> As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.
Or alternatively, how about WTF are you doing plugging your phone into this fucking cockpit? You're here to do your job and if you want to carry your phone around with you in the factory all day that's up to you, but plugging your phone into the fucking cockpit you're meant to be working on will result in demotions, suspensions and unemployment all round.
More politely put, I see no obligation on employers to provide employees with the means to recharge their personal phones :)
> More politely put, I see no obligation on employers to provide employees with the means to recharge their personal phones :)
This is a classic "design a better human" problem - sure, you can try to 'persuade' people by threatening them with demotions, suspensions and unemployment. And then you can hope that this will work in every single instance. Or ... you can provide a few usb ports in a convenient location, so people use these instead of the usb port in your multi million dollar cockpit to charge their phones. Take your pick.
For another example decide if it's easier to provide waste bins or to threaten people who litter streets.
They were working in a cockpit factory. They had many other options for charging their phone in a USB socket, and they still chose to charge it by plugging it into the cockpit. Your solution, in this situation, already existed and people still plugged phones into the cockpit.
Why would they NOT do this, under your system? If I can plug my phone in right where I am, in the cockpit, or somewhere less convenient for me, why would I not just do it where I am, in the cockpit? There are no penalties for it, so why wouldn't I do it?
Following the what, 11 different plug standards commonly in use for power internationally? Or provide a USB port that every phone in the world can use, and is smaller and more efficient to boot. I know which I'd pick.
The next sentence pretty much confirms my impression that this claim is almost certainly bullshit:
> Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.
I could maybe understand it if it was a USB hub, and the phones all had a defect that meant rogue USB signals could infect them. So if 2 people plugged into the same hub at the same time, it could spread.
But if the claim is that the virus lie 'dormant' in the uninfectable plane OS, then I can't understand that.
nice catch. can't help but think of Independence Day when Jeff Goldblum and Will Smith infect alien mothership with a mac virus from a 3.5 floppy which specifically disabled its protective shield. "will give it a cold"
There's a deleted scene that explains that all of our computer technology has been covertly based on the results of the Area 51 research into the crashed ship. It makes that bit a little less silly.
They almost certainly aren't USB chargers. Probably USB ports for inserting thumb drives to update the navigational charts. These kinds of USB ports are [mis]used for charging phones all the time, and the phone can end up being mounted as a mass-storage device.
No idea how the rest of the exploit would work in this scenario though, I have a hard time believing it.
It's true that that scenario is not relevant, but the fact that there is a direct connection between the usb ports for charging stuff and the planes' computer is obviously a point of intrusion for attacks like Stuxnet.
I think the sentence "But it would pass the virus on to other devices that plugged into the charger." comes from the reporter, showing that he does not understand computers. It is plausible that malwares were copied without being executed.
Not at all, that's like saying floppy disk viruses happened because both PCs and floppy disks were vulnerable. Just imagine the cockpit to be a floppy disk. You plug your phone in, and your infected phone puts a file in the cockpit. Then someone with a vulnerable phone plugs into the cockpit, reads the file and is infected.
Not saying that's how it happened, just that it's possible.
I think they mean "because the computers that fly the plane run a different OS than the computers that control the in-flight entertainment". The malware isn't going to cause the plane to crash, but it could still execute and spread itself via those little seat-back touch screens with their USB ports.
Boeing's new 787 Dreamliner passenger jet may have a
serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.
The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.
Boeing spokeswoman Lori Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.
"There are places where the networks are not touching, and there are places where they are," she said.
It'll be EADS - I've experienced their infosec first hand. Heavy on process and inquisatorial panels - yet they do stuff like emailing parts lists and schematics over the Internet, no protection.
Yeah, it's sad that so many people actually use USB ports at airports to charge their devices, without knowing what they are connecting their devices to. I don't expect them to know better, but all their data could be copied, stuff could be modified. Isn't there an adapter which limits the active lines to just what's needed to pass power, no data, or is charging without some data exchange impossible?
