Category Archives: IoT

IoT, Potential Risk of CVE

What is a smart city from an security point of view?

 

Preface

The objective of the smart city is design to incorporates information and communication technologies (ICT) to enhance the quality of life. The Smart City derivatives the cost effective solution. As a result, it benefits to urban services such as energy, transportation and utilities in order to reduce resource consumption, wastage and overall costs.

2 Common Focus (Shared Data and Open Data)

People concerning the personal privacy and therefore the key words data sharing make them scare.As a matter of fact the data breach incidents happened so far let people focus their defense idea on how to protect their personal data. And therefore whatever sharing concept will trigger their defense idea. Meanwhile this is the bottleneck to slow down smart city development.

About public data – Public data is information that can be freely used, reused and redistributed by anyone with no existing local, national or international legal restrictions on access or usage.

Understanding of data classification

Classifying data is the process of categorizing data assets based on nominal values according to its sensitivity.

The data classification scheme – definition table shown as below:

If we all agree on above data classification labels definitions. And do not have concerns (hiccups) for the terms of use set up. So do we have any other concern of smart City?

Hidden item – Technology Risk management – Whether follow the regular software patch cycle (zero day) to smart city?

From technical point of view, government facilities must follow the best practice to fulfill the patch management. However hardware manufacturer not guarantee they can remedy the vulnerability in quick manner. From some circumstances, smart city not only covered the fundemental infrastructure operation. It involves AI integration. That is business facilities join venture with government facilities. So how to maintain a secure environment? It is one of key element in smart City.

REAL-TIME OPERATING SYSTEMS (RTOS)

Internet of Things is growing rapidly, the common standard of smart devices will be designed with Embedded Systems (ESs). Real Time Operating Systems (RTOS) are used in ESs development due to RTOS added important features as RTOS simplifies development and makes systems more reliable. A real-time operating system (RTOS) is an operating system (OS) intended to serve real-time applications that process data as it comes in, typically without buffer delays. Most RTOS applications fall into two broad classifications. They are event response and closed-loop control.

Reference: A closed loop system is one where the output is feed back into the the system as an input in some way. For instance a thermostat.

Continuous closed-loop control

WHILE (Y <> specified_condition) 
    take_action(X) 
    measure(Y) 
    wait(Z)
REPEAT

Event response applications, such as automated visual inspection of assembly line parts, require a response to a stimulus in a certain amount of time. In this visual inspection system, for example, each part must be photographed and analyzed before the assembly line moves.

Reference: A closed loop system is one where the output is fed back into the the system as an input in some way. For instance a thermostat.

List Of Real Time Operating System in the market

IoT devices potential risk

Threat actors exploit IoT device weakness conduct cyber attack. As a result cyber security guru summarizes the following design weakness of IoT devices. Those devices are heavy deployed in smart city. For instance survillance web cam, sensor, motion detector, … etc. The design weakness are shown as below:

6 Big Security Concerns About IoT For Business

  • Default ‘Raw Data’ Storage
  • Insecure Devices.
  • Lack Of Updates
  • Hard to avoid Data Breaches
  • Difficult to compliant Data Storage policy
  • High hit rate to become a DDoS Attacks tool.

Vulnerabilities & Exposure (recently) – FreeRTOS vulnerabilities awake IoT technology weakness. Vulnerabilities discovered in the FreeRTOS operating system can expose a wide range of systems to attacks, including smart home devices and critical infrastructure.

Risk factor: FreeRTOS TCP/IP Stack Vulnerabilities put a wide range of devices at risk of compromise. Researchers from Zimperium’s zLabs have analyzed FreeRTOS’s TCP/IP stack and AWS secure connectivity modules, and discovered vulnerabilities that also impact OpenRTOS and SafeRTOS.

