
Thousands of SCADA, ICS Devices Exposed Through Serial Ports

samzenpus posted about a year and a half ago | from the protect-ya-neck dept.

Security 66

Trailrunner7 writes "Serial port servers are admittedly old school technology that you might think had been phased out as new IT, SCADA and industrial control system equipment has been phased in. Metasploit creator HD Moore cautions you to think again. Moore recently revealed that through his Critical IO project research, he discovered 114,000 such devices connected to the Internet, many with little in the way of authentication standing between an attacker and a piece of critical infrastructure or a connection onto a corporate network. More than 95,000 of those devices were exposed over mobile connections such as 3G or GPRS. 'The thing that opened my eyes was looking into common configurations; even if it required authentication to manage the device itself, it often didn't require any authentication to talk to the serial port which is part of the device,' Moore told Threatpost. 'At the end of the day, it became a backdoor to huge separate systems that shouldn't be online anyway. Even though these devices do support authentication at various levels, most of the time it wasn't configured for the serial port.'"


How is this news? (1)

Anonymous Coward | about a year and a half ago | (#43541567)

News Flash: If you have physical access to hardware, you can hack it!

*yawn*

Re:How is this news? (2)

The MAZZTer (911996) | about a year and a half ago | (#43541597)

There is hardware called "Remote Access Servers" that allow you to forward serial connections over a network connection via SSH or whatever.

Re:How is this news? (2, Funny)

interval1066 (668936) | about a year and a half ago | (#43541841)

Try to convince an old plant manager he needs vpn. Try to explain to him what one is.

Re:How is this news? (4, Informative)

dreamchaser (49529) | about a year and a half ago | (#43541885)

Try to convince an old plant manager he needs vpn. Try to explain to him what one is.

It isn't as hard as you might think. "Do you lock the door to your house? A VPN is like that for your data."

It isn't a great analogy but trust me, it works. I've used it quite a few times.

Re:How is this news? (2)

jawtheshark (198669) | about a year and a half ago | (#43544281)

I like to use the following comparison: A VPN is like pulling a real cable between two machines that are separated over a large (or even short) distance.

Re:How is this news? (1)

morgauxo (974071) | about a year and a half ago | (#43545105)

I've been doing things this way for 20 years and there have been no problems. I know what I am doing. Stop wasting my time, kid.
</old manager simulation>

Re:How is this news? (1)

dreamchaser (49529) | about a year and a half ago | (#43566223)

I've been doing things this way for 20 years and there have been no problems. I know what I am doing. Stop wasting my time, kid.
</old manager simulation>

That almost never happens, partially because I'm not a kid (late 40's) and partially because their employer is paying gobs of money for my time as a security engineer/consultant.

Define "old" ... (5, Insightful)

perpenso (1613749) | about a year and a half ago | (#43541981)

Try to convince an old plant manager he needs vpn. Try to explain to him what one is.

Define "old". Some 50 year olds were playing with TRS-80, Commodore PET and Apple II computers when they were kids in high school. I think we are at, or soon will be, past the point where "old" equates to unfamiliarity with digital technology.

Re:Define "old" ... (-1)

Anonymous Coward | about a year and a half ago | (#43543439)

Try to convince an old plant manager he needs vpn. Try to explain to him what one is.

Some 50 year olds were playing with TRS-80, Commodore PET and Apple II computers when they were kids in high school.

Come on. A TRS-80, Commodore PET or Apple II computer compared to today's hardware, the software that runs on them, and their networking capability, is like comparing Stone or Bronze Age tech to 21st Century ICs. The damned things could only do one thing at a time, and "640k ought to be enough for anyone!" It's like comparing T-Rex to birds. Yeah, they're related, but that's all.

Get real.

Re:Define "old" ... (1)

Anonymous Coward | about a year and a half ago | (#43544437)

You see, Mr. Anonymous retard, those of us who were playing with TRS-80s etc. back in the day *didn't stop there*; we've experienced every generation of hardware and software since then, so we know all the old stuff *and the new stuff as well*. Hope that's simple enough for you.

Re:Define "old" ... (1)

hughbar (579555) | about a year and a half ago | (#43544747)

Oh absolutely, at 62, I've seen punched cards, disk drives the size of washing machines, computers the size of a decent-sized apartment, CompuServe and everything on up to the Raspberry Pi. That included hacking via acoustic couplers, slow modems etc. etc. Old certainly now doesn't mean pre-technology, and old tech is tech, usually just slower and bigger.

Re:Define "old" ... (1)

aaronb1138 (2035478) | about a year and a half ago | (#43543479)

Perhaps not with "old," but "MBA" still will. We'll call it 50/50 odds on an exception applying to MBAs in IT/IS from major universities, though the community colleges teach that stuff better at the associate's level.

Re:Define "old" ... (1)

perpenso (1613749) | about a year and a half ago | (#43544285)

Perhaps not with "old," but "MBA" still will. We'll call it 50/50 odds on an exception applying to MBAs in IT/IS from major universities, though the community colleges teach that stuff better at the associate's level.

That doesn't seem to work either. 8 years ago 1/3 of the class in my MBA program were coming from engineering backgrounds. Those that did not seemed to have no problem dealing with technology. 100% used a VPN regularly to access campus resources when off campus.

I get your sentiment, I used to share it. One of the things that made business school so much fun was to learn how wrong I was and laugh at myself. Seriously, an MBA program is nothing like you think it is. The execs you see on the nightly news are pretty much examples of what they tell you not to do in business school. It's not unlike what I saw in computer science. We were all taught how to write well-designed, maintainable and reliable code; yet after entering industry so few actually practiced what they were taught and just slapped crap together as fast as they could with no thought beyond immediate rewards.

Re:Define "old" ... (2, Insightful)

Anonymous Coward | about a year and a half ago | (#43543529)

Some day you'll be at the point where you don't equate 50 with "old."

Re:Define "old" ... (1)

perpenso (1613749) | about a year and a half ago | (#43548025)

Some day you'll be at the point where you don't equate 50 with "old."

I don't now, but when I was learning to program on my Apple II I did. ;-)

Re: How is this news? (3, Informative)

dogsbreath (730413) | about a year and a half ago | (#43542055)

er. . . Typically these are tied to dial up modems or to IP port servers. They are used to access systems when the secure front door is unavailable due to Internet outages, firewall problems or the access gateway being unavailable.

You would not think anyone would be so dumb as to set these up, but some may be legacy, or put in place by a local hero sysadmin.

It may even be, get this, a contractually required remote support access point. Many vendors have a very limited concept of what is required to prevent unauthorized access. One vendor sales guy told me that it was secure because no one would know about the dial up number and they had no reported break ins at other installations.

Sigh.

Of course there are ways of providing secure alternative access paths but there are a lot of folk who are under the impression that obscurity is sufficient.

Another issue besides the lack of authentication is the lack of logging and activity reporting. One outfit I did some work for spent a dinghy full of large bills on an IPS for the network side but would not pay for caller ID on their dial-up access point. Against their financial responsibility policy to pay for frivolous monthly charges.

Re: How is this news? (2)

skids (119237) | about a year and a half ago | (#43542961)

You would not think anyone would be so dumb to set these up but some may be legacy, or put in place by a local hero sysadmin.

A lot of these are spare aux or console ports on Cisco routers. The actual syntax used to set one up is a bit contorted, so it's possible for someone inexperienced who is following crib notes to think they are just enabling access to the serial port from the router command line when in fact they are also enabling an alternate telnet/ssh port.

Also, a few of the newer platforms coming out from Cisco include the ability to run a Linux server on the second core ("embedded service module"), and the default configuration has a rather permissive "transport output" statement on the emulated serial port joining the IOS to the ESM.

LOM has mitigated the need for most of these setups, but there is still gear where the only reliable rescue console is on the serial port.
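As an added illustration of the trap skids describes (a constructed example, not from the post or from Cisco documentation): an aux line that quietly doubles as a network entry point, beside the same line locked down. The line itself, the access-list number and the speeds are placeholders; check your own platform's absolute line numbers with `show line`.

```cisco
! --- WEAK (constructed): a "rescue console" that is also a remote entry point.
! The intent was a modem or reverse-telnet path to a serial console.
! 'transport input all' also accepts telnet arriving from the network; a TCP
! connection to the router on port 2000 + <absolute line number> is dropped
! straight onto this serial line, and without a 'login' / 'login local'
! statement on the line nothing asks for credentials.
line aux 0
 speed 9600
 stopbits 1
 flowcontrol hardware
 modem InOut
 transport input all
!
! --- HARDENED (constructed): the aux line cannot be reached from the
! network at all; management stays on the vty lines.
! no exec              - no EXEC shell is ever spawned on this line
! exec-timeout 0 1     - anything that does start is torn down after 1 second
! transport input none - no inbound telnet / reverse telnet to the line
! transport output none - no outbound sessions launched from the line
line aux 0
 no exec
 exec-timeout 0 1
 transport input none
 transport output none
!
! If a dial-in rescue path really is required, gate it rather than leave it
! open: require local credentials and restrict sources (ACL 10 is a placeholder).
! line aux 0
!  login local
!  access-class 10 in
!
! Verify on the box:
!   show line                            (absolute line numbers, modem state)
!   show running-config | section line   (every line's transport settings)
```

The same review applies to every `line` stanza, including the emulated serial line to an embedded service module that skids mentions: look for `transport input` and `transport output` values broader than the line's actual purpose.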

Re: How is this news? (1)

fast turtle (1118037) | about a year and a half ago | (#43545005)

And with caller ID being regularly spoofed, they were correct. I get calls supposedly coming from the State Senate Building, the God Damn White House, Washington Monument and other locations, so caller ID has become damn near useless unless you know the phone number they're calling from. For a company with dial-in accounts, caller ID is damn near useless because it's simply more data to either look at or to keep.

Dupe (4, Informative)

hackshack (218460) | about a year and a half ago | (#43541577)

Jan 10: Thousands of SCADA Devices Discovered on the Open Internet [slashdot.org]

Best part is, it's the same submitter. And y'all wonder why /. is dying.

Re:Dupe (5, Informative)

Anonymous Coward | about a year and a half ago | (#43542119)

Not a dupe. The SCADA segment bit is overlap, but the access method is different. This issue applies to more than SCADA, some thousands of unsecured serial port proxies were actually modern Linux and FreeBSD serial consoles, conveniently preauthenticated as root.

"Shouldn't be online" (1)

girlintraining (1395911) | about a year and a half ago | (#43541601)

At the end of the day, it became a backdoor to huge separate systems that shouldn't be online anyway.

Well, duh. There's about a million tons worth of devices that shouldn't be on the internet, but they are. Rather than bemoan something we've known since the internet was first turned into a public network... why not ask ourselves some more probing questions, like why they're on the internet?

I'll give you a hint: Because auto-configuration (DHCP!) and gateways that allow anything hitting them from the inside to freely traverse are the norm. And it's easier to fix a single gateway than a hundred devices.

Re: "Shouldn't be online" (0)

Anonymous Coward | about a year and a half ago | (#43543223)

What if the gateway is the problem? I was looking at my company's network config, noticed how old the firmware was and decided to google an updated rom.

My jaw dropped when I saw that 2 or 3 results per page on Google were for gateways that were completely open to the Internet. Not sure how many were honeypots, but I did poke around a few and noticed security camera systems on one and servers on another.

Re: "Shouldn't be online" (2)

cusco (717999) | about a year and a half ago | (#43545459)

Just cameras? You should see the physical security forums on LinkedIn. About once a month a person asks how to let his customer access their security system at a remote site and a busload of people immediately spout "DDNS". When I point out that there is no security on that they get all huffy and reply "We always turn on the firewall in Windows!" Feels like 1999 all over again.

I wouldn't worry about serial port servers much, that's really a case where 'security by obscurity' kind of works.

"Hey, a serial port! Let's send it some random ASCII commands!"

"Is it doing anything?"

"I don't know, can't tell. Screw this, let's play some more WoW."

Re: "Shouldn't be online" (0)

Anonymous Coward | about a year and a half ago | (#43563595)

Sounds like you should start a networking consultation business. With LinkedIn, you should know exactly where these unsecured systems are.

Re:"Shouldn't be online" (0)

Anonymous Coward | about a year and a half ago | (#43547227)

Actually that's not why they're on the Internet. I work in the utility industry. They're on the internet because federal regulations require data to be exchanged between partner utilities. Another problem is that everyone in the company seems to think they need access to SCADA. They don't know what it is, they only get into it once every 18 months, but by golly they need it. Those are my two biggest problems here. I sooooo wish I could just pull the plug and tell all of them to go pound sand. Unfortunately I work in the real world.

Di3k (-1)

Anonymous Coward | about a year and a half ago | (#43541623)

company a 2 Volum3 of NetBSD tired arguments FEAR THE REAPER mutated testicle of GNAA on slashdot, And coders well-known feel an obligation GNAA on slashdot, *BSD is dead. FreeBSD core team A PREVIOUSLY Personal rivalries BSD's acclaimed (7000+1400+700)*4 standpoint, I don't bottoms butt. Wipe FreeBSD went out minutes. At home, Lost its earlier the next round of Be on a wrong

Ubiquitous internet actually makes this worse (5, Insightful)

mpoulton (689851) | about a year and a half ago | (#43541655)

Back in the olden days, equipment like this had serial port configuration interfaces which were intended for use by nearby administrators, via terminals and small local networks with no connectivity beyond the local facility. If longer distance administration was required, it was over dedicated copper loops. The internet was simply not used for these kinds of systems, and the idea that those devices would ever end up on a globally-accessible network with millions of untrusted devices was incomprehensible. As technology developed and the internet took over as the primary means of long-distance networked communication, these legacy devices were incorporated into a network environment that their engineers had never even considered. It's just not what they were made for. The devices are not to blame. Engineers and administrators who put them on public networks certainly are.

Re:Ubiquitous internet actually makes this worse (1)

AK Marc (707885) | about a year and a half ago | (#43541767)

That's the issue when people use security by obscurity. The obscurity was the difficulty in networking the serial port. Anything made in the past 20 years should have had an Ethernet port and real security. Yes, even this SCADA stuff.

Re:Ubiquitous internet actually makes this worse (3, Informative)

perpenso (1613749) | about a year and a half ago | (#43542149)

That's the issue when people use security by obscurity. The obscurity was the difficulty in networking the serial port. Anything made in the past 20 years should have had an Ethernet port and real security. Yes, even this SCADA stuff.

It's more security through physical access, not so much obscurity. The original intent was probably to give a tech in the room, or a user in a nearby room, access. Also, it's the ease of turning a serial port into a remote connection that is at the heart of the problem.

YMMV but such stuff I worked on in the 90s had multilevel (user, tech, admin, ...) passwords, even on serial port access. Ethernet or serial port, it makes no difference when the site does not change the passwords from their factory settings.

Re:Ubiquitous internet actually makes this worse (1)

Darinbob (1142669) | about a year and a half ago | (#43542605)

Remote access may also mean more than just being able to talk to it from your desk. The machine being talked to may not even be in the building where you work; it may not even be in a building, it could be a hundred miles away on the side of a rural country road, or in a tiny substation. You're not going to get an Ethernet connection to it, but a serial port is doable (though a bit expensive). Some places use a 3G data connection (SIM card and all). Ultimately though, the end port is very often a serial port because that's what is standard on the machines you're trying to control.

Re:Ubiquitous internet actually makes this worse (2)

AK Marc (707885) | about a year and a half ago | (#43542909)

It was *never* deployed that way. Every single serial port was networked. Run back to a server of some kind. I've never seen a SCADA network that didn't have a central console with miles of copper networking every port. The SCADA console was usually not networked, but was more likely as time went on that it was networked. Then you ended up with serial aggregators being networked, and the SCADA console being networked, and no more direct connection between the master and controlled devices.

Usually, the network was designed by the engineers who operate the equipment, and no IT person knows more about tech than a licensed PE (so the PEs assert), and so it's usually about as bad as possible and still be functional.

YMMV but such stuff I worked on in the 90s had multilevel (user, tech, admin, ...) passwords, even on serial port access. Ethernet or serial port, it makes no difference when the site does not change the passwords from their factory settings.

I don't doubt it, but the last serial port I connected to a computer was hooked up to the Internet. There was no password on the serial port (no password could be added to it), and a misconfiguration could damage a $500,000,000 device. This was 2 years ago on a device that is still available new today.

Re:Ubiquitous internet actually makes this worse (2)

Darinbob (1142669) | about a year and a half ago | (#43542303)

Not necessarily. That Ethernet port has no security by default either. All it's going to be on a 20-year-old machine is a bare telnet port to the command line, and that's likely what you have on more modern devices too. So identical security issues from a telnet into a server to serial port as opposed to direct telnet into the device (and yes, many serial port interfaces can be configured with passwords and timeouts).

Re:Ubiquitous internet actually makes this worse (1)

AK Marc (707885) | about a year and a half ago | (#43542951)

I never said that Ethernet requires security, but rather than assuming secure access by plugging an unsecured serial port into an unknown device. When you toss something onto Ethernet, you are more likely to correctly assume insecurity.

Re:Ubiquitous internet actually makes this worse (1)

BitZtream (692029) | about a year and a half ago | (#43542957)

All security is security through obscurity. What do you think a password is? What do you think a key (digital or physical) is? Obscure patterns that other parties aren't likely to know.

Please don't repeat sayings you've heard until you actually understand them.

Re:Ubiquitous internet actually makes this worse (2)

AK Marc (707885) | about a year and a half ago | (#43542995)

Security through obscurity is having a known flaw (and a password isn't a flaw) where the principal security is hiding that flaw. Open access to a serial port "secured" only because the IP isn't known is security through obscurity.

Re:Ubiquitous internet actually makes this worse (1)

aaarrrgggh (9205) | about a year and a half ago | (#43547123)

This is nothing. The fact that all kinds of fun gizmos now have cellular modems makes just about anything you try to do for security futile.

Re:Ubiquitous internet actually makes this worse (1)

AK Marc (707885) | about a year and a half ago | (#43549983)

Most of those are SIM-based. If you remove the SIM, then there's no issue. Others will let you turn the radio off in hardware. I work for a mobile carrier that will let you whitelist a single IP to talk to that cellular modem (usually your GRE/VPN head-end). That, and the radio is mostly useless unless you do something like pay for a plan.

Re:Ubiquitous internet actually makes this worse (5, Insightful)

Darinbob (1142669) | about a year and a half ago | (#43542131)

Don't treat these all as legacy devices either. Brand new devices manufactured today still have serial ports. They're often on protocols other than a simple command line, and RS232 or RS485 connections are robust and versatile.

The alternative to a serial port with command line? Ethernet with command line, which is every bit as insecure. All the article really points out is that sometimes people forget about security, since there is nothing inherently insecure about a serial port. I just read this as people being surprised that technology from the past is still in use; next up complaints about how we still use archaic concepts like the wheel, inclined plane, and lever.

I.e., get a secure connection to the terminal server, then a normal serial port to the actual device. No one is going to be snooping on the serial line itself any more than they'd be snooping on the Ethernet cable. The insecure part is the internet.

Re:Ubiquitous internet actually makes this worse (3, Insightful)

fluffy99 (870997) | about a year and a half ago | (#43542885)

In the systems I've seen, they are using stuff like Moxa ports for serial to Ethernet. It's done as either serial-to-serial tunneling over Ethernet, or one side is a computer with the Lantronix serial redirector client installed. The devices require a password to configure, but typically access to the serial port is simply telnetting to port 10001, and there is zero security unless the serial port on the device has access controls. Engineers like the simplicity of setting it up and usually don't consider that everyone else on the network can too.

Re:Ubiquitous internet actually makes this worse (1)

rwiggers (1206310) | about a year and a half ago | (#43544631)

Those things are usually installed by engineers with very little knowledge of/concern about security. In my field there's an urge for Bluetooth connectivity for the industrial equipment, with all the security nightmares Bluetooth poses on accessing a device. Wi-Fi could be used with a much better security model, but it's considered too complicated...

Re:Ubiquitous internet actually makes this worse (0)

Anonymous Coward | about a year and a half ago | (#43543601)

I'd argue this is an all-too-common weakness in thinking in this field: It's old so it must be bad. Heck no, serial ports rock. They work. Get me a serial port that does a couple megabit and I no longer need to muck about with tftp on a carefully-separated administrative ethernet for maintenance. Just hook up everything to the serial port server. And secure that, sure.

If that serial port concentrator is insecure, that amounts to having a bastion host separating your administrative ethernet from {the rest of the lan,the public internet} yet leaving it insecure. It's not a problem of serial ports any more than insecure bastion hosts are a problem of ethernet.

Focusing on "oh noes! serial ports on the intarwebz!" is just that much more fud, all over again. It's boring, stupid, and the wrong thing to point at. The strength of these things is that they're simple and robust. The problem is with failing to secure the terminal servers.

The problem is also with FUD pieces like this and the way they get propagated around. To wit, two sentences from the "conclusion" of TFA, which is about representative for the "research" in the digital security field:

There are over 114,000 serial port servers accessible from the internet, with over 95,000 connected via mobile providers. These expose over 13,000 serial ports that offer some level of administrative access to any attacker that happens to connect.

That's a whopping 0.114 devices per "accessible" serial port server with "some level of administrative access" (presumably any level not being "none"). A curiously low port utilisation, actually.

This sort of thing still ought to be fixed, of course, but for an internet that's running out of address space because so many things are connected, it's not worth panicking over. But panic makes the digital security industry money, so panicking we must.

Re:Ubiquitous internet actually makes this worse (1)

thegarbz (1787294) | about a year and a half ago | (#43544105)

The alternative to a serial port with command line? Ethernet with command line, which is every bit as insecure.

Not quite true. The article itself is concerned with the fact that serial ports offer little to no authentication on their lines. At least with Ethernet there is often a token login/password to get in. Standard practice in the industry for years was to assume that a device connected via Ethernet will not be in the same room, whereas RS232 will be a user with a laptop standing next to the SCADA system and thus is already "authorised".

I don't think I've seen a single SCADA system ask for a login over a serial port. Most SCADA systems I have used require some authentication.

Unfortunately ALL SCADA systems I've used which require authentication had a default username and password set.

Re:Ubiquitous internet actually makes this worse (1)

Darinbob (1142669) | about a year and a half ago | (#43544159)

All the power utility systems I've seen all have a password, though I haven't seen all that many. Though maybe they all have the default password, which I think is just as likely with things like cisco routers from what I've seen.

Re:Ubiquitous internet actually makes this worse (1)

dkf (304284) | about a year and a half ago | (#43544221)

The article itself is concerned with the fact that serial ports offer little to no authentication on their lines.

But is the serial line routed off site? If you have to have physical access to the immediate locale or go through a properly-secured terminal server, the fact that the serial line itself doesn't do a lot of auth doesn't really matter.

The real problem comes when people connect these things to the internet (either directly or indirectly) without thinking about network security. (Security always makes things more difficult, but good security is that which makes things much more difficult for the unauthorized while having little impact on the authorized.)

Unfortunately ALL SCADA systems I've used which require authentication had a default username and password set.

Did I mention that SCADA vendors need introducing to a +3 Blessed Baseball Bat of Cluefulness?

Re:Ubiquitous internet actually makes this worse (1)

thegarbz (1787294) | about a year and a half ago | (#43544787)

Unfortunately ALL SCADA systems I've used which require authentication had a default username and password set.

Did I mention that SCADA vendors need introducing to a +3 Blessed Baseball Bat of Cluefulness?

Not vendors. System integrators. Changing the password on these systems is often trivial, but then if someone forgets we can't find it in the manual under "Default password" now can we.

Re:Ubiquitous internet actually makes this worse (1)

Rich0 (548339) | about a year and a half ago | (#43546365)

I don't think I've seen a single SCADA system ask for a login over a serial port.

I'm not sure you'd want it to either. If you're going to use a terminal server, then put security on the terminal server (use ssh/etc).

The next thing people will be pointing out is that most JTAG ports don't have any authentication either, and that it is possible to wire those up to a terminal server as well.

The problem is with administrators who interface devices on a network without any authentication. My laser printer doesn't require authentication and that isn't a problem, but I'm not going to stick it on the Internet and then wonder why I came home to a stack of black paper and an empty toner cartridge.

Oh shit! Call the security police! (0)

Anonymous Coward | about a year and a half ago | (#43541761)

Physical access is root access.

Seriously, this security bullshit is getting out of hand. "Oh no, I got physical access to the device, and it happened to have a serial port on it that doesn't require any authentication!". Um, maybe that's why it's labeled as a maintenance port, and why the device itself is located in a secured cabinet. The really silly thing about all this is that even if the serial port were locked down, these "security experts" would still complain about the device because you could theoretically pull it apart, desolder the configuration EEPROM, flip a few bits, solder the EEPROM back onto the control PCB, reassemble the device, and then get into it without authentication. They'd do all this, and they'd call it a "vulnerability".

Re:Oh shit! Call the security police! (2)

fuzzyfuzzyfungus (1223518) | about a year and a half ago | (#43541949)

If it weren't relatively common to find some flavor of modem (POTS or cellular) slapped on to the serial port, that might be slightly more comforting...

That's the great thing about serial ports. Thanks to standardization since the 80s sometime, you can make them vulnerable to the outside for under $100, and in a way likely to strike users as 'convenient'!

That's the point (0)

Anonymous Coward | about a year and a half ago | (#43541833)

Seriously, that's the point.
If you have physical access to a device you can usually factory default it. Securing a serial port is done by restricting physical access, not by passwords, since it's expected that if you can access the serial port you can just as easily defeat any configuration security.

In other news, HD Moore reports that billions of locks worldwide can be opened by factory-configured "master keys" and people aren't properly securing their devices!

With "smart grid" or "smart cities" coming (2)

presidenteloco (659168) | about a year and a half ago | (#43541851)

Infrastructure devices will have to be internetworked on a large scale.

Just saying "air gap" it is, I'm afraid, a trite solution that will not meet the "smart grid" requirement to adjust energy flows dynamically based on a mixture of large-area and local algorithms.

So, aside from "air gap", what do people propose for securing widely internetworked smart critical infrastructure?
1. Use a second physically completely separate Internet for infrastructure only?
2. Work harder on secure tunnelling technology, put it on the "real" Internet, and use security management best practices?
3. What else?

Re:With "smart grid" or "smart cities" coming (0)

Anonymous Coward | about a year and a half ago | (#43542227)

1. Use a second physically completely separate Internet for infrastructure only?

It's called a WAN link. They have been around for quite some time and are a lot cheaper than internet circuits in the same tier class for corporate/industrial.

T1s are cheap (usually under $600/month) and can be deployed almost anywhere (90%) there is copper phone service. (Not as cheap as 'consumer' internet, but you wouldn't be using that anyway for something like this now, would you??...) And other connections are usually available in most urban/industrial areas (DS3, Metro-Ethernet over copper/fiber, dark fiber leasing, etc...) and are usually covered with SLAs.

And all the major telcos already have all of the above on a "separate" internet infrastructure, and even separate them out by customer so they can't talk to each other (unless they install a link between them, and only when requested). You can even get WAN links between providers that are P2P (a T1 from ATT in one location and a T1 from VZ in another, and they will be a direct link as far as your router on each end is concerned).

This is the proper way to link internal systems that you can not link yourself. And if you're really paranoid you can even do VPN encryption over that, just in case someone actually takes the time to dig up copper/fiber and splice into it after somehow knowing which of the 1,000 pairs of copper/fiber is actually yours in the middle of a street.

Re:With "smart grid" or "smart cities" coming (1)

shbazjinkens (776313) | about a year and a half ago | (#43542349)

> 1. Use a second physically completely separate Internet for infrastructure only?
>
> It's called a WAN link. They have been around for quite some time and are a lot cheaper than internet circuits in the same tier class for corporate/industrial use.
>
> T1s are cheap (usually under $600/month) and can be deployed anywhere (90%) there is copper phone service (not as cheap as 'consumer' internet, but you wouldn't be using that anyway for something like this now, would you?). Other connections are usually available in most urban/industrial areas (DS3, Metro-Ethernet over copper/fiber, dark fiber leasing, etc.) and are usually covered by SLAs.
>
> And all the major telcos already have all of the above on a "separate" internet infrastructure, and even separate them out by customer so they can't talk to each other (unless they install a link between them, and only when requested). You can even get WAN links between providers that are P2P (a T1 from ATT in one location and a T1 from VZ in another, and they will be a direct link as far as your router on each end is concerned).
>
> This is the proper way to link internal systems that you can not link yourself. And if you're really paranoid you can even do VPN encryption over that, just in case someone actually takes the time to dig up copper/fiber and splice into it after somehow knowing which of the 1,000 pairs of copper/fiber is actually yours in the middle of a street.

Respectfully, $600/month is way, way too expensive for most industrial applications. I work in energy, and we use a tunnel to our VPN provided by cellular companies to link our hosting services to customer sites. It's closer to the realm of $40/month depending on the bandwidth of the connection. All of these options, and encryption, are plausible ways to sufficiently separate oneself from the public internet. I won't comment too much on my experiences with unsecured connections except to say that it is much worse than the summary says it is. These are the discovered devices only.
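One concrete shape for option 2 above (a per-site tunnel over a public carrier, like the cellular VPN described in the post just above), as an added example that is not part of the original thread or of any poster's setup: a WireGuard configuration pairing a field device on a cellular uplink with a hub on the hosting side. The key strings, addresses, hostname and subnet are placeholders, not values from the page.

```ini
# /etc/wireguard/wg0.conf on the FIELD DEVICE (cellular uplink, behind carrier NAT)
[Interface]
PrivateKey = <field-device-private-key>          # placeholder
Address = 10.200.0.12/32                          # placeholder tunnel address
# No ListenPort: the device only dials out, so nothing listens on the cellular side.

[Peer]
# The hub is the only peer this device will ever talk to.
PublicKey = <hub-public-key>                      # placeholder
Endpoint = vpn-hub.example.net:51820              # placeholder hostname
# Route only the hub and the hosting-side SCADA subnet through the tunnel, not 0.0.0.0/0.
AllowedIPs = 10.200.0.1/32, 10.50.0.0/24
# Carrier NAT drops idle mappings; keep the flow alive from the inside.
PersistentKeepalive = 25

# /etc/wireguard/wg0.conf on the HUB (hosting side)
[Interface]
PrivateKey = <hub-private-key>                    # placeholder
Address = 10.200.0.1/24
ListenPort = 51820

[Peer]
# One [Peer] block per field device. AllowedIPs pins the site to its single address,
# so a compromised site cannot source traffic as another site.
PublicKey = <field-device-public-key>             # placeholder
AllowedIPs = 10.200.0.12/32
```

The points a practitioner would check: the field device has no ListenPort, so nothing on the cellular interface accepts inbound packets; AllowedIPs on the hub pins each site to one address, so one compromised site cannot spoof another; and AllowedIPs on the device carries only the hosting subnet, not the whole internet. A tunnel only narrows who can reach the serial gateway's TCP ports. It does not add the authentication the summary says is missing on them, so the gateway still needs to be bound to, or firewalled to, the tunnel interface and have its own login enabled.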

Re:With "smart grid" or "smart cities" coming (1, Informative)

BitZtream (692029) | about a year and a half ago | (#43542965)

T1s are government regulated circuits with federal laws regarding uptime. They are never cheap, anywhere in the US, ever. They are considered vital infrastructure by law. The provider HAS to keep them working.

A T1 worth of bandwidth is cheap. A T1 is not.

No one will sell you an actual T1 local loop for $600 even if the end point is the room next door.

You're slinging around words you clearly don't actually use.

Re:With "smart grid" or "smart cities" coming (1)

Miser (36591) | about a year and a half ago | (#43545171)

Where do you live?

Here in Northern Ohio with AT&T, staying in the same CO, point-to-point T1s are $350/month at the 5-year contract rate. Month-to-month and lesser contracts are of course higher. Internet service on top of the T1 is, of course, higher. But if you just want 1.5Mbps from here to the other side of town (if the other side of town is served by the same CO, which around here it is) that's all there is to it as far as costs go.

Cheers,

Miser

Re:With "smart grid" or "smart cities" coming (1)

Shatrat (855151) | about a year and a half ago | (#43546475)

Yeah, I work for a telco and your T1 price is pretty high. Local loops are going to be half that, or less, I would say around $200 in most areas.
You're right about the uptime. Outages beyond a certain size or duration have to be reported to the FCC, and may attract a fine.

Re:With "smart grid" or "smart cities" coming (1)

thegarbz (1787294) | about a year and a half ago | (#43545205)

I don't think you're understanding the issue at hand. This isn't just a case of connecting networked devices to the internet; it's a whole level more boneheaded than that. The article is talking about putting interfaces designed purely for local physical access over the internet, interfaces often with no authentication which provide root access to the devices.

Any such legacy interface does not have a place in our "smart grid". If companies want to implement smart grid or remote monitoring then they should do it with current SCADA systems and using some approved means of remote access rather than attempt to roll their own... poorly.

Re:With "smart grid" or "smart cities" coming (1)

anorlunda (311253) | about a year and a half ago | (#43546353)

> Just saying "air gap it" is, I'm afraid, a trite solution that will not meet the "smart grid" requirement to adjust energy flows dynamically based on a mixture of large-area and local algorithms.

Statements like that make me mad. When you turn on a 100 watt light bulb 100 watts of power are dynamically rerouted to your house and the extra power needed is automatically added to the generation schedules of multiple remote power plants using a mixture of large-area and local algorithms. What's more, it has worked like that since the 1880s. How the f did you think it worked all your life?

A few charlatans hoping to pocket $100 billion of government handouts (while sharing none of the accountability for grid reliability) promoted this idea of smart algorithms to reroute power to where it's needed most. It's all bullshit.

Re:With "smart grid" or "smart cities" coming (1)

presidenteloco (659168) | about a year and a half ago | (#43557975)

Well, working in a multi-disciplinary smart grid r&d team, I certainly have noticed a culture clash between the traditional power engineers and the software "charlatans".

Your post does nothing to dispel that perception.

One difference between the grid of today and the smart grid is the smart grid will need "distributed intelligence" at the edges, not just the center, of the grid.
To accommodate a significantly larger component of distributed generation and storage, it will need attributes such as:
- bi-directional power flow in the distribution network, with cooperating local decisions as to how best to reroute power,
- control via digital demand-response signals (which are only suggestions, to be implemented with local discretion) to smart buildings / microgrids at the edges of the grid.

There will need to be a distributed orchestration of slow-acting energy balancing and optimizing systems (making balance feasible) with fast-acting power protection & control logic (reacting if balance is lost), and this orchestration will have to happen all over the place in the distribution network, not in one centralized distribution control center.

ICS? (2)

ArcadeMan (2766669) | about a year and a half ago | (#43542155)

Anyone else read the title as "Thousands of SCADA, Ice Cream Sandwich devices exposed through serial ports"?

Fearmongering at its best... (0)

Lumpy (12016) | about a year and a half ago | (#43542335)

News flash! If you open the SCADA boxes you have full access to them! That means over 200 trillion SCADA systems are easily hacked! Al Kidea is just itching to blow up the world due to this huge security breach of using COMMON SCREWS to keep the enclosures closed.

Re:Fearmongering at its best... (0)

Anonymous Coward | about a year and a half ago | (#43542421)

If you bothered to read the summary you would have seen that you do NOT need physical access to exploit this because the serial port is accessible from the internet.

Re:Fearmongering at its best... (1)

Lumpy (12016) | about a year and a half ago | (#43560953)

If you bothered to know anything about technology, you would understand that serial ports are NOT accessible from the internet unless some moron installs an RS232->Ethernet gateway device that is completely and poorly set up.

The problem is NOT serial ports, the problem is completely incompetent IT and CS people that are allowed to design and install SCADA systems.
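The exchange above turns on one question: does the RS232-to-Ethernet gateway demand a login before it bridges the serial line, or does it hand the line to whoever connects? The following is an added example, not code from HD Moore's Critical IO project or from anyone in the thread, of how an operator can check their own gateways. The port list and the prompt-detection strings are this example's own assumptions; the fake gateway and its banners (including the "PLC-01>" prompt) are constructed so the check runs offline.

```python
import socket
import socketserver
import threading

IAC = 0xFF  # telnet "Interpret As Command"; many gateways negotiate options on connect

# TCP ports that serial-to-Ethernet gateways commonly map to their serial channels.
# An assumption for this example; confirm the numbers in your vendor's manual.
SERIAL_PORTS = (2001, 2002, 4001, 4002, 10001)

# Substrings that mark a credential gate in front of the channel (heuristic, assumed).
LOGIN_MARKERS = (b"login:", b"username:", b"user name:", b"password:")


def strip_telnet_negotiation(data: bytes) -> bytes:
    """Remove IAC option negotiation so only real line output gets classified."""
    out = bytearray()
    i = 0
    while i < len(data):
        if data[i] != IAC or i + 1 >= len(data):
            out.append(data[i])
            i += 1
            continue
        cmd = data[i + 1]
        if cmd == IAC:                          # escaped literal 0xFF data byte
            out.append(IAC)
            i += 2
        elif cmd in (0xFB, 0xFC, 0xFD, 0xFE):   # WILL/WONT/DO/DONT <option>
            i += 3
        elif cmd == 0xFA:                       # SB ... IAC SE subnegotiation
            end = data.find(b"\xff\xf0", i + 2)
            i = len(data) if end < 0 else end + 2
        else:                                   # two-byte command (NOP, GA, ...)
            i += 2
    return bytes(out)


def classify_response(data: bytes) -> str:
    """'silent': only negotiation or nothing came back (inconclusive);
    'login_prompt': credentials are demanded before the line is bridged;
    'unauthenticated': a device prompt/banner/boot log came straight back."""
    payload = strip_telnet_negotiation(data).strip()
    if not payload:
        return "silent"
    if any(marker in payload.lower() for marker in LOGIN_MARKERS):
        return "login_prompt"
    return "unauthenticated"


def probe(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect, nudge the line with CR LF, collect output until the peer goes quiet."""
    chunks = []
    try:
        with socket.create_connection((host, port), timeout=timeout) as sock:
            sock.settimeout(timeout)
            sock.sendall(b"\r\n")
            try:
                while True:
                    chunk = sock.recv(4096)
                    if not chunk:
                        break
                    chunks.append(chunk)
            except socket.timeout:
                pass                            # peer kept the line open; use what we have
    except OSError:
        return "closed"                         # refused, unreachable or filtered
    return classify_response(b"".join(chunks))


def audit(host: str, ports=SERIAL_PORTS) -> dict:
    """Map each candidate serial-channel port on a gateway to its classification."""
    return {port: probe(host, port) for port in ports}


class _FakeGateway(socketserver.BaseRequestHandler):
    """Constructed stand-in for a gateway: send a banner, read one line, hang up."""

    def handle(self):
        self.request.sendall(self.server.banner)
        try:
            self.request.recv(1024)
        except OSError:
            pass


def start_fake_gateway(banner: bytes) -> socketserver.TCPServer:
    """Serve a fake gateway on a random loopback port so the probe runs offline."""
    server = socketserver.TCPServer(("127.0.0.1", 0), _FakeGateway)
    server.banner = banner
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


if __name__ == "__main__":
    # Constructed banners: one gateway gates the line, one hands a PLC console straight over.
    for srv in (start_fake_gateway(b"\xff\xfd\x18\r\nlogin: "),
                start_fake_gateway(b"\xff\xfb\x01\r\nPLC-01> ")):
        host, port = srv.server_address
        print(port, probe(host, port))
        srv.shutdown()
        srv.server_close()
```

Against a real gateway, `audit(host)` is the call; a result of "unauthenticated" on any port means the serial line answers with no login in front of it, which is exactly the configuration the summary describes. "silent" is inconclusive (some lines only speak when the attached device does), and a gateway that reports "login_prompt" on its management port but "unauthenticated" on a channel port is the split configuration Moore singled out. Run it only against equipment you are authorized to test.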

w00t) fp (-1)

Anonymous Coward | about a year and a half ago | (#43542577)

UsEd to. SHIT ON a full-time GNAA

It's Not the Systems (1)

Anonymous Coward | about a year and a half ago | (#43543995)

Having been an automation engineer since Allen-Bradley invented the PLC, I can tell you that the only wise assumption an integrator could make (and still does) is that all communications are insecure out of the box. Serial, TCP/IP, and the dozens of proprietary protocols all have strengths and weaknesses. The precautions to be applied are situational (risk, cost, flexibility, etc.).

A lot of the bugs and vulnerabilities that only in recent years have gotten much notice have been around since the beginning. Securing legacy automation platforms such as Step 5/7, ControlLogix, and MELSEC is different than in the IT world, owing to the limitations of the hardware.

That said, secure remote access to allow SCADA, ERP, and remote service/programming should always be in a diligent integrator's plans. VPNs, public key authentication, and access rights on the local machine all play a part. Some companies/agencies make the necessary investment. Most don't. Engineers and OEMs are not responsible for failure to secure. A Google Smart Car can still kill a pedestrian if it is programmed by an idiot or left open to hacking by incompetent administration.

Business demands remote, real-time management tools. Our job is to make them as secure as possible. The days of the stand-alone work cell air-walled in its little corner of the factory are long gone. We can't blame the hardware for the failure of engineering and management to implement proper security.

Legacy? Think again (2)

benro03 (153441) | about a year and a half ago | (#43545405)

Frequently I am called upon to work on a device remotely and the only way to access it without being constantly disconnected is through a service processor attached to a serial port or a serial port server. Proper troubleshooting involves being able to reboot a device without being disconnected, read the boot messages as they appear, and be able to access a maintenance or BIOS manager to fix it.

The security is there, it has to be properly implemented with a policy to follow and back it up. All of these do have security that at the very least is SSH (Cisco anyone?) and most times behind a firewall that is only accessible through a VPN. And even once you're VPN'd in, there is some form of authentication to go through to get to the serial device.

You can't call something legacy simply because it's been around for a long time. Legacy means that it's dropped out of widespread use and is only used in a few places, if at all. Is TCP/IP legacy? It was created in the early '70s, but it's not. Is UNIX legacy? Same thing, only it's older. Floppy disks? Yeah, that's legacy. CD-ROM? Not yet, but getting there. Water cooling? Yep - Nope, it's making a comeback. Serial port? Maybe on a laptop, but every enterprise-level device has some way to access the console away from Ethernet, and that invariably is serial.
