Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Researcher Claims Siemens Lied About Security Bugs

samzenpus posted more than 2 years ago | from the pants-on-fire dept.

Security 46

chicksdaddy writes "A month after an unknown gray hat hacker calling himself 'pr0f' used a three character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability."

cancel ×


Sorry! There are no comments related to the filter you selected.

w00t (-1, Flamebait)

omems (1869410) | more than 2 years ago | (#38454414)


Look! (-1)

Anonymous Coward | more than 2 years ago | (#38454416)

Another story! What's going on today?

First pony (-1)

Anonymous Coward | more than 2 years ago | (#38454422)

Woo whooooo ponies!!!111

Re:First pony (-1)

Anonymous Coward | more than 2 years ago | (#38455790)

More like wieners.

Lose the remote... (3, Insightful)

LostCluster (625375) | more than 2 years ago | (#38454440)

The main problem these things have is that there's nothing more than password authentication protecting them from any random user getting in, and sometimes leak or get guessed.

For this kind of access there should be a technician dispatched to the site... no remote login should be allowed. Water control is a lot like Enron's electricity control in that a wipeout of any size can cause a complete mess of a local economy.

Re:Lose the remote... (1, Flamebait)

Endlisnis (208453) | more than 2 years ago | (#38454912)

Welcome to the past, where everything is done manually! People are not interested in doing things in person, even important things. [Americans] want to bank online, have sex online, delouse their children online, purchase a home online, elect their officials online and everything else worth doing. Doing things is for suckers, but clicking a web-page and having something done FOR you is for winners.

Re:Lose the remote... (0)

hairyfeet (841228) | more than 2 years ago | (#38455920)

But you could have your cake and eat it too in this instance can't you? Because at least to me, and I'm not a security expert so I may be missing something, that this would be a perfect use for smartcards or those USB dongles we had to deal with back in the day. Then you can have two factor authentication by having them plug in the smartcard or dongle AND have to input the password so unless someone managed to hack SSL AND the encryption used by the dongle AND get the password it wouldn't work, correct?

Re:Lose the remote... (4, Insightful)

plover (150551) | more than 2 years ago | (#38456206)

I don't know about your community, but mine complains incessantly about taxes. If we had to have full-time SCADA engineers guaranteeing on site support 24x7, we'd have to pay more for water, sewer, gas, electricity, street lights, traffic control signals, and all those other industrial controllers that are hidden under little green boxes on the side of the roads.

And I live in a large, wealthy city that could afford such amenities. I'm picturing the poor bastards in Bumfuck, Idaho*, population 174, located three hours from the nearest grass-strip airport. Who exactly is going to monitor their town water pump and filtration plant? Are you and every other taxpayer going to agree to pony up an extra $500/year to have a SCADA engineer sitting in the town bar all day and night, just waiting for your pump to croak? Or are you going to contract with to remotely monitor and maintain your plant, and possibly fix issues in minutes instead of days?

I'm not saying that they should just plug it into the internet and walk off. But disconnected isn't even an option for a lot of installations.

*My apologies to any fatherless indigents living in or near Bumfuck, Idaho. I'm sure you're all very nice people.

Re:Lose the remote... (0)

Anonymous Coward | more than 2 years ago | (#38457530)

Yeah that or society may wake up and not allow mangers to get rich on stuff the country needs to run.
The bonuses some of the guys get would pay for a handful of engineers, 24/7.

Re:Lose the remote... (0)

Anonymous Coward | more than 2 years ago | (#38457876)

You are right, accessing remote systems is often required if you want to do things in cost efficient manner. Although not is this case, but when you have systems that spread over large areas, such as an electric grid or water pipeline, you just can't afford to get (with a helicopter) someone onsite all the time. But on the other hand skimping on security is not an excuse. Posing anonymously, because I am in the same building and have read access to the code... The good news is that there now is a "task force" to implement security... Let's see how that plays out...

Re:Lose the remote... (1)

inhuman_4 (1294516) | more than 2 years ago | (#38459110)

The problem is not that they allow remote access. That is obviously useful. The problem is that they rig the thing up on the internet, sans firewall, where anyone can hammer away at it.