CVE-2018-16522 Remote Code Execution
CVE-2018-16525 Remote Code Execution
CVE-2018-16526 Remote Code Eexecution
CVE-2018-16528 Remote Code Execution
CVE-2018-16523 Denial of Service
CVE-2018-16524 Information Leak
CVE-2018-16527 Information Leak
CVE-2018-16599 Information Leak
CVE-2018-16600 Information Leak
CVE-2018-16601 Information Leak
CVE-2018-16602 Information Leak
CVE-2018-16603 Information Leak
CVE-2018-16598 Other

Summary:

In technology world, it is hard to avoid the vulnerability occurs. Perhaps patch management now includes in modern software and system development life cycle. There are two popular ways of disclosing vulnerabilities to software vendors.

  1. The first is called full disclosure – researchers immediately publish their vulnerability to public, giving the vendors absolutely no opportunity to release a fix.
  2. The second is called responsible disclosure, or staggered disclosure. This is where the researcher contacts the vendor before the vulnerability is released. Vendor is given a conventional 30 calendar days to fix vulnerability. Some security holes cannot be fixed easily, and require entire software systems to be rebuilt from scratch.Once both parties are satisfied with the fix that’s been produced, the vulnerability is then disclosed and given a CVE number. Regarding to above FreeRTOS vulnerabilities, Amazon addressed the issues with the release of FreeRTOS 1.3.2.But what is the remedy status of the opensource application? As far as I know, security researcher agree to give another 30 days to allow vendors to deploy the patches. However the potential risks are valid until vendor fix the security hole.

Smart City infrastructure not proprietary for famous vendor. We can use not famous brand name surveillance web cam, senor and motion detector. Could you imagine what is the actual status once the vulnerabilities occurs?

Reference:

Smart City infrastructure work closely with MQTT technology.

Security Alert – Moxa ThingsPro IIoT Gateway and Device Management Software Solutions version 2.1.

Security Alert! Moxa ThingsPro IIoT Gateway and Device Management Software (Oct 2018)

 

 

Data privacy, IoT

The fundamental of data sharing versus data privacy

Preface:

What is “Fair Information Practices,” the principles of privacy protection are internationally recognized and are found in most privacy legislation around the world. These principles inform the way private organizations collect, secure, use and disclose personal information.

What is the bottleneck of data sharing?

Privacy is about respecting individuals. If a person has a reasonable desire to keep something private, it is disrespectful to ignore that person’s wishes without a compelling reason to do so. And therefore this is the fundamental limitation of the data sharing. In the sense that you must consensus the data owner or object before use.

Can we found out the easy way to implement data sharing?

If you agree above standpoint is the bottleneck. I believe that you will continue to read this article. Ok, let’s take a quick way to elaborate.

The successful data analytic technology can tell the truth but not include survillance type. Because survillance program in my view point will categories as monitoring feature instead of data sharing categories. The phenomenon we have seen shown below table:

Above table perhaps not the official survey, it can’t provide the significant and reliable reference. However it shown an hints that the bottleneck of data sharing concept driven by Fair Information Practices.

As a matter of fact, even though the extreme regime governance country also not shown government will lead open his repository including personal information. The realistic so far is the private company collect their customer data for business goal or do a re-engineering of the usage of their customer data.

Potential hidden power

Natural & Non-Human Activities data contain huge potential power build a comprehensive big data infrastructure. We haven’t seen traditional database structure weakness until big data analytic born. As a result even though data sharing not mature in the moment however it can develop a perfect infrastructure waiting for the future.

Global Positioning System pioneer build the data sharing infrastructure

You use Global Positioning System (GPS) on your smartphone for directions to a particular place, or if you ask a search engine for the locations of local famous restaurants near a physical address or landmark, you are using applications relying on spatial data. Therefore spatial databases is the key component of the global positioning system. As time goes by, GPS system build the data sharing architecture established.

Revolution of database technology

Big data is a term used to refer to the study and applications of data sets that are so big and complex that traditional data-processing application software are inadequate to deal with them.

