Siemens SCADA Flaws To Be Disclosed At Black Hat 101
itwbennett writes "In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3. Beresford has discovered six vulnerabilities in the S7 that 'allow an attacker to have complete control of the device,' Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams."
Hmm... (Score:4, Funny)
Make sure that Lord Humongous owes you some favors before Blackhat rolls around, everyone!
Re: (Score:2)
How is that different from now? Now get on with it, those pyramids aka 'code releases' aren't going to build themselves.
You know, there was this one boss I was always suspicious about...
Re: (Score:1)
Re: (Score:1)
"in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?"
I, for one, find the idea vaguely arousing.
Re: (Score:1)
Re: (Score:2)
Sounds like a typical day at the office.
... or open gates... (Score:4, Interesting)
Devices like the S7 do things such as control how fast a turbine spins or open gates of doom.
FTFY
Re:... or open gates... (Score:5, Funny)
Re: (Score:2)
Re: (Score:3)
but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.
Is that Tolkien Ring?
I have Siemens (Score:1)
Re: (Score:1)
I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?
Well, if you start hearing mysterious voices, you know that before seeing a psychiatrist, you might first want to check your hearing aid.
Re: (Score:2)
No they'll just reboot your brain by applying a type of external EMF, called electro-convulsive therapy. After a few reboots, you'll come to understand that the overlord's messages to you are for you and only you, if he wants someone else to know the message or even of his existence, he'll tell them.
Re: (Score:1)
Re: (Score:2)
If you suddenly hear Never Gonna Give You Up playing in your head, you know they've been pwned.
Re: (Score:1)
I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?
What do you mean "is going to"? That you posted exactly what I wanted you to is proof that the hack already works.
Is is settled this time? (Score:3)
NSS Labs expects Siemens to issue a patch in the next few weeks, well ahead of the August presentation. "They didn't give any firm timelines," he said. "They said unofficially that they were pretty confident that they'll be able to get their stuff out before then."
Beresford wasn't impressed with that comment. [...]. "Now that they're trying to minimize the impact and do PR damage control, I feel that they're not servicing the public's interest," he said. "I'm not pleased with their response... They didn't provide enough information to the public."
What if Siemens confidence evaporates and, August time, some of these vulns are not yet patched? Will they allow the presentation?
Re: (Score:2)
Allow? Why would or should they have a say?
It's in the interest of We, the People, to learn this, so we can take the necessary precautions. It's far more dangerous if we have a false sense of security.
Our potential future adversaries are bound to study these devices now, in order to find flaws. And they won't let us know. How many severe faults have they found already?
Yes, reactionaries are going to say that it's in the interest of national security to keep this under a lid, but in reality, that's the m
Re: (Score:2)
Allow? Why would or should they have a say?
I agree. However, there is a question missing from your list: why did they have a say?
In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. After consulting with Siemens and the U.S. Department of Homeland security, NSS decided that it was simply too dangerous to go public with its information before a patch could be fully developed.
Re: (Score:2)
If anything, I'd say it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact pe
Re: (Score:2)
Siemens didn't have a say; If you actually read the quotation, ...
If you actually read my post, you'll note that I didn't say "will Siemens allow the presentation" but "will they allow the presentation". I was thinking to the same DHS.
Security through obscurity never works (Score:2)
it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact person, should do; Assess the danger to society caused by withholding the information against the damage done by releasing it.
This kind of information should always be released. The problem is that people in the DHS think the movie "War Games" is a documentary.
The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember stuxnet, everyone seems to agree that it was the work
Re: (Score:3)
The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember stuxnet, everyone seems to agree that it was the work of experts.
The real problem is that security by obscurity does work, but only for a little while. As soon as someone inside blows the whistle, or someone outside just stumbles over the secret, the security from the obscurity is gone. Anything just protected by just obscurity will appear to be nice and secure, but will not be secure at all, and the people who want it secured won't know the difference until its too late. Real effective security is in depth. Obscurity can be used in the mix, but may only ever be a small
Re: (Score:2)
Re: (Score:2)
Security through obscurity, you say that like the backdoors weren't put there on purpose.