I don't see any reason why a company cannot run all of these systems through a a VPN where only the only people allowed on the VPN is the engineers who need to be. I suspect they they don't do this simply because they are lazy or incompetent.

Re:Lose the remote... (1)

LostCluster (625375) | more than 2 years ago | (#38460760)

A VPN is usually only protected by a password or maybe a stored secret which is just a more complex password. There needs to be better authentication such as calling headquarters, being recognized by voice, location, and password and then having them agree your move makes sense before it's put into play.

Re:Lose the remote... (0)

Anonymous Coward | more than 2 years ago | (#38462758)

My VPN is protected by exchanging a pass phrase protected public key held by the client. I'm not sure how easy it would be to get this, and even if you had it you'd need to use the pass phrase.

Re:Lose the remote... (1)

gl4ss (559668) | more than 2 years ago | (#38459958)

if you don't even need a password, there's no password authentication on the actions taken on the server even..

Siemens sucks (0)

Anonymous Coward | more than 2 years ago | (#38454464)

Iff the rest of their company sucks as badly as their professional services group, color me unsurprised.

Re:Siemens sucks (1)

thsths (31372) | more than 2 years ago | (#38457614)

You misunderstand Siemens. It used to be a great electrical company, but nowadays it is an investment bank. What sets it apart from other investments banks is that they deal in technology (and foreign exchange), and they have a very good understanding of technology. The production/engineering/service segments are really just used for better investment leverage. That does not necessarily mean that the engineering sucks, actually some of it is brilliant. But either way it is not as relevant as it may seem.

Re:Siemens sucks (2)

Almost-Retired (637760) | more than 2 years ago | (#38458784)

No, I don't think they "have a very good understanding of technology"

Many moons ago, when I setup my first NATed local network here, I bought a Siemans router. I set it up with a 12 character PW for admin purposes, the maximum it would allow. It was rooted and bricked 3 days later. If it was that easily attacked, I sure as hell didn't want it and took it back to Circuit City. They agreed, and weren't surprised that it came back.

So I next brought home a Linksys BESFR41, which in a pinch I can still use. But it was eventually replaced with dd-wrt running on an old x86 box, whose radio never worked despite registering it, so now I have a netgear something or other whose radio used wpa2 with about a 120 char passphrase, and Just Works(TM).

Maybe things have changed in the last decade, but I personally don't use the word Siemans and technology in the same sentence.

Now, for the person who used Bumfuck, Utah as an example, what makes you think they would have anything more sophisticated than a pressure switch, adjusted for the height of the water storage tank, to control their water pumps?

Sheesh, that ain't high tech, needing a computerized system to run it. The town clerk probably goes around reading the meters & sending out the bills on an old pentium powered box running winderz 3.1 from floppies, likely without any connection except the printers parport cable.

So Bumfuck, Utah's water supply is not subject to a terrorists attack via this here intertubes, and far safer than any bigger towns that is all "modern & computerized".

Cheers & a merry Christmas to all, Gene

Huh. (3, Insightful)

jd (1658) | more than 2 years ago | (#38454502)

I seem to remember seeing SCADA vulnerabilities being added to vulnerability testing tools and IDS systems recently -- anyone know if this is related (ie: the tools now check for these non-existent flaws) or if the additions were to cover previously-reported bugs?

If the former, Siemens had best fix this damn fast. Infrastructure companies are in a corner - they don't have the cash for a major migration and alternative vendors are hardly thick on the ground. Some will be unable to afford decent security and others will be too politicized to secure their networks. Much of the infrastructure is too big and/or too expensive to duplicate, so the market is useless. The only place this can be fixed is at Siemens itself. The others that technically could won't and the rest can't.

The problem with the current paranoia over security is that you can't fix a fault you won't admit exists, companies won't deploy a fix if you tell them it's not needed, and so what you're ultimately left with is not security, merely obscurity.