Big data technologies break the ice, it improve traditional database model fundamental limitation on data access speed and usage efficiency. SQL was originally designed for relatively static data structured as a table. IoT-generated data is the data generated by the sensors fitted into interconnected devices. In the IoT scheme of things, each device will have an IP address so that it is able to communicate with destination peer. The IoT-generated data is a dynamic data because it is not the human input data model. So, a Key-Value Store technology can receive the advantage. In the market do far there were many different types of non-SQL, or non-relational, databases. The high-end system model is the famous IBM mainframe VSAM access method. But low end products can do similar things today. Below top 5 (low end) NoSQL database engines closer look.

IoT data require to do analytic before use. The data analytics focusing process device status data and sensor readings to generate descriptive reports and alarm.

Real-time analytics tools usually support controlling the window of time analysis, and calculating rolling metrics. For example, to track hourly averages over time rather than calculating a single average across an entire dataset. As a result the system require quick reponse and processing power.

Remark: What are rolling metrics good for? Get numbers faster – every day or minute if you want

Speed up an access

A general-purpose distributed memory caching system boost up the data access speed. It is often used to speed up dynamic database-driven websites by caching data and objects in RAM to reduce the number of times an external data source (such as a database or API) must be read. Below architecture can provide hints to you in this regard.

Summary:

So far, not seen any feature will be improved the data security. Since we are focus Natural & Non-Human Activities data. So it did not touch with any confidential data. The key factor of data sharing bottleneck not the limitation of technology. The fact shown that the successful factor to promote data sharing concept depends on you how to treat people with respect.

 

IoT, Under our observation

Are you aware of the need to improve the security of Internet-enabled devices?

Since IoT device only contained limited free space and memory and therefore it is hard to install the defense solution. A concern of the intellectual property right and therefore vendor do not want to disclose the firmware of their products. So it lack of knowledge let 3rd party vendor developer value-add defense solution. IoT looks like a ant in cyber world. In certain point of view, they are nothing in your point of view. However careless mistake especially do not change the default admin password could took the IoT join to criminal cyber army task force. Perhaps some IoT devices do not have instruction for end user how to modify the password. As time goes by they are a potentail dark force.

The following are important steps you should consider to make your Internet of Things secure.

1. Choose the appropriate product – conside the IoT products which can change the default password.

2. Ensure you have up-to-date software install in your IoT device.

3. Consider whether continuous connectivity to the Internet is needed.

Below article is the analytic document issuded by FBI for your perusal.

Subject: Cyber Actors Use Internet of Things Devices as Proxies for Anonymity and Pursuit of Malicious Cyber Activities

https://www.ic3.gov/media/2018/180802.aspx

IoT, Potential Risk of CVE, Under our observation

Jul 2018 – Siemens Security Advisory by Siemens ProductCERT

Selective Availability (SA) was an intentional degradation of public GPS signals implemented for national security reasons. In May 2000, at the direction of President Bill Clinton, the U.S government discontinued its use of Selective Availability in order to make GPS more responsive to civil and commercial users worldwide. And therefore the GPS open to public usage. Measuring distance from a satellite define by the following:

  1. Velocity x time = distance
  2. Three perfect measurements can locate a point in 3-dimensional space, means synchorning the satellite and receiver are based on perfect timing (clock). A major element in GPS system.

But security vulnerabilities occurs on the timing machine. Official announcement shown as below:

Siemens Security Advisory by Siemens ProductCERT SSA-197012: Vulnerabilities in SICLOCK central plant clocks: https://cert-portal.siemens.com/productcert/pdf/ssa-197012.pdf

IoT, System, Under our observation

Easily Bypass iPhone Encryption – Apr 2018

Headline news report that law enforcement agencies across the country have purchased GrayKey, a relatively cheap tool for bypassing the encryption on iPhones, while the FBI pushes again for encryption backdoors. It looks that a great opportunities for technology firm. It can receive rewards. It is indeed a win win situation. Tech firm can earn money. The court is able to collect the evidences to do the right judgement. Meanwhile, I was wonder whether this is the only way to open the backdoor? As we know, jailbreak the iPhone not a secret. The default password looks easily to collect. So far, the cheap tool to do the magic are available. Perhaps you cannot unlock the phone directly. However you are able to get in (see attached diagram for reference). I beleive that there are more possible way and idea will be coming soon.

