Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Support Forums Reveal SCADA Infections

samzenpus posted about 2 years ago | from the patient-zero dept.

Government 66

chicksdaddy writes "We hear a lot about vulnerabilities in industrial control system (ICS) software. But what about real evidence of compromised SCADA and industrial control systems? According to security researcher Michael Toecker, a consultant at the firm Digital Bond, the evidence for infected systems with links to industrial automation and control systems is right under our eyes: buried in public support forums. Toecker audited support sites like bleepingcomputer.com, picking through data dumps from free malware scanning tools like HijackThis and DDS. He found scans of infected systems that were running specialized ICS software like Schweitzer Engineering Labs (SEL) AcSELerator Software and GE Power's EnerVista Software (used to configure GE electric power protection products). The infected end user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure. 'With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,' Toecker wrote."

cancel ×

66 comments

Sorry! There are no comments related to the filter you selected.

wtf... (3, Insightful)

Anonymous Coward | about 2 years ago | (#41951555)

Why are you people posting about your nuclear power plant problems online?

Re:wtf... (5, Funny)

gnarfel (1135055) | about 2 years ago | (#41951571)

'Updated ReactorCoreSafety to 8.34, can't access admin interface. Anyone else having this problem?'

Re:wtf... (1)

PPH (736903) | about 2 years ago | (#41951591)

Don't know about that one. What do all the blinking red light mean?

Re:wtf... (1, Insightful)

girlintraining (1395911) | about 2 years ago | (#41951629)

What do all the blinking red light mean?

Nothing, unless you've tried turning it off and then back on again. In which case, it means I have to refer you to second level support.

Re:wtf... (1)

ColdWetDog (752185) | about 2 years ago | (#41951915)

Just reboot three times.

If that doesn't help, reinstall the operating system.

Where did you say you were calling from again?

Re:wtf... (1)

davester666 (731373) | about 2 years ago | (#41954719)

Oh, you've hooked our hardware up to somebody else's hardware? That light means there is a problem with the other hardware.

We'll have to charge you for this support call and recommend you call the other manufacturer.

Re:wtf... (2)

sr180 (700526) | about 2 years ago | (#41953711)

Second level support here. It means the Radiation Beam has been erroneously set to full power.

(Unfortunately if you think this is a joke, google the Therac 25 accident. This should be compulsory study for all programmers and software engineers.)

Re:wtf... (1)

symbolset (646467) | about 2 years ago | (#41954653)

Mod parent up.

Re:wtf... (1)

TheGratefulNet (143330) | about 2 years ago | (#41951753)

do they still blink even after you've given the box a fonzie?

Re:wtf... (0)

Anonymous Coward | about 2 years ago | (#41952333)

Criminy, just how does one perform a fonzie upon your box?

Re:wtf... (1)

TheGratefulNet (143330) | about 2 years ago | (#41952853)

"man, oh man, I got it made in the shade"

you recite that after striking the juk^H^H^Hbox on the side.

Re:wtf... (1)

fast turtle (1118037) | about 2 years ago | (#41952251)

Core Meltdown Simulation in progress Mr. Simpson.

Re:wtf... (0)

Anonymous Coward | about 2 years ago | (#41953803)

Make sure you didn't let Windows Update auto-install the patch for KB5318008. If you already have, no problem, just uninstall it, reboot, then delete the following Registry keys and reboot again:..

Re:wtf... (2, Insightful)

Anonymous Coward | about 2 years ago | (#41951645)

ICS controls more then just Nuclear Plants. They control a wide range of industry machinery. Think how windows is to desktop, ICS is to the "professional" industry that involves complex machines.

Re:wtf... (0)

Anonymous Coward | about 2 years ago | (#41952255)

Infact SCADA is basically never used in nuclear power plants... it's far far too modern.

Duh? (-1)

Anonymous Coward | about 2 years ago | (#41951573)

Stuxnet et. al. were found trying to spread on the internet, does this really surprise anyone?

Is this one of these support groups ... (1)

PPH (736903) | about 2 years ago | (#41951633)

... where they take you through the seven stages of grief? Twelve steps to living a sober life?