The data lines are used for signalling which charging speed the device supports. You can cut them, but then you get the lowest denominator charging specs, which is quite slow.
I wonder what scale of disaster will have to occur before information security is placed under the same legal and regulatory scrutiny as physical security?
The number of people who have no idea how their car works, despite them being fairly ubiquitous for nearly 100 years makes be think that that will never happen. There will always be people who know only just enough about the technology around them to get by.
That's not a reasonable requirement, it's just that there is no consequence for people administrating (installing, maintaining) systems and the software writers. If fines were involved, how long do you guess would it take for people to stop writing in C or system integrator setting up random software. Critical systems may only use software written and certified years ago, not be constantly updated.
Developing and maintaining software with a sufficiently large focus on information security will almost certainly cost so much money, that people will reconsider whether the investment is worth it.
It probably takes several relatively large and frequent disasters not just to put the issue on the map politically but also to show that it's worth investing in information security besides the cost.
No disaster necessary. NERC CIP regulations have been in place (and enforced) at electric utilities since 2007:
"In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s approval, NERC’s Reliability Standards became mandatory within the United States. These mandatory Reliability Standards include CIP standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid."
Possibly important to note the timing of this admission right on the heels of the announcement of our defense minister that she wants to build a 'cyber' division in the army with 13500 people working there. Thats almost 10% of our armed forces.
Here in Germany that only means that 13000 people print out reports for the minister, while 500 people look at screens. 10 of them program the stuff that happens on the screens.
Yeah, totally agree. They also have aggressive print advertising everywhere (here in Munich) for this campaign.
I wonder if they can attract any real talent though? Only people I know willingly wanted to work for the Bundeswehr eiter did not have the grades to study elsewhere or went to Afghanistan for the money.
They have pamphlets that pretty much say "hey, you could earn more money and have better working conditions from a real employer but that would be boring right?". So I guess not.
I'm glad somebody joins them, though, or they would make up a law to legalize what drug cartels are doing with IT (and other) talent. Laws can be passed in parliament and be in use and need to go through trial at supreme court to be ruled invalid. I really wish passing laws was super had, super laborious, and took a very long time (at least 5 years). Then, the government, which needs to be reelected every 4 years, cannot pass all kinds of stupidity.
That program is completely misguided. You don't need thousands of "cyber soldiers", just a few good computer scientists, mathematicians and engineers. Because a system built from trusted and provably correct components (hardware and software) is infinitely better than a swiss cheese with dozens of people attempting to keep it from falling apart. And from that point on, you only need to teach soldiers to operate their equipment correctly.
The challenges of information technology w.r.t. warfare are fundamentally different from usual war tactics. You can't solve them by throwing lots of personel or big guns at them. If midst-fight your equipment or infrastructure fails because of security flaws, it's not because there's no personel to deal with it (for that it's already too late): it's because its designers failed at the drawing board.
It'd be better they concentrated on quality instead of quantity and the resignative "anything can be hacked" myth a lot of popular media is putting forward, as if information technology operated according to the same rules the physical battlefield does. These analogies only go so far...
(of course the same applies to non-military contexts as well)
Yes, I was focussing more on the defensive aspect. In offense the situation may be different, but in that case, if your enemy is in large-scale possession of technology that would make it susceptible to this in the first place, bad things have happened...
As someone who works in security operations, there is absolutely a need for people. Yes, a small number of experts could, given enough time, produce some small amount of thoroughly secure components. But that's not the situation we're facing.
In real life, governments are some of the largest enterprises that exist, and use the same software and systems as everyone else. Complete replacement with provably correct systems is such a large task that it would never be completed, for just the same reasons as in private industry. The attack surface of a government ranges from sophisticated military hardware to mobile apps.
Deterring, detecting, and remediating security incidents is thus done the same way the private sector does it: testing, continuous monitoring, hunting, forensics, etc. All of these activities are person-hour intensive, and I don't think there's a security operations center in the world that wouldn't tell you right now that they are limited by the size of their staff.