My friend posted the official post provided by motherboard and awaken my imagination.

Yes, information technology and cyber technology relies on people imagination. And such a way let your dream come ture.

Official articles in below url for your reference:

https://motherboard.vice.com/en_us/article/vbxxxd/unlock-iphone-ios11-graykey-grayshift-police

IoT, Potential Risk of CVE, Under our observation

IoT World and Smart City must staying wide-awake!

3 Comments

SmartCity project wide spreading implement in the world. The framework transform existing IT world domain includes Cloud computing, virtual machine, router and network infrastructure. Meanwhile it carry the design flaw so called vulnerability simultaneously. As we know, Microsoft product has famous activities patch Tuesday to do the mitigation of critical risk occurs on their product. Since IoT technology cope with smartCity project.  It is hard to avoid to evade not to chosen a product which must doing the patching in frequent way. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. Even though you make use of a proprietary product it was hard to evade vulnerabilities occurs. A question has been queries to the world. SmartCity items involves public safety regulations. If the smartCity facilities become the main trend of the society. However the major facilities encountered denial of service through heap corruption. Do you think how worst is the situation will be?

CVE-2017-18187
In ARM mbed TLS before 2.7.0, there is a bounds-check bypass through an integer overflow in PSK identity parsing in the ssl_parse_client_psk_identity() function in library/ssl_srv.c.

CVE-2018-0488
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0, when the truncated HMAC extension and CBC are used, allows remote attackers to execute arbitrary code or cause a denial of service (heap corruption) via a crafted application packet within a TLS or DTLS session.

CVE-2018-0487
ARM mbed TLS before 1.3.22, before 2.1.10, and before 2.7.0 allows remote attackers to execute arbitrary code or cause a denial of service (buffer overflow) via a crafted certificate chain that is mishandled during RSASSA-PSS signature verification within a TLS or DTLS session.

Official announcement for reference.

https://tls.mbed.org/tech-updates/security-advisories/mbedtls-security-advisory-2018-01

 

 

Data privacy, IoT

Smart City & IoT -Mandatory 3 principles for working with Big data

2 Comments

We frequently heard smartcity project and usage of big data. Such key terms for the 1st impression to people is that it is a advanced technique and techology trend in future. In fact it was not possible to say we are keen to enjoy the benefits of smart city and big data analytic but we just ignore the peripherals. How does a city approiate to do such setup on start from strach situation. For example HKSAR issued the smart City blue print mid of last year. But it got whole bunch of unkown answer waiting for queries(public or quires with industries)? Perhaps the objectives of smart city goal to ehance public safty and governance of the city. The career oppuntunities is the side products which carry by this project. If the key items of city not been resolve yet. For instance: population, immigation policy and land use. Even though you enforce this project it may far away from their original design objectives.

Below url is the smart city blueprint for HKSAR for your reference.

https://www.smartcity.gov.hk/blueprint/HongKongSmartCityBlueprint_e-flipbook_EN/mobile/index.html#p=30

Blockchain, IoT

Reveal block chain technology secret – he is the Genesis-of-Bible

8 Comments

Preface

Blockchain technology is the hottest topic last few years. Actually a similar of block technology already infiltrate into our world since genesis of the world. Do you still remember that in your student age attend chemistry lesson. A boring subject introduce the four principle orbitals (s, p, d, and f) which are filled according to the energy level and valence electrons of the element (see below for reference).  They are the block chain fundamental concept.

The genesis did not mentioned in high profile until blockchain technology do the renovation!

We are easy to find out the key elements of blockchain on internet. According to my observation so far, the result might not similar. My observation summary are function, element and the lifetime (life cycle). See below details for reference (another boring diagram)

The blockchain technology reveal those three items of key element since Bitcoin currency concept found 90’s. Bitcoin was invented by an unknown person or group of people under the name Satoshi Nakamoto and released as open-source software in 2009. The first impression of blockchain to the world is crypto currency (Bitcoin) until ENIGMA found another new idea of concept and announced to public in 2017.