Re: (Score:2)
I'm all for full disclosure, but this still seems too soon. Then a
Re: (Score:2)
Re: (Score:2)
Based on the Sony experience and the fact that the lab Manning was working on had passwords to secure accounts stuck on the monitors, War Games *WAS* a documentary...
Seriously (Score:1)
Re: (Score:2)
Because the researcher in question agreed with them.
Re: (Score:2)
You forget that the knowledge that weaknesses exist is already disclosed. Hiding the details of the weaknesses is only going to stop script kiddies, not someone looking for the flaws. When you open a can of worms, you can't get them back in.
The imminent danger by not disclosing is that the managers in charge of the affected systems will do absolutely nothing, waiting for a vendor patch. During which time the systems will continue to be highly vulnerable, and every unabomber and foreign cracker with a gru
Re: (Score:2)
The question then becomes "Who's National Security? as these controllers are deployed around the world.
Re: (Score:2)
Allow? Why would or should they have a say? It's in the interest of We, the People, to learn this, so we can take the necessary precautions.
I'm all for Us having more information, but it's also in Our best interest to fix things before we disclose those types of vulnerabilities. Who exactly do you think is going to take the "necessary precautions"? The manufacturer is the best party to fix the problems, so why release the information into the open before then? Your logic doesn't make sense. If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?
Re: (Score:2)
Who exactly do you think is going to take the "necessary precautions"?
Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited.
They won't, because there is no one demanding it from them. Disclosure would force their hands.
If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?
I would appreciate it if you told my neighbours and the police, which would make it a public record.
I would definitely not appreciate it if I learned that you knew about it, and I had a burglar visit before I came home because you decided to not tell anyone until I could do something
Re: (Score:2)
Who exactly do you think is going to take the "necessary precautions"?
Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited. They won't, because there is no one demanding it from them. Disclosure would force their hands.
The operators of equipment using the controllers can't do anything about it. Siemens has to fix the issues, and fixes like these take time. It's not as simple as applying an OS update. That seems to be something people aren't realizing.
Re: (Score:2)
The operators of equipment using the controllers can't do anything about it
They can, and they should. For example, they can limit the access to the devices, or the protocols that have problems, or disable parts that are vulnerable. And plan for what to do if they all fail.
Knowing how and why they can fail would help, but Siemens and DHS don't want to tell. Siemens because they naturally want to hush it up, and DHS because they don't realise that they only succeed in keeping the info from those who need it - those with an interest in finding out WILL find out, and now have a res
Re: (Score:2)
Re: (Score:2)
I've been glancing at the S7-1200n easy book and you have too realize this thing has 1 or 2 MB of retentive memory, it's basic idea of digital networking is RS485/RS232 serial lines, ethernet even seems to be an add-on. I'm not sure the concept of security can be applied to a device so simple, I would be surprised if the vectors of attack weren't almost exclusively through windows computers used for running HMI programs. No matter what you do if your firewalls are letting machines talk promiscuously to oth
Re: (Score:2)
What if Siemens confidence evaporates and, August time, some of these vulns are not yet patched? Will they allow the presentation?
Who is they? If you mean the conference, well then they wouldn't exactly deserve the title "Black Hat", would they?
Re: (Score:2)
Who is they?
DHS, who else?
Re: (Score:2)
Certainly it is possible DHS could try and stop the talk. IIRC, US authorities acted against a Russian who broke Adobe Acrobat security and gave a talk at Defcon. Whilst, understandably, copyright laws are a higher priority than national security for the government, it is entirely possible that similar action might be threatened should it look likely the talk would go ahead prior to a fix being distributed. And even then, you never know.
On the other hand, the talk can't be delayed forever. Not necessarily b
Re: (Score:3)
It isn't as though white hats have anything like a monopoly on security/penetration expertise in this world, and the word is already out about what device the vulnerabilities are in, and(since they are working on a new patch) that it exists in the latest available patch level. Presumably, any blackhats who care about access to such devices are
Re: (Score:2)
At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.
Tell this to DHS! Do you expect a rational reaction? (even now, reading Wikileaks put one's security clearance prospects under question - no matter the whole world reads the Cablegate, DHS seems to need uninformed employees. Err... pardon... on a "need to know basis").
