broadcast” to “Cable” and now “Internet” catching non payers has got harder. The ability to connect into a “radio enabled” smart meter now alows such information to be all to easily ascertained. The company behind the collecting of non-payment fines has not long ago anounced the use of “new technology” that uses hi-tech “secret methods” to catch non-payers. Now it may just be a “Scare them silly” stunt to make the very thugish collectors lives easier, but the technology is definitely there if they want to use it, and the power utilities alow them access. Now, as readers here know, keeping a secret gets almost impossible after a few low payed low ethic workers get access to it. By definition those thugish collectors are both low payed and compleatly morally and ethically untrustworthy as are their managers all the way upto “Director” and “Board Member” level as they have all either condoned or participated in false applications to courts for “Warrants of Entry”. Which they might “tut-tut” about but grossly profit by (so won’t stop their behaviours).

Clive Robinson • February 23, 2023 5:38 PM

@ Steve, ALL,

Re : First casualty.

“As some anonymous person put it, truth is the first casualty of war.”

Whilst it is a nice sound byte, the anonymous person got it wrong…

In reality the first casualty is always “humanity” and “respect” for others.

Wars are generally not started by what many would consider “ordinary people”, though they might end up being blaimed.

Wars are started by those who suffer from incurable aberrant personality disorders / mental disease. Known in psychology, since a 2015 paper
by Chabrol, et al[1] as the “Dark Tetrad”. It comprises of the aberrant personality traits of

1, Narcissism.
2, Sadism.
3, Psychopathy.
4, Machiavellianism.

In some measure or combination of measures. It once would have contained Sociopathy after Psychopathy, but the view has changed that although the symptoms and diagnosis are different they are effectively the same.

The order indicates overlapping movment from vanity through vicious oppression wielding of power through to puppeteer and chess master control of others and entire societies.

But in all cases people with these aberrent personality traits have no actual humanity or respect for others as the rest of us would consider it. When a person says of their boss “He’s an untrustworth 13astard just out for himself” they are very probably correct. Such aberrant people tend to gravitate by their lack of humanity and respect of others up the managment or political heirarchies,

“To their point of maximum harms.”

With the more “Machiavellian” being some what more intelligent / smarter using those with “narcissism” and “sadism” as their “front men”. So they can slip away behind them when the inevitable happens and people get hung from lamp posts etc. Which alows them to wait a little then they can start back again with their “just your humble servant” routine.

[1] “The Dark Tetrad: Identifying personality profiles in high-school students.”

https://www.sciencedirect.com/science/article/abs/pii/S0191886915002366

Henri Chabrol, Tiffany Melioli, Nikki Van Leeuwen, Rachel Rodgers, and Nelly Goutaudier.

From “Personality and Individual Differences” Vol 83, Sept 2015 pages 97-101

Clive Robinson • February 24, 2023 3:15 AM

@ Winter, Steve, ALL,

“I am willing to ponder the truth of what the Ukrainian side tells us, and I simply ignore what the Russians say”

Whilst I agree that what the Russian’s currently under Putin’s command say, is basically propaganda for “Domestic Consumption” thus near worthless.

I regard the Ukranian comments as likely to be true.

The reason is simple, Ukrainian troops need foregin equipment / amunition support or aid. Which unlike Russia with China / Iran support or aid, comes from nations where the views of the public can strongly effect the giving of aid Ukranians need to defend themselves.

Thus as we know, and Ukraines leadership know, “lies get out” and that they are being 100% watched around the clock by satellites etc of those giving the aid / support as well as Russia and it’s allies. And importantly independent commercial organisations.

With any thing Ukranians say being subject to such scrutiny they know that most forms of lying by them would be detected rapidly and potentially turn public opinion against them in the nations giving them aid and support…

Thus whilst Ukrainians can say little as an option, that won’t get them sympathy they need. Whilst what they chose to say has to be fairly honest and correct (there will always be some “fog of war” issues).

So yes I tend to regard what Ukranian leadership and spokes persons say as probably being accurate within the limits of what can be known at the time it’s said.