Will we have to go up in front of a group and say, "Hi. My name is PPH and I plugged a thumb drive into my SCADA controller. I've been doing Windows for years and I guess it just caught up with me one day."

Re:Is this one of these support groups ... (0)

girlintraining (1395911) | about 2 years ago | (#41951747)

"Hi. My name is PPH and I plugged a thumb drive into my SCADA controller. I've been doing Windows for years and I guess it just caught up with me one day."

"Hi, PPH. This is the support group for information security professionals." (lights go out) "Alright guys, group therapy time has been rescheduled in favor of physical therapy. GET HIM!"

it will never heal.. (4, Funny)

TheGratefulNet (143330) | about 2 years ago | (#41951653)

if you keep picking on the SCADA, it will never heal!

of course it gets infected.

Re:it will never heal.. (0)

girlintraining (1395911) | about 2 years ago | (#41951767)

if you keep picking on the SCADA, it will never heal!

Also, you're hurting its feelings.

I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41951729)

Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet?? Are they complete morons? Why would they be able to keep their jobs? Are they all idiot sons of rich people and therefore can't be fired or something? I don't get it? What am I missing?

Re:I'm confused.. (5, Insightful)

Gorobei (127755) | about 2 years ago | (#41951827)

Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet?? Are they complete morons? Why would they be able to keep their jobs? Are they all idiot sons of rich people and therefore can't be fired or something? I don't get it? What am I missing?

How many millions of dollars a year do you want to spend to maintain that isolation? You can do it, it's just really expensive.

1. Lock down/destroy all wireless comm on all hardware
2. Make entire network visible - all cable runs visible in clear conduits.
3. No software installs without full audit (sorry, no commercial installs allowed, no audit software allowed on the gold network)
4. Destroy all hardware leaving the building (and yes, that includes guests' cellphones.)
5. No windows, line of sight, radio leakage, etc.
6. Fab your own chips. Even a 555 timer can hold a rogue 8086.
7. No interns. Assume every Chinese grad is a malware vector (and everyone else, too.)
8. Assume you still have a 1 bit per second channel to the outside world (power draw, sound, etc.)

Re:I'm confused.. (1)

Nyder (754090) | about 2 years ago | (#41951961)

...
6. Fab your own chips. Even a 555 timer can hold a rogue 8086. ...

Unless you provide proof, I call bullshit.

Re:I'm confused.. (3, Interesting)

Gorobei (127755) | about 2 years ago | (#41952221)

I was not completely clear, but even if you opt for even a simple DIP-8 555, current tech lets us embed a side-saddle microprocessor (4004, 6502, 8086) easily. Unless you pry the top off and scan it, you can't be sure you don't have a trojan horse. It's only a few thousand lines of code for the chip to decide it's in the right place for its payload (running a centrifuge, controlling a missile fin, etc) and then to fail nastily.

We've been doing targeted component sabotage for decades (Russian gas pipelines, Stuxnet, xerox tricks.) Don't trust integrated circuits to be what they claim to be.

Use a PIC (1)

mangu (126918) | about 2 years ago | (#41955395)

If it weren't for the fact that Vdd and Vss are reversed, a properly programmed PIC 12f675 could be a pin-for-pin replacement for a 555. As a matter of fact, I've stopped using 555s entirely, since a 12f675 provides the same functionality, and more, with NO external parts.

Installing a trojan would be as easy as inverting the 1 and 8 pins inside the package.

Re:I'm confused.. (1)

Johann Lau (1040920) | about 2 years ago | (#41952085)

Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet??

How many millions of dollars a year do you want to spend to maintain that isolation? [proceeds to list a lot of stuff that goes WAY beyond the requirement of "don't connect it to the internet"]

What the fuck did I just read?

Re:I'm confused.. (3, Insightful)

Gorobei (127755) | about 2 years ago | (#41952273)

Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet??

How many millions of dollars a year do you want to spend to maintain that isolation? [proceeds to list a lot of stuff that goes WAY beyond the requirement of "don't connect it to the internet"]

What the fuck did I just read?

