Beta

×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

ICS-CERT Warns of Serious Flaws In Tridium SCADA Software

timothy posted about 2 years ago | from the their-security-problems-are-scadalous dept.

Bug 34

Trailrunner7 writes "The DHS and ICS-CERT are warning users of some popular Tridium Niagara AX industrial control system software about a series of major vulnerabilities in the applications that are remotely exploitable and could be used to take over vulnerable systems. The bugs, discovered by researchers Billy Rios and Terry McCorkle, are just the latest in a series of vulnerabilities found in the esoteric ICS software packages that control utilities and other critical systems. The string of bugs reported by Rios and McCorkle include a directory traversal issue that gives an attacker the ability to access files that should be restricted. The researchers also discovered that the Niagara software stores user credentials in an insecure manner. There are publicly available exploits for some of the vulnerabilities."

cancel ×

34 comments

Sorry! There are no comments related to the filter you selected.

Of course, since it's SCADA... (1)

Anonymous Coward | about 2 years ago | (#41016309)

...these aren't machines you're hooking to the Internet. Right?

Re:Of course, since it's SCADA... (3, Funny)

Zlotnick (74376) | about 2 years ago | (#41016519)

Of course they aren't connected to the internet. They're connected to each other by unencrypted radio links.

Re:Of course, since it's SCADA... (2)

Sulphur (1548251) | about 2 years ago | (#41016725)

Of course they aren't connected to the internet. They're connected to each other by unencrypted radio links.

They do have checksums on the packets so that someone's garage door opener doesn't open a valve.

Re:Of course, since it's SCADA... (0)

Anonymous Coward | about 2 years ago | (#41018303)

Your valve opened my garage door you insensitive clod

Re:Of course, since it's SCADA... (1)

Sulphur (1548251) | about 2 years ago | (#41020079)

Your valve opened my garage door you insensitive clod

Did they steal your Maserati?

Re:Of course, since it's SCADA... (1)

tibit (1762298) | about 2 years ago | (#41018997)

Yeah, but a bunch of modbus stuff going over a radio link isn't exactly hard to spoof, ya know.

Re:Of course, since it's SCADA... (1)

mcgrew (92797) | about 2 years ago | (#41027299)

Why do I get images of Trinity blowing up a power station in that Matrix movie that sucked so bad?

Re:Of course, since it's SCADA... (2)

Alarash (746254) | about 2 years ago | (#41016701)

In the case of Stuxnet, the hackers aimed to infect all the computers in the Bushehr power plant. Eventually one got connected to a SCADA system and the main part of the virus kicked in (giving false readings while sending commands that'd break the system).

Re:Of course, since it's SCADA... (1)

binarylarry (1338699) | about 2 years ago | (#41016953)

You fool!

This is clearly Doc Ock back in action.

Poor Spiderman is probably too busy formatting his computer after catching a rootkit off Bing. :(

Re:Of course, since it's SCADA... (1, Informative)

wiredmikey (1824622) | about 2 years ago | (#41017005)

It's not really SCADA, it's different. SCADA is from Siemens, this is different and the Niagara Framework is used in places beyond big facilities such as power plants and factories. The Niagra framework reaches offices buildings, hospitals, airports and more.

http://www.securityweek.com/niagara-vulnerabilities-put-office-buildings-airports-hospitals-risk [securityweek.com]

That being said, this warning was originally issued back in July with ICS-CERT not really adding anything new in this warning.

-M

Re:Of course, since it's SCADA... (5, Informative)

superflex (318432) | about 2 years ago | (#41018119)

Sorry, what? It's not really SCADA? No, actually it's exactly SCADA.

SCADA is a general-use acronym, Supervisory Control And Data Acquisition. It has been in common use in the industrial control system world for at least 20 years. It is not a term specific to Siemens or any other control systems vendor. And it is not incorrect to apply the acronym to application areas like building automation; there can be a fair amount of overlap in system architecture, devices, & communication protocols between building automation and industrial manafacturing automation.

Source: 10 years experience as a industrial control systems engineer.

Re:Of course, since it's SCADA... (3, Insightful)

some old guy (674482) | about 2 years ago | (#41019813)

Mod Superflex up = Informative.

Every platform that I've ever worked with in 20+ years of industrial networking (yeah, I remember TISTAR over coax) has demonstrated it's own unique vulnerabilities that the vendors arrogantly ignore. The diligent engineer/integrator must, regardless of platform or deployment, be aware and take reasonable precautions.

Automation as an industry shares the same classic security handicaps as the internet and telecom industries: Careless users, badly written code, and low-budget management. We get paid to try to plug the holes.