Re:Huh. (1)

Anonymous Coward | more than 2 years ago | (#38454806)

ISS started adding SCADA checks to it's Proventia line and it's scanner right around the Stuxnet publications. But, it's hard to test or verify the information. So, they basically have to fake it. Which sucks, because often how they claim something works is not how it really works. And, the only way to verify a problem with a related-check is when a customer files a report. Which again, they'll probably only bother in the event of a false-positive (they won't even look further if it's a false-negative). Basically, those checks are mostly worthless and I'm sure it's the same with their competitors.

Re:Huh. (2)

rahvin112 (446269) | more than 2 years ago | (#38455268)

The solution given the reality of Siemens is to simply disconnect these SCADA systems from the internet. Why anyone would hook up industrial controls to the wider network. And yes I mean every single workstation that has access to the SCADA machinery should be disconnected from the broader internet. If that means people need two computers on their desk that's the solution. If that means you have to dispatch someone to the office to fix things, that's better than some hacker causing a massive failure by mis-configuring valves intentionally or through ignorance.

I'll tell you something, these local municipalities can afford a little overtime and computers far more than destroyed infrastructure.

Re:Huh. (1)

Anonymous Coward | more than 2 years ago | (#38455360)

That works - right up until somebody hooks up a cross-over cable between two networks, or management says "It takes too long that way, just get it working, we'll fix it up when we get the budget."

You're absolutely correct that these systems shouldn't be on the Internet - shouldn't be reachable from the 'net, shouldn't even let workers plug in USB keys (or hard drives, or CDs, or ...). But unless and until there is criminal liability put in place for this sort of thing, it's just going to keep happening. Basic human nature. Security gets in the way, so security goes out the window, until something goes wrong ... and then security comes back in for six months (or the auditors go away), at which time it goes out the window again. (Or the auditors don't give a damn, they just want to check the box on their report. "Are backups being done?" "Yes, they're being sent to /dev/null." "Great! *tick*.")

The short of it is: every proposal to fix this must take human nature into account. Until that's done, we're pissing into the wind.

Re:Huh. (1)

jd (1658) | more than 2 years ago | (#38455422)

Precisely, and trying to shape human nature through regulation is where you run into the politicized nature of these environments. Yes, these systems should never be connected to the Internet (even by indirect means such as sneaker net) and yes fixing the problem must take human nature into account, but it must do so cleverly because applying the fix also involves human nature. That's a tough one.

Re:Huh. (1)

Kyusaku Natsume (1098) | more than 2 years ago | (#38457102)

The easier fix would be to provide a nice machine with almost fully open access to the web and/or internet, and a good enough machine to keep control of the SCADA system, that way you have your system operators happy, alert all the time and without any need to break security procedures.

Um, no, that's a BAD idea (4, Insightful)

gerf (532474) | more than 2 years ago | (#38455428)

The problem is not necessarily with Siemens. Industrial controls in general are not inherently meant to be accessible over large networks. They're designed to run reliably as they are, not with patches and updates. This applies to anything from Siemens/Fanux/Rexroth/Allen-Bradley/Mitsubishi to Cognex cameras to ABB/Fanuc/Kuka robots, or any little bastardized system in between.

Why not? Well, there is a ton of weird, unique software that runs on industrial controllers. They run some really embedded HMI (Human Machine Interface) software on top of, say, XP Embedded, or even NT4 or Win2k or some Linux flavor, or WinCE. If you start throwing out patches to those systems, there is a very very good probability that at some point, the system that you are updating will fail due to the update. Heck, Siemens updates regularly break its own software, much less Windows patches. If you try, and screw things up, you're forced to revert to some old dated backup or Ghost image stored in a filing cabinet on a CD-R or server if you're lucky. If you're not lucky, you call the vendor in to fix your broken system. Hopefully they are competent enough to have a backup from their last visit 6 years ago, and work from there, losing all your work in the meantime. So, you have machine downtime of hours, days, or even weeks if you're not lucky. How much does downtime cost? It depends on how many systems you took down, and the product. Conservatively, anywhere from $5,000 to $1,000,000 per hour.