Modern world concerning data privacy blockchain can do it better

In reference to technical article (Decentralized Computation Platform with Guaranteed Privacy) written by Guy Zyskind, Oz Nathan and Alex ’Sandy’ Pentland. It shown that an advanced encryption scheme (secure multi-party computation) provides more advance benefits comparing with key encryption concept.

Blockchain technology shown his expandable feature to the world he is not limit to cryptocurrency.

Enigma technology pioneer to introduce the expandability on blockchain features (see below):

Data marketplace, secure backend, internal compartmentalization, N-Factor authentication, identity,IoT, distrubuted personal data stores, crypto bank, E-Voting and Bitcoin Wallet.

Feature highlight

IoT: A fundamental weakness of IoT technology in regards to storage, manage and use (the highly sensitive) data collected by IoT devices in a decentralized area (trustless cloud). Blockchain technology is able to strengthen design weakness in data security area.

Transport layer security: We know traditional TLS (SSL) technology contained fundamental design weakness. Even though you are now using TLS 1.3, it is hard to guarantee the asymmetric cryptography will be encountered another vulnerability in future.

E-Voting: An data breach occurred last year (2016) on election of US president. Russian hackers targeted 21 US states’ election systems in last year’s presidential race. Blockchains are governed by a set of rules called the consensus protocol. These rules define which changes are allowed to be made to the database, who may make them, when they can be made. There are currently two main types of consensus protocol:

Proof of Work (PoW) and Proof of Stake (PoS)

Build a multi-environment secure infrastructure avoid data breach

We noticed that banking industry have tough and demanding compliance requirements. Some sort of policy they are not able to outsource the hosting facilities to cloud computing environment. As a matter of fact, I totally agree with their auditors concerns of data ownership and governance of data. We heard a data breach on Amazon Simple Storage Service (S3) — Cloud Storage this year. However the on-going technology trend is going to do the system integration to cloud computing. It looks that the IT world no way to escape the cloud technology integrate to their IT infrastructure. Block chain technology itself embedded strong encryption feature which can replace traditional network transport and data protection mechanism. Even though hacker break through the public cloud computing farm, hacker not easy to decrypt the data.

How about ransomware attack?

Blockchain solutions are decentralized – a scenario may happen that ransomware encrypted the data belongs to specifics cyber victim. But another range of clients may not affected.

Who’s is ready to playing this game?

Let’s do a review on current cloud facilities located in APAC country. In the meantime AWS did not install their hosting in China and Hong Kong. But service (blockchain-as-a-service) is available,The nearest zone which have AWS hosting facility installed is Singapore. In such a way bring the advantage to Microsoft Azure cloud became a market leader in this area (see below reference).

According to the blockchain key elements: function, element and life cycle. Blockchain can conduct like a theory apply to technology world without limitation.

Let take a closer look of blockchain processing sequence. The key elements are indicated on the diagram below.

Summary:

For those country who would like to implement the Smart City. Blockchain technology is the key project element which they cannot escape.

A Breakthrough for City Innovation driven by blockchain technology

  1. Single-sign-on facility provides every registered citizen with a free verified login with which they can securely connect and transact both locally and globally across both public and private services.
  2. A secure platform for innovation.
  3. Provides integrated solutions for local commerce across retailers, service providers, dining, and lodging internal system migrate to the cloud (blockchain-as-a-service).

IoT

The art of cyberwar – Internet of things (IoT)

59 Comments

Preface:

The art of war (孫子兵法) written by Sun Tzu. The Art of War is an ancient Chinese military treatise dating from the Spring and Autumn period in 5th century BC. The work, which is attributed to the ancient Chinese military strategist Sun Tzu, is composed of 13 chapters. Perhaps the art of cyberwar do not have author. It is created by Artificial Intelligence.