Re:Of course, since it's SCADA... (0)

Anonymous Coward | about 2 years ago | (#41022335)

Having done a bit of work here myself, I can tell you my impression is this is exactly what you get when you have hardware engineers write code. Having software guys design your hardware is only slightly worse than having hardware guys write software.

Its pretty hard to find competent software engineers. Its far, far harder to find competent hardware engineers who can write production quality software.

As a software engineer, I've seen "production" software which literally turned my stomach. The problem is, most hardware guys tend to waaaay over estimate their coding skills and few seem to be even vaguely aware of anything approaching best practices for software development. Its amazing how much software is developed here without any form of revision control (RC) and/or configuration management (CM). Most of the hardware guys I've worked with, while they are aware of RC, they've almost never heard of CM. Worse, they tend to lack any type of formal process and testing usually equates to their declaration it appears to run.

Seriously hardware guys, hire some qualified software guys to things properly and stop fighting them. You have your discipline which I'm sure you do well. But frankly, your software skills suck. Let a software guy do his part and together you will tramendiously increase the quality of your products.

Re:Of course, since it's SCADA... (1)

inasity_rules (1110095) | about 2 years ago | (#41023999)

Uh, yeah. Not always. The issue is the software guys don't understand how the blasted plant works and tend to come up with unworkable solutions. I have seen this many times. This is why we have automation engineers who understand both. I have seen software engineers produce horrendous quality production software that has people's lives depending on it, simply because they don't understand what they're doing. They don't understand failsafe. To a hardware guy a off signal is no voltage or a broken wire. To a software guy its just a zero. The hardware guy works from failsafe. The software guy (in every case I have seen) assumes the signal is good. I could go on. The issue is the disconnect between software engineers and basic reality.

Then we get pushed complex and legacy solutions by the software guys (DCOM is hell on earth), you're standing in a plant and it has to run NOW!, so whats the easiest way out? Disable the bloody security. Thank goodness for some sanity in the form of OPC UA. No, keep the bloody software engineers out of anything mission critical thank you very much. I don't have time to keep rewriting their code to standard.

Re:Of course, since it's SCADA... (4, Informative)

_0xd0ad (1974778) | about 2 years ago | (#41017687)

Actually, it's designed to be web-facing [tridium.com] .

Niagara^AX is a software framework and development environment that solves the challenges associated with building Internet-enabled products, device-to-enterprise applications and distributed Internet-enabled automation systems.

Worse, this is a laughably simple exploit of the web-facing interface [threatpost.com] :

By default, the Tridium Niagara AX software is not configured to deny access to restricted parent directories... An attacker could exploit this vulnerability by sending a specially crafted request to the Web server running on Port 80/TCP

"The system insecurely stores user authentication credentials, which are susceptible to interception and retrieval. User authentication credentials are stored in the Niagara station configuration file, config.bog, which is located in the root of the station folder"

In other words, it's about as simple as GET /../config.bog HTTP/1.1

Big Suprise (4, Insightful)

Infin1niteX (950492) | about 2 years ago | (#41016465)

All of these SCADA system were using security by obscurity or just no security at all for years. So we're going to keep seeing these alerts and warning for a while. Shoot we still see them with major desktop and server operating systems. If there is a reason to exploit a system, someone will figure out how to.

Re:Big Suprise (0)

Anonymous Coward | about 2 years ago | (#41016629)

You realize that the majority of scada systems operate in the vast hinterland of northern canada. There are barely roads there, much less hackers who want some wellhead telemetry data.

Re:Big Suprise (1)

tibit (1762298) | about 2 years ago | (#41019007)

You're an idiot.

Re:Big Suprise (-1)

Anonymous Coward | about 2 years ago | (#41017141)

That's why I use a Mac; they don't get viruses.

Re:Big Suprise (1)

inasity_rules (1110095) | about 2 years ago | (#41024041)

Not really. They're often designed around OPC which uses DCOM security. It is obsolete, but there is security. It simply gets disabled because DCOM is a disaster to work with. They're pushing OPC UA and OPC Xi now to fix this.

A load of.. (1)

DaRanged (735002) | about 2 years ago | (#41016593)

Errrm... SCADA is 'shit' in Greek.

Re: (1)

Anonymous Coward | about 2 years ago | (#41022591)

SCADA software and POS software has many similarities.

After All (3, Insightful)

TheSpoom (715771) | about 2 years ago | (#41016671)

They would know.

Directory Traversal? Noobs. (1)

VortexCortex (1117377) | about 2 years ago | (#41016685)

chroot

Ta30 (-1)

Anonymous Coward | about 2 years ago | (#41016827)

platform fyor the

Home, Pro or Factory Edition (-1)

Anonymous Coward | about 2 years ago | (#41016865)

...Tridium Niagara AX industrial control system software...