That said, full-service security departments will include technical auditing and software security components, and I suspect the German government intends to include this. Of course, these functions are quite limited by being on the client end of the relationship, as I doubt the German government produces any more of its software in-house than the US government does (which is not very much).
These viruses are very serious and should be considered as a "near misses" in terms of critical power plant software malfunctioning.
After the US, Israel is #2 in Cyber security and is very dependent on Germany for military needs such as submarines and engines for their tanks. Since these nuclear power plants have nothing to do with national security directly, Germany should employ Israelis to help them if they have not already done so.
As far as I know there isn't even a single one of those designs which was successfully built somewhere yet (as in: Is able to generate more power than it uses).
The being able to generate more power than it uses is a problem for nuclear fusion reactors.
The problem with modern nuclear reactor designs is that they're just that, designs. Great ideas people in comment sections love to mentally masturbate about. In reality almost all nuclear reactors are decades old.
Politics alone ensure nuclear reactors with the exception of maybe fusion (which will be way too late for climate change) will never get off the ground. In the meantime renewables, solar especially, get cheaper and more efficient every day, not designs but actual installations.
I wouldn't be so sure - you know the joke about fool proof designs and nature inventing bigger fools ;).
Few years ago, Westinghouse tried to kick out Rosatom from VVER power plants in Eastern Europe as a supplier of the fuel. They pulled very heavy levers to do that, but in the end, they were still refused due to their pellets not being up to the task and being a security hazard.
There are Windows computers in there. They are not connected to any outside network "to be safe". Therefore they are protected, even protected from updates. Software that runs on them is validated for that specific OS version with a specific state of updates applied.
Regulations say you can't just ran any random device (including software) there, that's unsafe.
Unfortunately regulations weren't being made with PCs in mind where anybody can plug in an infected USB stick. Or needs to in case he's a service technician. (Yes, those ports are not available for "anybody" who is there, but somebody needs to install software on those machines).
There are things I have seen I wish I could unsee to feel safe.
They shouldn't be using Windows at all. Whoever had that idea should be thrown in jail for attempted mass murder. Keeping Windows off a network doesn't make it safe: Stuxnet proved that.
Windows has no business being used in any application that is life or safety critical. Its license even says so. Doing so should be a crime. There are much better OSes out there for this kind of thing: just ask anyone who builds jet aircraft.
Operators mostly watch the plant during the weekend while the engineers are not there. It is a security job: check if something turns red and pick up the phone if it goes bonkers. The operator has a limited access to the core process. Boring, and they get busy by going to the Internet and downloading random stuff. And yes they do have access to the Internet...
We have to be more concerned about the things that are not reported. And why is it even technically possible to infect the control system of a power plant at all, or was this just a virus in some auxilliary sytem like, say, the machines only connected to another network, totally decoupled from the control system? Without details, this is just fear mongering on the heels of recent media outbreak regarding Belgian reactors.
The article said the virus was on "a computer system retrofitted in 2008 with data visualization software associated with equipment for moving nuclear fuel rods".
Control systems generally have two components; the actual controllers that interface with the machine or equipment and then an HMI for the operator to interface with the controller (ignoring completely hard wired systems consisting of lights, buttons, chart recorders, etc). The majority of the HMI software runs on windows.
Once an attacker is on the HMI system they can probably easily do anything the operator can do, and possibly have full access to the controller and make things happen that Should Never Happen.
A nuclear power plant has computers on its airgapped network infected with a computer virus from 8 years ago for an operating system which expired from support two years ago.
At least the nuclear power plant near me runs on a PDP-11.
The head of the BND, the German equivalent of the American CIA, has been booted out of his job on the orders of chancellor Angela Merkel, two years before he was officially due to retire. No reason for the leadership change was disclosed
Virus claims german nuclear power plant run down by underfunded operators.
"Cant spread, if you are all on old breaking down hardware on outdated systems that nobody bothers to update." says virus.
