Cyber Security Nightmare in the Netherlands
The first two weeks of February have been exciting times in the Netherlands, with many cyber security incidents making headlines in the news. One of the most worrisome involved keeping my country, a country that is below sea level, dry. This task is delegated to industrial systems, and one would expect the safety of millions of people to be properly managed and kept up to the highest standards. But is it?
SCADA Security Vulnerabilities Exposed
Security researcher Oscar Kouroo, working for the Dutch nuclear physics institute NIKHEF, found out that national infrastructural systems were listed on Shodan (a database of cyber security vulnerabilities) and could be easily accessed remotely. Those systems, controlling pumping stations and sluices, are vital for the water management of a large part of the Netherlands. Because a large part of the country lies below sea level, those systems keep the Dutch feet dry!
This information couldn't go unnoticed, and it didn't. Experts voiced their opinions about the possibility of collapsing dikes, the country running under water, the sewer systems clogging up, the imminent danger for national health, etc. Additionally, a discussion was started about the lack of protection in systems maintained by counties and municipalities, and the issue was raised in Parliament.
Prominently shown on TV was networking equipment from Moxa. A spokesperson from the company denied that its equipment was improperly protected. The mayor of the involved county of Veere blamed the systems integrator Xylem, who apparently could not fix the issue for 2 weeks (nor could Veere county personnel).
In turn, Xylem blamed the county for improper password management and denied that their systems could be remotely controlled, which was promptly counter-denied by the researcher. The researcher showed that the password of the Veere county system was simply “Veere”, and that access to water pumps was possible.
National TV prominently covered the breach, where no equipment was actually modified. In order to highlight the real danger, the researcher and the TV station found another user of Moxa equipment: the national headquarters of the Salvation Army. They remotely turned the central heating off. On TV, the Salvation Army spokeswoman commented aloud "Yes, now it’s clear why it got so cold here last week!"
IT Security Breaches add to the Nightmare
These Moxa exploits became public a few days after the publication of the database leaks at KPN, the largest Dutch telecom provider, forcing it to shut down email services to over two million customers. The cause? A server still running (medieval) SunOS 5.8 that had not been patched for over 6 years and had (again) an easily guessable password. KPN then mailed all customers a letter with their new account information, containing the username and new password in the SAME letter.
And that's not all for that week! The website databases of electronics company Philips were hacked (exposing 200,000 customer records). Also hacked was beer brewer Bavaria's web host, whose databases (296!) were not protected by a password (again exposing some 200,000 records). And as I was writing this, it became known that records of over 300,000 students were stolen from a publisher, as were the addresses in the database of an arms dealer.
To add insult to injury, the Dutch government unit responsible for the protection of the national infrastructure (NCSC) had to admit (after a FOIA request) that it had lost its database containing information about all the cybersecurity incidents occurring from 2000 to 2009. This time a hacker was not responsible! It appeared that since 2009 NCSC could not access that information because the backup tapes could not be read anymore.
As the Chinese proverb goes, "May you live in interesting times". Now that's definitely the case in the Netherlands. It is disturbing to learn that the safety and privacy of millions of people are so badly protected. Luckily my home is above sea level ;-)
This article is a special guest contribution by Rob Hulsebos.
Note: Rob is the “Dutch Profibus expert” that identified that frequency converters are the target of Stuxnet.
Practical SCADA Security thanks Rob for this article.
Comments
I'd like to have it noted
I'd like to have it noted that Moxa was part of the dataset presented at S4 2012. That data was shared with ICS-CERT in November 2011, who should in turn have offered it to Dutch CERTs.
What they did with it is beyond my control of course.
Following up with these integrators and asset owners as Oscar Kouroo did is exactly the right way to go. I'd love to know 'how much was critical', so we can approach these things quantitatively in the future.
Excellent Summary
Thanks for taking time to provide a clearly written summary of the issues being faced in the Netherlands with some clear delineation of the challenges. This is a report that an executive could read and have a better understanding of the concerns.