
Siemens Fixes SCADA Flaws

Soulskill posted more than 3 years ago | from the and-so-soon dept.

Security 36

itwbennett writes "Siemens has fixed a pair of bugs in its S7-1200 controller, which is used to control machines on factory floors, power stations and chemical plants. The bugs were discovered earlier this year by NSS researcher Dillon Beresford, who planned to disclose the bugs at Black Hat in August. The US Department of Homeland Security said that Siemens' patches fix 'a portion' of the problems Beresford has discovered and that it 'continues to work with Siemens and Mr. Beresford on the other reported problems.'"


36 comments


Cool (1)

SheeEttin (899897) | more than 3 years ago | (#36408796)

Cool. Glad to see they fixed it in short order. I am anxiously awaiting the time when these fixes are put in place. I'll set my clock for... 7 years. That should be enough.

Re:Cool (1)

jhoegl (638955) | more than 3 years ago | (#36408894)

But... but that's when the 2024 bug scare will start.
No one wants to see robotic arms start killing humans because they think it's 1924 and they should exist, thus making them go crazy.

Re:Cool (1)

slashqwerty (1099091) | more than 3 years ago | (#36409060)

I am actually quite surprised. I fully expected Siemens to hand the guy some hush money so he would cancel his presentation. This could be the first time in years that the black hat conference has run without canceling a controversial presentation.

Re:Cool (1)

drinkypoo (153816) | more than 3 years ago | (#36410706)

Cool. Glad to see they fixed it in short order

Do I detect a note of sarcasm? Say, wasn't this talk already delayed to give Siemens time to find their ass with both hands and a map?

drinkypoo we detect cowardice & trolling from (0)

Anonymous Coward | more than 3 years ago | (#36410738)

http://tech.slashdot.org/comments.pl?sid=2225174&cid=36390518 [slashdot.org]

The funniest part is that when you search google for slashdot site queries on drinkypoo, all of these questions drinkypoo runs from show up.

(Hilarious: You're exposing yourself to the planet as a troll, drinkypoo, just by running away from that question in the link above).

Re:drinkypoo we detect cowardice & trolling fr (0)

Anonymous Coward | more than 3 years ago | (#36411360)

Why don't you two get a room?

More fun to watch drinkypoo run (0)

Anonymous Coward | more than 3 years ago | (#36413462)

like the trolling coward he is

Firewalls (1)

IntentionalStance (1197099) | more than 3 years ago | (#36408868)

SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Re:Firewalls (-1)

Anonymous Coward | more than 3 years ago | (#36408940)

SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Didn't help the Iranians. Wouldn't help anyone else either.

Re:Firewalls (1)

Anonymous Coward | more than 3 years ago | (#36408992)

so...not an air gap, then.

Re:Firewalls (0, Insightful)

Anonymous Coward | more than 3 years ago | (#36409004)

Don't forget the set of firewall exceptions that allow management to access the controls remotely through Windows Remote Desktop.

If it's not an air gap, it's never good enough.

Re:Firewalls (2)

aix tom (902140) | more than 3 years ago | (#36409898)

Good luck getting Windows to run on 2560k, which is the memory the biggest of those things have.

I also have seen Windows for x86, x86_64, Itanium and in the NT4 days for Alpha processors. Never for, say, 315T-2 DP processors.

The most likely attack vector here would not be a network to the device itself; it would be something that infects the Windows (or, in some cases, still DOS) notebook that is carried around the plant and plugged into the serial port for software updates and maintenance.

Re:Firewalls (1)

sjames (1099) | more than 3 years ago | (#36412104)

The SCADA controllers are managed by software that runs on a Windows box. That box is connected to the SCADA network. Often, that box is also connected to the internet through a firewall. Better hope they don't poke too many holes in the firewall for the convenience of management, such as allowing remote desktop.

Re:Firewalls (0)

DarthBart (640519) | more than 3 years ago | (#36409016)

That's not "completely separate domain". That's "same domain with some sandboxing".

There's still the chance of some prick tossing sand in from the other box.

Re:Firewalls (3, Interesting)

thegarbz (1787294) | more than 3 years ago | (#36409130)

There's still the chance of some prick tossing sand in from the other box.

If there is then you haven't set it up properly. These aren't enterprise firewalls designed to allow maximum user friendlies while limiting a small set of nasties from entering from the outside. These are default deny all, and on a very select case by case basis allow one way data back out to certain machines on certain ports.

This is several layers deep in a corporate network, the firewall gear is not part of the standard package, the data historian or other products that rely on data from the process networks are not part of a standard package, so you'd need to penetrate in at least that far just to see what you're up against next. To get through something like this you would need to know details beforehand.

For any attack like this to be feasible you would need rather large amounts of inside information. If you're that close to the inside information, chances are you're within touching distance of the control system itself, in which case nothing is usually safe.

Re:Firewalls (1)

IntentionalStance (1197099) | more than 3 years ago | (#36409176)

Correct

The default position will be that nothing, and I mean nothing, in the corporate domain will be able to open a TCP connection to anything in the SCADA domain.

And the guys in charge of this will take it all the way to senior management if you even look like you are thinking of breaking this rule.

And you'll have to sign some serious career-limiting documents before the guys in suits will sanction this.

Or at least that's how it's been at the places I have worked where they have SCADA networks; my specialist topic is data integration, so I tend to bump into these issues fairly often.

Re:Firewalls (1)

jroysdon (201893) | more than 3 years ago | (#36409328)

That's correct. The executives with their neck on the line won't go for it because if it is a misstep NERC/FERC will be all over them with fines and audit spot checks forever.

The best solution is to not connect SCADA systems with IP to any external network, firewall or not. Serial-based RTUs are totally acceptable to pass data and isolate networks from IP and most of the problems there.

The next level of protection needed in SCADA is protocol-specific command-by-command firewalling (ICCP, DNP3, etc.) of key hosts. There are a few vendors, but this is a very green, very niche market. However, this would allow for protection of PLCs and "less-smart" devices that are more easily abused (think Stuxnet), even within the secured SCADA networks.
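To make the "command-by-command firewalling" idea concrete, here is an added example (not from this thread, and not any vendor's product) of the inspection such a filter has to do for DNP3: parse the link-layer frame, verify the CRC-16/DNP checksums, pull the application-layer function code out of a single-fragment request, and allow or drop per source station. The station addresses and the policy table are constructed for illustration; the function-code values and the frame layout follow the DNP3 specification (IEEE 1815).

```python
"""Command-level allowlisting of DNP3 requests (added example, constructed policy)."""
import struct

# DNP3 request function codes (IEEE 1815); only the ones used here are listed.
FC_READ = 0x01
FC_WRITE = 0x02
FC_SELECT = 0x03
FC_OPERATE = 0x04
FC_DIRECT_OPERATE = 0x05
FC_COLD_RESTART = 0x0D
FC_WARM_RESTART = 0x0E

LINK_START = b"\x05\x64"  # every DNP3 link frame starts with these two bytes


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, reflected, final XOR 0xFFFF."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return (~crc) & 0xFFFF


def build_request(src: int, dst: int, function_code: int, payload: bytes = b"") -> bytes:
    """Build a minimal single-fragment DNP3 request frame (constructed test input)."""
    # transport header FIR|FIN seq 0, application control FIR|FIN seq 0, function code
    user_data = bytes([0xC0, 0xC0, function_code]) + payload
    length = 5 + len(user_data)  # control + dst + src + user data; CRCs are not counted
    # control 0xC4: DIR=1 (master->outstation), PRM=1, link function UNCONFIRMED_USER_DATA
    header = LINK_START + bytes([length, 0xC4]) + struct.pack("<HH", dst, src)
    frame = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):  # user data is sent in 16-byte blocks, each CRC'd
        block = user_data[i:i + 16]
        frame += block + struct.pack("<H", crc_dnp(block))
    return frame


def parse_request(frame: bytes):
    """Return (src, dst, function_code); raise ValueError on anything malformed or corrupt."""
    if len(frame) < 10 or frame[:2] != LINK_START:
        raise ValueError("not a DNP3 link frame")
    header = frame[:8]
    if struct.unpack_from("<H", frame, 8)[0] != crc_dnp(header):
        raise ValueError("link header CRC mismatch")
    length, control = frame[2], frame[3]
    dst, src = struct.unpack_from("<HH", frame, 4)
    if length < 5:
        raise ValueError("bad length field")
    if not control & 0x40:  # PRM=0 means a secondary-station reply, not a request
        raise ValueError("not a primary-station frame")
    user_data, pos, remaining = bytearray(), 10, length - 5
    while remaining > 0:
        n = min(16, remaining)
        block = frame[pos:pos + n]
        if len(block) != n or len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        if struct.unpack_from("<H", frame, pos + n)[0] != crc_dnp(block):
            raise ValueError("user data CRC mismatch")
        user_data += block
        pos += n + 2
        remaining -= n
    if len(user_data) < 3:
        raise ValueError("no application header")
    if user_data[0] & 0xC0 != 0xC0:  # not FIR|FIN: the function code may be in another fragment
        raise ValueError("multi-fragment request: cannot inspect without reassembly")
    return src, dst, user_data[2]


# Constructed policy: DNP3 source address -> function codes that station may send.
POLICY = {
    1: {FC_READ},                         # historian gateway: read-only polling
    2: {FC_READ, FC_SELECT, FC_OPERATE},  # control-room HMI: reads plus select-before-operate
}


def decide(frame: bytes, policy=POLICY) -> str:
    """Return 'allow' or 'drop: <reason>'. Fails closed on anything it cannot parse."""
    try:
        src, dst, fc = parse_request(frame)
    except ValueError as exc:
        return f"drop: {exc}"
    allowed = policy.get(src)
    if allowed is None:
        return f"drop: unknown source station {src}"
    if fc not in allowed:
        return f"drop: station {src} not permitted function code 0x{fc:02X}"
    return "allow"


if __name__ == "__main__":
    for who, fc in ((1, FC_READ), (1, FC_DIRECT_OPERATE), (2, FC_OPERATE), (2, FC_COLD_RESTART), (7, FC_READ)):
        print(who, hex(fc), decide(build_request(who, 10, fc)))
```

The point of the fail-closed branches is that a command-level filter that cannot fully parse a frame (bad CRC, truncated data, a request split across transport fragments it has not reassembled) must drop it rather than let it through; a filter that only matches port numbers, as in the "Swiss cheese" firewalls described elsewhere in this thread, cannot tell a READ poll from a COLD_RESTART at all.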

Re:Firewalls (1)

thegarbz (1787294) | more than 3 years ago | (#36410322)

Serial is fine for many smaller projects such as control of a couple of turbines, but it breaks down quickly as the data points scale up. For a small partial-upgrading refinery you won't have the bandwidth to get the required data out of the DCS into a historian, and a protocol that can run over TCP becomes close to your only option, the most popular being OPC.

Re:Firewalls (0)

Anonymous Coward | more than 3 years ago | (#36413312)

And OPC doesn't play nicely with firewalls. At least, legacy OPC.

Re:Firewalls (0)

Anonymous Coward | more than 3 years ago | (#36409528)

If it's connected, you're doing it to pass traffic somewhere. If that's the case someone will figure out a way to use it as a communication channel if they think hard enough about it.

Re:Firewalls (2, Interesting)

Anonymous Coward | more than 3 years ago | (#36409200)

In my experience, vendors of SCADA management tools are never able to tell me exactly which firewall ports need to be open to enable their applications to work. Most firewalls end up looking like Swiss cheese (enabling all communications from one IP address to another).

Good luck with your security ... It usually takes about 2 firewall hops to go from the internal Internet connected network to the SCADA network.

Most of those management servers are now web-based (or web services based), but are never tested for web application security.

Re:Firewalls (1)

DerPflanz (525793) | more than 3 years ago | (#36409804)

When we install S7's (with our own SCADA/visualisation solution) we insist that we have VPN access from our offices, to ensure the SLA and reaction time guarantees.

So, yes, separate networks, but certainly not completely off the internet. The separation of networks is mostly a performance and reliability measure (you don't want NetBIOS, ERP and web browsing traffic on the industrial LAN), not about security.

Re:Firewalls (1)

RobinH (124750) | more than 3 years ago | (#36409912)

SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Thanks for making me snort my coffee. Two problems: a Siemens S7 PLC is a PLC, not a SCADA system. They are extremely different things. It's like confusing a toaster and a kitchen. Everyone seems to miss this. Problem two: while up until a few years ago PLCs didn't have network connectivity, so they couldn't be connected to Ethernet (they now routinely are), SCADA systems are almost all Ethernet capable, and in my experience they are rarely even put on a separate VLAN, much less behind a firewall. Besides, Stuxnet was designed to spread via USB thumb drives and laptops, which are used by everyone in industrial control systems. In my experience, control systems are the least secure systems on the planet, which is scary because they control stuff in the real world! If you want to follow the (very sad) security state of industrial control systems, follow ICS-CERT [us-cert.gov].

It must have been difficult. (1)

iiiears (987462) | more than 3 years ago | (#36408928)

Thousands of lines of code on likely more than one type of hardware. (Did they audit their compiler?) We are obliged to rely on technology from womb to tomb; I hope they get better quality assurance in place.

"Some" (4, Insightful)

symbolset (646467) | more than 3 years ago | (#36408962)

The headline is missing the word "some" somewhere in it.

Re:"Some" (1)

iiiears (987462) | more than 3 years ago | (#36408986)

Funny. It escaped me that some flaws are beneficial. This was leveraged to save lives. - Technology is surprises.

Re:"Some" (1)

symbolset (646467) | more than 3 years ago | (#36409014)

Stop that. We like to pretend.

http://www.rakhiworldwide.com (-1, Offtopic)

rakhi11 (2255180) | more than 3 years ago | (#36409196)

Relationship between you and your siblings never gets old, and Raksha Bandhan flags eternity of this emotion filled relation. RakhiWorldwide.Com pays its heartfelt homage to reflect the spirit of this auspicious event. Visit us at www.rakhiworldwide.com to know more.

I hope (0)

Anonymous Coward | more than 3 years ago | (#36409446)

I hope the researcher said:

Sure I'll postpone disclosure. If you pay me what you should have paid someone to do the amount of work I did.

But he probably didn't.

S7-1200 is a very low end plc, and only very new. (1)

Anonymous Coward | more than 3 years ago | (#36409782)

The S7-1200 would never be used in a power station; it's too low end, and very new.
I wouldn't use it for anything more than a packaging machine.
It's the model that is less than $1000 US.

Re:S7-1200 is a very low end plc, and only very ne (0)

Anonymous Coward | more than 3 years ago | (#36412430)

The S7-1200 would never be used in a power station; it's too low end, and very new.
I wouldn't use it for anything more than a packaging machine.
It's the model that is less than $1000 US.

There are vulnerabilities in the protocol as well which allow an attacker to do the exact same thing to the S7-300 and S7-400, which are used in power stations. The S7-1200 uses the same protocol (i.e. replay attacks) as the S7-300 and S7-400. Expect much more... The researcher is sitting on way more than what he disclosed. I saw a presentation he gave at a hacker space in Austin, TX. He was controlling every aspect of the PLC. It was like Stuxnet on steroids! Siemens is obviously trying to keep the issue with the 300/400 quiet so they don't get pwned.

Re:S7-1200 is a very low end plc, and only very ne (0)

Anonymous Coward | more than 3 years ago | (#36417054)

Try $100 with built-in Ethernet.
Compared to an S7-400, it is nothing but a smart relay.

Siemens... (0)

Anonymous Coward | more than 3 years ago | (#36409840)

...bribing politicians [wikipedia.org] since 1847.

Attacking the Grid (0)

Anonymous Coward | more than 3 years ago | (#36410696)

"For example, in March, Rubén Santamarta notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product. ICS-CERT forwarded the vulnerability information to BroadWin. Unfortunately, BroadWin was not able to validate the vulnerability and said it was false. So Mr. Santamarta publicly released details [reversemode.com] of the vulnerability including exploit code". link [actualsec.com]

Siemens Fixes SCADA Flaws 29 (0)

Anonymous Coward | more than 3 years ago | (#36411490)

This information is really helpful. visit my website" [alljobsbd.com]