Something about actual security issues (like what the article was about,) rather than "system ok, internet link bad, idiot sons of rich people" post.

Re:I'm confused.. (1)

fatphil (181876) | about 2 years ago | (#41954941)

You appear to have a problem with the concept of direction. The problem being addressed was that of stuff with the evil bit set coming *in* from the internet. Moving a PC relative to the windows does not change that at all, for example. Most of your defences seem to *presume* there's a man on the inside, but if you've got a man on the inside, there's no defence if there are *any* input devices at all. And a computer with no input devices can not receive or process any information. And therefore isn't a computer any more. You're just trying to show off that you can think of lots of ways of getting data off a supposedly secure system, which is pointless willy waving, anyone can do that. Why did you mention destroying guests' phones, but not the pad of paper they had in their pocket? Or their memories?

Re:I'm confused.. (1)

tgd (2822) | about 2 years ago | (#41956819)

You appear to have a problem with the concept of direction. The problem being addressed was that of stuff with the evil bit set coming *in* from the internet. Moving a PC relative to the windows does not change that at all, for example. Most of your defences seem to *presume* there's a man on the inside, but if you've got a man on the inside, there's no defence if there are *any* input devices at all. And a computer with no input devices can not receive or process any information. And therefore isn't a computer any more. You're just trying to show off that you can think of lots of ways of getting data off a supposedly secure system, which is pointless willy waving, anyone can do that. Why did you mention destroying guests' phones, but not the pad of paper they had in their pocket? Or their memories?

Its a lot easier to physically secure hardware -- and, more importantly, to know when a physical compromise has happened. These organizations, by and large, already have those provisions in place. I can't speak for the GP, but I would assume that's why he didn't get into those issues. People understand (to some extent) physical security. They don't understand "technical" security.

Re:I'm confused.. (1)

Johann Lau (1040920) | about 2 years ago | (#41958517)

It's still utterly nonsensical in response to what it's a response to -- so yeah, take your sophistry to someone who falls for it because I surely don't. Clown.

Re:I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41952661)

It's the sales and marketing guys.

We had the same battle when we were developing systems for the semiconductor industry. We refused to make it accessible via Ethernet, used serial ports instead (EIA-485) to prevent just such problems on life safety systems.

Still, some guy will always figure that they can create an interface to tie it to the Internet despite our protests and warnings.

Re:I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41952879)

I love when a "high ranking guest" doesn't take the warnings seriously. The look on their face when they realize their phone *is* getting confiscated is priceless.

Re:I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41953607)

4. Destroy all hardware leaving the building (and yes, that includes guests' cellphones.)
5. No windows, line of sight, radio leakage, etc.
8. Assume you still have a 1 bit per second channel to the outside world (power draw, sound, etc.)

These three are more about secrecy than operational safety and assume you have an adversary with the resources and drive of a nation state willing to risk discovery to interfere with your systems. Iran for example needs to worry about all of these, your electric company not so much.

Re:I'm confused.. (1)

symbolset (646467) | about 2 years ago | (#41954685)

Unfortunately even mundane technology companies need to be skilled in the art of keeping stuff private from a determined adversary.

Re:I'm confused.. (1)

symbolset (646467) | about 2 years ago | (#41954679)

  • 1. Do not install Windows on PCs responsible for maintaining human life and health in direct violation of the license terms prohibiting that use.
  • 2. Do not connect essential infrastructure to the Internet. Why do I have to say this?
  • 3. Desolder all the USB ports. USB is a security risk.

Re:I'm confused.. (1)

lonecrow (931585) | about 2 years ago | (#41958567)

While I agree that you only get as much security as your willing to pay for, you can get a high degree of security with less complication then this. How about air gap and properly paid, highly trained and ful security vetted engineers.

Also, from my own experience working with scada systems most organizations mirror the data over to a decision support service that lacks the control modules. So some of these infections may simply be on the historian not the control system.

Re:I'm confused.. (1)

ozduo (2043408) | about 2 years ago | (#41951849)

Oh so you expect the techies to sit staring at their screen all day without accessing porn or updating their status on Facebook.

