
Researcher Publishes Industrial Complex Hack

samzenpus posted more than 6 years ago | from the who-runs-the-power-plant dept.

Security 190

snydeq writes "Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries. The code exploits a flaw in supervisory control and data acquisition software from Citect. The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection. Finisterre, however, sees the issue as indicative of a 'culture clash' between IT and process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime. 'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"


Well (4, Insightful)

Anonymous Coward | more than 6 years ago | (#24954721)

If you hook up a device to the internet without any firewall protection, you deserve what you get.

Re:Well (4, Insightful)

lysergic.acid (845423) | more than 6 years ago | (#24954819)

what do you get? internet herpes?

a firewall will protect your computer from many exploit attacks, but that's not a reason to rely solely on a firewall for protection.

running a system with a bunch of unpatched security vulnerabilities and simply relying on a firewall to protect you is just as foolish as connecting to the internet without a firewall. after all, what happens if the firewall fails, is bypassed, or has a security vulnerability of its own?

Re:Well (1)

Enderandrew (866215) | more than 6 years ago | (#24955013)

I'm sitting at work, where our firewall restricts internet access. Yet here I am, posting on Slashdot.

Firewalls are amazingly easy to bypass.

Re:Well (4, Funny)

Solra Bizna (716281) | more than 6 years ago | (#24955217)

Firewalls are amazingly easy to bypass.

From the inside, certainly.

-:sigma.SB

Re:Well (1)

Enderandrew (866215) | more than 6 years ago | (#24955299)

They are much easier to circumvent from the inside, but I've yet to see a firewall that can't be breached.

Re:Well (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24955281)

Since when does recommending seatbelts equate to relying solely on seatbelts?

Re:Well (1)

lysergic.acid (845423) | more than 6 years ago | (#24955353)

when the use of seatbelts is brought up in a discussion about running red lights.

saying that someone who doesn't use a firewall when connecting to the internet deserves what they get contributes nothing useful to this discussion, unless you're implying that this vulnerability is moot because we should all be using firewalls.

Re:Well (4, Insightful)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954853)

If you hook up a device to the internet without any firewall protection, you deserve what you get.

We should be glad that people release these 'bugs' openly - I'm sure that this information would have made Mr. Finisterre a lot of money, if he approached the right (wrong?) person. Imagine what would happen with no firewall AND no public notification?

Re:Well - forget the condom (0)

Anonymous Coward | more than 6 years ago | (#24956021)

If you hook up a device to the internet without any firewall protection, you deserve what you get.

We should be glad that people release these 'bugs' openly - I'm sure that this information would have made Mr. Finisterre a lot of money, if he approached the right (wrong?) person. Imagine what would happen with no firewall AND no public notification?

If you hook up a device to the internet, you deserve what you get. NOTHING long halts the truly determined.

EddieCurrents

Why ... (4, Insightful)

sconeu (64226) | more than 6 years ago | (#24954731)

The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection.

Why would you have critical systems like that directly connected to the 'Net anyways?

Mod parent up. (1)

khasim (1285) | more than 6 years ago | (#24954773)

I don't care WHAT the reasons for connecting them to the Internet are.

The fact that it allows anyone in the world, anywhere, anytime, a chance to attack your systems is the only reason needed to refuse that.

I love you. (-1, Offtopic)

Anonymous Coward | more than 6 years ago | (#24955157)

What you said is absolutely true. This isn't the first time this has happened to me. I just want to give you a hug [truveo.com] for that bit of advice.

Re:Why ... (5, Informative)

phatvw (996438) | more than 6 years ago | (#24954801)

Why would you have critical systems like that directly connected to the 'Net anyways?

To reduce costs. It's cheaper for an engineer to remote in to check on something than to have them physically drag their butt to work. Fewer people are able to monitor more 24/7 systems this way.

And it's almost always cheaper to use an Internet connection than a dedicated leased line for this sort of thing.

Re:Why ... (3, Insightful)

geekoid (135745) | more than 6 years ago | (#24954953)

It will only take one incident to loose any cost savings by an order of magnitude.

Seriously, you can't get into any of your machines for an hour, how much does that cost? the machines start doing the wrong thing?

Re:Why ... (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24955733)

It will only take one incident to loose any cost savings by an order of magnitude.

Lose not loose, faggot.

Re:Why ... (1, Funny)

CrazyJim1 (809850) | more than 6 years ago | (#24955485)

And it is cheaper still to have a drinking bird do your remote work.

Re:Why ... (2, Informative)

POTSandPANS (781918) | more than 6 years ago | (#24955655)

The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection.

Seriously? If you can't afford to buy some sort of basic protection for internet connected equipment, you need to re-think your business model. If you can't afford the downtime to install a simple firewall, then you really won't be able to afford the downtime it will cause when somebody breaks in.

Re:Why ... (3, Funny)

LaminatorX (410794) | more than 6 years ago | (#24955905)

If only there were some sort of virtual private network available that could give them a reasonably secure low-cost option for remote access.

Re:Why ... (1)

kesuki (321456) | more than 6 years ago | (#24954809)

imagine you're a multinational oil company with 300 billion dollars worth of oil and gas reserves, and want to know the exact amount of oil and gas coming out of each well every day or even hour by hour...

and you're doing this without the internet because you like rolling out your own private wide area network? much easier to make a WAN that sits on top of the internet.

remote administration is a lot cheaper than flying admins to every site too. so the question really is, why wouldn't these systems be hooked to the internet.

Re:Why ... (5, Insightful)

dave562 (969951) | more than 6 years ago | (#24954903)

You download the data to a historian server and reference that. There is no reason to ever remotely connect to the actual hardware that is controlling the valves and actually running the plant. I'm not sure what kind of sites you'd need to fly an admin out to, but odds are that there are already people there. I don't know too many power plants, electrical generation facilities, or oil/gas operations that are 100% automated and don't have any people around.

Re:Why ... (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954943)

I don't know too many power plants, electrical generation facilities, or oil/gas operations that are 100% automated and don't have any people around.

yes, but are there qualified people available to do the adjustments on site? What about those unmanned offshore oil rigs? I bet the engineers were pushing HARD for remote access there..

Re:Why ... (1)

dave562 (969951) | more than 6 years ago | (#24955457)

I'm not all that qualified to comment on the dynamics of off-shore oil rigs. If they are truly 100% unmanned then they are probably already remotely controlled. But remotely controlled is not the same as connected directly to the internet. They're probably running an IP VPN across a satellite link or something similar.

Re:Why ... (2, Interesting)

Fulcrum of Evil (560260) | more than 6 years ago | (#24955685)

that's why we have these things called vpns.

Re:Why ... (1)

GNUALMAFUERTE (697061) | more than 6 years ago | (#24955933)

Agreed. But you code your systems properly, and only open up through an IPSec tunnel. Then you drop any traffic that is not coming from one of the authorized IPSec endpoints. Period.

And, obviously, you don't run your system on top of Windows.

OpenBSD looks like a good choice.

And you give any employee that needs to connect to the system dedicated machines with fixed IP addresses, and these machines run Unix and are locked down, just terminals, with no other access than to this system. And you audit these ttys from time to time and change keys and passwords every 30 days.

It's not about cutting functionality, it's about doing things properly.

Re:Why ... (4, Insightful)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954827)

Keeping critical systems offline sounds smart, until you realize that

a) What is critical to you may not be critical to me
b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)
c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.

Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.

Re:Why ... (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954885)

Imagine if I could go online and check my power consumption against that of my neighbours? Or see the average power usage in a neighbourhood before buying a house in the area? Or being able to do that for any utility? ... These should be connected online!

Not to mention the cost savings that come with remote management... I'm happy with anything that keeps the cost of living down.

Re:Why ... (1)

kesuki (321456) | more than 6 years ago | (#24954999)

not all firewalls are made of the same stuff. especially consumer grade firewalls, and any unmanaged firewalls. if ports inbound can be opened by spoofing a 'return' packet (full open firewall) then hackers can get inside it.

but yeah, there are reasons to put systems on the internet, and there are reasons to not skimp on it, and get admins who have a clue about security and what hackers can really do.

as for banking networks, they kind of evolved before the internet evolved, so it's possible that banks' ATMs aren't on the internet. it's pretty easy for an atm to do everything over a telephone/modem and even some credit card point of sale units were using telephone networks. and a lot of medical equipment to this day uses telephone networks. for instance, if you have a routine scan of your brain waves, chances are it's going over modem to a place in Tennessee to be evaluated, and not over the internet.
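The distinction kesuki draws above, between a firewall that passes anything that looks like a "return" packet and one that keeps connection state, can be modelled in a few lines. This is an added illustration, not code from the thread; the packet model, the addresses and the ports are constructed for the demo.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    """Minimal TCP packet model for the demo (constructed; no real parsing)."""
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool
    ack: bool
    inbound: bool   # True when the packet arrives from the outside


def full_open_filter(pkt: Packet) -> bool:
    """Stateless rule of the 'full open' kind criticised above: an inbound packet
    carrying the ACK flag is presumed to be a reply to something the inside sent,
    so it passes. Nothing checks that such a session was ever opened, which is why
    the flag alone is enough to get through."""
    if not pkt.inbound:
        return True
    return pkt.ack


class StatefulFilter:
    """Inbound packets pass only when they answer a session the inside opened."""

    def __init__(self) -> None:
        self.sessions = set()   # (src, sport, dst, dport) of outbound SYNs seen

    def decide(self, pkt: Packet) -> bool:
        if not pkt.inbound:
            if pkt.syn and not pkt.ack:
                self.sessions.add((pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return True
        # a genuine reply carries the outbound tuple mirrored
        return (pkt.dst, pkt.dport, pkt.src, pkt.sport) in self.sessions


def sample_trace():
    """Constructed four-packet trace: one legitimate session, then two unsolicited
    inbound packets aimed at a VNC port, one with ACK set and one without."""
    inside, peer, stranger = "10.0.0.5", "203.0.113.7", "198.51.100.9"
    return [
        Packet(inside, 51000, peer, 443, syn=True, ack=False, inbound=False),
        Packet(peer, 443, inside, 51000, syn=True, ack=True, inbound=True),
        Packet(stranger, 4444, inside, 5900, syn=False, ack=True, inbound=True),
        Packet(stranger, 4444, inside, 5900, syn=True, ack=False, inbound=True),
    ]


def run(decide, trace):
    """Apply a filter's decision function to each packet in order."""
    return [decide(p) for p in trace]


if __name__ == "__main__":
    trace = sample_trace()
    print("full open:", run(full_open_filter, trace))
    print("stateful :", run(StatefulFilter().decide, trace))
```

The third packet is the one that separates the two designs: the flag-only rule admits it, the state-tracking rule has no matching outbound session and drops it. Real stateful firewalls also age entries out and track sequence numbers; the table here is deliberately the simplest form of the idea.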

Re:Why ... (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24955073)

for instance, if you have a routine scan of your brain waves, chances are it's going over modem to a place in Tennessee to be evaluated, and not over the internet.

Well, it will be sent over the phone/modem for now. Until some bean-counter realizes that it is cheaper to use the 'net...

By the numbers. (4, Insightful)

khasim (1285) | more than 6 years ago | (#24955105)

a) What is critical to you may not be critical to me

And who are you? Seriously. Why is your opinion of what is "critical" worth anything in this discussion?

b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)

And the cost of hiring those people vs the cost of cleaning up after an attack? Skipping security is ALWAYS cheaper. As long as you never consider the cost of an attack.

c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.

#1. ATM's. No. They were not originally connected to the Internet.

#2. Driving license. So what? That would catch up to you after the traffic tickets were entered into their system.

#3. Corporate VPN's. We're talking critical systems here.

Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.

Wrong. There is access to them without having them connected to the Internet. Just as it was back in 1990.

All of your reasons come down to "cheaper".

"Cheaper" should not have more weight than "secure".

Re:By the numbers. (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24955437)

I never said cheaper should have more weight than secure. But, if you haven't noticed, people prefer to save money. Corporations prefer to make money. Stockholders prefer to have increases in their investments. So, even though I agree with you - all signs point to 'cheaper' winning out over 'better'.

As for my opinion of critical? Well, if I owned a large, multi-million dollar company, then I would consider anything that had a major impact in my ability to make money AS CRITICAL.

To be even more callous, if you can't pay for your mortgage, and I have no debt, then your inability to make payments are a critical issue to you - but I couldn't care less.

Critical systems are defined by those who rely on them - therefore, the definition of critical is largely subjective. As for my 'reasons', well - they're not just MY reasons, they're almost universal. You might be the exception - but if everyone was like you, then there wouldn't be wal-marts...

Re:By the numbers. (1)

db32 (862117) | more than 6 years ago | (#24955523)

Just to play devil's advocate a bit. "Cheaper should not have more weight than secure" is not true. Think about space travel. "Secure" would involve thicker shells to protect better from debris and more lead to protect against radiation and so on and so forth. The "Cheaper" in this case allows it to happen at all because all of that extra layering would make the whole thing pretty cost prohibitive.

I can think of tons of reasons these things should be networked. I am having a hard time with why they should not be part of a closed network. But being networked most certainly does not simply boil down to simply being "cheaper". With industrial systems like this, being able to NOT be in the room where it is operating is a tremendous boost to safety in many cases.

The ONLY thing I can really come up with for having these accessible outside of a closed network is faster emergency access. And let's face the music here, the probability that you would need to access something like this quickly to avert/recover from a normal possible failure is FAR higher than the risk posed by evil haxors. So, still not simply a case of cheaper.

And actually...to be fair in the case of space travel secure most certainly does carry more weight than cheaper, but not exactly in the way you were describing. :)

Re:Why ... (0, Troll)

fishbowl (7759) | more than 6 years ago | (#24955589)

b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)

Yes, some CEO might only get $16,935,000 in their bonus instead of the full $17,000,000. And if that happens, apparently the economy will collapse.

Re:Why ... (1)

Fulcrum of Evil (560260) | more than 6 years ago | (#24955727)

If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty.

You can anyway - they need PC in order to pull you over and run your license. Anyway, all of your examples miss the mark; your ATM doesn't need to be sitting on the internet (probably doesn't). It needs a network connection, but that's covered with VPN type tech or a private network. The cost angle needs to be weighed against the risk of doing things on the cheap - no need for direct access, at least not naked access.

Re:Why ... (3, Insightful)

Cornwallis (1188489) | more than 6 years ago | (#24954837)

Why would you have critical systems like that directly connected to the 'Net anyways?

Because a project manager, working under pressure from his/her boss, says "Get it done" and the poor shmoe tasked with installing it probably doesn't know what a firewall is. He is simply following the instruction manual. So many bosses turn a blind eye to this stuff that you end up with serious vulnerabilities. I've seen them.

Re:Why ... (1, Funny)

Anonymous Coward | more than 6 years ago | (#24955297)

pretty scary - did u see the latest die hard? sounds like it can actually happen! (firesale!)

Re:Why ... (1)

zappepcs (820751) | more than 6 years ago | (#24955335)

Here is the thing, do you remember all those stories about the NSA working with OS vendors to secure them? Some thought that was good, others (like me) thought it a bit dubious. Well, all that work was for nothing, as evidenced here in this story. No matter what they did, no federal governmental department did anything to secure our IT infrastructure. Now, I'm not going to mention 9/11 conspiracies, but you can just imagine how all this plays out. Can't you?

They have those systems connected to the Internet because of several factors:
1 - They don't know how to secure their network
2 - Nobody in the govmint told them to do different
3 - No business covers their mistakes until they are exposed by being p0wn3d

It costs money to do those security things and our IT guy says it isn't necessary because we have a Cisco firewall.

This, my friends and freaks, is the true cost of outsourcing IT functions. Get used to it.

Yes, I just included as many tin foil hat ideals as I could... is it working for you?

Re:Why ... (2, Insightful)

HikingStick (878216) | more than 6 years ago | (#24955619)

Because the people who implemented these solutions were not IT people. They're skilled in their fields, but usually have only a marginal understanding of contemporary issues in networking and network security. To them, having the machines net-facing is just a convenience so that they can connect and address issues without dispatching someone to the location.

Re:Why ... (1)

arth1 (260657) | more than 6 years ago | (#24955757)

The biggest problem with "[...] and risk arises only for systems connected directly to the Internet without firewall protection" is the assumption that all the bad guys are on the other side of the firewall. In reality, a very large portion of penetrated systems are penetrated from the inside.

If you don't see inside penetration as a problem, why not run all your machines inside the firewall without passwords?

Re:Why ... (0)

Anonymous Coward | more than 6 years ago | (#24955971)

because the management at most places are too stupid to understand that.

Well according to Die Hard... (4, Funny)

Enderandrew (866215) | more than 6 years ago | (#24954779)

...a standard cell phone will let you pretty much instantly hack and control anything in the country except for the utilities. For those, you need to go to 2 different locations that control all the utilities in the country.

That movie had the "Mac guy" so I totally trust it.

Re:Well according to Die Hard... (1)

moniker127 (1290002) | more than 6 years ago | (#24954805)

Spot on. Where DO they get their information?

Re:Well according to Die Hard... (1)

Enderandrew (866215) | more than 6 years ago | (#24954829)

Dvorak?

Even better, Dr. Steve Brule. (0)

Anonymous Coward | more than 6 years ago | (#24955323)

Dr. Steve Brule gave me a second start on life.

He can do it for you too! [truveo.com]

Re:Well according to Die Hard... (2, Funny)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954907)

That movie had the "Mac guy" so I totally trust it.

that movie had bruce willis, so I totally trust it.

oh, and I love macs. [fireball20xl.com]

Re:Well according to Die Hard... (0)

Anonymous Coward | more than 6 years ago | (#24955029)

My cellphone runs linux, so if it's on milw0rm and gcc likes it...

I hope he had clearance (1)

Apple Acolyte (517892) | more than 6 years ago | (#24954787)

or has good lawyers, because I assume releasing such a tool to the public could get Finisterre into a lot of legal trouble. I've read that utility companies don't really like being screwed with.

Re:I hope he had clearance (1)

tsa (15680) | more than 6 years ago | (#24954911)

That was the first thing I thought. I hope for his sake that the guy is European, but he has a very American-sounding name.

Re:I hope he had clearance (2, Funny)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24954955)

he has a very American-sounding name.

... where do you think most americans came from?

... besides mexico ...

We don't need to be (1)

dj245 (732906) | more than 6 years ago | (#24954793)

'Their industry is not very familiar with hacking and hackers in general.'

The policy of most utility plants is to never connect any type of machinery control to the internet. If you have left yourself open like this, you are not following industry practices.

Disconnected from reality (5, Informative)

dave562 (969951) | more than 6 years ago | (#24954823)

I've done a little bit of work with control systems (Honeywell) that are used to run a power plant. The author of the article is a bit disconnected from reality. You can't exactly just take one of those systems offline to patch it. Shutting the power plant down is a complex operation that takes time. Starting it back up takes time. Things need to get up to temperature. Pressures need to build up. Fuel needs to be loaded. It's not just as simple as, "Email is going to be down for 15 minutes while we reboot the Exchange server."

At the place I did the work for, the control systems were completely isolated from the internet. They sit on their own network and only talk to each other. They are all running Windows Server 2003 on HP Proliant ML370s with redundant everything (RAID drives, power supplies, UPSes, etc). The closest those things get to communicating with the outside world is when they download their data to a historian server on the other side of a DMZ link. It is a one way connection to the historian server. The historian is then referenced when people offsite need to know what is going on at the plant. The only way to connect to the historian is with VNC from one specific IP/MAC.

Enough of the security tangent. The point I was originally trying to make is that most industrial machinery doesn't need to be patched. It runs one or two software applications that do a specific thing. There is absolutely no reason to touch the box once it is up and running. Security in an industrial environment needs to be handled at the physical/network layer, not at the box. Why does the hardware running your valves need internet access? Why does a box running a CNC machine need internet access?

Re:Disconnected from reality (1)

UncleTogie (1004853) | more than 6 years ago | (#24954913)

It is a one way connection to the historian server.

Truly one-way? Not even ONE packet is sent from the historian to ACK receipt?

Re:Disconnected from reality (1)

Creepy Crawler (680178) | more than 6 years ago | (#24955025)

Obviously not.

Like I commented on his thread, I do the same thing with my security camera recording point. All of it is over wifi with 1 sending, the other receiving.

It's completely 1 way. Radio-direction-finding proves I'm not emanating signal on that rf card.

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955675)

You are assuming TCP. UDP with error correcting codes would work just as well if all you're doing is dumping data from one place to another. You don't need to ACK then. If any packets are dropped you just rebuild them from the ECC.
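The one-way link the comment above describes can be built with no acknowledgement at all, as this added example shows; it is not code from the thread or from any vendor mentioned on the page. The sender groups fixed-size telemetry records and appends one XOR parity datagram per group, and the receiver rebuilds any single datagram lost within a group purely from what arrived. The group size, the record layout, the header format and the sample well readings are constructed assumptions for the demo.

```python
import struct

GROUP_SIZE = 4     # data datagrams per parity group (constructed assumption)
RECORD_SIZE = 32   # every record is padded to this many bytes (constructed assumption)
HEADER = struct.Struct("!IBB")   # group id, index within group, data datagrams in group
PARITY_INDEX = GROUP_SIZE        # index reserved for the parity datagram

# Constructed sample telemetry, the kind of point data a historian would collect.
RECORDS = [f"well{i}:flow={10 + i}".encode() for i in range(10)]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def encode(records, k=GROUP_SIZE, size=RECORD_SIZE):
    """Pack records into datagrams. Each group of up to k records is followed by one
    parity datagram, the XOR of the group's payloads, so a receiver can rebuild any
    single datagram lost in the group without ever sending anything back."""
    datagrams = []
    for gid, start in enumerate(range(0, len(records), k)):
        group = records[start:start + k]
        parity = bytes(size + 2)
        for idx, rec in enumerate(group):
            if len(rec) > size:
                raise ValueError("record longer than the fixed payload size")
            # the length prefix rides inside the payload so parity protects it too
            payload = struct.pack("!H", len(rec)) + rec.ljust(size, b"\0")
            datagrams.append(HEADER.pack(gid, idx, len(group)) + payload)
            parity = _xor(parity, payload)
        datagrams.append(HEADER.pack(gid, PARITY_INDEX, len(group)) + parity)
    return datagrams


def decode(datagrams, parity_index=PARITY_INDEX):
    """Rebuild records from whatever datagrams arrived, in original order. An entry
    is None when its group lost more than parity can cover. A group whose datagrams
    were all lost is not noticed here; a real link would add a running counter."""
    groups = {}
    for d in datagrams:
        gid, idx, count = HEADER.unpack_from(d)
        groups.setdefault(gid, (count, {}))[1][idx] = d[HEADER.size:]
    out = []
    for gid in sorted(groups):
        count, parts = groups[gid]
        missing = [i for i in range(count) if i not in parts]
        if len(missing) == 1 and parity_index in parts:
            # XOR the parity with every surviving payload to recover the lost one
            rebuilt = parts[parity_index]
            for i in range(count):
                if i != missing[0]:
                    rebuilt = _xor(rebuilt, parts[i])
            parts[missing[0]] = rebuilt
        for i in range(count):
            if i in parts:
                length = struct.unpack_from("!H", parts[i])[0]
                out.append(parts[i][2:2 + length])
            else:
                out.append(None)
    return out


def simulate(records, dropped):
    """Push records across a one-way channel that discards the datagrams whose
    (group id, index) pairs are listed in `dropped` (constructed loss pattern)."""
    arrived = [d for d in encode(records) if HEADER.unpack_from(d)[:2] not in dropped]
    return decode(arrived)


if __name__ == "__main__":
    # one loss per group, including a lost parity datagram: everything is recovered
    print(simulate(RECORDS, {(0, 1), (1, 3), (2, PARITY_INDEX)}) == RECORDS)
    # two losses in one group: those two records come back as None
    print(simulate(RECORDS, {(0, 0), (0, 2)}))
```

A single XOR parity per group tolerates exactly one loss per group, which is why production one-way transfers use stronger codes (Reed-Solomon or fountain codes) and repeat important records; the security property is unchanged, though: the receiving side emits nothing, so a compromised historian network has no packet it can send back into the control side.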

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955857)

I would think it's pretty easy to isolate ACKs from the firewall from one source.

Even if it is forged you're just saying you got "something" and would just reveal mostly how much traffic.

If they don't do that i'll write it for them!!! :)

More important is what do they use for encryption!!!

Re:Disconnected from reality (4, Interesting)

Vancorps (746090) | more than 6 years ago | (#24954917)

You make a fair point but what happens if one of those machines does fail? Believe me, I've had triple redundant power supplies fail on me before; it will happen.

The IT world believes in redundancy and so too I would have thought does the industrial world where uptime has to be 100%. Rebooting your Exchange server should not result in any downtime if email is considered mission critical.

So if there are redundant control systems in place why can't individual machines be brought offline and patched as necessary?

The only argument I can see that holds water here is that an update could theoretically break the tool but if it is properly redundant then it won't come back online when you're done and the problem stops there until the node can be replaced or updated.

Re:Disconnected from reality (1)

dave562 (969951) | more than 6 years ago | (#24955017)

The servers themselves are physically mirrored. It takes two computers to run the plant and there are four of them.

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955023)

So if there are redundant control systems in place why can't individual machines be brought offline and patched as necessary?

That was my first thought.

Re:Disconnected from reality (1)

geekoid (135745) | more than 6 years ago | (#24954929)

So if someone gets a bot onto that computer to access it remotely, then they can compromise the entire system.
In the system I worked at, if you want to know what is going on, you called. If you need history you called and we burned you a disk. If you brought a computer device (PDA, smart phone, laptop) into the control room, you were reprimanded. Do it again and you got the opportunity to work for someone else.

"Why does a box running a CNC machine need internet access?"
Porn~

Re:Disconnected from reality (1)

dave562 (969951) | more than 6 years ago | (#24955051)

If the remote access computer gets compromised then they can remote into the historian. The historian is not the control system. For the longest time the owner of the company called all the time. He's such a control freak that he wanted to see things in real time. He wouldn't take no for an answer so we secured it as much as possible while mitigating the potential for disaster. Sure it would suck to have the historian go down but it is physically mirrored so it's not the end of the world.

Re:Disconnected from reality (1)

Creepy Crawler (680178) | more than 6 years ago | (#24954961)

I have a server at home set up like that.

my camera hooked up feeds data to a wifi channel 1 on an unspecified ssid. Data is sent essentially to the aether.

I have another hidden box with wifi receiving only recording all udp packets with certain parameters. My recording server. There's no way to probe it, no way to attack it, no way to know it even exists.

no way to know it even exists (1)

maxume (22995) | more than 6 years ago | (#24955753)

That must get tricky when you talk about it.

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955887)

I have another hidden box with wifi receiving only recording all udp packets with certain parameters. My recording server. There's no way to probe it, no way to attack it, no way to know it even exists.

Someone could send it a huge UDP packet which causes a buffer overflow, etc. Sure it would be hard, but it's not impossible.

Re:Disconnected from reality (2, Interesting)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24955009)

Why does a box running a CNC machine need internet access?

After I was caught playing solitaire on a CNC lathe (working one summer in a factory), the engineers thought it would be a good idea to network all the Windows-controlled CNC machines so they could do remote monitoring and updates. They were mechanical engineers, not IT guys ... and they didn't bother with any security, and so I could browse their 'mshome' workgroup with read/write access. I always wondered what sorts of havoc I could have caused ...

Re:Disconnected from reality (0, Flamebait)

timmarhy (659436) | more than 6 years ago | (#24955041)

agreed. the author is just another jerk off attempting to gain some attention by making wild claims about technology he clearly doesn't grasp. most of these control systems are isolated from any network. I think your email example is apt, this isn't a case of process engineers not understanding IT, it's IT that doesn't understand the processes behind the computer systems.

we get it here all the time at work, IT will apply some patch to our systems that wreaks havoc on our production and they give some lame justification like "it's needed to protect us from the latest shady website plugin hack" as if the DCS control pc is going to be browsing the fucking web....

Re:Disconnected from reality (1)

QuantumG (50515) | more than 6 years ago | (#24955411)

You're wrong. Most of these systems are on networks and they're wide open for precisely the reasons cited in the article.

Re:Disconnected from reality (1)

DevConcepts (1194347) | more than 6 years ago | (#24955525)

Why does a box running a CNC machine need internet access?

Have you ever seen porn on a green screen? What else would someone running a CNC do while it's running?

A CNC machine may need network access and the net (1)

Joe The Dragon (967727) | more than 6 years ago | (#24955539)

A CNC machine may need network access and the network may be hooked to the internet.

Re:Disconnected from reality (3, Interesting)

WillRobinson (159226) | more than 6 years ago | (#24955637)

I have done quite a bit of work in the scada area in the past. What we had was the machine network physically separated from everything.

A serial link was used to query the scada system and recorded all the interesting points.

There was no way to write to the scada system via the serial link. That system then dumped the data to sql databases, where it was then queried by the internal web server and provided lookups and pretty pictures for those that don't really need to know, but want to.

The webserver was then on the office network, but could also be accessed by dialup, the office network was not internet facing.

  Think that is a bit more secure due to the fact that we actually took 10 minutes to think of a method that would be
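The read-only serial link described above, as an added illustration that is not the poster's code: the plant-side gateway answers only READ requests and rejects anything else, while the historian on the other end polls points and stores them in SQL with parameterized queries. The line-based request format, the point names and their values are all constructed for this example.

```python
import re
import sqlite3
import time

# Constructed stand-in for the SCADA point table on the isolated machine network.
PLANT_POINTS = {"PUMP1_FLOW": 412.5, "TANK2_LEVEL": 73.2, "VALVE7_STATE": 1.0}

# Point names are restricted to a small safe alphabet before they touch anything.
POINT_RE = re.compile(r"^[A-Z0-9_]{1,32}$")


class SerialGateway:
    """Plant-side end of the serial link (hypothetical protocol).

    Only 'READ <POINT>' is understood; any other line, including a WRITE,
    is recorded and answered with an error, so the link cannot change plant state.
    """

    def __init__(self, points):
        self._points = points
        self.rejected = []  # every non-READ request, for audit

    def handle(self, line: str) -> str:
        parts = line.strip().split()
        if len(parts) == 2 and parts[0] == "READ" and POINT_RE.match(parts[1]):
            name = parts[1]
            if name in self._points:
                return f"OK {name} {self._points[name]}"
            return f"ERR unknown-point {name}"
        self.rejected.append(line.strip())
        return "ERR read-only"


class Historian:
    """Office-side poller: reads points over the link and dumps them to SQL."""

    def __init__(self, gateway, db_path=":memory:"):
        self.gw = gateway
        self.db = sqlite3.connect(db_path)
        self.db.execute(
            "CREATE TABLE IF NOT EXISTS samples (ts REAL, point TEXT, value REAL)"
        )

    def poll(self, names, ts=None) -> int:
        """Query each point once; return how many samples were stored."""
        ts = time.time() if ts is None else ts
        stored = 0
        for name in names:
            reply = self.gw.handle(f"READ {name}")
            if reply.startswith("OK "):
                _, point, value = reply.split()
                # Parameterized insert: point names never reach the SQL text.
                self.db.execute(
                    "INSERT INTO samples VALUES (?, ?, ?)", (ts, point, float(value))
                )
                stored += 1
        self.db.commit()
        return stored

    def latest(self, name):
        """Most recent stored value for a point, or None if never sampled."""
        row = self.db.execute(
            "SELECT value FROM samples WHERE point = ? ORDER BY ts DESC LIMIT 1",
            (name,),
        ).fetchone()
        return None if row is None else row[0]


if __name__ == "__main__":
    gw = SerialGateway(dict(PLANT_POINTS))
    hist = Historian(gw)
    print("stored:", hist.poll(PLANT_POINTS))
    print("latest PUMP1_FLOW:", hist.latest("PUMP1_FLOW"))
    # A write attempt from the office side is refused and logged.
    print(gw.handle("WRITE VALVE7_STATE 0"), gw.rejected)
```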

Re:Disconnected from reality (1)

HikingStick (878216) | more than 6 years ago | (#24955679)

These machines need to be patched because, ultimately, they will get connected to a network (whether local or Internet). Then, when the unpatched, unprotected systems are exposed they can catch bugs.

They end up with Internet access for ease of troubleshooting and remote support.

Likely an even greater risk to the security of most such machines is that they are likely using the same passwords today that were being used when the machines were first deployed. Even if they were switched from the default values, any employee exposed to these machines could still have record of the passwords. I worked in a bookstore 19 years ago. I was a co-manager and I had the combination to the safe. I remember the combination, and know someone else who ended up working there. It's the same safe and the same combination after all these years.

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955917)

You wouldn't happen to recall the name and/or address of that bookstore by any chance would you? :-)

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955699)

Why does a box running a CNC machine need internet access?

Because, dweeb, Command and Conquer sucks without the internet!

Re:Disconnected from reality (0)

Anonymous Coward | more than 6 years ago | (#24955721)

You can't exactly just take one of those systems offline to patch it. Shutting the powerplant down is a complex operation that takes time. Starting it back up takes time.

Explain something to me. Why do you have to shut down the entire powerplant to patch a control system? Why not instead design the control system so you have two or three systems, each capable of driving the plant. At any given point in time, one of those systems is active. Need to upgrade the software? No problem. Upgrade the inactive system(s), fail over, let them take the load then upgrade the system that was active.

If you're relying upon a single server being up and running to control a critical process, and you don't have redundancy in there, you will be bitten sooner or later.

This is well understood in IT circles. Do it right, and you don't have to bring the plant down. Do it wrong, on the other hand, and you're in for a world of pain, security patches or no.

CNC machines and network connections.... (1)

Ellis D. Tripp (755736) | more than 6 years ago | (#24955983)

Some vendors of CAD/CAM software require each machine running their software to be able to communicate with a "license server" on your network before the software will run. If you buy a sitewide license for say, GibbsCAM, you need to designate a single box on your network as the "license server", and each workstation or machine running the package will "phone home" to the license server periodically to make sure that you have a valid license.

Re:Disconnected from reality (1)

Lumpy (12016) | more than 6 years ago | (#24956007)

Are you high?

You CAN take the SCADA system offline without affecting the plant. They continue operation just fine with the SCADA PCs offline.

I suggest you learn about modern (1990-now) SCADA; it's very different now and relies on the AB systems more than the PC running the crappy software.

IT needs to serve the customers needs. (1, Troll)

geekoid (135745) | more than 6 years ago | (#24954871)

"who are reluctant to bring computers off-line for patching due to the potential"

No shit? Of course they are; an industrial machine should have to come down for patching.
This is why Windows should not be used in 24/7 industrial work.

Computers need to live up to the needs of the industrial machines they serve, not the other way around.

Re:IT needs to serve the customers needs. (1)

dave562 (969951) | more than 6 years ago | (#24954995)

They don't need to come down for patching. That is the point. Show me an unpatched Linux box that can live on the internet without getting owned. I think the important point is that if you have a critical control system, no matter what it is running, don't put it on the internet. At some point companies need to do a risk analysis and figure out if the "cost savings" of being able to remotely manage something outweigh the potential liabilities of having it compromised. There is a reason that banks use armored cars to move money around and not the US Postal Service, or even FedEx for that matter.

Re:IT needs to serve the customers needs. (1)

Solra Bizna (716281) | more than 6 years ago | (#24955315)

Show me an unpatched Linux box that can live on the internet without getting owned.

http://www.linuxdevices.com/articles/AT8574944925.html

Unfortunately, it seems to have died before I could get my hands on one. :(

-:sigma.SB

Re:IT needs to serve the customers needs. (1)

PC and Sony Fanboy (1248258) | more than 6 years ago | (#24955049)

This is why Windows should not be used in 24/7 industrial work.

I worked in a factory that used completely unpatched XP (SP1) for everything. Time clocks, CNC control, quality control records and monitoring... Whenever I had a bad day in production with out-of-spec parts, I'd just unplug the ethernet cable a little bit, so they wouldn't receive any of my readings (but I could see them). About half an hour later, someone from QA would come by, examine my gauges, and tell me to make SURE I was measuring things properly. At that point, I'd stop measuring, because any parts that were bad would now be QA's fault for not stopping production to fix the gauges. And because I was no longer measuring parts, I could work 2-3x faster, finish my quota early and go relax in the breakroom.

Re:IT needs to serve the customers needs. (1)

ksd1337 (1029386) | more than 6 years ago | (#24955129)

They shouldn't be using any consumer-grade operating system. They should be using a custom-written OS for their operation. It might cost more, but it becomes easier to implement security directly into the OS that way.

Security is not for the weak. (1)

Anonymous Coward | more than 6 years ago | (#24955005)

Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries.

Thank goodness for this security researcher. I hope that those who have failed to patch their systems will soon realize that they should have spent some consulting money on Kevin Finisterre. That would have been a wise investment. Instead, they were fools, saved some money, and now their nuclear plant leaked shit all over the place.

Dumbasses. Next time, please spend $10,000 on Kevin Finisterre. You'll be happy you did.

Maybe they should look at the CIA hack (1)

mrmeval (662166) | more than 6 years ago | (#24955007)

that blew up a Russian gas facility with the force equal to a small nuke.

SCADA security is a mixed bag. (5, Informative)

Ransak (548582) | more than 6 years ago | (#24955197)

I've done SCADA security audits and managed a variety of environments with SCADA devices (PLCs, HMIs, etc).

It's a mixed bag. Some (older GE Fanuc PLCs for example) have zero security features, and only have a telnet daemon wide open to the world. The obvious answer is to bitch at the vendor and mitigate it with ACLs or some such, but really you'd have to know something about what you're hacking at to force it to do anything more than lock up, which might be bad, but generally is more of an inconvenience to a worker on the floor since all mission critical environments should have people standing by in such a case with the ability to manually override.

To my knowledge there's only been one real targeted SCADA hack that caused damage, [computerworld.com] and he had inside information. Don't get me wrong, I'm all for increasing security in SCADA environments, but the biggest hurdle isn't technical; it's political. Most SCADA environments that I've seen have been set up by electricians that programmed the SCADA devices but know pretty much nothing about IT (FYI, there's a lot of Linksys gear out there). They're usually paid overtime to work on the SCADA network and they see IT personnel as a threat to their livelihood. Someone I know was threatened with a screwdriver for just trying to replace a router.

some threat (2, Funny)

commodoresloat (172735) | more than 6 years ago | (#24955937)

Someone I know was threatened with a screwdriver for just trying to replace a router.

What's the big deal? Drink the screwdriver and then replace the router.

This ain't the IT department people ... (1, Interesting)

Anonymous Coward | more than 6 years ago | (#24955245)

I work in the Industrial Network Security sector.

This guy has not won any favors here.
The Industrial network sector is not like the typical IT department where an exploit is found and a fix can be pushed out within days.

For industrial networks, even if a patch were immediately available, some companies would not be able to fully deploy the patch to all their facilities for 1-2 years.

spectacular remains found in 3000 a.d. (0)

Anonymous Coward | more than 6 years ago | (#24955259)

that could be us? our legacy to our children?

'The current rate of extinction is around 10 to 100 times the usual background level, and has been elevated above the background level since the Pleistocene. The current extinction rate is more rapid than in any other extinction event in earth history, and 50% of species could be extinct by the end of this century. While the role of humans is unclear in the longer-term extinction pattern, it is clear that factors such as deforestation, habitat destruction, hunting, the introduction of non-native species, pollution and climate change have reduced biodiversity profoundly.' (wiki)

greed, fear & ego are unprecedented evile's primary weapons. those, along with deception & coercion, helps most of us remain (unwittingly?) dependent on its' life0cidal hired goons' agenda. most of yOUR dwindling resources are being squandered on the 'wars', & continuation of the billionerrors stock markup FraUD/pyramid schemes. nobody ever mentions the real long term costs of those debacles in both life & the notion of prosperity, not to mention the abuse of the consciences of those of us who still have one. see you on the other side of it. the lights are coming up all over now. conspiracy theorists are being vindicated. some might choose a tin umbrella to go with their hats. the fairytail is winding down now. let your conscience be yOUR guide. you can be more helpful than you might have imagined. there are still some choices. if they do not suit you, consider the likely results of continuing to follow the corepirate nazi hypenosys story LIEn, whereas anything of relevance is replaced almost instantly with pr ?firm? scriptdead mindphuking propaganda or 'celebrity' trivia 'foam'. meanwhile; don't forget to get a little more oxygen on yOUR brain, & look up in the sky from time to time, starting early in the day. there's lots going on up there.


is it time to get real yet? A LOT of energy is being squandered in attempts to keep US in the dark. in the end (give or take a few 1000 years), the creators will prevail (world without end, etc...), as it has always been. the process of gaining yOUR release from the current hostage situation may not be what you might think it is. butt of course, most of US don't know, or care what a precarious/fatal situation we're in. for example; the insidious attempts by the felonious corepirate nazi execrable to block the suns' light, interfering with a requirement (sunlight) for us to stay healthy/alive. it's likely not good for yOUR health/memories 'else they'd be bragging about it? we're intending for the whoreabully deceptive (they'll do ANYTHING for a bit more monIE/power) felons to give up/fail even further, in attempting to control the 'weather', as well as a # of other things/events.

http://www.google.com/search?hl=en&q=weather+manipulation&btnG=Search
http://video.google.com/videosearch?hl=en&q=video+cloud+spraying

dictator style micro management has never worked (for very long). it's an illness. tie that with life0cidal aggression & softwar gangster style bullying, & what do we have? a greed/fear/ego based recipe for disaster. meanwhile, you can help to stop the bleeding (loss of life & limb);

http://www.cnn.com/2007/POLITICS/12/28/vermont.banning.bush.ap/index.html

the bleeding must be stopped before any healing can begin. jailing a couple of corepirate nazi hired goons would send a clear message to the rest of the world from US. any truthful look at the 'scorecard' would reveal that we are a society in decline/deep doo-doo, despite all of the scriptdead pr ?firm? generated drum beating & flag waving propaganda that we are constantly bombarded with. is it time to get real yet? please consider carefully ALL of yOUR other 'options'. the creators will prevail. as it has always been.

corepirate nazi execrable costs outweigh benefits
(Score:-)mynuts won, the king is a fink)
by ourselves on everyday 24/7

as there are no benefits, just more&more death/debt & disruption. fortunately there's an 'army' of light bringers, coming yOUR way. the little ones/innocents must/will be protected. after the big flash, ALL of yOUR imaginary 'borders' may blur a bit? for each of the creators' innocents harmed in any way, there is a debt that must/will be repaid by you/us, as the perpetrators/minions of unprecedented evile, will not be available. 'vote' with (what's left in) yOUR wallet, & by your behaviors. help bring an end to unprecedented evile's manifestation through yOUR owned felonious corepirate nazi glowbull warmongering execrable. some of US should consider ourselves somewhat fortunate to be among those scheduled to survive after the big flash/implementation of the creators' wwwildly popular planet/population rescue initiative/mandate. it's right in the manual, 'world without end', etc.... as we all ?know?, change is inevitable, & denying/ignoring gravity, logic, morality, etc..., is only possible, on a temporary basis. concern about the course of events that will occur should the life0cidal execrable fail to be intervened upon is in order. 'do not be dismayed' (also from the manual). however, it's ok/recommended, to not attempt to live under/accept, fauxking nazi felon greed/fear/ego based pr ?firm? scriptdead mindphuking hypenosys.

consult with/trust in yOUR creators. providing more than enough of everything for everyone (without any distracting/spiritdead personal gain motives), whilst badtolling unprecedented evile, using an unlimited supply of newclear power, since/until forever. see you there?

"If my people, which are called by my name, shall humble themselves, and pray, and seek my face, and turn from their wicked ways; then will I hear from heaven, and will forgive their sin, and will heal their land."

meanwhile, the life0cidal philistines continue on their path of death, debt, & disruption for most of US. gov. bush denies health care for the little ones;

http://www.cnn.com/2007/POLITICS/10/03/bush.veto/index.html

whilst demanding/extorting billions to paint more targets on the bigger kids;

http://www.cnn.com/2007/POLITICS/12/12/bush.war.funding/index.html

& pretending that it isn't happening here;

http://www.timesonline.co.uk/tol/news/world/us_and_americas/article3086937.ece
all is not lost/forgotten/forgiven

(yOUR elected) president al gore (deciding not to wait for the much anticipated 'lonesome al answers yOUR questions' interview here on /.) continues to attempt to shed some light on yOUR foibles. talk about reverse polarity;

http://www.timesonline.co.uk/tol/news/environment/article3046116.ece

Reality check needed... (2, Informative)

actionbastard (1206160) | more than 6 years ago | (#24955419)

Citect is not the only SCADA software company out there. They have a large market share, yes, but there are many other companies that author software for this market. This 'buffer overflow' affects only Citect software, and none of the other companies' offerings are affected. Yes, there are some fools out there who will connect their systems directly to the 'tubes, but there probably aren't as many as you would think. There are probably some vulnerabilities in other vendor software as well. But you know what, take a deep breath, take a break, and watch the blinking lights.

Firesale (1)

Frankie70 (803801) | more than 6 years ago | (#24955461)

Firesale - call McClane.

thanks douchebag (0)

Anonymous Coward | more than 6 years ago | (#24955479)

management is stupid,

workers are stupid,

government is stupid.

the public is stupid.

now we got security 'researchers' who are stupid.

I think that's about as much stupid as the average industrial computer guy can handle.

Why don't you just, while you're at it, make a skeleton key that can get into any industrial facility door, and sell it on eBay for 25 cents?

Idiot.

IIAPE (1)

EaglemanBSA (950534) | more than 6 years ago | (#24955505)

I am a process engineer, and this can be a significant problem. I've seen large-scale equipment shut down because of computer viruses, much less full control exploits - the resulting cost to rush in an IT worker (not usually onsite) with a new box, the lost production time and resulting hash-over of the whole plant's network was astronomical, because a floor worker had figured out how to get into IE from the terminal, which was supposed to be disabled.

The implications of this may not be that far-reaching in terms of industrial loss, but with the myriad of different systems that could be conceivably controlled by the same workstation, there are definitely some scary possibilities. Frankly, though, if there were that many computers at risk, the security holes in Windows alone would have likely already resulted in their demise if they weren't behind a good firewall.

This is a lot like the network printers hack story (1)

Joe The Dragon (967727) | more than 6 years ago | (#24955587)

This is a lot like the network printers hack story, where they had been used as hack points and the flaw was WITH THE SOFTWARE and not the OS.

And even if you use Linux you still need to do the updates and update the software.

Air gap (1)

John Hasler (414242) | more than 6 years ago | (#24955595)

> The vendor has released a patch and risk arises only for systems connected directly to
> the Internet without firewall protection.

Such systems should not be connected to the Internet. Full stop.

He doesn't get it ... (3, Interesting)

ScrewMaster (602015) | more than 6 years ago | (#24955677)

'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'

He's attempting to lay blame for these infrastructural issues at the feet of the engineering staff. What he doesn't understand is that engineering systems have very different operational requirements from running a server farm or a few thousand desktops. Engineers avoid IT like the plague, because IT people will come down on engineering systems like a ton of bricks, enforcing arbitrary company-wide standards regardless of the damage they do. For example, if you have a timing-sensitive real-time process running on a PC, it may not be wise to put the Symantec Antivirus pig on that particular box. Yet I've seen that happen, usually without the person in charge of that equipment even being notified. Afterwards, everybody wonders what happened when something goes seriously wrong with a production process. IT's attitude in such cases is usually "we followed company policies. Not our fault." The hell it wasn't.

The reality is that misguided or ignorant IT departments are frequently a far bigger danger to process control and real-time data acquisition systems than any number of Chinese crackers. That's because they rarely make the slightest effort to accommodate the needs of the technical staff, and have often gone to extreme lengths to have upper management approve utterly Draconian policies that MUST be applied to ALL computers.

Engineers are often justifiably leery of having IT involvement in any of their projects. The consequence of that, of course, is that now you have people with no specific security training implementing remote communications. Of course, a lot of these problems could be ameliorated with some simple requirements such as "all off-site communications MUST be secured with a VPN" or something similar.

Ultimately, what it comes down to is communications being handled by conscientious, well-trained individuals that are open-minded and willing to accommodate the special needs of engineering systems. I can't tell you how rarely I've seen that happen.

Re:He doesn't get it ... (1)

Creepy Crawler (680178) | more than 6 years ago | (#24955785)

And I'm an EE student that was going into computer and network engineering.

There's a way to introduce engineering methods in IT. I just treat each network as its own system and hook those systems together like black boxes. As long as we diagram the traces (read network connections), we can follow trouble patterns and diagnose problems quickly. We can then map virtual networks above as we would have a 2 layer circuit board. Since we know what goes where, we can easily see why a level 2 network connection would go down.

As for computer security, I see no reason why we need "anti-virus", or any anti-ware at all. Windows can be locked down so that only approved binaries run. Second, scripts can be made that allow read/write to external and plug-in storage. We also control the hardware, so we can do other tricks, such as giving Linux to those that have no reason to use Windows. There, we can disable many functions to a minimum. If a user has no need for 3D graphics, we disable it. If they have no reason to use a web browser, they do not have one.

It IS those damned IT guys that insist on keeping everything the same regardless of true consequences. I figure that's why they're paid to be IT: to determine true needs per computer/compartment.

Grades of Shay (1)

tulare (244053) | more than 6 years ago | (#24955853)

I work around a number of similar systems, and one trend I see as somewhat alarming is that they're increasingly showing up as Windows boxes with an ethernet port attached. I'm talking about things like industrial x-ray machines, industrial refrigerant control systems, PLC control systems for complex industrial machinery, all sorts of things that can go boom or otherwise cause death and dismemberment if they go sideways. It's not that Windows sucks per se, but rather that many of these systems are sent out by the vendor with documentation on how to set the thing up on the LAN and connect to it remotely, and then when I look at the machine itself, it almost always turns out to be a stock, under-patched Windows XP box with no anti-virus software and the firewall turned off. The software to manage the equipment itself is usually VB.NET (and yes, I do mean usually), and appears amateurish.

So I've got this wide-open Windows XP machine that my controls engineers want put on the network so they can VPN in and talk to it remotely. Uh, let me talk to the vendor first. The vendors, if there's anyone there who actually claims to know anything about "computers," typically say don't modify the box or they won't support it, or offer dire warnings about how installing an antivirus package or enabling the firewall or patching the operating system will cause it to malfunction.

It really is a clash of cultures, but I don't exactly blame the controls software people. I think they were simply sold a bill of goods: the notion that you can take a general-purpose OS, install it in your touchscreen panel machine, and look how easy .NET is to design and deploy your application! For people used to toggling the "STOR" switch on a PDP, this has got to be a long series of wet dreams come true. Really, the problem (in my mind) lies in the concept of putting these things on a general-purpose operating system. It's designed to be all things to all people, when what is really needed is something that's damn good at doing one thing and doing it without falling over. Sure, air-gapping it from the network is also a good plan, but controls engineers have been so thoroughly inculcated in the notion that they can remote in to their equipment now (and have made that case to the honchos for long enough) that often the idea of disconnecting these systems is a non-starter. That leaves the systems and network people with a few options, none of which really feel sufficient.

Catch 22 (0)

Anonymous Coward | more than 6 years ago | (#24955867)

"Process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime" but if they don't then hackers are going to take over and cause potential havoc anyway. Sounds like catch 22.

I th4nk you for your time (-1, Troll)

Anonymous Coward | more than 6 years ago | (#24955919)

add the SCADA tag (1)

ChrisCampbell47 (181542) | more than 6 years ago | (#24956003)

Someone needs to add the "scada" tag to this story.

Plain fear mongering (2, Interesting)

tsfrankie (1359717) | more than 6 years ago | (#24956031)

Plain fear mongering at work, nothing more. I have worked in power plants for 30 years now, from analog to digital, and he is so full of fear mongering and "what ifs", worse than a Long Island housewife. First, there being no money or "secrets" in hacking a power plant, why bother? If this was such a problem, then why don't we see it happening? Also, there is a huge cost in manpower, material, resources and lost revenue to take a power plant down on someone's fantasy security exploit, and those resources are much better spent on repair, and upgrades for efficiency and emissions. I use these systems daily, and they (unlike most computer systems available) work 24/7/365, going years without problems, quietly doing the job they were designed for, dumping data for engineers to study and just humming along nicely. Every now and then another fear monger comes along with new fantasies of death and destruction if we don't drop everything and buy his/her service or patch of whatever snake oil he has for sale. Being engineers (practical, operating, not desk bound) we simply learn to ignore and move on, fixing what is broken and leaving what works alone. Our operating record speaks volumes for our work.

Business (0)

Anonymous Coward | more than 6 years ago | (#24956039)

When you land a big juicy one, splurge a little and hire a couple of eager for work and somewhat experienced lawyers to negotiate the business proposals for disclosure with the affected utility companies. ;)

"Don't just think, think about it."

Proudly,
    An Anonymous Coward