Re: (Score:1)
but the noobs will hopefully never make it past the gates, and the spammers are unlikely to have an economic incentive to compromise something that makes a lousy bot.
I think the noobs are not going for such relatively sophisticated/uncommon systems like PLCs and would rather try to "read your e-mail" instead or get their hands on some sensitive data/information to show off.
Embedded system (Score:2)
fearmongering? (Score:2, Informative)
I've worked with Siemens' S7 and SiMotion systems, and i've never seen a single company attach them to a large computer network inside their company.
The only ways to reprogram S7 or SiMotion is by either connecting to an ethernet / profinet connection the machines are on, or by acquiring physical access and establishing a serial connection.
Analysis is the weak point (Score:2)
In any control system there's data that needs to be analyzed. Someone has to transfer telemetry from the control system to an engineer's workstation. Today this is normally done by an USB stick, if there's no direct network connection, and that's the weak point.
I believe a secure network connection is better than the "sneakernet" approach. It's better to have a good firewall allowing only a limited set of ports than to let people plug things into the computers.
Another good approach would be to transfer the
Re: (Score:2)
Re: (Score:1)
If one is feeling really serious, the so-called "data diode" devices can be used to ensure that the data to be analyzed goes out and nothing goes back in... such hardware is Not Cheap
I have some WOM [wikipedia.org] with high FINO [wikipedia.org] rates, that I can provide quite cheap. Are they interested?
Re: (Score:2)
The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap. When you factor in the cost per hour of downtime (or the risk) of anything of significance (oil refineries, water/waste water, electrical power generation, etc.) it is nothing short of staggering. When you factor in startup time from interrupted process, it can hit stratospheric heights in no time.
Seriously. The last facility where I was working at an interruption to process had a downtime cost of $5M/hour
Re: (Score:2)
The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap.
If you are a Plant Manager, buying 10 whatsits for $10K a piece isn't a rounding error in your operations budget if your MTBF was reduced by %1 as a result.
Humor sense is in short supply these days.
The whatsits you mention (and construct your case against cheapness) are: "Write Only Memory" (guaranteed security, nobody can read them) with a high "First In Never Out" rate (performance matched only by /dev/null).
Re: (Score:2)
I was referring more to EAL7 Interactive Link Data Diodes (IL-DD) as the "whatsits", but products meeting that Common Criteria spec are mind-farking expensive.
Doesn't really matter, as Stuxnet showed, sneakernet is still effective as a injection vector. What really matters is having solid incident response, disaster recover and business continuity plans.
Re: (Score:2)
such hardware is Not Cheap;
The cost of such devices often constitutes no more than a rounding error in the case where a SCADA system is critical enough to require online monitoring.
Unfortunately logic is lost on some people. I remember arguing that ADSL was not the right technology for communicating with an RTU for a transfer pump once. The IT boys kept saying that ADSL is $80/month for a business line and SHDSL was $4000/month. They were completely oblivious to the fact that for every hour the pump doesn't run we lose $80000.
Cost of
Re: (Score:1)
What about a physically one-way data connection? That is, it is enforced by hardware that information flows only one way? (Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).
Re: (Score:2)
The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.
Re: (Score:2)
The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.
Oh come on, wire cutters / diagonal cutters and some heat shrink tubing later... Or you can needle nose pliers to remove the, uh, male part of the connector.
The expensive way is to buy a managed ethernet switch (not a dumb switch) and set up port mirroring or whatever (tm) (c) name they have for the protocol analyzer port feature where you only get to see not touch the traffic.
The cheap way, is buy a slightly dumber switch, force the port to 10 megs, cut open the ethernet cable, and clip the pair going the
Re: (Score:2)
Yes, there are many ways to do it, but the problem is the software.
I use one system where I work in which the operating procedures are implemented, no kidding, in excel spreadsheets. Worse still, the console workstations don't have excel installed. The engineers have to develop the procedures in their desktop computers and then copy the .xls files to the workstations. The two different parts of the system don't mix, each needs a parallel port dongle and cannot be installed both on the same computer.
The only
Re: (Score:2)
10 megs used separate pairs for each direction, more modern modulation methods or whatever use all the pairs both ways.