Re:I'm confused.. (4, Insightful)

fuzzyfuzzyfungus (1223518) | about 2 years ago | (#41951863)

My impression is that there are two basic schools of problem:

1. The SCADA-related stuff is, in fact, properly air-gapped. Then the contractor who has to update the firmware on widget Z shows up and plugs in or a stupid and/or malicious insider manages to find a working USB port.

2. You install a fancy Supervisory Control and Data Acquisition system. Your Boss says "WTF, why can't I supervise and manage from the comfort of my iPad like in the vendor demo?" You proceed to punch one or more holes in your precious security.

Re:I'm confused.. (2)

sphealey (2855) | about 2 years ago | (#41952023)

- - - - - . The SCADA-related stuff is, in fact, properly air-gapped. - - - - -

Used to be possible through about 2000. Essentially impossible today, since most industrial systems vendors - just like everyone else - provide the vast majority of their support via Internet services. You want assistance debugging that control function giving you problems? Open up a support connection to the vendor. Can't do that? The vendor would be happy to send an on-site support tech at $2000/day, but of course he will need Internet access for his laptop.

And the vendors can't be blamed for this, as their customers will no longer pay the type of prices (first sale and support) that that did in the 80s and 90s [1], so the vendors have had to reduce costs everywhere.

sPh

[1] Before that most control systems were serviceable by a knowledgeable technician with a VTVM, scope, and catalog of discrete parts.

Re:I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41952397)

Depends I guess on whether you are willing to actually invest in your SCADA system or you just want to treat it like the latest Exchange add-on. Investing in your SCADA system means investing in the training of a team to maintain and support it. This team works with the remote vendor and acts as the "bridge" to the system.

Re:I'm confused.. (3, Informative)

aaarrrgggh (9205) | about 2 years ago | (#41953027)

Almost all situations fall into the first category. The SEL relays have rear ports for permanent connections and a front port for service. Usually they are set up so programming can't be changed over the serial or Ethernet network, but the front port has no ability for lock-down. SEL even has a cute little "data transporter" that has a serial port on it, so you don't have to bring your laptop to the relay.

The attack alluded to should be able to bypass the sneakernet use of the data transporter. Conceivably, if the service tech's laptop is compromised all relays would allow for remote settings change despite the visible settings on the laptop.

But, unless you could crack the relay firmware downloading the settings to another device or viewing from the built-in screen (which is extremely tedious), you would easily identify the problem.

I'm torn on how serious to take this. It isn't like settings are changed often, so practical implications are limited.

Re:I'm confused.. (0)

Anonymous Coward | about 2 years ago | (#41954937)

OS updates happen often enough that you need someone on-site to update SCADA's which gets ignored until a vendor shows up.

In other words, if you think old exploits don't work anymore, you just haven't stumbled across a SCADA. keep in mind that this isn't just limited to Windows based SCADA's - there are plenty of Unix based SCADA's that are neglected and probably even vulnerable to the old Finger exploit...

Re:I'm confused.. (2)

thegarbz (1787294) | about 2 years ago | (#41954609)

You're actually missing quite a lot.

1. Many of these systems are remote and need to be managed remotely. The ability to do this via leased lines through telecoms is greatly diminishing and the result is often even if you do get some kind of leased line it still gets routed through the internet.
2. These systems need to be constantly visible and accessed by a wide variety of non control software to help optimise a process.
3. Legal requirements often force you to physically connect this to some kind of remote network making airgap not an option.
4. The idea that airgap = security is outright dangerous and leads to the idea of "Nothing is foolproof because fools are ingenious."

These are fundamental things to consider when installing a system. A non-airgapped system with proper security processes and network design in place can be far more secure than a simple "We didn't connect it to the net so it should be fine" system. I've seen Operators adjust settings on carefully setup gear to get it to stop beeping at them on night shift. I've seen people bring in USB sticks and HDDs from their home and plug them into machines on the control network because they couldn't find a CD or company USB stick to use. And more importantly I've seen waaaaaaay too many machines with login "Admin" password "Manager" or "password" to believe that a network connection is the only source of security concerns.