The art of cyberwar first chapter (IoT Operating System)

The foundation of Open Systems Interconnection model strengthen the technology world. A common standard categorized software application, network protocol, network communications and hardware. Perhaps the standard founded in 1983. However it become mature till earlier of 90’s.

Obviously the situation of Internet of things (IoT) have certain similarity comparing with 80’s technology world. Since such period of time the vendor not intend enforce OSI model standard.

The Internet of Things presents a new set of data storage. Meanwhile it create cyber security challenges. First, there is large-file data, such as images and videos captured from smartphones and other devices. The second data type is very small, for example, log-file data generated from sensors. The operation system will be embedded on Flash Drive and SD Ram. Be my guest, let’s take a closer look of popular IoT OS system.

The art of cyberwar 2nd chapter

What are the parameters for selecting a suitable IoT Operating System.

Yes, it is the memory requirement and OS footprint.

The art of cyberwar 3rd chapter

Due to the Design limitation of free disk space and API library. And therefore it limit the types of cyber attack.

The art of cyberwar 4th chapter

IoT Jeopardize the world records (see below):

The art of cyberwar 5th chapter

This chapter looks straight forward. A common standard is waiting for all of you especially software developer and vendor define!

Application Development, Cell Phone (iPhone, Android, windows mobile), IoT, System, Virus & Malware

The other side of the story on cyber attack (Electronic war between countries)

389 Comments

Preface

We heard  that the new age transformation is coming.  As a result it transform the traditional military weapons to electronic codes. The computer  technologies such as DDOS (Distributed denial of services), malware and virus similar a killer. It can disrupt the financial activities,  daily network communication and health care services. An idea bring to our attention on world war II history was that classic military power result destroyed everything (mankind and properties).  But re-built the society and operation after war. It is a harsh and difficult mission! From technical point of view, the victorious might stand on ethics view point to assists defeated side to rebuild the business and economic system. As a matter of fact, the distruction level of war created by military weapon especially missile it is hard to evaluation. And this is the reason let’s cyber warfare appears in coming future! But it started already!

Analytic result on technical articles about cyber warfare

In regards to my study on technical article issued by CSS Eth Zurich (The Center for Security Studies (CSS) at ETH Zurich).The analytic result highlights serveral key factors of Cyber warfare . Cyber warfare was cheaper than traditional military force. It provides a  “cleaner” (with less or no bloodshed) suitation. No doubt that  less risky for an attacker than other forms of armed conflict. The analytic result  defines 5 different types of cyber conflict during their study. They are Cyber War, Cyber Terrorism, Cyber Espionage, internet crime and cyber vandalism.

The specific feature of cyber weapon (in between country to country)

I was sometimes confused with the headline news on prediction on cyber technology war.  The questions on my mind is that how electronic weapon or cyber weapon replacing traditional military facilities? Think it over, the appropriate technique might adopted target into the following criteria (see below):

The capabilities of cyber attack techniques ( A transformation of traditional military force)

Type Attack technology Functional feature – objective Target – Environment Remark:
Cyber Vandalism, Cyber War IOT & BOTNET (DDOS technique) Services suspension – electronic communication services (IP-Telephony) Bank, Fund House , Stock Exchange
Cyber Espionage Malware Information gathering Bank, Fund House, Stock Exchange & government sector
Cyber War, Cyber Vandalism Ransomware Services suspension important facility fucntion nuclear facility , Airlines,TV broadcast station, Radio broadcast station & military facility Ransomware feature contained facility to supspend the computer services. Besides it capable listen to the instruction of C&C server. On the other hand, the attacker can resume the services once they win the battle.
Traditional military force Bomb Services Suspension on important facility function and destroy permanently nuclear facility, military facility, power station, airport & communiation facility (Digital phone system)
Internet Crime, Cyber war Email phishing and Scam email message Carry out  psychological warfare, implant malware activities in order to fulfill their objective nuclear facility, military facility, power station,

Let us dig out one of the attack technique to see how the cyber technology feature fulfill the goal of the cyber warfare features .