Some nits picked:
a) Original 10Mb/s was 10base5 or 10base2 which used a single coaxial cable, effectively "one pair". 10baseT uses two pairs.
b) 100baseT (Fast Ethernet), like 10baseT, uses one pair in each direction. It's where you get into 1000baseT that really trick shit is going on with 5 different voltages over all four pairs.
c) IP (TCP/ICMP/UDP) requires bidirectional flow for handsha
Re: (Score:2)
(Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).
Or hit the actual turbine with a $5 wrench.
Re: (Score:2)
PLC security? (Score:1, Interesting)
I work with PLCs (Programmable Logic Controllers like the article mentions) and to be honest it's news to me that they even HAVE security.
Most PLCs will accept any data table read/write, any programming command and any firmware update without any authentication whatsoever. Also the SCADA system (the visualisation system which talks to the plant's PLCs) will typically run on Windows XP, usually without any service packs/patches, no antivirus, and often the Windows firewall disabled. "Security" on a SCADA is
32 comments and no mention of Stuxnet? (Score:2)
Clearly, the real embarrassment here is that the DoD is using these vulnerabilities to kill Iranian centrifuges. I don't have a problem preventing Iran from having nukes, as I think they should not ever have them. However with the recent "cyber security" announcement that digital hacking can be considered an act of war, I wonder if we'd have come to the same conclusion if we were in missile range of Iran.
Releasing these hacks could have unintended consequences. Imagine if some hacker group used them for the
Security 101 (Score:3)
Re: (Score:3)
"You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time given to repair the fault."
I'm sorry , what? Seriously?
So you release details of a vulnerability which you've discovered and its "not your fault" if someone then uses it after you've decided on some arbitrary length of time the manufacturer needs to fix it?
Okay, riiight.
You my friend need to take off your rose coloured teen hacker
Re: (Score:2)
Re: (Score:2)
What an utter crock of shit. No wonder you posted AC.
Re: (Score:1)
Re: (Score:3)
I hate to break it to you, but that horse left the barn years ago. The data from these systems is much too valuable and companies that would follow your advice would be at a large competitive disadvantage. That being said, these systems should still be protected with multiple layers of security. I work on SCADA systems and there are multiple security measures such as no default gateways and no less than three firewalls between the SCADA system and the Internet, but it is required that it be connected. F
Yes, but (Score:2)
Re: (Score:3)
This statement always annoys me, because people seem to be assuming that the only way into a network is through the web server or something. If I wanted into someone's network I'd plug into the guard shack at the gate, or a meeting room if I could get into the building. To attack a SCADA system all I would need to do is jump a fence into a substation. No one is watching those cameras, they're for forensics to go after copper thieves.
Want to get into most supposedly '
Re: (Score:1)
Re: (Score:2)
hi (Score:1)
Only Defense Against This = Open Source the world (Score:1)
These folks need to go open source.. for the safety of the world!
In fact.. go one step further and have all governments of the world require all public infrastructure to only be run on open source systems. This is our only hope of staying ahead of terrorists. This same type of problem (and need) has also been seen in the problems with US electronic Voting Booth. The recent RSA seed + proprietary algorythm lead has proven that closed source = security risk. Wake up politicians!
Tweeks
What about the others (Score:2)
I am thinking of the Modicons and Allen Bradley PLCs around the world.
On the PLC5 and the SLC-500, security (if set) was generally an afterthought and then normally used to keep factory floor folk out of the PLC. I know because I knew where to find the text-encoded password in the memory dump files.
The ControlLogix was a similar open book - rarely if ever secured. Then again, you could get on the backplane via the ENBT adapter and then talk directly to any card in the system including the SERCOS cards an
Re: (Score:2)
Security in IA (Industrial Automation) land has traditionally been isolation ("We are an island. No data comms in or out.") and physical (To keep out those pesky tool using primates).
It doesn't help that critical infrastructure (CI) is also forklift upgraded anywhere between 10-25 years, depending upon the environment. Infosec was not even on the radar back in the day.
Things are changing for the better, but there is still a significant gap between the current state of affairs and where it should be. The big
Re: (Score:2)
Re: (Score:1)
Arduino option? (Score:1)