The problem is the people who install these systems are of instrument/electrical engineering backgrounds not network security backgrounds. The problem is these systems were picked by managers who were shown by the vendors how they can view and control live plant running from their mobiles without any thought as to why they would want to do this. The problem is some people think airgaps are the beginning and end of security. And the problem is you should never underestimate how boring night shift at a running plant can be for operators who simply LOVE pressing buttons.

Oh and they aren't idiot sons of rich people, they are short term contractors with a no-liability clause in their contracts. They come in, setup insecure systems without any proper training on how to maintain and operate them securely and then they leave with their payout.

Re:I'm confused.. (1)

symbolset (646467) | about 2 years ago | (#41954667)

Do I need to remind you that they were also running Windows? It was what they knew. No doubt some consultant got paid well for recommending that solution.

Software world (-1)

Anonymous Coward | about 2 years ago | (#41951877)

download free software
http://Arslan8.blogspot.com

First-hand experience (5, Informative)

juventasone (517959) | about 2 years ago | (#41952165)

I'm a sysadmin for a small municipal office with a SCADA system. I manage every computer except the one used for SCADA, which is the responsibility of the vendor. Their only concern is that the computer stays unmodified from their "standard" set up, but it still requires unrestricted Internet access. This means:

*Windows XP SP2
*Automatic Updates turned off
*No third-party software (ex: antivirus)
*No domain/group policy
*Symantec pcAnywhere 11 host (this is the version Symantec admited to being breached and to stop using)

As the sysadmin I can stick it on a VLAN to keep it away from the computers I'm responsible for, but other than that, my hands are tied.

Similar situation. (3, Insightful)

khasim (1285) | about 2 years ago | (#41952371)

The only thing I could do was to log all the traffic to/from those boxes and save it in case anything happened in the future.

I blame whomever negotiated those contracts. There is no reason why those machines cannot be firewalled at the very least.

Re:Similar situation. (1)

aaarrrgggh (9205) | about 2 years ago | (#41953055)

Agree. Bad contract setup and irresponsible vendor. You can have it done better, although that doesn't provide much for guarantees. At least a certificate-based VPN...

Re:Similar situation. (2)

Billly Gates (198444) | about 2 years ago | (#41953183)

How retarded promotional videos like this [youtube.com] geared towards PHBs. The marketing and sales people do not want certificates and security as it would make their products look bad and hard to setup.

Easy access and PHB approved so the IT is ordered to do it or find another job. When shit hits the fan you just fire the IT guy.

Re:Similar situation. (1)

juventasone (517959) | about 2 years ago | (#41978035)

I think if government (ie: DHS in the US) really wants to secure SCADA without overhauling it, they should require and provide site-to-site VPN routers with Internet traffic blocked minus a few things. Just plug them into a modem or switch and 99% of the problem is taken care of. I think it would cost pennies compared to things like the backscatter scanners.

Re:First-hand experience (3, Informative)

Billly Gates (198444) | about 2 years ago | (#41952691)

As the sysadmin I can stick it on a VLAN to keep it away from the computers I'm responsible for, but other than that, my hands are tied.

Until your boss calls and asks why can't he view setup on his phone from the internet like was shown in the promotion video? Please unblock internet access. ... then an employee who is trying to get around the facebook firewalling software uses it to browse the internet. Oh, yeah fun times.

Re:First-hand experience (1)

aurashift (2037038) | about 2 years ago | (#41952895)

Holy mother of god.

Re:First-hand experience (1)

Anonymous Coward | about 2 years ago | (#41953651)

Not to surprising. BTW it worse than that.

These systems were *never* designed with security in mind. They were designed to talk to each other and quickly and then get out of the way. The protocols used do not even have a concept of it. In many cases you are lucky they talk to each other at all.

Then you had a handful of manufactures trying to corner the 'security' (which was a pathetic joke). Which means at a time when it should have been getting traction on 'how to talk to each other securely'. You had a small group making it worse and more expensive. So your 100k project just went to 200k and you now are locked into a particular vendor. Yeah most went screaming in the other direction.

