NSW open to cyber attack: researcher

The NSW Police Force has tightened up its security over the past decade, decommissioning systems that were linked to other agencies as part of the Sydney Olympics; however, one contractor who worked on the project said NSW infrastructure remains vulnerable to cyber attack.

One of the documents that show Wright's involvement with the various infrastructure groups
(Screenshot by Michael Lee/ZDNet Australia)

In an interview with ZDNet Australia and following a post on his blog, the vice president of the Global Institute for Cybersecurity and Research, Dr Craig Wright, described how the IT systems servicing critical NSW infrastructure like rail and power were often set up with the idea that if no one knew their flaws, they would be reasonably secure — an information security worst-practice often dubbed "security through obscurity".

As a contractor to the now dissolved Olympic Coordination Authority and for several other government organisations, Wright was responsible for linking various systems, including the Supervisory Control And Data Acquisition (SCADA) systems for NSW infrastructure to a central headquarters. These systems included traffic, rail, water, power, emergency response and sewerage systems.

He said that while the police had some very good monitoring systems, including measures to alert its Internal Affairs department if someone had been accessing areas they were not meant to, it didn't stop people from sniffing traffic. He added that the police's system was one of the better examples. For many of the other systems, once someone had gained access, there was little to stop or monitor intruders.

Wright said that after the Olympics, little had been done to secure or maintain these interconnected systems, adding that they continue to become less and less secure over time. Even a decade after their implementation, Wright said that as recently as six months ago, he was still able to access the systems.

Stratsec principal consultant, Sebastien Jeanquier, said that due to the sensitive nature of these systems and the services they maintain, they are often not patched or disconnected for fear of breaking something.

"As a result, there are still many vulnerable SCADA systems connected to the internet today. This is something the security industry has known about for a long time already. Whether or not these systems could realistically be used to cause major damage is usually open for debate," he said.

Sydney Water declined to comment on whether its systems were accessible; Ausgrid and RailCorp did not respond to requests for comment.

NSW Police confirmed that it had physical connections to other agencies to support the Olympic games, and although these had been decommissioned long ago, it stated that it does establish similar connections from time to time to "support operations and emergency response".

"On these occasions, operational policing information, including private information held by police, is not exposed to these connections. Regular penetration testing is conducted to ensure our systems are kept secure and any infrastructure vulnerability is managed in a timely fashion and based on a risk management approach."

The Transport Management Centre (TMC), however, denied the existence of any such project.

"The project referred to by Dr Wright never existed. TMC systems are not connected to any other control systems," the TMC wrote in its response. "There are strong restrictions on all access to the TMC's traffic management systems. TMC systems are tested on a regular basis including by a professional internet security firm. There is no record of any attacks or unauthorised access to traffic management systems."

Wright said that in the TMC's case, it probably simply didn't know that the project existed, since it happened so long ago. He said that the systems that had been set up had probably been overlooked or forgotten as staff came and went, and as the TMC went through structural change in the past few years. Functional and organisational control of the TMC was transferred from the Roads and Traffic Authority to the NSW director general of Transport on 31 August last year.

However, Wright's claims that he was involved with these organisations are likely to be true. ZDNet Australia has sighted confidential documents including network diagrams, firewall configurations, project emails and review documents dating back to the Sydney Olympics, which show Wright's involvement at least with the OCA, Ausgrid (then EnergyAustralia), Rail Access Corporation (which eventually fell under RailCorp ownership) and NSW Police.

NSW's infrastructure systems are not the only ones that Wright thinks are seriously exposed.

(Seatback TV computer says no image by Sam, CC2.0)

On a separate job, Wright was contracted to test systems on Boeing's 747. According to Wright, the 747's engine management system runs on a Solaris-based Unix system. In the event of an engine problem mid-flight, aircraft engineers could "fix it in the air", a capability that Wright said would be preferable to finding somewhere to land. However, he said that while the controls were good to have, a lot of them had been implemented without proper security, or with security flaws, since it was thought that no one would know of their existence.

In Wright's case, he hadn't been contracted to test the engine management system — his responsibility lay with the video system — however, he noticed that the only security measures the engine management system had were NAT-based filters.

NAT, or Network Address Translation, works by having a public-facing internet protocol (IP) address represent a number of private IP addresses behind the NAT. NAT forwards packets received by the public IP address to computers behind the NAT, without the public knowing the private IP addresses of those computers. Computers behind the NAT have their IP address "translated" to the public IP address when sending packets. According to Wright, the filters would screen incoming traffic, but allow all outgoing traffic.

Under those circumstances, Wright said it would be possible to make an outgoing connection to an SSL-enabled website, install a backdoor and then access the network from the internet.
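The filtering behaviour Wright describes can be modelled in a few lines; this is an added example, not code from the article or from any system it mentions. It contrasts a gateway that filters inbound traffic only with one that also applies a default-deny egress allow-list and logs refused outbound attempts. The `NatGateway` class, the policy names and all addresses (documentation ranges) are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class NatGateway:
    """Toy NAT gateway (hypothetical model, not any real product)."""
    # None = allow all outbound, the weak setting described in the article;
    # otherwise the set of (dst_ip, dst_port) pairs internal hosts may reach.
    egress_allow: Optional[set] = None
    flows: dict = field(default_factory=dict)  # public port -> flow 4-tuple
    next_port: int = 40000
    log: list = field(default_factory=list)

    def outbound(self, src_ip, src_port, dst_ip, dst_port):
        """Internal host opens a connection; return the public port or None."""
        if self.egress_allow is not None and (dst_ip, dst_port) not in self.egress_allow:
            self.log.append(("EGRESS_DENY", src_ip, dst_ip, dst_port))
            return None
        pub_port, self.next_port = self.next_port, self.next_port + 1
        self.flows[pub_port] = (src_ip, src_port, dst_ip, dst_port)
        return pub_port

    def inbound(self, src_ip, src_port, pub_port):
        """Packet hits the public address; return the internal (ip, port) or None."""
        flow = self.flows.get(pub_port)
        if flow and flow[2:] == (src_ip, src_port):
            return flow[:2]  # reply on a flow opened from inside: delivered
        self.log.append(("INGRESS_DROP", src_ip, pub_port))
        return None


def compare_policies():
    """Run the same traffic through both policies and report what got through."""
    internal = ("10.0.0.5", 51000)      # host behind the NAT (constructed)
    outside = ("198.51.100.7", 443)     # arbitrary internet host (constructed)
    approved = ("192.0.2.10", 443)      # the one service the host needs (constructed)
    results = {}
    for name, allow in (("inbound_only", None), ("egress_allowlist", {approved})):
        gw = NatGateway(egress_allow=allow)
        unsolicited = gw.inbound(*outside, 40000)   # nothing opened yet
        port = gw.outbound(*internal, *outside)
        reply = gw.inbound(*outside, port) if port else None
        results[name] = {
            "unsolicited_in": unsolicited,
            "reply_in": reply,
            "approved_out": gw.outbound(*internal, *approved) is not None,
            "denied": [e for e in gw.log if e[0] == "EGRESS_DENY"],
        }
    return results


if __name__ == "__main__":
    for policy, outcome in compare_policies().items():
        print(policy, outcome)
```

The `EGRESS_DENY` entries are the signal worth alerting on: a host behind the gateway tried to reach a destination outside its allow-list.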

He also said that the necessary adoption of IPv6 would remove the very limited security that NAT-based filters provide and make the traditional approach of setting up firewalls for security less effective.

"Firewalls do not really work in a pure IPv6 environment. People will try and say that they can, but they either do not understand the technology or are pushing a vendor solution that cannot work. IPSec is a core component of IPv6. The thing with encrypted communications is that you cannot filter them," he said.

Jeanquier disagreed.

"If designed and configured correctly, it is entirely possible to secure IPv6 to the same extent as IPv4, and in some cases more so thanks to built-in encryption capabilities of IPv6," he said.

In any case, Wright said that with the right knowledge, it would be possible for someone on the ground to hack into the systems on an aircraft in the air. He did clarify his claim by stating that attacks would more likely be state-sponsored or highly sophisticated due to the knowledge an attack would require, but that this could be acquired from someone selling or accidentally disclosing the information.

This meant it wasn't likely that the average bedroom hacker would be able to do so, but when it came to high-end, sponsored or government hackers, Wright said that in many cases, they probably already knew of the holes, but didn't want to do anything about them. He said the disclosure of them would remove a potential tool for them to exploit in the future.

While Jeanquier said it was difficult to know for certain if hijacking a plane over a computer would be possible, he said it wouldn't be the first time systems on a vehicle have been remotely controlled from the internet. Jeanquier referred to a paper by a security researcher who managed to remotely access the live audio and video functions of a US police car (PDF), and how researchers in the US managed to remotely start a car.

ZDNet Australia contacted Boeing for comment, but received no reply at the time of publication.

Wright said his greatest fear wasn't that these vulnerabilities existed, but the possibility that splinter groups like LulzSec would stop hacking for the "lulz" and start intentionally putting people at risk. He suggested this might already be happening with hackers recently leaking the personal details of US law enforcement officials and dubbing it "Shoot the Sheriff Saturday".

While a large-scale incident might provide a wake-up call and draw attention to information security, Wright said that overall, it wouldn't help, citing 9/11 as a perfect example of a knee-jerk over-reaction to security. He said that the likely quick fix-it solution of checklists and equipment would be like the current practice of confiscating screwdrivers at airports, but providing steak knives to business class passengers on aircraft — action that appears to address the problem, but doesn't solve the root cause: people.

Wright said that since people are viewed as the weakest link, then they need to be better educated before a major incident occurs.

"People are going to be people. We need to know that people are going to do silly things and we need to put things in place that allow us to know what's happening," he said.

"Fingers crossed, we'll be educated. It'll take time, [but] we don't want to wait until we've lost lives. We've got to do something before then."

He said that agencies such as the Defence Signals Directorate had some good standards and practices to follow, but people within the Commonwealth Government were only just starting to wake up.

"We need to start taking these things seriously and we cannot wait until LulzSec or some other group decides to do it for us."

Talkback

"On a separate job, Wright was contracted to test systems on Boeing's 747... In Wright's case, he hadn't been contracted to test the engine management system — his responsibility lay with the video system — however, he noticed that the only security measures the engine management system had were NAT-based filters."

It would be in Boeing's best interests to investigate these security shortcomings on their engine management systems. I really doubt groups like LulzSec or Anonymous would even try to take advantage of this, but not every hacker and group out there would be so considerate, especially if they try to find out how far their access can go.

techkidtechkid October 6th, 2011