What to do? You obviously can't push out patches. But, there is a lot of good that comes from monitoring machines, their productivity, uptime, faults, etc, remotely. By taking these systems off of an internal network, you also lose productivity in efficiency losses. So, you're forced to be the High Priest of IT and lock down a network like no other. No outside USB sticks, manufacturing firewalled off from the rest of the plant, and all kinds of restrictions that make users angry. It sucks, but it's possible. Unfortunately, small time manufacturers with their one part time learn-on-the-fly IT guy probably won't do it right. Perhaps this is where the DHS can come in to help, in the name of national security?

Re:Um, no, that's a BAD idea (1)

plover (150551) | more than 2 years ago | (#38456002)

The problem is not necessarily with Siemens.

The problem lies squarely with Siemens. They made the choice to build systems with expected design lifetimes of more than 20 years on top of platforms that have a known support lifetime of less than that.

Their needs for OS services are not great. They could have developed their own operating system. They could have bought a small embedded operating system that they would then support in-house. They could have licensed an open source OS such as FreeBSD. They don't need a GUI. They don't need audio support. They don't need to support eSATA drives or Bluetooth or mice or USB or nVidia or any of the thousands of drivers that Windows ships with by default.

Everything about these systems needing to be super-long-term stable has been known in this industry since the early 1980s. Their engineers have understood these principles for as long as SCADA has existed. They knew better than to pick a flavor-of-the-month consumer OS. And they still did it. I don't care if it was a manager who thought "Microsoft Windows programmers are a dime a dozen so we can do this on the cheap," or if the CEO was photographed in bed with a Microsoft swallow [] , they were responsible for the choice.

Siemens knowingly chose to build their entire SCADA empire on top of an insecure platform. And that is entirely their fault.

Re:Um, no, that's a BAD idea (1)

thsths (31372) | more than 2 years ago | (#38457640)

> The problem lies squarely with Siemens.

> They don't need a GUI.

Actually both is wrong. They need a GUI, and the problem is with the customers. The customers chose Siemens over some other SCADA solution exactly because it runs on Windows. Siemens made this decision very early on (I think in the NT4.0 days), and from a business perspective it is more successful then they could have imagined.

Technically it was wrong, I agree there, but would you rather go bust with the right technology or prosper with the wrong one? Because there were other big players in the market, using HP, Solaris etc. And they are all in trouble now both with the technology and with the business.

And to be honest, if you have an incompetent IT department, do you think they can secure an old version of HP/UX?

Re:Um, no, that's a BAD idea (3, Informative)

Twylite (234238) | more than 2 years ago | (#38457782)

You are ignoring the essential role of HMI in SCADA systems. A SCADA can acquire data and coordinate components without a UI, but operators cannot monitor a plant or take corrective action without an HMI.

The HMI is graphical and allows the operator to override normal operation in order to respond to abnormal situations. It needs all the input and output devices a normal workstation requires.

You are also ignoring the issue of data storage by SCADA systems, and the generation of reports on that data which are used by various business departments in real-time. A Manufacturing Execution System may provide real-time reports for sales staff so that they can give customers accurate estimates of completion/delivery dates. Orders are added to a queue and will be automatically executed by the SCADA. Stores will receive low-stock notices for just-in-time ordering. Line stops exceeding 2 hours will result in automatic escalation to the COO.

This level of automation brings huge business benefits. The business is more responsive to customer needs, and there are fewer manual steps involved in completing an order (leading to fewer mistakes, less waste, fewer unsatisfied customers). The downside is that the business network is directly connected to the MES and the SCADA in a manner that allows at least some commands to be issued (as opposed to having read-only access to a database). An air-wall is not possible.

So now you have PCs on the business network able to interact with a MES which is necessarily able to access the network with the SCADA and HMI. And there's a 100% chance that the business PCs have e-mail access, which means that somewhere there is a physical cable to the outside world.

They could have developed their own operating system

Yeah, because they have extensive expertise in OS development and oodles of cash to throw at the problem, and as we well know the available commercial and free embedded OSes never have bugs.

The problem is that the environment is not conducive to upgrades/patches and is hard to isolate logically. The economic reality is that for any given SCADA environment the risk* inherent in regular upgrades is larger than the risk of a malicious attack (for now).

* = (likelihood of event) x (cost of event), where cost includes recovery plus the direct and opportunity costs of downtime.