Tridium - OK company name.

Niagra - product name.

So, industrial software companies are using retail/home user sounding names for their products?

I just need to know if this vulnerability is on all version of Niagara or just the Home version? Or is it also on the Niagara Pro version? Then what about Niagara Big Fucking Mulitnational Corporate edition?

Re:Home, Pro or Factory Edition (1)

OzPeter (195038) | about 2 years ago | (#41017151)

So, industrial software companies are using retail/home user sounding names for their products?

I've always thought of Tridium as a building automation system, not an industrial SCADA system. While I may be wrong in that I have never seen it considered for any large scale industrial plant.

Same Warning Was Issued Back in July (3, Informative)

wiredmikey (1824622) | about 2 years ago | (#41016987)

This alert is actually not very new and dates back to July. ICS-CERT re-releases things all the time in order to update small things and be sre people see an update, no matter how minor. Here is the original that came out in July:

http://www.us-cert.gov/control_systems/pdf/ICS-ALERT-12-195-01.pdf [us-cert.gov] [us-cert.gov] -- It's pretty much identical from what I can see.

It's not a skirt, it's a kil...it's a skirt, nm. (1)

Impy the Impiuos Imp (442658) | about 2 years ago | (#41017961)

I like the descripton: "This system is stuck in the 90s. We didn't even bother looking at the ActiveX stuff."

All I could think of was that Next Gen' episode where an old Klingon ship timewarps from the past:

Picard: Data, is there any way we can see through their cloaking device?
Data: Cloaking devices of the time were leaky in the gamma range.
Picard: Good. Make it our ho.

Java running under Windows (1)

dgharmon (2564621) | about 2 years ago | (#41019821)

'Extract the zip file [niagara-central.com] to the "modules" directory of the Niagara AX installation on your PC or laptop. (Ex. C:\Niagara\Niagara-3.6.47\modules)`.

Java running under Windows .. enough said ...

Don't put your SCADA units on the WEB (0)

Anonymous Coward | about 2 years ago | (#41019969)

Oak Pointe Country Club [69.196.103.45] .. try not to touch anything .. :o

Crime (2)

ThatsNotPudding (1045640) | about 2 years ago | (#41022099)

Running on or exposing industrial software to the Internet in any way, shape, or form should be an automatic 20-year stay in PMITA prison. Stop putting the laziness of PHB ingrates ahead of common sense and safety.

Re:Crime (0)

Anonymous Coward | about 2 years ago | (#41025581)

Commenting on shit that you don't know shit about should be an automatic 20-year stay in PMITA prison too, but hey, who's counting.

Maybe you should start by looking up the definition of 'Internet'. Whilst it is certainly convenient to buy into consumer ISPs assertions that the internet starts at their router, it isn't true. Internet. Interconnected Networks. Your home network is interconnected to your ISPs network which is interconnected to other ISPs and customer networks, ie your PC isn't so much connected to the internet, but part of it. Your phone probably is too. Maybe your car. Your TV might be, your cable box almost certainly is too.

Your local energy grid has some networks. Some of them are control networks that ensure that energy is safely (re-)routed to you home. Some of them are IT networks that handle things like billing. Your grid provider has to buy the electricity from someone too. You probably have a choice of enery providers, and your choice (and those of other customers) reflects in changes that must be made to switchgear on the grid. Your local grid is connected to a larger grid, and eventually to power stations, owned and operated by many other companies. All of those have industrial control systems that have impact on and are impacted by information that must flow on corporate IT networks. Things go bang in very long-outage-producing ways if power flow within the grid isn't well co-ordinated.

Now, much as your computer (part of the internet) is likely protected by anti-virus and a firewall, and your phone (part of the internet) is likely protected by an upstream firewall, and your cable modem (part of the internet) is protected by an upstream firewall too. Guess what! ICS systems are also protected by firewalls, IDS, IPS and so on. They have to be, because at some level, they are part of the internet too, and nothing will work if they are not.

I'm sure that you would much rather have no power at all though, so I'll just go tell everyone to airgap everything. It'll be a pleasure to not have to deal with so many ignorant idiots on the internet.

Yes, I am an internet security engineer. Yes, I play in the ICS space. No, I don't play on on tv, and nor do I work in a trendy cool looking bunker full of hot chicks.

This is why we should only use US vendors! (0)

FhnuZoag (875558) | about 2 years ago | (#41022133)

Well, imagine what this Slashdot article and discussion thread would be like, if Tridium was China based, instead of operating out of Richmond, VA...

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?
or Connect with...

Don't worry, we never post anything without your permission.

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>