100 comments
[ 5.8 ms ] story [ 177 ms ] thread> As an example, Hypponen said he had recently spoken to a European aircraft maker that said it cleans the cockpits of its planes every week of malware designed for Android phones. The malware spread to the planes only because factory employees were charging their phones with the USB port in the cockpit.
More politely put, I see no obligation on employers to provide employees with the means to recharge their personal phones :)
What makes you so sure it isn't (also) their work phone? Lots of people I know don't have a personal phone and a work phone, they just have a phone.
This is a classic "design a better human" problem - sure, you can try to 'persuade' people by threatening them with demotions, suspensions and unemployment. And then you can hope that this will work in every single instance. Or ... you can provide a few usb ports in a convenient location, so people use these instead of the usb port in your multi million dollar cockpit to charge their phones. Take your pick.
For another example decide if it's easier to provide waste bins or to threaten people who litter streets.
Why would they NOT do this, under your system? If I can plug my phone in right where I am, in the cockpit, or somewhere less convenient for me, why would I not just do it where I am, in the cockpit? There are no penalties for it, so why wouldn't I do it?
> Because the plane runs a different operating system, nothing would befall it. But it would pass the virus on to other devices that plugged into the charger.
That's just...not how computers work.
But if the claim is that the virus lie 'dormant' in the uninfectable plane OS, then I can't understand that.
Edit: corrected it's its
I think you added an apostrophe by accident, or the poster corrected the mistake.
If the USB chargers in cockpits are any more complex than the above, why?
No idea how the rest of the exploit would work in this scenario though, I have a hard time believing it.
So the virus would have to infect both android and the cockpit to spread from phone to cockpit to phone.
Not saying that's how it happened, just that it's possible.
[1] https://srlabs.de/badusb/ [2] http://www.wired.com/2014/07/usb-security/
They claim it is happening.
Boeing's new 787 Dreamliner passenger jet may have a serious security vulnerability in its onboard computer networks that could allow passengers to access the plane's control systems, according to the U.S. Federal Aviation Administration.
The computer network in the Dreamliner's passenger compartment, designed to give passengers in-flight internet access, is connected to the plane's control, navigation and communication systems, an FAA report reveals.
Boeing spokeswoman Lori Gunter wouldn't go into detail about how Boeing is tackling the issue but says it is employing a combination of solutions that involves some physical separation of the networks, known as "air gaps," and software firewalls. Gunter also mentioned other technical solutions, which she said are proprietary and didn't want to discuss in public.
"There are places where the networks are not touching, and there are places where they are," she said.
http://www.wired.com/2008/01/dreamliner-security/
http://cryptome.info/faa010208.htm
It probably takes several relatively large and frequent disasters not just to put the issue on the map politically but also to show that it's worth investing in information security besides the cost.
"In 2007, FERC designated NERC the ERO in accordance with Section 215 of the Federal Power Act, enacted by the Energy Policy Act of 2005. Upon FERC’s approval, NERC’s Reliability Standards became mandatory within the United States. These mandatory Reliability Standards include CIP standards 001 through 009, which address the security of cyber assets essential to the reliable operation of the electric grid."
Source: http://www.nerc.com/pa/CI/Comp/Pages/default.aspx
(Edit: clarification)
I could only find decent reporting about this in german: http://www.tagesspiegel.de/politik/plaene-der-verteidigungsm...
I wonder if they can attract any real talent though? Only people I know willingly wanted to work for the Bundeswehr eiter did not have the grades to study elsewhere or went to Afghanistan for the money.
http://www.zdnet.com/article/it-myths-colombian-drugs-gangs-...
The challenges of information technology w.r.t. warfare are fundamentally different from usual war tactics. You can't solve them by throwing lots of personel or big guns at them. If midst-fight your equipment or infrastructure fails because of security flaws, it's not because there's no personel to deal with it (for that it's already too late): it's because its designers failed at the drawing board.