Re:Um, no, that's a BAD idea (1)

plover (150551) | more than 2 years ago | (#38459940)

I saw HMIs back in the early 1980s that were built on dumb terminals, with colored line drawings on a 25x80 screen, and the menu represented by a series of function keys listed across the bottom of the screen. There's even an ancient serial terminal in the North Star Building's elevator lobby in Minneapolis that still displays a curses-drawn picture of the elevator system operating. These screens are certainly adequate to graphically represent the systems they are controlling in a very understandable manner, and if you follow the links in TFA and take a look at those screenshot pictures the guy grabbed, those drawings that South Houston uses were not vastly improved by the addition of clip art pumps. Windows(TM) was not responsible for carrying lots of meaning to the operators.

I completely understand the desire for systems that are easy to access, that integrate better with the business, and the desire to maximize profits by selling cheap, off the shelf solutions. But even back when they were switching to Windows NT in the mid '90s, security was a prominent issue. Viruses were widespread. Engineers were appalled that people were going to use Windows in various real-world system controllers. And Microsoft had long established the practice of periodic upgrade paths, requiring newer and bigger hardware to keep up. Every one of these problems was well known and understood to present a real risk, yet they did it anyway.

Even picking a different commercial graphical OS would have helped somewhat. Heterogeneous systems have an inherent resistance to accidental security problems, and provide a good buffer against stupid malware problems like Windows viruses. Of course, we know heterogeneity did not save Iran from Stuxnet. Stuxnet's Windows payload knew how to cross the boundary and attack their SCADA network, too. But the non-physical attack surfaces of the SCADA controller could have been realistically reduced to almost zero on a proprietary OS. The Windows XP controller they ran was Swiss cheese, and was penetrated by 4 different zero day exploits, including both network and USB vectors. Had that system been running QNX, for example, and loading new configurations via ancient bubble memory cartridges or paper tape (or even a simple serial cable), Iran would probably still have their enrichment plant up and running at full capacity.

Siemens could probably even keep their current sketchy Windows systems as the controlling systems, if they were to be just a tiny bit smarter and place a firmware-based firewall in front of any system updates. A tiny microprocessor program running on an embedded platform could operate the USB port they upload new programs into, then transmit those programs onto the controller via serial cable. One very simple, fully verifiable service could listen on that serial port, and fully validate every byte of input before allowing any of it to be stored. While this wouldn't stop malicious machine code being delivered, it would prevent the real time hijacking of the controller itself.

Re:Um, no, that's a BAD idea (1)

gl4ss (559668) | more than 2 years ago | (#38460010)

embedded operating system wouldn't have helped.. when network was never meant to be attached to public internet in the first place.

Re:Um, no, that's a BAD idea (1)

plover (150551) | more than 2 years ago | (#38464534)

embedded operating system wouldn't have helped.. when network was never meant to be attached to public internet in the first place.

A custom embedded OS, one they could maintain themselves, would have helped tremendously in preserving the longevity of the investment. If the controllers back then had 8MB of RAM, they simply would not have added crap to their OS patches making them require machines larger than 8MB. They had full control of the hardware (they were building it, after all.) An embedded OS could have been maintained for many decades while remaining within the 8MB constraint of their oldest systems. Windows, on the other hand, set the standard for needing ever increasing amounts of RAM on a very short cycle, which no hardware available in 1995 could currently contain.

Building a factory is a giant company-risking investment. It's an all-in bet with the expectation of many years of future sales paying off the mortgage. As such, many of the systems they're built with don't change over a long period of time. I know of a machine shop that is still running equipment originally built to make parts for the second world war. Over the last 15 years the owner has slowly been converting the cam driven equipment to CNC control, but that's a very expensive investment for a small business. When you're creating a system that you know could last 60 years, making a choice of OS that has had no example of support lasting more than a decade is irresponsible. Companies like Siemens are why Microsoft has offered extended XP support all the way until 2014 [] , but that's little consolation to anyone who expects their Siemens equipment to last until 2050.