Do you think Ransomware is founded by military department?

The first ransomware appear in the world on 1989. A biologist Joseph L. Popp sent 20,000 infected diskettes labeled
“AIDS Information – Introductory Diskettes” to attendees of the World Health Organization’s international AIDS conference.
But after 90 reboots, the Trojan hid directories and encrypted the names of the files on the customer’s computer.
To regain access, the user would have to send $189 to PC Cyborg Corp. at a post office box in Panama.

In 2006, former President George W. Bush was increasingly worried about Iranian efforts at enriching uranium, and ultimately, its hopes to build an atomic bomb. The goal of Stuxnet is going to destroy Iraq nuclear facilities driven by US government. The rumors were told Stuxnet malware destroyed roughly one-fifth of Iran’s centrifuges in 2009.

An unconfirmed  information stated that there is a separate operation called Nitro Zeus, which gave the US access into Iran’s air defense systems so it could not shoot down planes, its command-and-control systems so communications would go dead, and infrastructure like the power grid, transportation, and financial systems.

Speculation:

WannaCry infection using EternalBlue, an exploit of Windows’ Server Message Block (SMB) protocol.  The U.S. National Security Agency (NSA) had discovered the vulnerability in the past, but used it to create an exploit for its own offensive work, rather than report it to Microsoft. As we know nuclear power facilities control system OS platform relies on Microsoft OS system (see below articles). It may causes people think is there any secret action hide by NSA (National Security Agency). He aroused my interest in questioning who is the key figure to spread WannCry ransome? It looks that there is similarity with Stuxnet worm infection in 2009. Since we all fool by NSA at that time let your computer workstation transform to a cyber army then attack USA enemy.  Do you think wanncry is the rehearsal of test or pilot run?

Malware vs. nuclear power: Do you think SCADA system is the culprit of attack on nuclear power system?

Below diagram is my imagination of the modern nuclear facility environment. The SCADA system pay a key role in nuclear power facility. Ransomeware have capabilities to suspend the services of this facilities. It doesn’t need to destroy anything but the services will be totally shut it down the services. We have seen the real example in UK health care services as a reference. I will stop written here. Should you have any queries, I will try my best to written more in future.

Supplement – The other side of the story on cyber attack (Electronic war between countries) – 13th June 2017

As said on above discussion topic, since it looks not interest to visitors on reflection of comments on feedback.  However there is something on my mind need to share.

North Korea President Kim’s intention show to the world of his governance power. He is in frequent to demonstrate his military power cause US government concerns his equalize of military power in the world. To be honest, it is hard to equal the military and economics power as of today. For instance China nearly become the 1st business economic leader. We all know United state is the leader in this moment. However their economic operation chain should have difficulties to do the 2nd round of transformation. Because some of their capital business and business economy contained made in China element.  Since North Korea on finance and business economy are weak. President Kim did such things seems not make sense. I did not visit North Korea however a lot of news on TV might speculate their current situation. I strongly believed that their nuclear facility might operation in 60’s fashion. The SCADA system not possibly supply by Siemens. But learn and develop a windows based SCADA system not difficult.  From information point of view, North Korea nuclear facilities might relies on window for Control Systems instead of Linux for control system.  And therefore Ransomware type attack can specifics shot the target. Meanwhile the business industry from North Korea all work with Microsoft OS  in daily life.

Below are the hints how to eliminate the risks issued by  SCADA system vendor. Any interest?

Process control vendors require:
1. A system with a minimal attack surface, so that biweekly or monthly patches are not required
2. A consistent programming interface that will not change every four to five years, requiring a complete rewrite of their software
3. An environment that can be quickly and safely “locked down” to reduce the risk from hacking
4. A system with limited network access, only through specific ports to reduce the risk of network based attacks
5. Support for priority-based multi-tasking, preferably a real-time operating system (RTOS) that supports hard real-time requirements
6. A robust ecosystem of utilities and tools to make development, installation, debugging, and maintenance as easy as it is on consumer systems.

End of this topic