
Siemens SCADA Flaws To Be Disclosed At Black Hat

timothy posted more than 3 years ago | from the infra-infrastructure dept.

Security 101

itwbennett writes "In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3. Beresford has discovered six vulnerabilities in the S7 that 'allow an attacker to have complete control of the device,' Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams."


101 comments


Hmm... (3, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361012)

Does Mr. Beresford realize that, in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?

Make sure that Lord Humongous owes you some favors before Blackhat rolls around, everyone!

Re:Hmm... (1)

dintech (998802) | more than 3 years ago | (#36361192)

pasty computer experts are relegated to the status of "slave"

How is that different from now? Now get on with it, those pyramids aka 'code releases' aren't going to build themselves.

psychotic warlords wearing football/BDSM themed armor

You know, there was this one boss I was always suspicious about...

Re:Hmm... (0)

Anonymous Coward | more than 3 years ago | (#36361216)

My bet is he'll never deliver that speech. Either a lawsuit will squash it or suits with government ID badges muttering something about National Security will.

Re:Hmm... (1)

cavreader (1903280) | more than 3 years ago | (#36361406)

Sounds to me like he was working with Siemens and cancelled his first talk until they were able to fix the things he was going to disclose.

Re:Hmm... (0)

couchslug (175151) | more than 3 years ago | (#36361414)

"in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?"

I, for one, find the idea vaguely arousing.

Re:Hmm... (0)

elfprince13 (1521333) | more than 3 years ago | (#36361832)

But...do you, for one, welcome your new football/BDSM themed overlords?

Re:Hmm... (0)

Anonymous Coward | more than 3 years ago | (#36361540)

Does Mr. Beresford realize that, in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?
Make sure that Lord Humongous owes you some favors before Blackhat rolls around, everyone!

This pasty computer expert has been arming himself to the teeth expecting this very outcome...

Football shoulder pads and spikes won't stop rounds from an AK-74. Neither will police or military grade body armor at less than 20 meters. Fun facts for everyone.

Re:Hmm... (0)

Anonymous Coward | more than 3 years ago | (#36361758)

And if you go for AKM (aka AK47), it's even better!

Re:Hmm... (1)

PPH (736903) | more than 3 years ago | (#36361878)

Sounds like a typical day at the office.

Re:Hmm... (0)

Anonymous Coward | more than 3 years ago | (#36362776)

I don't know, don't future warlords need somebody to maintain the auto-turrets and death-bots?

... or open gates... (3, Interesting)

c0lo (1497653) | more than 3 years ago | (#36361016)

Devices like the S7 do things such as control how fast a turbine spins or open gates of doom.

FTFY

Re:... or open gates... (4, Funny)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361040)

The various fissures of Mt. Doom are SCADA controlled; but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.

Re:... or open gates... (0)

Anonymous Coward | more than 3 years ago | (#36361368)

Oh, also, our network security guys aren't just called "The Nazgûl"...

-Sauron

Re:... or open gates... (1)

sean.peters (568334) | more than 3 years ago | (#36363096)

In Mordor, Token Ring of Power controls You!

Re:... or open gates... (2)

gratuitous_arp (1650741) | more than 3 years ago | (#36368834)

but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.

Is that Tolkien Ring?

I have Siemens (1)

SJHillman (1966756) | more than 3 years ago | (#36361028)

I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?

Re:I have Siemens (1)

maxwell demon (590494) | more than 3 years ago | (#36361222)

I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?

Well, if you start hearing mysterious voices, you know that before seeing a psychiatrist, you might first want to check your hearing aid.

Re:I have Siemens (0)

Anonymous Coward | more than 3 years ago | (#36361608)

If you talk with a psychiatrist that you're hearing voices because your brain has been hacked through your hearing aid then you're going to win a free vacation to the padded room!

Re:I have Siemens (1)

budgenator (254554) | more than 3 years ago | (#36362436)

No they'll just reboot your brain by applying a type of external EMF, called electro-convulsive therapy. After a few reboots, you'll come to understand that the overlord's messages to you are for you and only you, if he wants someone else to know the message or even of his existence, he'll tell them.

Re:I have Siemens (0)

Anonymous Coward | more than 3 years ago | (#36361316)

someone is going to hack my head through the aids

hahahahahaha.

AIDS.

Re:I have Siemens (1)

munozdj (1787326) | more than 3 years ago | (#36362962)

I think you need another special kind of help

Re:I have Siemens (1)

GameboyRMH (1153867) | more than 3 years ago | (#36362970)

If you suddenly hear Never Gonna Give You Up playing in your head, you know they've been pwned.

Re:I have Siemens (1)

arth1 (260657) | more than 3 years ago | (#36363750)

I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?

What do you mean "is going to"? That you posted exactly what I wanted you to is proof that the hack already works.

Is is settled this time? (2)

c0lo (1497653) | more than 3 years ago | (#36361054)

NSS Labs expects Siemens to issue a patch in the next few weeks, well ahead of the August presentation. "They didn't give any firm timelines," he said. "They said unofficially that they were pretty confident that they'll be able to get their stuff out before then."

Beresford wasn't impressed with that comment. [...]. "Now that they're trying to minimize the impact and do PR damage control, I feel that they're not servicing the public's interest," he said. "I'm not pleased with their response... They didn't provide enough information to the public."

What if Siemens' confidence evaporates and, come August, some of these vulns are not yet patched? Will they allow the presentation?

Re:Is is settled this time? (1)

arth1 (260657) | more than 3 years ago | (#36361098)

Allow? Why would or should they have a say?
It's in the interest of We, the People, to learn this, so we can take the necessary precautions. It's far more dangerous if we have a false sense of security.
Our potential future adversaries are bound to study these devices now, in order to find flaws. And they won't let us know. How many severe faults have they found already?

Yes, reactionaries are going to say that it's in the interest of national security to keep this under a lid, but in reality, that's the most damaging thing you can do to national security. Get it out in the open, so it can be understood and fixed. Don't hand potential adversaries a weapon they can use against us, please.

Re:Is is settled this time? (1)

c0lo (1497653) | more than 3 years ago | (#36361120)

Allow? Why would or should they have a say?

I agree. However, there is a question missing from your list: why did they have a say?

In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. After consulting with Siemens and the U.S. Department of Homeland security, NSS decided that it was simply too dangerous to go public with its information before a patch could be fully developed.

Re:Is is settled this time? (1)

L4t3r4lu5 (1216702) | more than 3 years ago | (#36361186)

Siemens didn't have a say; If you actually read the quotation, you'll note that NSS Labs decided the information was too dangerous to present. Siemens saying "We've not patched it yet! We'll be OMGPOWNIES if you tell everyone!" affected their decision, but it doesn't seem they were strong-armed by Siemens.

If anything, I'd say it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact person, should do; Assess the danger to society caused by withholding the information against the damage done by releasing it.

Re:Is is settled this time? (1)

c0lo (1497653) | more than 3 years ago | (#36361334)

Siemens didn't have a say; If you actually read the quotation, ...

If you actually read my post, you'll note that I didn't say "will Siemens allow the presentation" but "will they allow the presentation". I was thinking of the same DHS.

Security through obscurity never works (1)

mangu (126918) | more than 3 years ago | (#36361336)

it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact person, should do; Assess the danger to society caused by withholding the information against the damage done by releasing it.

This kind of information should always be released. The problem is that people in the DHS think the movie "War Games" is a documentary.

The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember Stuxnet; everyone seems to agree that it was the work of experts.

Sharing the information about vulnerabilities is what allows people to take precautions. Of course, the correct procedure would be to first inform the manufacturer and let them contact the system users before publishing the data, but what if the manufacturer is not doing their part? Better let the users know, through whatever means are available.

Re:Security through obscurity never works (2)

dkf (304284) | more than 3 years ago | (#36361734)

The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember stuxnet, everyone seems to agree that it was the work of experts.

The real problem is that security by obscurity does work, but only for a little while. As soon as someone inside blows the whistle, or someone outside just stumbles over the secret, the security from the obscurity is gone. Anything protected by just obscurity will appear to be nice and secure, but will not be secure at all, and the people who want it secured won't know the difference until it's too late. Real effective security is in depth. Obscurity can be used in the mix, but may only ever be a small part of it; cryptography, key management, port monitoring, downright suspiciousness: these are all necessarily larger parts of the whole...

Re:Security through obscurity never works (1)

cusco (717999) | more than 3 years ago | (#36364954)

Doesn't need to be from someone inside, most of these types of devices, including access control panels, DVRs, PLCs, alarm panels, fire panels, and the like communicate on their own specific port. I can go into any large company, plug into a random network port in a random meeting room, scan the local subnets and figure out 1) what access control program they use, 2) what the address of the local ISC (intelligent system controller) is, 3) what the address of the local DVR/NVR is, 4) what the address of the local burglar/alarm panel is. At this point in over 90 percent of the cases I can take over the ISC and probably the DVR/NVR, substitute my own server for theirs, and leave the doors functional but with whatever settings I choose. The guard staff just see the panel go offline for some unknown reason, so they'll call the IT staff or the VAR, who will be around to check it some time in the next day or two or (in the case of some VARs) never.

It's very lucky for big businesses that almost all installers are either honest or stupid, because anyone who has worked in the physical security field for a couple of years could do the same thing.

Re:Security through obscurity never works (1)

budgenator (254554) | more than 3 years ago | (#36365070)

Security through obscurity, you say that like the backdoors weren't put there on purpose.

Re:Security through obscurity never works (1)

The Moof (859402) | more than 3 years ago | (#36361762)

Responsible full disclosure is a good thing. However, based on the "control how fast a turbine spins" part of the summary, this sounds like the type of software that needs to have rigorous testing and regulations enforced before pushing out to the public. Siemens was notified of the vulnerabilities on May 8th. 3 months might not be enough time to fix, test, and deploy the new firmware (not to mention the testing on the deployment side).

I'm all for full disclosure, but this still seems too soon. Then again the guy already submitted the info to Metasploit on May 23rd, so his course of action is already questionable (why not wait until there's fixed firmware before this?). I think the better method of disclosing this would have been to do a partial disclosure so customers could protect themselves, then do the full disclosure after a reasonable amount of time for Siemens to deploy new firmware.

Re:Security through obscurity never works (1)

cusco (717999) | more than 3 years ago | (#36365004)

Siemens PLCs also run a LOT of medical equipment, and the testing program for that stuff can stretch into (literally) years. What's a "reasonable amount of time" for a device that can control a baby incubator or MRI?

Re:Security through obscurity never works (1)

jd (1658) | more than 3 years ago | (#36364264)

Based on the Sony experience and the fact that the lab Manning was working on had passwords to secure accounts stuck on the monitors, War Games *WAS* a documentary...

Seriously (1)

uninformedLuddite (1334899) | more than 3 years ago | (#36381672)

Fsck society! What's it really done for us lately?

Re:Is is settled this time? (1)

nedlohs (1335013) | more than 3 years ago | (#36361190)

Because the researcher in question agreed with them.

Re:Is is settled this time? (0)

Anonymous Coward | more than 3 years ago | (#36361364)

The researchers voluntarily pulled the presentation, they were not forced. It was the right decision, most security vulnerabilities are embarrassing, this one is physically dangerous. This is not a hack that would merely allow you to get root on a system or allow you to deface a website or even give you access to dangerous information. This is a hack that could directly kill many people - these controllers are connected to industrial machinery. Turning everything up to maximum or shutting everything off at a chemical plant could turn into a major disaster. Same with dams. These controls are used at both. Giving this power to the world at large would be recklessly dangerous. Personally, I'd be more worried about angry, depressed teenage script kiddies or Unabomber types using this than terrorists or foreign nations, but the possibilities are all there.

They pulled the talk because they are rational human beings with at least a tiny bit of morality.

Re:Is is settled this time? (1)

arth1 (260657) | more than 3 years ago | (#36363594)

You forget that the knowledge that weaknesses exist is already disclosed. Hiding the details of the weaknesses is only going to stop script kiddies, not someone looking for the flaws. When you open a can of worms, you can't get them back in.

The imminent danger by not disclosing is that the managers in charge of the affected systems will do absolutely nothing, waiting for a vendor patch. During which time the systems will continue to be highly vulnerable, and every unabomber and foreign cracker with a grudge knows that. This is exactly what's happening right now. In effect, you've handed the black hats a grace period.

Disclosing not only puts the onus on the people in charge of the installations to tighten security now, but also provides them with details on what, exactly, is vulnerable, so they may not have to cut all cables and post the national guard around their dam, but can implement local necessary restrictions and workarounds until the vendor gets his finger out.

No, they are not "rational human beings with at least a tiny bit of morality". (Never mind that your appeal to morality and emotions is at odds with rational behaviour.)
It's a typical irrational non-sequitur, where the belief is that disclosure of a technical flaw would be the cause of it being exploited. The flaw is the cause, and not disclosing it doesn't change the cause nor the exploitability.

Non-disclosure may stop script kiddies, but worsens the overall security effect, because (again due to human irrational nature) it will stop precautions to stop the real threats from being taken.
How DHS acts here scares me, to be honest. But it doesn't surprise me. Humans think with their guts more than their heads, and DHS is no exception. That it's also based on and encompasses several agencies that live and breathe secrecy makes it even more understandable, but no less scary.

Re:Is is settled this time? (1)

fast turtle (1118037) | more than 3 years ago | (#36361688)

The question then becomes "Who's National Security?" as these controllers are deployed around the world.

Re:Is is settled this time? (0)

Anonymous Coward | more than 3 years ago | (#36362604)

Or "Whose National Security?" if you're not an idiot.

Re:Is is settled this time? (1)

chemicaldave (1776600) | more than 3 years ago | (#36361952)

Allow? Why would or should they have a say? It's in the interest of We, the People, to learn this, so we can take the necessary precautions.

I'm all for Us having more information, but it's also in Our best interest to fix things before we disclose those types of vulnerabilities. Who exactly do you think is going to take the "necessary precautions"? The manufacturer is the best party to fix the problems, so why release the information into the open before then? Your logic doesn't make sense. If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?

Re:Is is settled this time? (1)

arth1 (260657) | more than 3 years ago | (#36363712)

Who exactly do you think is going to take the "necessary precautions"?

Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited.
They won't, because there is no one demanding it from them. Disclosure would force their hands.

If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?

I would appreciate it if you told my neighbours and the police, which would make it a public record.
I would definitely not appreciate it if I learned that you knew about it, and I had a burglar visit before I came home because you decided to not tell anyone until I could do something about it.

Re:Is is settled this time? (1)

chemicaldave (1776600) | more than 3 years ago | (#36364330)

Who exactly do you think is going to take the "necessary precautions"?

Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited. They won't, because there is no one demanding it from them. Disclosure would force their hands.

The operators of equipment using the controllers can't do anything about it. Siemens has to fix the issues, and fixes like these take time. It's not as simple as applying an OS update. That seems to be something people aren't realizing.

Re:Is is settled this time? (1)

arth1 (260657) | more than 3 years ago | (#36368618)

The operators of equipment using the controllers can't do anything about it

They can, and they should. For example, they can limit the access to the devices, or the protocols that have problems, or disable parts that are vulnerable. And plan for what to do if they all fail.

Knowing how and why they can fail would help, but Siemens and DHS don't want to tell. Siemens because they naturally want to hush it up, and DHS because they don't realise that they only succeed in keeping the info from those who need it - those with an interest in finding out WILL find out, and now have a respite where they can attack the vulnerability knowing that no-one is taking precautions.

Re:Is is settled this time? (1)

chemicaldave (1776600) | more than 3 years ago | (#36369184)

So instead of waiting for a fix from Siemens before the exploit is revealed, owners should now reconfigure their access to the devices and waste money doing so when they could just wait? And who said no-one is taking precautions? You're assuming Siemens is trying to censor the exploits and not deliver a fix. You're also assuming those with an interest don't already know the exploit, and that merely knowing a vulnerability exists means they will figure it out faster than if it was made public.

Re:Is is settled this time? (1)

budgenator (254554) | more than 3 years ago | (#36364036)

I've been glancing at the S7-1200n easy book and you have to realize this thing has 1 or 2 MB of retentive memory, its basic idea of digital networking is RS485/RS232 serial lines, ethernet even seems to be an add-on. I'm not sure the concept of security can be applied to a device so simple, I would be surprised if the vectors of attack weren't almost exclusively through windows computers used for running HMI programs. No matter what you do if your firewalls are letting machines talk promiscuously to other machines, your employees are sneaker-netting in viruses and you're not scanning for unauthorized equipment, your security is going to suck. Which brings us to the crux of the matter, the real problem is systemic security as an after-thought and mainly as a dog and pony show, which means any security patch from Siemens will be like the Dutch boy holding his finger in the leaky dike.

Re:Is is settled this time? (1)

Aldenissin (976329) | more than 3 years ago | (#36361122)

What if Siemens confidence evaporates and, August time, some of these vulns are not yet patched? Will they allow the presentation?

Who is they? If you mean the conference, well then they wouldn't exactly deserve the title "Black Hat", would they?

Re:Is is settled this time? (1)

c0lo (1497653) | more than 3 years ago | (#36361342)

Who is they?

DHS, who else?

Re:Is is settled this time? (1)

jd (1658) | more than 3 years ago | (#36364522)

Certainly it is possible DHS could try and stop the talk. IIRC, US authorities acted against a Russian who broke Adobe Acrobat security and gave a talk at Defcon. Whilst, understandably, copyright laws are a higher priority than national security for the government, it is entirely possible that similar action might be threatened should it look likely the talk would go ahead prior to a fix being distributed. And even then, you never know.

On the other hand, the talk can't be delayed forever. Not necessarily by the experts here, but the fact that people have known about SCADA vulnerabilities existing for decades means it's inevitable the work will be duplicated sooner or later and that means it'll be presented by someone, somewhere, sooner or later. The fuse starts burning the moment a flaw is first introduced, NOT the moment the flaw is first described.

The DHS probably won't do this, but to me the "right thing" is to leverage the talk as pressure on Siemens to put more resources into making the system secure and then use the entire case as leverage on all other vendors of mission-critical systems in the US to secure their systems too. But in order to do that, Siemens would need to believe that the talk will take place, fix or no fix. If they think the DHS is just playing chicken, they'll ignore it. The DHS would HAVE to be serious and therefore HAVE to not only allow the talk to take place but also facilitate it in whatever way they could, whilst also making sure Siemens was commercially in a position to do the kind of fixing and testing needed to produce a rock-solid upgrade that their customers could actually trust in things like nuclear facilities, power grids, etc.

(Fixes are zero-income expenses, which is why companies tend to avoid them.)

Re:Is is settled this time? (0)

Anonymous Coward | more than 3 years ago | (#36363490)

Who is they? If you mean the conference, well then they wouldn't exactly deserve the title "Black Hat", would they?

Agents Smith & Wesson.

Re:Is is settled this time? (2)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361128)

At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.

It isn't as though white hats have anything like a monopoly on security/penetration expertise in this world, and the word is already out about what device the vulnerabilities are in, and (since they are working on a new patch) that it exists in the latest available patch level. Presumably, any blackhats who care about access to such devices are already sniffing around. Also, with something like SCADA, where putting it on the public internet has always been seen as a bad idea, the "but if you release the information, even script kiddies will have a working attack toolkit" objection is arguably less serious. For internet-facing stuff, script kiddies with access to tools built by people smarter than they are are a serious hazard, as are low-rent cybercriminals looking for new bots and spam hosts and stuff.

For computationally limited and (hopefully) internal stuff, sophisticated attackers are a serious concern (since they are the ones most likely to perform a focused attack on the outer face of an organization, looking for holes that get them onto theoretically "internal" networks); but the noobs will hopefully never make it past the gates, and the spammers are unlikely to have an economic incentive to compromise something that makes a lousy bot. If the vendor can't get their act together, and fast, it quickly becomes more valuable for the admins to know, so that they can take appropriate measures at whatever points potentially link their internal and external networks.

Re:Is is settled this time? (1)

c0lo (1497653) | more than 3 years ago | (#36361384)

At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.

Tell this to DHS! Do you expect a rational reaction? (even now, reading Wikileaks put one's security clearance prospects under question - no matter the whole world reads the Cablegate, DHS seems to need uninformed employees. Err... pardon... on a "need to know basis").

Re:Is is settled this time? (1)

Serpents (1831432) | more than 3 years ago | (#36361512)

but the noobs will hopefully never make it past the gates, and the spammers are unlikely to have an economic incentive to compromise something that makes a lousy bot.

I think the noobs are not going for such relatively sophisticated/uncommon systems like PLCs and would rather try to "read your e-mail" instead or get their hands on some sensitive data/information to show off.

Embedded system (1)

currently_awake (1248758) | more than 3 years ago | (#36361804)

Doing security patches on embedded systems takes a lot of time. The code could be running from ROM chips that must be physically replaced, and the code must be audited to ensure no bugs or new security issues, and you might not have a list of who has your device (they might not know either). When your code runs the flood gates on a major dam you must be very sure it works properly.

fearmongering? (2, Informative)

Anonymous Coward | more than 3 years ago | (#36361082)

I've worked with Siemens' S7 and SiMotion systems, and I've never seen a single company attach them to a large computer network inside their company.
The only ways to reprogram S7 or SiMotion is by either connecting to an ethernet / profinet connection the machines are on, or by acquiring physical access and establishing a serial connection.

Re:fearmongering? (0)

Anonymous Coward | more than 3 years ago | (#36361152)

Stuxnet? Just because you don't have access to a vuln doesn't mean you can't get somebody else to exploit it for you.

Analysis is the weak point (1)

mangu (126918) | more than 3 years ago | (#36361202)

In any control system there's data that needs to be analyzed. Someone has to transfer telemetry from the control system to an engineer's workstation. Today this is normally done by a USB stick, if there's no direct network connection, and that's the weak point.

I believe a secure network connection is better than the "sneakernet" approach. It's better to have a good firewall allowing only a limited set of ports than to let people plug things into the computers.

Another good approach would be to transfer the data through CDs or DVDs, using only new, blank media, but there would always exist the risk that someone would use an old CD containing malware.
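Both arth1's point that operators can limit which hosts and protocols reach the devices and mangu's point that a firewall allowing only a limited set of ports beats sneakernet can be turned into something concrete. The following is an added example, not code from the thread or from Siemens: it audits constructed flow records for hosts outside an engineering-workstation allowlist reaching a PLC's programming port, and emits the matching iptables allowlist rules. It assumes S7 controllers accept S7comm/ISO-TSAP on TCP 102 (a well-known default, not stated on the page), an iptables-based boundary firewall, and the sample addresses and allowlist below are constructed.

```python
"""Added example (not from the thread): flag access to an S7 PLC's programming
port from outside the engineering allowlist, and emit matching firewall rules.

Assumptions (not stated on the page):
  - the PLCs accept S7comm over ISO-TSAP on TCP 102 (standard for S7 controllers);
  - flow records are '<src_ip> <dst_ip> <dst_port> <proto>' lines, as exported
    from a firewall or flow collector;
  - the boundary between office and control networks is an iptables box;
  - all addresses and the allowlist below are constructed sample data.
"""
import ipaddress
from collections import namedtuple

PLC_ADDRS = {"10.20.0.11", "10.20.0.12"}                  # constructed PLC addresses
PLC_PORTS = {102}                                         # ISO-TSAP / S7comm
ENGINEERING_HOSTS = ipaddress.ip_network("10.20.1.0/28")  # constructed allowlist

# Constructed sample flow records: "<src_ip> <dst_ip> <dst_port> <proto>"
SAMPLE_FLOWS = """\
10.20.1.5 10.20.0.11 102 tcp
10.20.1.6 10.20.0.12 102 tcp
10.50.3.77 10.20.0.11 102 tcp
10.20.1.5 10.20.0.11 80 tcp
192.168.9.4 10.20.0.12 102 tcp
10.20.1.5 10.20.0.12 102 udp
"""

Flow = namedtuple("Flow", "src dst dport proto")


def parse_flows(text):
    """Parse flow lines; malformed records are skipped rather than aborting the audit."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        try:
            ipaddress.ip_address(src)  # reject garbage addresses early
            flows.append(Flow(src, dst, int(dport), proto.lower()))
        except ValueError:
            continue
    return flows


def is_plc_programming_flow(flow):
    """True when the record targets a PLC's S7comm port over TCP."""
    return flow.dst in PLC_ADDRS and flow.dport in PLC_PORTS and flow.proto == "tcp"


def find_unauthorized(flows):
    """Return flows reaching a PLC programming port from outside the allowlist."""
    return [
        f for f in flows
        if is_plc_programming_flow(f)
        and ipaddress.ip_address(f.src) not in ENGINEERING_HOSTS
    ]


def audit(text):
    """Human-readable findings for the given flow records."""
    return [f"{f.src} -> {f.dst}:{f.dport}/{f.proto}" for f in find_unauthorized(parse_flows(text))]


def iptables_allowlist_rules():
    """Emit FORWARD rules that let only the engineering subnet reach each PLC's
    programming port and drop every other attempt to reach it."""
    rules = []
    for plc in sorted(PLC_ADDRS):
        for port in sorted(PLC_PORTS):
            rules.append(f"iptables -A FORWARD -p tcp -s {ENGINEERING_HOSTS} -d {plc} --dport {port} -j ACCEPT")
            rules.append(f"iptables -A FORWARD -p tcp -d {plc} --dport {port} -j DROP")
    return rules


if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print("ALERT: PLC programming port reached from non-engineering host:", finding)
    print("\n".join(iptables_allowlist_rules()))
```

Feeding the script a real flow export from the control-network boundary shows whether anything outside the engineering subnet is already talking to the PLCs, which is exactly the check an operator can make before any vendor patch arrives.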

Re:Analysis is the weak point (1)

fuzzyfuzzyfungus (1223518) | more than 3 years ago | (#36361260)

If one is feeling really serious, the so-called "data diode" devices can be used to ensure that the data to be analyzed goes out and nothing goes back in. Since they are sort of a niche market, and the problem of making anything remotely resembling a normal network protocol work unidirectionally is a bit tricky, such hardware is Not Cheap; but neither is having hackers all up in your centrifuges...

Re:Analysis is the weak point (0)

c0lo (1497653) | more than 3 years ago | (#36361442)

If one is feeling really serious, the so-called "data diode" devices can be used to ensure that the data to be analyzed goes out and nothing goes back in... such hardware is Not Cheap

I have some WOM [wikipedia.org] with high FINO [wikipedia.org] rates, that I can provide quite cheap. Are they interested?

Re:Analysis is the weak point (1)

Wintermancer (134128) | more than 3 years ago | (#36364214)

The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap. When you factor in the cost per hour of downtime (or the risk) of anything of significance (oil refineries, water/waste water, electrical power generation, etc.) it is nothing short of staggering. When you factor in startup time from interrupted process, it can hit stratospheric heights in no time.

Seriously. The last facility where I was working at an interruption to process had a downtime cost of $5M/hour, with a minimum time to restart operations at 6 hours (and that is not a large facility, for what it is worth), up to 12 hours if there were complications. So, something goes "blip" and they lose $30M-60M guaranteed.

If you are a Plant Manager, buying 10 whatsits for $10K a piece isn't a rounding error in your operations budget if your MTBF was reduced by 1% as a result.

Re:Analysis is the weak point (1)

c0lo (1497653) | more than 3 years ago | (#36369032)

The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap.

If you are a Plant Manager, buying 10 whatsits for $10K a piece isn't a rounding error in your operations budget if your MTBF was reduced by 1% as a result.

Humor sense is in short supply these days.

The whatsits you mention (and construct your case against cheapness) are: "Write Only Memory" (guaranteed security, nobody can read them) with a high "First In Never Out" rate (performance matched only by /dev/null).

Re:Analysis is the weak point (1)

Wintermancer (134128) | more than 3 years ago | (#36371172)

I was referring more to EAL7 Interactive Link Data Diodes (IL-DD) as the "whatsits", but products meeting that Common Criteria spec are mind-farking expensive.

Doesn't really matter, as Stuxnet showed, sneakernet is still effective as an injection vector. What really matters is having solid incident response, disaster recovery and business continuity plans.

Re:Analysis is the weak point (1)

thegarbz (1787294) | more than 3 years ago | (#36361818)

such hardware is Not Cheap;

The cost of such devices often constitutes no more than a rounding error in the case where a SCADA system is critical enough to require online monitoring.

Unfortunately logic is lost on some people. I remember arguing that ADSL was not the right technology for communicating with an RTU for a transfer pump once. The IT boys kept saying that ADSL is $80/month for a business line and SHDSL was $4000/month. They were completely oblivious to the fact that for every hour the pump doesn't run we lose $80000.

Cost of security is not the issue. Convincing idiots of the obvious business case for security is the issue.

Re:Analysis is the weak point (1)

maxwell demon (590494) | more than 3 years ago | (#36361280)

What about a physically one-way data connection? That is, it is enforced by hardware that information flows only one way? (Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).

Re:Analysis is the weak point (1)

mangu (126918) | more than 3 years ago | (#36361362)

The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.

Re:Analysis is the weak point (1)

vlm (69642) | more than 3 years ago | (#36361526)

The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.

Oh come on, wire cutters / diagonal cutters and some heat shrink tubing later... Or you can use needle nose pliers to remove the, uh, male part of the connector.

The expensive way is to buy a managed ethernet switch (not a dumb switch) and set up port mirroring or whatever (tm) (c) name they have for the protocol analyzer port feature where you only get to see not touch the traffic.

The cheap way is to buy a slightly dumber switch, force the port to 10 megs, cut open the ethernet cable, and clip the pair going the wrong direction. 10 megs used separate pairs for each direction, more modern modulation methods or whatever use all the pairs both ways. If you are at a "crimp yer own" facility, not crimping one of the pairs is not all that difficult. Of course your average cable-monkey will probably skip the wrong pair about 3/4 of the time, or split pair them, etc etc.

The in between, completely off the shelf answer is anyone who's ever worked even tangentially in industrial IT or IT at one of our few remaining industries (raises hand) knows that out on the floor you exclusively run ethernet using these ether-fiber transceivers on each end and coincidentally, 15 years ago when I was doing this kind of stuff, all of those devices used two fibers, one for each direction. Since you "need" to use these transceivers anyway to get around interference probs and distance limitations (uh, the cat-5 spec says 100 meters, and the printing press is 300 meters long, yes I know that's a fifth of a mile, no sh!t, wore out a pair of boots at that job...), it's not exactly hard to figure out that you just use one strand of fiber instead of two...

Re:Analysis is the weak point (1)

mangu (126918) | more than 3 years ago | (#36361766)

Yes, there are many ways to do it, but the problem is the software.

I use one system where I work in which the operating procedures are implemented, no kidding, in excel spreadsheets. Worse still, the console workstations don't have excel installed. The engineers have to develop the procedures on their desktop computers and then copy the .xls files to the workstations. The two different parts of the system don't mix, each needs a parallel port dongle and they cannot both be installed on the same computer.

The only solution to this hell of a system is to have a set of engineering workstations in a separate network.

Re:Analysis is the weak point (1)

Nethead (1563) | more than 3 years ago | (#36363916)

10 megs used separate pairs for each direction, more modern modulation methods or whatever use all the pairs both ways.

Some nits picked:

a) Original 10Mb/s was 10base5 or 10base2 which used a single coaxial cable, effectively "one pair". 10baseT uses two pairs.

b) 100baseT (Fast Ethernet), like 10baseT, uses one pair in each direction. It's where you get into 1000baseT that really trick shit is going on with 5 different voltages over all four pairs.

c) IP (TCP/ICMP/UDP) requires bidirectional flow for handshaking just to set up the connection.
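The thread's one-way link (clipped pair, single fibre strand, data diode) leaves the receiving side with no way to acknowledge or request retransmission, so TCP cannot be carried across it; telemetry has to be pushed as datagrams and the receiver has to detect loss and forgery itself. The following is an added example, not code from any poster or from Siemens, that simulates such a link in Python: the sender frames each sample with a sequence number and an HMAC under a constructed pre-shared key, sends every frame twice because there is no retransmission, and the receiver authenticates frames, drops duplicates and reports sequence gaps. The key, the telemetry samples and the drop/corruption pattern are all constructed for the demonstration.

```python
import hashlib
import hmac
import json
import struct

# Constructed pre-shared key for the example; a real deployment would
# provision it out of band on both sides of the one-way link.
PSK = b"example-psk-not-for-production"
REPEAT = 2        # each frame is sent twice: the link has no retransmission
TAG_LEN = 32      # HMAC-SHA256 output length in bytes


def build_frame(seq: int, sample: dict) -> bytes:
    """Frame = 8-byte big-endian seq || JSON payload || HMAC-SHA256 tag."""
    body = struct.pack(">Q", seq) + json.dumps(sample, sort_keys=True).encode()
    tag = hmac.new(PSK, body, hashlib.sha256).digest()
    return body + tag


def parse_frame(frame: bytes):
    """Return (seq, sample), or None if the frame is truncated or fails the MAC."""
    if len(frame) < 8 + TAG_LEN:
        return None
    body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
    expected = hmac.new(PSK, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        return None
    seq = struct.unpack(">Q", body[:8])[0]
    try:
        sample = json.loads(body[8:].decode())
    except (UnicodeDecodeError, ValueError):
        return None
    return seq, sample


def send_telemetry(samples):
    """Control-network side: emit each sample REPEAT times as raw datagrams."""
    wire = []
    for seq, sample in enumerate(samples, start=1):
        wire.extend([build_frame(seq, sample)] * REPEAT)
    return wire


class Receiver:
    """Analysis-network side: authenticate, de-duplicate, and track gaps."""

    def __init__(self):
        self.samples = {}   # seq -> sample
        self.rejected = 0   # frames that failed parsing or the MAC

    def feed(self, datagram: bytes):
        parsed = parse_frame(datagram)
        if parsed is None:
            self.rejected += 1
            return
        seq, sample = parsed
        if seq not in self.samples:   # second copy of a frame is silently dropped
            self.samples[seq] = sample

    def gaps(self):
        """Sequence numbers never seen below the highest one received."""
        if not self.samples:
            return []
        high = max(self.samples)
        return [s for s in range(1, high + 1) if s not in self.samples]


def run_simulation(drop=(), corrupt=()):
    """Push four constructed samples through a lossy, occasionally corrupting link."""
    telemetry = [{"tag": "turbine_rpm", "value": 3000 + i} for i in range(4)]
    wire = send_telemetry(telemetry)
    rx = Receiver()
    for i, datagram in enumerate(wire):
        if i in drop:
            continue                      # datagram lost on the link
        if i in corrupt:
            damaged = bytearray(datagram)
            damaged[10] ^= 0xFF           # flip a payload byte: MAC must fail
            datagram = bytes(damaged)
        rx.feed(datagram)
    return {"received": sorted(rx.samples), "gaps": rx.gaps(), "rejected": rx.rejected}


if __name__ == "__main__":
    print(run_simulation())
    print(run_simulation(drop={2, 3, 4}, corrupt={6}))
```

With the constructed loss pattern (both copies of frame 2 lost, one copy of frame 3 lost, one copy of frame 4 corrupted) the receiver still delivers frames 1, 3 and 4, reports frame 2 as a gap for the operator to investigate, and counts the corrupted copy as rejected rather than accepting it. A real link would replace the list of datagrams with UDP sockets and add forward error correction if the loss rate warranted it.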

Re:Analysis is the weak point (0)

Anonymous Coward | more than 3 years ago | (#36373010)

The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.

Cisco actually *sells* those

Re:Analysis is the weak point (0)

Anonymous Coward | more than 3 years ago | (#36361816)

What about a physically one-way data connection?

That's the only method I've seen used on control systems I've worked on. Usually it's a one way current loop. Safety and security controls are hardware limited at the controlled device.

The real problem is bad control system design.

Re:Analysis is the weak point (1)

michelcolman (1208008) | more than 3 years ago | (#36362050)

(Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).

Or hit the actual turbine with a $5 wrench.

Re:fearmongering? (0)

Anonymous Coward | more than 3 years ago | (#36361208)

Cowardly posting because I'm speaking about a client that really shouldn't be guessed.

I've worked with Siemens' S7 and SiMotion systems, and i've never seen a single company attach them to a large computer network inside their company.

I've seen tens of S7-based systems connected to the local network. There wasn't any firewall between them. Oh yeah, I nearly forgot that some of their routers had public addresses (reachable from internet, of course).
I'll let anyone guess if their industrial PCs, installed with windows XP/2K/CE, had any antiviral or system updates since they've been first plugged. (Did I tell you that until 1 year ago, PCs plugged into this network could surf the Web?)

The only ways to reprogram S7 or SiMotion is by either connecting to an ethernet / profinet connection the machines are on, or by acquiring physical access and establishing a serial connection.

I forgot that there are loooooong cables running everywhere in the facility.

Have I said that it was a pharmaceutical company?

Re:fearmongering? (0)

Anonymous Coward | more than 3 years ago | (#36362814)

That sounds like a certain pharmaceutical company I used to work for.

Do they have distribution centers in New Jersey, by chance?

Re:fearmongering? (1)

cusco (717999) | more than 3 years ago | (#36365854)

Long cables indeed. RS-485 can be 4000 feet between nodes. We have a customer who has access control readers on their perimeter fence. The first reader is 1000 feet away, the next 3000, the one after 2000 and then there's another on the dock even further away. Keeping the damn panels online used to be a pain since sometimes the round-trip time for the furthest reader was longer than the application's timeout, but then they ran fiber to the dock for a camera and we piggybacked that reader on it.

Re:fearmongering? (0)

Anonymous Coward | more than 3 years ago | (#36362914)

I would like to know what companies you are working for. Depending on the scale of the system, there exists a need to connect the controllers to a network of some type. Siemens isn't the only controller maker. The makers I am familiar with are: Allen Bradley, Schneider/Modicon, CTC, Koyo/Automationdirect. There are tons more. Early networks consisted of RS422 serial links between the controllers and were commonly used with proprietary protocols or the antiquated MODBUS protocol. Then Profibus (developed by Siemens) and Devicenet (Allen Bradley) came around to relieve some of the speed and protocol issues. But Devicenet tops out at 500Kbps and Profibus at 12Mbps. 100Mb and 1Gb Ethernet blow the two away. Lots of data can be moved around while keeping latency low, enabling field IO devices to alleviate I/O wiring headaches, and Ethernet is leading the way.

Profibus and older field buses like Devicenet may one day fall out of favor for IP/Ethernet based networks that seem to be gaining ground in automation. Just about every IT infrastructure in the world uses IP and programmable controllers are also going that route to bridge the gap between IT and the automation systems.

I just specked out a CTC Blue Fusion controller that will replace an older Koyo which features an integrated web based HMI (human machine interface) that can be used on any web browser. Internally we can replace proprietary HMI's with cheaper touch screen PC's or even a tablet like an iPAD or Chrome based system. And you bet your ass there will be a dedicated firewall between the controllers and the internal network in addition to the firewall for the internet (pfSense).

PLC security? (1, Interesting)

Anonymous Coward | more than 3 years ago | (#36361084)

I work with PLCs (Programmable Logic Controllers like the article mentions) and to be honest it's news to me that they even HAVE security.

Most PLCs will accept any data table read/write, any programming command and any firmware update without any authentication whatsoever. Also the SCADA system (the visualisation system which talks to the plant's PLCs) will typically run on Windows XP, usually without any service packs/patches, no antivirus, and often the Windows firewall disabled. "Security" on a SCADA is typically implemented only by disabling mouse events on the client-side command button if the operator does not have appropriate access level.
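The "security by disabling the button" pattern described in the post above only controls what a well-behaved HMI client does; anything that speaks to the PLC directly is unconstrained. The following is an added example, not code from the poster or from any SCADA vendor, that contrasts that client-only gate with a gateway that authorises every command on the server side and keeps an audit trail. The access levels, command table, `FakePlc` stand-in and operator names are all constructed for the demonstration.

```python
from dataclasses import dataclass
from enum import IntEnum


class AccessLevel(IntEnum):
    VIEWER = 0
    OPERATOR = 1
    ENGINEER = 2


# Constructed command table: the minimum level each PLC operation requires.
REQUIRED_LEVEL = {
    "read_tag": AccessLevel.VIEWER,
    "write_setpoint": AccessLevel.OPERATOR,
    "download_program": AccessLevel.ENGINEER,
}


@dataclass
class Session:
    operator: str
    level: AccessLevel


class FakePlc:
    """Stand-in for a controller that, as the post says, authenticates nothing."""

    def __init__(self):
        self.setpoints = {}
        self.program = "v1"

    def execute(self, command, **args):
        if command == "read_tag":
            return self.setpoints.get(args["tag"])
        if command == "write_setpoint":
            self.setpoints[args["tag"]] = args["value"]
            return "ok"
        if command == "download_program":
            self.program = args["image"]
            return "ok"
        return "unknown"


class HmiClientOnly:
    """The anti-pattern: the only gate is whether the UI button is enabled."""

    def __init__(self, plc):
        self.plc = plc

    def click(self, session, command, **args):
        if session.level < REQUIRED_LEVEL[command]:
            return "button disabled"          # enforced only in the client
        return self.plc.execute(command, **args)


class CommandGateway:
    """Server-side enforcement in front of the PLC: authorise, log, then act."""

    def __init__(self, plc):
        self.plc = plc
        self.audit = []                       # (operator, command, decision)

    def execute(self, session, command, **args):
        needed = REQUIRED_LEVEL.get(command)  # unknown commands are denied
        allowed = needed is not None and session.level >= needed
        self.audit.append((session.operator, command, "ALLOW" if allowed else "DENY"))
        if not allowed:
            return "denied"
        return self.plc.execute(command, **args)


def demo():
    """Show the same low-privilege session against both designs."""
    viewer = Session("viewer1", AccessLevel.VIEWER)
    plc_a, plc_b = FakePlc(), FakePlc()

    hmi = HmiClientOnly(plc_a)
    ui_click = hmi.click(viewer, "download_program", image="v2")
    # Any process that reaches the PLC without going through the HMI is ungated.
    direct = plc_a.execute("download_program", image="v2")

    gateway = CommandGateway(plc_b)
    gated = gateway.execute(viewer, "download_program", image="v2")
    return {
        "ui_click": ui_click,            # "button disabled"
        "direct_to_plc": direct,         # "ok": program replaced despite the UI
        "plc_a_program": plc_a.program,  # "v2"
        "gateway": gated,                # "denied"
        "plc_b_program": plc_b.program,  # "v1"
        "audit": gateway.audit,
    }


if __name__ == "__main__":
    print(demo())
```

The gateway is where detection also lives: the audit list shows the DENY decision with the operator and command, which is exactly the record a client-side disabled button never produces.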

runs on rugged Windows CE platform? (0)

Anonymous Coward | more than 3 years ago | (#36361592)

"the SCADA system (the visualisation system which talks to the plant's PLCs) will typically run on Windows XP, usually without any service packs/patches, no antivirus, and often the Windows firewall disabled.

"Security" on a SCADA is typically implemented only by disabling mouse events on the client-side command button if the operator does not have appropriate access level"

"SIMATIC PC-based Controllers use a real-time-capable software controller based on Windows [siemens.com] operating systems .. Software controller for Multi Panels Control, operation and monitoring on a well-proven and extremely rugged Windows CE platform [siemens.com] in real-time"

32 comments and no mention of Stuxnet? (1)

scorp1us (235526) | more than 3 years ago | (#36361602)

Clearly, the real embarrassment here is that the DoD is using these vulnerabilities to kill Iranian centrifuges. I don't have a problem preventing Iran from having nukes, as I think they should not ever have them. However with the recent "cyber security" announcement that digital hacking can be considered an act of war, I wonder if we'd have come to the same conclusion if we were in missile range of Iran.

Releasing these hacks could have unintended consequences. Imagine if some hacker group used them for their own nefarious purposes... There could be floods, explosions. Real-world consequences. Not just some stolen passwords.

Security 101 (2)

currently_awake (1248758) | more than 3 years ago | (#36361752)

A fundamental principle of security: critical infrastructure (flood gates, nuclear power plants...) doesn't connect to the internet. Any design that violates this basic principle of security should be considered proof of criminal negligence. (I'm not a lawyer). You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault.

Re:Security 101 (2)

Viol8 (599362) | more than 3 years ago | (#36362354)

"You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault."

I'm sorry, what? Seriously?

So you release details of a vulnerability which you've discovered and it's "not your fault" if someone then uses it after you've decided on some arbitrary length of time the manufacturer needs to fix it?

Okay, riiight.

You my friend need to take off your rose coloured teen hacker glasses and wake up to the real world. There may be a lot of reasons that the fault can't be fixed quickly or at all - it may need a hardware upgrade for a start which can't be rolled out to large industrial systems overnight and even if it's only a software upgrade are you aware of the hoops software has to jump through during testing in what may be safety critical systems?

No, didn't think so.

When you've finished college and worked in the real world for a while perhaps you might get a clue but I won't hold my breath.

Re:Security 101 (0)

Anonymous Coward | more than 3 years ago | (#36363458)

Not his problem. There's a variety of guidelines for responsible disclosure--but what they all have in common is that at some point--they do disclose. Inevitably.

Bottom line--you need to budget to buy secure systems, budget to upgrade to maintain them, and budget for the rare [but eventually likely] incident where you need to pull an "all hands on" upgrade that blows your division's and company's profits for that quarter. Because even if this wasn't released today, it would be.

And YOU are the negligent party if you fail to upgrade a safety system immediately when that news does eventually make it out. It doesn't matter if it gets released today by joe scriptkid as a 0-day, or in six months with vendor cooperation, or a year when the vendor refuses to fix it and they push it out.

The only difference is whether or not the vendor has a fix yet. And that also really isn't the researcher's problem. Get competent staff, process, and testing, get out of my industry, or quit complaining when people use your weaknesses as a profit center.

As long as the vendor has a fix--which they do--you still need to upgrade it ASAP. Stop calling this guy a kid because you'd rather Ostrich and hide comfortably behind your lousy process and supposed testing.

Furthermore--In terms of your variety of reasons why this might take a long time to update...you're really engaging in speculation as best I can tell. I will admit, there *ARE* PLC's out there that could need hardware updates. I've seen them. But...here's the hard reality of it...

1) The ones that need hardware updates are almost *ALWAYS* a simple matter of replacing a breadboard. This might be damned expensive depending on the vendor. This can be further complicated by reprogramming it...but this isn't an issue for the big people who can keep track of it. The small guys mostly depend on contractors to do all their updates anyway... the big people have software, programs, processes to keep track of it. Although it doesn't change the fact that the service team never wants to understand how it works, so most of those processes tend to be really immature in the ISO sense of the word.

2) Most of these hacks are not against the microcontrollers which are almost all completely unsecured, but against the computers they hook up to--which more often than not in my experience are running WinXP without any service packs or patches at all.

2b) [footnote] BTW, many of these are hooked up to the internet! Or radio links that go to the internet. Or satellite links that go to the internet. Or Cable/DSL modems that.... Windows XP supports PPTP out of the box...that's the security.

In terms of testing and "safety critical"...you're trying to play a trump card you don't have. Anyone who's developed in those industries knows most of that testing is a load of thinly lacquered bullshit against a checklist that fails to do anything other than keep safety engineers employed without actually doing anything other than preventing the utterly obvious issues that would be immediately obvious to any remotely competent process engineer utilizing...whatever you're developing. The software is just a "procedural" cost savings point to prevent the physical failsafe measures from having to be engaged and replaced at a cost of downtime.

Of course, instead of process engineers, companies hire the equivalent of 50's style computer "operators" which is why the aforementioned safety measures are necessary. But because they never bother to test for complex failures...it's all a load of BS anyway--because sooner or later somebody will turn off the physical failsafes, run a stress test, disable alarms and forget to turn them on...whatever. But the "safety critical" stuff...it's...a myth caused by most people's cost saving measures and laziness.

Re:Security 101 (1)

pclminion (145572) | more than 3 years ago | (#36363752)

I wonder if you'd be whistling the same tune when a nuke plant near your home melts down because either A) some jackass told the world how to attack it, or B) the company was forced to rush into deployment of a "fix" that actually contains additional flaws which lead to a system failure. We're not talking about web sites and credit card numbers here, we're talking about big industrial systems that can not only kill people if things go wrong, but render swaths of geography uninhabitable for long periods of time. Your attitude is antisocial bordering on psychopathic.

Re:Security 101 (1)

Viol8 (599362) | more than 3 years ago | (#36372444)

What an utter crock of shit. No wonder you posted AC.

Re:Security 101 (1)

uninformedLuddite (1334899) | more than 3 years ago | (#36381742)

Maybe. He might also be the earlier poster who can take over the whole world just by plugging into some unattended PC in a boardroom and scanning the subnets. He might be a genius. Have you noticed the number of big brains is increasing exponentially on /. these days?

Re:Security 101 (0)

Anonymous Coward | more than 3 years ago | (#36369156)

You my friend need to take off your rose coloured teen hacker glasses and wake up to the real world.

Would this be the real world where you can be held legally accountable for someone else's mistakes, if you should happen to derive what those mistakes were and perform the public service of disclosing them? The same world where hardware I purchase has legal frameworks protecting manufacturers from even guessing how I might interface it with my fish tank, and sharing said interface information, should I so choose? The world where if I download a file to my phone and it costs 0.02 cents/MB, but if I connect a laptop to the phone and download the exact same file through the exact same network it has gone up in cost?

Fuck rose-colored glasses, I wear snow goggles. The future is bright and terrible.

Re:Security 101 (2)

Tweezer (83980) | more than 3 years ago | (#36362434)

I hate to break it to you, but that horse left the barn years ago. The data from these systems is much too valuable and companies that would follow your advice would be at a large competitive disadvantage. That being said, these systems should still be protected with multiple layers of security. I work on SCADA systems and there are multiple security measures such as no default gateways and no less than three firewalls between the SCADA system and the Internet, but it is required that it be connected. For example we need to exchange data on 5 min intervals with our energy market that was implemented, because deregulation and public markets are supposedly better. For example if you would like to see near real time energy market data in the Midwest you can look here https://www.midwestiso.org/MarketsOperations/RealTimeMarketData/Pages/LMPContourMap.aspx [midwestiso.org]

Yes, but (1)

sean.peters (568334) | more than 3 years ago | (#36363126)

I think that Stuxnet permanently put to rest the idea that disconnecting your critical systems from the internet was sufficient to secure them. Sure, you need to do it, but you also need to (somehow) prevent your users from moving contaminated media into your secure systems.

Re:Security 101 (2)

cusco (717999) | more than 3 years ago | (#36365956)

doesn't connect to the internet

This statement always annoys me, because people seem to be assuming that the only way into a network is through the web server or something. If I wanted into someone's network I'd plug into the guard shack at the gate, or a meeting room if I could get into the building. To attack a SCADA system all I would need to do is jump a fence into a substation. No one is watching those cameras, they're for forensics to go after copper thieves.

Want to get into most supposedly 'high security' locations? Walk up to the door with a tool bag in one hand, a ladder in the other, and some boxes under one arm around shift change. People will badge you through and even hold the door open for you. This includes military facilities. The biggest security risk is never the hardware or the software, it's **ALWAYS** the wetware.

Re:Security 101 (1)

uninformedLuddite (1334899) | more than 3 years ago | (#36381786)

I have worked in several of these types of facilities in my long and chequered history. Your scenarios are utter complete bullshit. If you really want access you need to find an unattended laptop in an unattended boardroom, switch off the alarm, sneak around and then wake up with sticky sheets. I call shenanigans on you.

hi (1)

formation (2241238) | more than 3 years ago | (#36362054)

Check to see if your Company name is available http://bit.ly/m2IHF4 [bit.ly]

Only Defense Against This = Open Source the world (1)

tomweeks (148410) | more than 3 years ago | (#36362736)

These folks need to go open source.. for the safety of the world!
In fact.. go one step further and have all governments of the world require all public infrastructure to only be run on open source systems. This is our only hope of staying ahead of terrorists. This same type of problem (and need) has also been seen in the problems with US electronic Voting Booths. The recent RSA seed + proprietary algorithm leak has proven that closed source = security risk. Wake up politicians!

Tweeks

Wait for more (0)

Anonymous Coward | more than 3 years ago | (#36363002)

Wait for more of such stuff to come in future. What else do you expect when they hire cheap programmers and overpaid executives?

What about the others (1)

rongage (237813) | more than 3 years ago | (#36363292)

I am thinking of the Modicons and Allen Bradley PLCs around the world.

On the PLC5 and the SLC-500, security (if set) was generally an afterthought and then normally used to keep factory floor folk out of the PLC. I know because I knew where to find the text-encoded password in the memory dump files.

The ControlLogix was a similar open book - rarely if ever secured. Then again, you could get on the backplane via the ENBT adapter and then talk directly to any card in the system including the SERCOS cards and the ControlNet/DeviceNet/Data Highway cards.

Modicons = what security.

Of course, this was some 10 years ago and things might have improved somewhat since then (not holding my breath though).

And yes, Allen Bradley and Modicon are used in a LOT of critical infrastructure locations.

Re:What about the others (1)

Wintermancer (134128) | more than 3 years ago | (#36364408)

Security in IA (Industrial Automation) land has traditionally been isolation ("We are an island. No data comms in or out.") and physical (To keep out those pesky tool using primates).

It doesn't help that critical infrastructure (CI) is also forklift upgraded anywhere between 10-25 years, depending upon the environment. Infosec was not even on the radar back in the day.

Things are changing for the better, but there is still a significant gap between the current state of affairs and where it should be. The big driver is knowing that CI is now going to be actively targeted in cyberwarfare operations, and governments are starting to put pressure on those companies that have important infrastructure. New controllers that are coming out will have greater security features, lock-out, etc. but it takes time for all pieces to come together (infosec standards and practices, product, regulations, engineering, etc.)

Re:What about the others (1)

cusco (717999) | more than 3 years ago | (#36366018)

Until very recently a former employer used to keep a pile of 386 laptops around because the control software for their half million dollar radio tower wouldn't run on any other CPU and the original manufacturer had been gobbled up. I see the pile is gone now so they must have upgraded in the last year or two.

Re:What about the others (1)

uninformedLuddite (1334899) | more than 3 years ago | (#36381814)

Would that be the radio tower used to communicate with your global network of SCADA spies?

OK, this doesn't make sense. (0)

Anonymous Coward | more than 3 years ago | (#36366122)

A black hat is actually withholding info on how to control a device because he's concerned it will be used for such a thing? HUH?!?!? Who ARE these people?

Arduino option? (1)

aleqi (828032) | more than 3 years ago | (#36372908)

Could Arduino be a "cheap" hardware upgrade from what we are currently using? Would Arduino be more secure? Subquestion... Are there software/firmware upgrades that could be used to fix these flaws? Yesterday?

darktangent (0)

Anonymous Coward | more than 3 years ago | (#36385370)

Oh DarkTangent will save us all from the impending doom.......

daed