Re:Um, no, that's a BAD idea (1)

catmistake (814204) | more than 2 years ago | (#38458972)

The problem is not necessarily with Siemens

Hackers certainly aren't to blame. Generally ranting here, but what I've seen make headlines is the 'hacker' (definintion in contention) equivalent of waking up one day and finding water all over your bathroom and realizing someone's been in there splashing water everywhere. Besides the overreaction to all it is, which is just annoying and expensive (time) is the overengineering to prevent it from happining again. Serious people seriously doing serious work seriously... we are the easiest marks. These kinds of 'hacks' and interested perpetrators are just as susceptable as the bathroom will always be to breaches using the same bag of tricks against the 'hacker.'

This is why marketing should merge with IT. Using well established PR techniques, and without having to waste time ever expensively fixing code that kind of already works; all that is necessary is to campaign against the personality, individual, group of individuals, activity or even thought of activity that actually utilizing that or any security holes is whatever we say it is. Besides distraction or diversion, another possible stacked method is to draw attention to a scapegoat, and the security researcher (or loosely put, 'hacker') could be used, as could any thing/one. To illustrate an example, if the view of doing anything unorthodox could be coaxed into sharing the reactions to other or all unorthodox activity, then anyone that finds a bug or any activity possible beyond that could share the same public condemnation of the pedophile, date-rapist or whathaveyou. Point being, from a business perspective, manipulating people is far less expensive than manipulating code. IT is all about work smarter not harder. If breaching code can cast a dubious new quality of 'insecure' on a system, then its valid to say that if breaching code were socially uncool enough, individuals wouldn't engage in it anymore. To prevent governments from doing it, the method we know that works involves leaking footage of them relentlessly spying on us [] , which explains all the water everywhere.

Re:Huh. (0)

Anonymous Coward | more than 2 years ago | (#38456774)

The only place this can be fixed is at Siemens itself. The others that technically could won't and the rest can't.

Can't the problem be at least mitigated by inserting a micro-firewall between insecure SCADA and the internet? I'm thinking linux wall-wart or cheap router with open firmware ala dd-wrt to implement key-based encryption, certs, a VPN or something similar. Such units could be banged out by the thousand by third parties. You are left with the whole key maintenance mess, but I think it would, on balance, be a win.

Re:Huh. (0)

rioki (1328185) | more than 2 years ago | (#38457920)

You are totally right. These systems where not designed to be accessible from the internet. They have a bunch of "usability" stuff in there to make configuration easier. As it turns out easier also means unsafe. If you ever read the security recommendations, you will learn that these systems, especially the Ethernet enabled PLCs are to be confined in a closed network. (The non Ethernet PLCs use Profibus and Profinet and you can't hook up that to a simple router.) The remote monitoring systems are also not considered inherently "safe", you are supposed to only use them in a trusted local network. The setup of the plant skimped on that issue (or a sales guy said it was OK).

pr0f exploit a hoax? (1)

Anonymous Coward | more than 2 years ago | (#38454686)

I may misremember things, but wasn't the whole water-treatment plant 'hack' a legitimate worker logging in from his holiday in Russia, and some wannabe hacker claimed responsibility with fake screenshots?

Re:pr0f exploit a hoax? (0)

Anonymous Coward | more than 2 years ago | (#38455084)

That was a mechanical water pump failure in Illinois (Chicago IIRC), this was a water treatment plant (or something) in Texas.

Re:pr0f exploit a hoax? (3, Informative)

Em Adespoton (792954) | more than 2 years ago | (#38455152)

That was a different water-treatment event; in fact, it's the one that prompted pr0f to pull his attack, because nobody was taking the security holes seriously: []

Verticle markets (1)

U8MyData (1281010) | more than 2 years ago | (#38455032)

I has been my expereince that many verticle market applications are poorly written with security being the least of their concerns. Now that *everything* is seemingly connected, extended and exposed to the internet it is only compounding the problem. Security needs to be built in to the core development tools tightly in order to stop these kind of things from happening. The last thing an application developer wants to worry about is security getting in the way of his/her code development. If I see another VB6 app out there I am going to, well, it's not pretty.