It'd be better they concentrated on quality instead of quantity and the resignative "anything can be hacked" myth a lot of popular media is putting forward, as if information technology operated according to the same rules the physical battlefield does. These analogies only go so far...
(of course the same applies to non-military contexts as well)
And although the article says only a few of those thousands will be used for offensive ops, I suspect that many more will be.
I think you can make a better effort with more people; the critical thing is the quality of the people.
Of course there's a good chance more will be less valuable!
In real life, governments are some of the largest enterprises that exist, and use the same software and systems as everyone else. Complete replacement with provably correct systems is such a large task that it would never be completed, for just the same reasons as in private industry. The attack surface of a government ranges from sophisticated military hardware to mobile apps.
Deterring, detecting, and remediating security incidents is thus done the same way the private sector does it: testing, continuous monitoring, hunting, forensics, etc. All of these activities are person-hour intensive, and I don't think there's a security operations center in the world that wouldn't tell you right now that they are limited by the size of their staff.
That said, full-service security departments will include technical auditing and software security components, and I suspect the German government intends to include this. Of course, these functions are quite limited by being on the client end of the relationship, as I doubt the German government produces any more of its software in-house than the US government does (which is not very much).
After the US, Israel is #2 in Cyber security and is very dependent on Germany for military needs such as submarines and engines for their tanks. Since these nuclear power plants have nothing to do with national security directly, Germany should employ Israelis to help them if they have not already done so.
Don't worry, the most important parts are running on DOS or OS/2, so we're saved from doom!
I'd rather have my local solar power plant infected with viruses or hit by cyberattacks.
The problem with modern nuclear reactor designs is that they're just that, designs. Great ideas people in comment sections love to mentally masturbate about. In reality almost all nuclear reactors are decades old.
Politics alone ensure nuclear reactors with the exception of maybe fusion (which will be way too late for climate change) will never get off the ground. In the meantime renewables, solar especially, get cheaper and more efficient every day, not designs but actual installations.
Few years ago, Westinghouse tried to kick out Rosatom from VVER power plants in Eastern Europe as a supplier of the fuel. They pulled very heavy levers to do that, but in the end, they were still refused due to their pellets not being up to the task and being a security hazard.
And yet they still try that in Ukraine...
Regulations say you can't just ran any random device (including software) there, that's unsafe.
Unfortunately regulations weren't being made with PCs in mind where anybody can plug in an infected USB stick. Or needs to in case he's a service technician. (Yes, those ports are not available for "anybody" who is there, but somebody needs to install software on those machines).
There are things I have seen I wish I could unsee to feel safe.
Windows has no business being used in any application that is life or safety critical. Its license even says so. Doing so should be a crime. There are much better OSes out there for this kind of thing: just ask anyone who builds jet aircraft.
Operators mostly watch the plant during the weekend while the engineers are not there. It is a security job: check if something turns red and pick up the phone if it goes bonkers. The operator has a limited access to the core process. Boring, and they get busy by going to the Internet and downloading random stuff. And yes they do have access to the Internet...
One thing for sure: you can't infect a PDP11 system with Windows or Dos Virus, nor can one plug in an USB.
Homer: "NUC-U-LAR"! IT'S PRONOUNCED, "NUC-U-LAR."
https://frinkiac.com/meme/S09E19/665197/m/Ik5VQy1VLUxBUiIhCk...
Control systems generally have two components; the actual controllers that interface with the machine or equipment and then an HMI for the operator to interface with the controller (ignoring completely hard wired systems consisting of lights, buttons, chart recorders, etc). The majority of the HMI software runs on windows.
Once an attacker is on the HMI system they can probably easily do anything the operator can do, and possibly have full access to the controller and make things happen that Should Never Happen.
A nuclear power plant has computers on its airgapped network infected with a computer virus from 8 years ago for an operating system which expired from support two years ago.
At least the nuclear power plant near me runs on a PDP-11.
http://qz.com/671383/germany-has-sacked-its-spy-chief-but-ha...