Then smear on a layer of remote com and poof it is just a matter of time before a good disaster strikes.

Re:First-hand experience (1)

myxiplx (906307) | about 2 years ago | (#41954415)

We had a company with those requirements and we refused point blank to allow it Internet access. We allowed them a one day trial to prove it was secure and of course it was riddled with viruses within hours. We then forced them to wipe and reinstall it, and plugged it in to our isolated production network.

The guys designing and working with these systems haven't the first clue about IT, let alone security.

Re:First-hand experience (1)

symbolset (646467) | about 2 years ago | (#41954693)

You're already PWNed. Exposed to the real Internet that rig has a lifespan of three minutes.

SEL 5030 AcSELerator Quickset (1)

Anonymous Coward | about 2 years ago | (#41952671)

I, along with many others at my company, have Quickset loaded on our laptops. It's just configuration software that you use to prepare protective relays (and could use to communicate with them). I suppose the database on it could be hacked (it's a secured pgsql database, but that security can easily be overridden if you know what you're doing). It is *not* a SCADA package. It's on every relay tech's laptop, along with many engineers. I'd not be surprised to see virii on computers with Quickset on it at all, as many of them will be used in the corporate environment, and technician's laptops. I would be surprised to see a virus targeting the package though. Mine gets updated through the SEL Compass application, which downloads directly from their web site, and updates are fairly frequent.

Honestly, I'm not worried about Quickset. That doesn't bother me one bit, and I use it just about every day.

Other Problems (0)

Anonymous Coward | about 2 years ago | (#41952783)

Even with the "perfect" airgap, many protocols are unencrypted and quite vulnerable to a $20 radio from e-bay, a tape recorder and some good timing.

As someone who installs lots of protective relays (3, Informative)

Anonymous Coward | about 2 years ago | (#41952863)

I can tell you that none of the protective relays I've installed, the engineers involved didn't care one bit for security and all the SEL relays, Square D SEPAM relays, GE Relays, they are all installed with the default password with full access to anyone that has a RS-232 or Modbus cable. None of these relays are set correctly and barely anyone knows what setups to use on them. If someone really wanted to create a disaster, these relays are wide open, and someone with a laptop can easily just make a quick script to upload malicious settings and code to these relays very easily and quickly. The ones that are networked via status updates are even worse. As for SCADA systems, the majority of them are running Windows XP with no updates on, no antivirus, no anything and have full unrestricted access to the internet with full access to the PLC's on machines. These vulnerabilities have been known for YEARS by many installers, so I really don't find this article that surprising.

Re:As someone who installs lots of protective rela (1)

Anonymous Coward | about 2 years ago | (#41953193)

If someone has access to the RS232 port on the relay, you have MUCH bigger problems. Heck, they can remove the six screws and set the 'no password' jumper on an SEL relay and not worry about passwords at all.

Once physical security is compromised, electronic security is worthless. Hit the bus diff lockout switch and the station will clear anyway...

Re:As someone who installs lots of protective rela (2)

Anonymous Coward | about 2 years ago | (#41953259)

I currently take care of one the largest SCADA/DCS/PLC systems. I have had numberous discussions about security but our policy seems to be security through obscurity.
Later

Re:As someone who installs lots of protective rela (0)

Anonymous Coward | about 2 years ago | (#41954429)

ALL security is through obscurity.

Re:As someone who installs lots of protective rela (1)

thegarbz (1787294) | about 2 years ago | (#41954635)

Modbus cable? What kind of security are you dealing with here? From what I can gather the only time someone will be able to start messing with this stuff is if they are there, standing right in front of the relay. At this point all bets are off. There are many thousands of things someone could do at a plant to wreak havoc even once you have passworded your modbus interface, and many of them are far less technical than modifying a protective scheme so why bother.

If this is your only remaining concern I would like to hear about their excellent use of physical security (i.e. locking non-authorised people out of the room with the important technical thingies). I would also like to hear how the electricians and engineers can get in and adjust these relays, how long does someone need to work at the plant before being given the password to make changes? If your answer is that they have access to the systems as soon as they've completed training then you're going to fall for the same attack as Stuxnet, an inside job involving a piece of gear plugged directly into system by a trusted worker at the plant.