Re:Verticle markets (1)

Anonymous Coward | more than 2 years ago | (#38456108)

If I see another VB6 app out there I am going to, well, it's not pretty.

You is go horizontle?

SCADA is internal stuff (0)

Anonymous Coward | more than 2 years ago | (#38455120)

SCADA systems (Simatic or any other) should not be accessible from outside the plant.
Agreed that security needs revamping, but the main point here is that the plant control system is accessible from outside. That's the main problem, it should never be like that. You don't give access to a banks db's from outside its offices, don't allow access to missile launchers from the internet, so why on earth are people connecting a water plant control system to the internet?

Re:SCADA is internal stuff (1)

KXeron (2391788) | more than 2 years ago | (#38456352)

The huge problem is that the CEOs and other management of industries do not understand, nor do they want to understand security. They want the SCADA systems to be online so HQ can check up on them without sending anyone out and without needing to contact any of the operators. They want to be able to audit certain parameters and such however don't want the added expense of running a physically airgapped network, they see the Internet as "convenient" and "cheap", the only things that matter to them.

This problem will not go away until management of these companies are personally held legally (I'd argue even criminally) responsible for malfunctions and intrusions as a result of an internet connected system.

Re:SCADA is internal stuff (1)

rioki (1328185) | more than 2 years ago | (#38457928)

Yes, they want that. But there are technologies to enable this over the network... Just use a VPN and be done with it. The requirement is legin, the execution was lousy.

Is it still lying if you don't know you're lying? (2)

arglebargle_xiv (2212710) | more than 2 years ago | (#38456782)

The OP claimed that Siemens lied about the security of their SIMATIC controllers, but don't you have to know you're lying in order to lie? Having dealt with Siemens over these things in the past (at one point we debated flying someone to Munich to club them repeatedly over the head until they realised there was a serious, showstopper flaw in their control system), it's quite probable that they genuinely believe that they're secure. We ended up using Allen-Bradley gear in the end, which also sucked, but not as much as the Siemens stuff.

Re:Is it still lying if you don't know you're lyin (1)

dropadrop (1057046) | more than 2 years ago | (#38457528)

The OP claimed that Siemens lied about the security of their SIMATIC controllers, but don't you have to know you're lying in order to lie? Having dealt with Siemens over these things in the past (at one point we debated flying someone to Munich to club them repeatedly over the head until they realised there was a serious, showstopper flaw in their control system), it's quite probable that they genuinely believe that they're secure. We ended up using Allen-Bradley gear in the end, which also sucked, but not as much as the Siemens stuff.

That could be used as an explanation to escape just about any lie.. :)

I guess the point is, that if a security researcher sends you detailed information on vulnerabilities in your system, then either don't answer, or give a decent reply. If after 6 months the Siemens guy was not lying it means they are not very competent. It's not like this was a complicated issue...

Re:Is it still lying if you don't know you're lyin (0)

Anonymous Coward | more than 2 years ago | (#38458002)

The OP claimed that Siemens lied about the security of their SIMATIC controllers, but don't you have to know you're lying in order to lie?

.. it's quite probable that they genuinely believe that they're secure.

In case of Siemens, it's security-through-fucking-impossible-to-configure method, also known as "don't touch it, ever, hope it works".

Big companies and lies.. (1)

GEEKS RULE!! (2534236) | more than 2 years ago | (#38456930)

It seem to me that big companies often think that they can get away with lying. And I suppose it's because it's such a big company that they think this.

It's not always the vendor (0)

Anonymous Coward | more than 2 years ago | (#38457160)

You can't blame the vendors as the sole culprit in this. A lot of the protocols that are industry standard, such as modbus, were invented long before security was a concern. They simply cannot stand up against modern hacking techniques. And until the industry catches up this will not change.

However this is a known issue and any competent engineer designing these systems accounts for the insecurities of these systems by requiring that the networks these devices sit on are isolated.

The biggest problem I've seen in the industry is that a lot of the companies that end up using these products go the cheap route whenever possible. So instead of laying down fiber optic cable or a radio link from the local dispatch office to a remote piece of equipment down the road, they opt to connect the remote system over the internet via consumer dsl service. Unbelievable really.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>