What Infrastructure Do You Depend On? - Jan 14th - 20th, 2023, F5 SIRT - This Week in Security





This week seems to be filled with infrastructure news, or more accurately, I am full of infrastructure security concerns. From new books on the topic of infrastructure, to federal bills to fix and enhance it, to attacks on and disruptions of it, detailed below, infrastructure has been at the forefront of the civic zeitgeist. This week we tour some infrastructure failures, providing evidence that security and infrastructure resilience go hand in hand. Some of these infrastructure issues are in information infrastructure, such as the NOTAM outage that grounded flights around the United States, the leak of the No Fly List, or the tale of the Southwest Airlines mishap. Others are in traditional infrastructure such as the power grid. Ultimately I hope you go away with two dueling questions: What infrastructure does my security posture depend on, and what happens when that infrastructure goes away?

0wn an Airline and get the No Fly List.

One day maia crimew was browsing through open Jenkins servers and discovered something interesting: seeing words like "ACARS" and "crew", they realized they had found an open Jenkins server belonging to the airline CommuteAir.
CommuteAir is a regional airline that flies Embraer ERJ-145 jets under the United Express brand as one of United Airlines' contract carriers for its feeder service. Regional airlines in the United States operate either by contracting with major airlines to provide feeder service, using aircraft seating 50 to 100 people, from low-volume airports to the majors' hubs, or by providing subsidized service, often with even smaller aircraft, to even smaller airports.
maia had noticed references to the fabled TSA No Fly List in the code they uncovered, and after some days of searching, during which they turned up more and more files left lying around that included AWS credentials and the like, they found it. And well, it was subsequently leaked. Analysis of the list reveals many things, including that 10% of the entries on the list have Muhammad in the first or last name fields.
Of course, this is the problem, as Bruce Schneier puts it, with having to give a copy of your secret list to lots of people. There are hundreds of scheduled airlines that are based in the US or fly to the US, and each of these airlines needs the list and its updates to check against passenger booking data and flag passengers, either denying them a ticket or, as part of the boarding process, giving their boarding pass the dreaded SSSS mark. While an airline may spend a lot of security effort on securing the systems that handle passenger and crew data, the leaked list was not found in those systems but in the testing infrastructure used to develop them, and, as happens time and again, real data was being used to test.
This all speaks to the need for robust and well-defined data security policies: if real data must be used to test systems, those systems should have the same or greater protection than the production systems working with the same data. I am a firm advocate of placing more protections around testing infrastructure than around production infrastructure, because testing infrastructure sometimes has to run without a WAF or other protections while the WAF policies are being developed or adapted to new updates, or while protections built into the application are unfinished or disabled in testing.
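The CommuteAir leak (credentials in files on a build server, real data in test systems) is the kind of exposure a defender can look for on their own build and test infrastructure before someone else does. The following is an added example, not code from this article or from any airline or vendor it names: a small Python scanner of the sort you would run over Jenkins workspaces or job logs to flag AWS-style credentials in plain text. The sample log lines are constructed, and the key values in them are the placeholder examples AWS uses in its own documentation. The access key ID shape (AKIA followed by 16 upper-case alphanumerics) and the 40-character secret key shape are the documented formats; the entropy threshold of 4.0 bits per character is an assumption chosen here so that obvious placeholders such as a string of zeros are not reported.

```python
"""Scan CI/build artifacts for AWS-style credentials left in plain text.

Added example, not code from the article or from any airline or vendor it
names. Patterns: the documented AWS access key ID shape (AKIA + 16 upper-case
alphanumerics) and the 40-character secret access key shape. The entropy
threshold is an assumption chosen here to drop obvious placeholders.
"""
import math
import re
from collections import Counter
from typing import Dict, List

# Access key IDs have a fixed, documented prefix and length.
ACCESS_KEY_RE = re.compile(r"\b(AKIA[0-9A-Z]{16})\b")

# Secret keys are 40 chars of the base64 alphabet. Require a key-like label
# before the value so ordinary hashes, paths and tokens are not flagged.
SECRET_KEY_RE = re.compile(
    r"(?i)(?:aws)?_?secret_?(?:access)?_?key\s*[:=]\s*[\"']?"
    r"([A-Za-z0-9/+=]{40})(?![A-Za-z0-9/+=])"
)

# Constructed sample: what a leaked Jenkins job log or shell profile might hold.
# The key values are the placeholder examples used in AWS documentation.
SAMPLE_JOB_LOG = [
    "[INFO] Starting integration tests against pax-staging",
    'export AWS_ACCESS_KEY_ID="AKIAIOSFODNN7EXAMPLE"',
    'export AWS_SECRET_ACCESS_KEY="wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"',
    'secret_key = "0000000000000000000000000000000000000000"  # low-entropy placeholder',
    "[INFO] Loaded 3 fixture files from s3://example-bucket/test-data/",
]


def shannon_entropy(value: str) -> float:
    """Bits of entropy per character; a randomly generated key scores well above 4."""
    counts = Counter(value)
    n = len(value)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def redact(value: str, keep: int = 4) -> str:
    """Keep only a short prefix so the report itself does not re-leak the secret."""
    return value[:keep] + "*" * (len(value) - keep)


def scan_lines(lines: List[str], min_entropy: float = 4.0) -> List[Dict[str, object]]:
    """Return one finding per credential-shaped value, with the value redacted."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(lines, start=1):
        for m in ACCESS_KEY_RE.finditer(line):
            findings.append({"line": lineno, "kind": "aws_access_key_id",
                             "value": redact(m.group(1))})
        for m in SECRET_KEY_RE.finditer(line):
            secret = m.group(1)
            # Placeholder strings such as all zeros match the shape but not the entropy.
            if shannon_entropy(secret) >= min_entropy:
                findings.append({"line": lineno, "kind": "aws_secret_access_key",
                                 "value": redact(secret)})
    return findings


if __name__ == "__main__":
    for f in scan_lines(SAMPLE_JOB_LOG):
        print(f"line {f['line']}: {f['kind']} {f['value']}")
```

Run against the constructed log it reports the access key ID on line 2 and the secret on line 3, and skips the all-zeros placeholder on line 4. The redaction matters in practice: a scanner that copies the full secret into a ticket or a CI console has simply moved the leak. The same approach extends to other credential shapes, but a label-plus-entropy rule like this one is a screen for your own artifacts, not a substitute for keeping real keys and real data out of test infrastructure in the first place.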

Power Substation Attacks

A series of power substation attacks has plunged parts of the United States into darkness. The first series of attacks was in North Carolina, where two substations in Moore County were attacked by currently unknown assailants. Analysis of the attack by Grady Hillhouse of Practical Engineering suggests the attackers potentially had some inside knowledge, having specifically targeted, with rifles, the step-down transformers that serve as a link to Moore County. The resultant damage required several days of work to temporarily restore power, while inspection of the damaged transformers and the subsequent repair took quite a bit longer. The incident and the subsequent incidents detailed below are under investigation by the FBI.
In the days following the North Carolina attacks, attacks occurred on substations owned by Portland General Electric, Bonneville Power Administration, Cowlitz County PUD and Puget Sound Energy. The motive for many of these attacks is not known, so they may be copycat attacks or a coordinated effort. These initial attacks in Oregon and Washington remain unsolved, and the FBI has warned of possible plots by radical right-wing groups to continue disrupting power infrastructure in furtherance of an "accelerationist" plot.
Later that month, during Christmas, four more substations were taken offline in a series of attacks. After an intense investigation with the assistance of the FBI, two men were arrested for attacks on four of the Pacific Northwest substations, offering the explanation that they were trying to disrupt power in furtherance of a robbery.
Some may remember an incident in 2013 where a sniper attacked a PG&E substation on the outskirts of San Jose, California. The sophistication of that earlier attack has led investigators to believe that the attackers had specific inside knowledge of both the power infrastructure and substation design, of how that infrastructure connected to the wider grid, and of the use of high-powered rifles.
All of these attacks reveal the potential vulnerability of the United States power infrastructure to sophisticated attacks. Following similar incidents in the past, utilities have started installing concrete walls to protect transformers from gunfire and have upped their CCTV game to include more cameras and hardened storage and transmission of CCTV video. After the San Jose incident and a number of fiber cuts that preceded it, fiber optic providers have upgraded the security of fiber vaults and cabinets. But even with all of these upgrades, some facilities may still consist of an unlocked cabinet or a substation with just a chain-link fence and a sign warning of deadly voltages inside.
As Grady noted in his analysis linked above, the massive size and spread of the US power infrastructure prevents substantial preventive measures from being applied everywhere, but it also provides for its resilience. Despite these attacks spanning three states and a dozen power providers, the relative impact was small, disrupting power for only a fraction of those states' residents and businesses, and restoration in some cases took mere hours.
So, what does this mean for your infrastructure? Time and again I have seen larger disasters turn a well-planned disaster response plan into a mess, as the scope of the disaster exceeds what was planned for. In this case we can see an obvious issue right away: while you may have power protections in place, how long are they designed to last? You have diesel generators, but how many days or weeks of fuel do you have onsite? Do you have a plan for getting more? How long can your generators run without maintenance, and do you have a plan for when you have to take them offline for planned or unplanned maintenance? Do you have a plan for your people's needs during a disaster?


Updated Jan 27, 2023
Version 2.0



  • Brilliant issue, Kyle - and a nice shout-out to one of my favourite YouTube channels near the end there (Technology Connections)

  • AaronJB Technology Connections is great, one of my favorites. Practical Engineering, which he mentioned earlier, is also a good channel to check out.

  • Thank you for the information and links. I am interested in this topic myself; I was especially interested in the point about the power substation attacks.