Also if your answer is anything other than easy and implicit trust I want to know if your plant is actually profitable and if broken stuff ever gets fixed or just sits there as the required approvals for someone to physically touch it work their way through tangled bureaucracy.

Believe me passwords on our protective relays are of major concern, right after we've solved world peace and all the other security issues that plague a typical power distribution system.

Re:As someone who installs lots of protective rela (0)

Anonymous Coward | about 2 years ago | (#41955703)

You failed to account for authorized people having their machines unknowingly infected. Passwords are also moot when exploits are used, which tend to be highly available since SCADA systems tend to use old unpatched versions of Windows. There was nothing in the Stuxnet setup that requires it to be an inside job.

Good Grief ! (1)

dgharmon (2564621) | about 2 years ago | (#41955257)

'First I got infected by "malware protection designed to protect" and "windows xp recovery" I used rkill to fix this. But now any google search gets redirected and I hear commercials even with no browser open. The TDSSKiller won't run even when is renamed. And SAS or malware bytes won't detect anything.' link [bleepingcomputer.com]

Unfortunately in the real world... (1)

some old guy (674482) | about 2 years ago | (#41956031)

Organizations that use SCADA and/or distributed controls, typically the manufacturing and raw materials sectors but also public utilities, very seldom maintain complete on-site in-house support for said systems or their industrial sub-components (proprietary machine programs, frequently written in Step 7 or ControlLogix but locked down by the machine vendor). Neither are most maintenance budgets able to afford frequent on-site vendor visits.

That means off-site tech support, and therefore internet access.

Air walls only work when you have an unlimited budget, a perfect system, or adequate full-time on-site support. I think I saw one of those in a movie once.

We're in a new era. (0)

Anonymous Coward | about 2 years ago | (#41957175)

Besides handling technology strategy for a restaurant business in southern ontario, I also design, build, and maintain industrial control systems. One project I handed in this capacity was building a control network for an industrial plant's ethernet control network, basically from scratch.

One thing that makes the new way of doing things so dangerous is that even the best people at a site usually don't have the first idea that there's even a problem, let alone how to fix it. People in charge (reasonably) want information from the process control systems to be accessible to decision makers, but often they're going to give control to tradesmen.

I have great respect for tradesmen, and I am one myself, but there's a simple fact that their entire lives the technology has been different than today. I'm almost 30, and in a room filled with tradesman, I'm often the youngest by 20 years. That by itself wouldn't be a problem, but even on their best day, these guys don't tend to do computers. They run cables, or troubleshoot ground loops, or rebuild relays, or install gearboxes, or calibrate transmitters, or rebuild fuel injectors. Only very specialised tradesmen are going to have much experience with computers, and even within that specialised group, an even more specialised group is going to be familiar at all with network security to the point that they might be able to lock down their network in such a way that can prevent a hacker or worm attack.

ICS-CERT has been a great resource for me, trying to figure out the best way to implement a long-term control system security strategy that can protect against the next self-propagating worm that catches the world completely off-guard, so there are some resources out there. Besides that, I'm implementing regular penetration testing on any intranet-facing machines to ensure that if the corporate IT lets something pass, it won't make it into control systems, following up by closing any holes we find.

Change is going to have to come from all sides to really make a difference, though. I'm solving the problems of one site of tens, maybe hundreds of thousands. Tradesmen who will maintain and build control infrastructure must be informed of the gravity of their task. Managers must be informed of the dangers of network security, which can literally be life or death. Executives must know about the problems and pass this on down the line as a priority right from the top, as well.

Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?

Submission Text Formatting Tips

We support a small subset of HTML, namely these tags:

  • b
  • i
  • p
  • br
  • a
  • ol
  • ul
  • li
  • dl
  • dt
  • dd
  • em
  • strong
  • tt
  • blockquote
  • div
  • quote
  • ecode

"ecode" can be used for code snippets, for example:

<ecode>    while(1) { do_something(); } </ecode>