
Hackers Gain "Full Control" of Critical SCADA Systems

samzenpus posted about 9 months ago | from the protect-ya-neck dept.

Security 195

mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."


195 comments


frosty (-1, Offtopic)

Hognoxious (631665) | about 9 months ago | (#45932087)

Hope they're not in Australia, or the wallopers will be kicking in the door right about n.;l@~@@*&*
no carrier

Note the mention of insufficient entropy (1)

davecb (6526) | about 9 months ago | (#45932089)

I suspect the Siemens and Sietec people are now on a wide-ranging entropy hunt, probably along with the German Federal Security Service (:-))

These systems are a product liability nightmare (5, Interesting)

danheskett (178529) | about 9 months ago | (#45932101)

I've seen some of these systems and they are a total nightmare. Of course the worst are running Windows - totally unpatched, unmanaged, and out of control stock Windows desktop builds. The "best" of breed use Windows Embedded (or CE for older devices), but in general they are all still unpatched and unmanaged.

Another problem is that manufacturers don't really provide for ongoing maintenance. And of course they go out of business.

Re:These systems are a product liability nightmare (1)

Anonymous Coward | about 9 months ago | (#45932289)

True - However, most (I would hope, ours is at least) are behind a hardware firewall / VPN with pretty restrictive rules (no connecting backwards from the remote system into the central office, for example). That means that, barring some unknown remote exploit in the VPN box, the big bad 'internet' can't contact the unpatched systems.

Re:These systems are a product liability nightmare (0)

Anonymous Coward | about 9 months ago | (#45932505)

Updating them breaks things. Not updating them breaks things.

Re:These systems are a product liability nightmare (5, Insightful)

Anonymous Coward | about 9 months ago | (#45932999)

Updating breaks now with near certainty. Not updating breaks later with a lower probability. Easy choice,

Sad, but true.

Re:These systems are a product liability nightmare (2, Interesting)

Anonymous Coward | about 9 months ago | (#45932525)

The best thousand+ ton machinery I've seen was running Haskell code on the latest Linux kernel. So cool and up to date.

Re:These systems are a product liability nightmare (2)

Z00L00K (682162) | about 9 months ago | (#45932559)

In that case I wouldn't call it a zero day vulnerability, I would call it vulnerability due to incompetence.

Hack the systems and make them go down permanently by a hard disk low level format or corresponding. That would raise the security awareness more than a slashdot article.

Only case to have an unpatched server is when you are running it standalone with no possibility to install anything new on it without opening a padlock.

Re:These systems are a product liability nightmare (5, Interesting)

I_have_a_life (1582721) | about 9 months ago | (#45932937)

The problem isn't Windows (not sure if you are implying this or not). It's a convergence of factors which make patching systems a veritable nightmare in the process control systems.

1. The people who run the plant are trying to squeeze the maximum amount of yield from their plant. Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but these guys aren't listening to that.

2. These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry the cost of applying a single patch may run well into the millions of dollars because every change has to be meticulously audited.

3. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources.

4. There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it". No person involved in the industry wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce - untouched - for 20-30 years.

I have seen crazy things on plant floors. Control systems still running on Windows NT, operators sharing credentials, copying files from one system to another using thumb drives because the network does not allow file sharing.

Re:These systems are a product liability nightmare (5, Insightful)

dkf (304284) | about 9 months ago | (#45933325)

There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".

The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between. The DMZ can be locked down hard and updated carefully, and it doesn't need to ever hold systems that need careful certifying as it should never be in the control loop; just out of band monitoring.

Re:These systems are a product liability nightmare (4, Insightful)

cusco (717999) | about 9 months ago | (#45933617)

Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.
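Added example (not from the thread or any poster): a small audit of firewall connection logs that checks the layout dkf describes above, a control network that only pushes monitoring data out to a hardened DMZ collector and never accepts an inbound connection from anywhere, and that flags exactly the kind of cable-across-the-gap traffic cusco mentions. The zone ranges, collector address and port, and the log line format are constructed assumptions.

```python
import ipaddress
import re

# Constructed zone layout for this example; the addresses are assumptions,
# not anything from the thread.
ZONES = {
    "control": [ipaddress.ip_network("10.10.0.0/16")],   # PLCs, HMIs, SCADA servers
    "dmz":     [ipaddress.ip_network("10.20.0.0/24")],   # hardened box between the two firewalls
    "corp":    [ipaddress.ip_network("10.30.0.0/16")],   # central office / business network
}
# The single thing the control network may initiate: pushing monitoring data
# to the DMZ collector (out-of-band, never in the control loop).
MONITORING_COLLECTOR = (ipaddress.ip_address("10.20.0.10"), 5044)


def zone_of(ip):
    """Map an address to a zone; anything outside the three ranges is 'internet'."""
    addr = ipaddress.ip_address(ip)
    for name, nets in ZONES.items():
        if any(addr in net for net in nets):
            return name
    return "internet"


# Connection-initiation records in a constructed, firewall-neutral format.
LINE_RE = re.compile(r"src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+) dport=(?P<dport>\d+)")


def parse_line(line):
    """Return a flow dict for a connection record, or None for any other log line."""
    m = LINE_RE.search(line)
    if m is None:
        return None
    return {"src": m["src"], "dst": m["dst"], "proto": m["proto"], "dport": int(m["dport"])}


def evaluate(flow):
    """Decide whether one connection initiation respects the segmentation policy.

    Returns (allowed, reason)."""
    src_zone, dst_zone = zone_of(flow["src"]), zone_of(flow["dst"])
    # Nothing may initiate a connection into the control network, not even the DMZ.
    if dst_zone == "control":
        return False, f"{src_zone} initiated a connection into the control network"
    # The control network may only push to the monitoring collector.
    if src_zone == "control":
        target = (ipaddress.ip_address(flow["dst"]), flow["dport"])
        if dst_zone == "dmz" and target == MONITORING_COLLECTOR:
            return True, "control -> DMZ monitoring export"
        return False, f"control network reached out to {dst_zone} ({flow['dst']}:{flow['dport']})"
    # The DMZ must not connect back into the office network either.
    if src_zone == "dmz" and dst_zone == "corp":
        return False, "DMZ initiated a connection back into the corporate network"
    return True, f"{src_zone} -> {dst_zone}"


def audit(lines):
    """Run the policy over log lines; return (line_no, src, dst, dport, reason) per violation."""
    findings = []
    for line_no, line in enumerate(lines, 1):
        flow = parse_line(line)
        if flow is None:
            continue
        allowed, reason = evaluate(flow)
        if not allowed:
            findings.append((line_no, flow["src"], flow["dst"], flow["dport"], reason))
    return findings


# Constructed sample log: one legitimate monitoring push, a corporate host reaching a
# PLC, the DMZ box ssh-ing into the control net, a control host talking to the internet
# (the "cable across the gap"), a normal office-to-DMZ read, and a control-to-DMZ
# connection on the wrong port.
SAMPLE_LOG = [
    "2014-01-13T08:01:02 fw1 conn src=10.10.4.7 dst=10.20.0.10 proto=tcp dport=5044",
    "2014-01-13T08:01:09 fw2 conn src=10.30.2.15 dst=10.10.4.7 proto=tcp dport=502",
    "2014-01-13T08:02:41 fw1 conn src=10.20.0.10 dst=10.10.4.7 proto=tcp dport=22",
    "2014-01-13T08:03:05 fw1 conn src=10.10.4.7 dst=203.0.113.9 proto=tcp dport=443",
    "2014-01-13T08:03:30 fw2 conn src=10.30.2.15 dst=10.20.0.10 proto=tcp dport=443",
    "2014-01-13T08:04:12 fw1 conn src=10.10.4.7 dst=10.20.0.10 proto=tcp dport=22",
    "2014-01-13T08:05:00 fw1 ruleset reloaded",
]

if __name__ == "__main__":
    for line_no, src, dst, dport, reason in audit(SAMPLE_LOG):
        print(f"line {line_no}: {src} -> {dst}:{dport}: {reason}")
```

The policy is written around who initiates the connection, which is the property the double-firewall layout is meant to guarantee: a reply packet from the control network to the DMZ is fine, a SYN from the DMZ into the control network is not. Running the audit over the real firewall's connection log, rather than trusting the ruleset, is what catches the cable somebody pulled across the gap.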

Re:These systems are a product liability nightmare (3, Insightful)

frisket (149522) | about 9 months ago | (#45933507)

This is by no means unique to SCADA systems: I think most people here recognise the symptoms in many fields.

The people who run the plant are trying to squeeze the maximum amount of yield from their plant.

Very laudable. That's their job.

Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour.

That cost should have been factored into the financials from Day 1. It's usually omitted by managers and accountants because with it, their projections wouldn't look as good.

Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price.

Bear in mind that the cost of not upgrading may be the end of the company.

In Economics 1.0, business students get taught that the primary objective of the corporation is to make a profit. Most managers believe this. Wrong. The primary objective of the corporation is to assure continuance, even if that means a couple of years of losses from time to time.

Failing to recognise this is usually among the early symptoms of eventual failure.

Re:These systems are a product liability nightmare (1)

cusco (717999) | about 9 months ago | (#45933539)

Most of the endpoint devices that I've seen use either Linux (old, unpatched versions) or something akin to Tron or DOS. Management clients are often Windows, and they're unpatched and unmanaged because they're not on the normal Corp network so IT doesn't have access to them. The actual SCADA management system is normally hosted on some flavor of Unix, at least in the power and water industries.

i hope people with SCADA systems learned. (5, Informative)

Gravis Zero (934156) | about 9 months ago | (#45932107)

do NOT connect SCADA systems to the internet.

Re: i hope people with SCADA systems learned. (4, Funny)

paugq (443696) | about 9 months ago | (#45932145)

The air gap is not the solution. Proper isolation, firewalling and virus/malware is.

Re: i hope people with SCADA systems learned. (0)

Gravis Zero (934156) | about 9 months ago | (#45932217)

The air gap is not the solution. Proper isolation, firewalling and virus/malware is.

wrong. if you don't want someone altering your system, you make it completely inaccessible. in the age of compromised security systems, firewalls and "proper isolation" are just pesky things to slow down/dissuade most hackers. if it's a state sponsored hack attack (NSA or China), then you are going to get slammed until they find a way in.

Re: i hope people with SCADA systems learned. (4, Funny)

Billly Gates (198444) | about 9 months ago | (#45932303)

To prevent piracy and sales of used SCADA, these require internet access to stay activated. We wouldn't want to deprive income now, would we?

Re: i hope people with SCADA systems learned. (0)

Anonymous Coward | about 9 months ago | (#45932405)

Why not just use a cryptographic dongle? And when the company goes under talk to these guys [endlessvisions.com] to have the need to have a dongle removed.

As an aside, this *appears* to be the same guy that wrote Raw Copy for the Amiga back in the day.

Re: i hope people with SCADA systems learned. (5, Interesting)

aaarrrgggh (9205) | about 9 months ago | (#45932365)

The problem with making some of these systems inaccessible means they have almost no real functionality at that point. Using the Tridium JACEs as an example, the whole point of them is the network, and to exchange information in higher level protocols.

In the old days we separated systems and interfaces between systems with relays and analog i/o. While it worked then, now we have 100x points (many diagnostic rather than control) and it just isn't practical. Today's practical solution would be the SCADA as primary, with a lot of hard-wired safety interlocks. The problem is there really is a shortage of people that can troubleshoot those things, so it is likely to be disabled within 5-10 years, or once needs change.

Proper security is hard, and when 80% of it is in a black box provided by a (adversarial) third party, this is what you get.

Re: i hope people with SCADA systems learned. (1)

pacman on prozac (448607) | about 9 months ago | (#45932853)

You can make it accessible without putting it on the public Internet.

A lot of the companies who run SCADA devices will already have some form of MPLS WAN, most providers can give you DSL links onto that network rather than Internet. Lets you reach the device but doesn't let the rest of the world.

Or if that's not an option then stick a cheap VPN endpoint in front of it and run the comms over IPsec.

Re: i hope people with SCADA systems learned. (1)

Z00L00K (682162) | about 9 months ago | (#45932633)

Don't forget that you now and then see ads that are infected.

Makes me wonder how many ad servers that serves ads with a hidden bomb that we haven't seen yet because it waits for the right conditions.

Re: i hope people with SCADA systems learned. (2)

paugq (443696) | about 9 months ago | (#45933863)

It seems you have little knowledge of the SCADA world. The air gap is an illusory security. Iran's nuclear plants had SCADA computers air gapped from the IT network. It did nothing: a USB, a CD, a virus infecting an update to your very SCADA software, etc will bring you back to reality.

Re: i hope people with SCADA systems learned. (4, Interesting)

clovis (4684) | about 9 months ago | (#45932259)

Proper isolation? If by proper isolation you mean an air gap, then OK, I agree.

"Proper firewalling" is a pipe dream. If you have a firewall, then you have external access and a vulnerability right there.
Whatever port you have open is an access point, and thus a vulnerability.
Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance.
And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

"virus/malware"? I suppose you mean anti-virus/malware. There is no such thing as 100% effective anti-virus/malware software. They are not even close.
Keep in mind that the anti-virus software in itself is a vulnerability.

Re: i hope people with SCADA systems learned. (1)

aaarrrgggh (9205) | about 9 months ago | (#45932379)

An air gap just limits the remote attack capability, and is fairly easy to defeat with local access. At every level you need to limit the attack surface.

Re: i hope people with SCADA systems learned. (1, Insightful)

fisted (2295862) | about 9 months ago | (#45932389)

What use is an air-gapped machine? How do you communicate, how do you control it? Build your own physical network infrastructure (preferably with blackjack and hookers)?

Re: i hope people with SCADA systems learned. (1)

ebno-10db (1459097) | about 9 months ago | (#45932499)

What use is an air-gapped machine? How do you communicate, how do you control it?

As hard as it may be to remember these days, it is possible to communicate without the Internet (especially when that communication need only be local).

Re: i hope people with SCADA systems learned. (1)

fisted (2295862) | about 9 months ago | (#45932905)

As hard as it may be to remember these days, it is possible to communicate without the Internet

We're talking about systems here, not intersocial communication.
 
If you air-gap a machine, then you need to hire people to maintain the machine locally. This just does not scale.

especially when that communication need only be local

For instance?

Re: i hope people with SCADA systems learned. (0)

Anonymous Coward | about 9 months ago | (#45933097)

If you air-gap a machine, then you need to hire people to maintain the machine locally. This just does not scale.

Sure it does. Just because it doesn't scale the way you think it should, doesn't mean it doesn't scale. It may cost them more to hire more people, but if that cost is less than what it might cost if their system is compromised, then things are good.

Re: i hope people with SCADA systems learned. (3, Insightful)

Ol Olsoc (1175323) | about 9 months ago | (#45932831)

What use is an air-gapped machine? How do you communicate, how do you control it?

So we ran these machines with no control or communication before the interwebz?

If you want to run these things on the internet, they will be hacked.

Re: i hope people with SCADA systems learned. (1)

reboot246 (623534) | about 9 months ago | (#45933663)

You speak the truth. I know a natural gas company right now that is installing a SCADA system. Why do they think they need it? I don't know, but I can tell you that they are a small system and don't need such a system. They operated for decades just fine without it. I think sometimes shiny new technology blinds managers to reality.

Re: i hope people with SCADA systems learned. (4, Informative)

ebno-10db (1459097) | about 9 months ago | (#45932473)

"Proper firewalling" is a pipe dream. ...Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance. And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

I think some people used to "conventional" IT don't appreciate how unrealistic it is "properly configure" (in terms of security) every box on a SCADA network. A typical network consists of a plethora of different types of boxes, with different OS's (often just RTOS's, which are usually not that security conscious), and all sorts of configuration, testing and latency requirements that go beyond what's needed in normal IT. Think in terms of making sure that robot arm doesn't smash into anything after your latest security update. Also, these boxes aren't, and realistically can't be, monitored all the time by checking log files and so forth.

A similar situation occurs in aircraft, including military aircraft. I assure people there aren't firewalls or other security provisions between various avionics boxes. The big concern is reliable, error free and low latency communications between boxes. It's bad news if an actuator/sensor for a flight control surface has trouble, or takes too long, to talk to the main fly-by-wire system. Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

Want security? Don't connect to the Internet.

Re: i hope people with SCADA systems learned. (1)

Cley Faye (1123605) | about 9 months ago | (#45932319)

The air gap is not the solution. Proper isolation, firewalling and virus/malware is.

No. Firewalling, virus protection, malware detection... all these techniques can be flawed, either by design, because of oversight...
It is acceptable for most systems (because these issues get fixed after a while), but for a SCADA system you don't want a zero-day to be exploitable *at all*. Your system can have a ton of backdoors/vulnerabilities/exploits; if it can't be reached by any other means than physical access they are not an issue.

Re: i hope people with SCADA systems learned. (1)

whoever57 (658626) | about 9 months ago | (#45933805)

if it can't be reached by any other means than physical access they are not an issue.

Tell that to the people running centrifuges in Iran. Their machines were air-gapped, but they still fell victim to Stuxnet.

Re: i hope people with SCADA systems learned. (0)

Anonymous Coward | about 9 months ago | (#45932747)

Why does a SCADA system need access to the interwebs?

Re: i hope people with SCADA systems learned. (1)

Ol Olsoc (1175323) | about 9 months ago | (#45932835)

Why does a SCADA system need access to the interwebs?

So they can update their Facebook pages?

Re: i hope people with SCADA systems learned. (1)

sumdumass (711423) | about 9 months ago | (#45933123)

So they can be monitored and administered from a central office 2000 miles away by a few employees at a location which houses all the accountants, sales reps, and so forth that the companies rely on in order to maintain production levels. This allows them to drastically reduce the costs of administering them, as a T1 connection is about 1/10 or less of the cost of one of several IT staffers that would be required to maintain them with local-only access. And much cheaper than the travel and housing expenses of transporting central IT employees to the sites.

Another reason is that some SCADA systems aren't actually purchased. They are sort of rented and need to contact a server in order to validate their installs and operate periodically. This happens when there is a yearly or some sort of fee associated with the devices. It seems the more you spend on devices, the more common this seems to be. Even in the software world, I watched a company spend over $20k on a hospitality management suite in order to manage about 100 rentals, and they had to purchase a license yearly for around the same amount in order to keep using it. One year, I blocked internet access to it through a change in the firewall rules months before the renewal process, and it couldn't update its license and stopped working for half a day before I figured out what happened. The only reason it ever needed internet access was specifically to update its license once a year when the contract was renewed. Credit card processing happened on the phone lines using POTS through the PBX until the phone system got replaced and they changed to an entirely different system offering free in-country phone calls to all guests.

Re: i hope people with SCADA systems learned. (1)

schwit1 (797399) | about 9 months ago | (#45933197)

Then use a VPN. This allows remote access without internet access.

Re: i hope people with SCADA systems learned. (1)

sumdumass (711423) | about 9 months ago | (#45933293)

As long as the other end you are needing to contact will use one too, this is viable. However, that isn't always the case or possible. VPNs can also be exploited and defeated. If one machine that is allowed in the VPN becomes compromised, the entire security model of a VPN is defeated. It really is a lot more complicated than doing one thing.

Re: i hope people with SCADA systems learned. (1)

frisket (149522) | about 9 months ago | (#45933541)

This allows them to drastically reduce the costs of administering them, as a T1 connection is about 1/10 or less of the cost of one of several IT staffers that would be required to maintain them with local-only access.

Until someone cracks their way in. Then the falsity of this economic model is exposed.

Another reason is that some SCADA systems aren't actually purchased. They are sort of rented and need to contact a server in order to validate their installs and operate periodically.

This can be done over something other than the Internet, as several people have explained.

Re: i hope people with SCADA systems learned. (1)

sumdumass (711423) | about 9 months ago | (#45933603)

Until someone cracks their way in. Then the falsity of this economic model is exposed.

Sure, but when it was developed, this entire threat was pretty much non-existent in reality. That has changed but the model hasn't exactly caught up yet. That is why exposure and working on it needs to happen.

This can be done over something other than the Internet, as several people have explained.

Sometimes it can be and sometimes it cannot be done. The problem is actually having both sides participate in doing so, which isn't always the case or even possible to some degree. Anything can be done if the technology permits it, but if the manufacturer or some piece in the necessary puzzle doesn't participate, then you are screwed into doing something else. And even when it can be done, all it takes is a compromised machine inside the network in order to undo anything related to securing the systems.

Re:i hope people with SCADA systems learned. (1)

StripedCow (776465) | about 9 months ago | (#45932485)

And do not allow USB-sticks or other media to be inserted into these systems.

Re:i hope people with SCADA systems learned. (0)

Anonymous Coward | about 9 months ago | (#45933119)

If someone's dumb enough to have auto-run on USB then I doubt they would do anything else related to the security properly.

Re:i hope people with SCADA systems learned. (2)

Ol Olsoc (1175323) | about 9 months ago | (#45932799)

do NOT connect SCADA systems to the internet.

Not bloody likely. We're expanding, with lots of home surveillance systems, and coming soon, the "internetted" automobile.

The great thing is that nothing can go wrong with this sort of stuff.....

Re:i hope people with SCADA systems learned. (1)

satuon (1822492) | about 9 months ago | (#45932983)

Can't they put a computer before them, that requires SSL/TLS connections, and authenticates any socket before forwarding it to the SCADA computer? A proxy, so to speak.
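Added example, not from the thread or any poster: a minimal version of the authenticating proxy suggested above, in Python, using mutual TLS so that the TLS layer itself rejects any client that does not present a certificate issued by the operators' CA, plus an allow-list of certificate CNs so that the socket to the SCADA host is only ever opened for enrolled operators. The file paths, addresses, port numbers and CNs are assumptions.

```python
import socket
import ssl
import threading

# All paths, addresses and names below are assumptions for this example.
LISTEN_ADDR = ("0.0.0.0", 8502)                  # where remote operators connect over TLS
SCADA_ADDR = ("10.10.4.7", 502)                  # the SCADA host; reachable only from this proxy
CA_FILE = "/etc/scada-proxy/operators-ca.pem"    # private CA that issued operator client certs
SERVER_CERT = "/etc/scada-proxy/proxy.pem"
SERVER_KEY = "/etc/scada-proxy/proxy.key"
ALLOWED_OPERATORS = {"operator-01", "operator-02"}   # certificate CNs allowed through


def build_server_context(ca_file=CA_FILE, cert=SERVER_CERT, key=SERVER_KEY):
    """TLS 1.2+ server context that refuses any client without a cert from our CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED      # handshake fails without a valid client cert
    ctx.load_verify_locations(ca_file)
    ctx.load_cert_chain(cert, key)
    return ctx


def peer_common_name(peer_cert):
    """Pull the CN out of the dict that SSLSocket.getpeercert() returns."""
    for rdn in (peer_cert or {}).get("subject", ()):
        for attr, value in rdn:
            if attr == "commonName":
                return value
    return None


def is_authorized(peer_cert, allowed=ALLOWED_OPERATORS):
    """Second gate after the CA check: only enrolled operator CNs may reach the SCADA host."""
    cn = peer_common_name(peer_cert)
    return cn is not None and cn in allowed


def pump(src, dst):
    """Copy bytes one way until either side closes, then tear both sockets down."""
    try:
        while True:
            data = src.recv(4096)
            if not data:
                break
            dst.sendall(data)
    except OSError:
        pass
    finally:
        for sock in (src, dst):
            try:
                sock.shutdown(socket.SHUT_RDWR)
            except OSError:
                pass
            sock.close()


def handle_client(tls_conn):
    """Runs after a successful handshake; the SCADA socket is opened only for authorized CNs."""
    if not is_authorized(tls_conn.getpeercert()):
        tls_conn.close()
        return
    backend = socket.create_connection(SCADA_ADDR, timeout=10)
    backend.settimeout(None)
    threading.Thread(target=pump, args=(backend, tls_conn), daemon=True).start()
    pump(tls_conn, backend)


def serve(listen_addr=LISTEN_ADDR):
    ctx = build_server_context()
    with socket.create_server(listen_addr) as srv:
        while True:
            raw, _peer = srv.accept()
            try:
                tls_conn = ctx.wrap_socket(raw, server_side=True)   # handshake happens here
            except OSError:      # ssl.SSLError is a subclass: missing or untrusted client cert
                raw.close()      # the SCADA host is never contacted
                continue
            threading.Thread(target=handle_client, args=(tls_conn,), daemon=True).start()


if __name__ == "__main__":
    serve()
```

The proxy authenticates who is on the socket; it does not understand the protocol it forwards, so the SCADA host still has to be firewalled to accept connections from the proxy alone, and the proxy itself is now the exposed, patched-and-monitored port that clovis's "whatever port you have open is an access point" applies to.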

Re:i hope people with SCADA systems learned. (2)

istartedi (132515) | about 9 months ago | (#45933451)

do NOT connect SCADA systems to the internet.

Do have employees running around in trucks to check things, or actively monitoring larger systems that need constant attention. Do charge customers more money to support those extra employees. Do make decisions based on daily dumps from mag tapes somebody drove over to the central office. Note, I'm not saying that's a bad idea. I'm just pointing out the trade. I bet a lot of things were done like that up into the 1980s. I have personally driven mag tapes from one office to another. It helped me earn spending money for when I went back to school. Maybe we fix the employment problem and the security problem by dialing back technology just a bit?

Stuxnet (0)

Anonymous Coward | about 9 months ago | (#45933923)

do NOT connect SCADA systems to the internet.

That didn't help Iran against Stuxnet which jumped the air gap via USB keys. The US DoD got hit in a similar fashion with their air gap.

What you're suggesting helps, but is no guarantee.

These issues have been flagged for 10 years (2, Insightful)

msobkow (48369) | about 9 months ago | (#45932121)

These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.

Re:These issues have been flagged for 10 years (5, Informative)

Anonymous Coward | about 9 months ago | (#45932201)

It's not about sympathy, it's about the effective destruction of our entire infrastructure without dropping a single bomb. The first sign that China or Russia is at war with us will be all our utilities and factories going dark. This is everyone's concern.

Re:These issues have been flagged for 10 years (1)

M0HCN (2981905) | about 9 months ago | (#45932371)

Most of these things can be taken to at least a semi-manual mode of operation (it might require more people out on the floor manually tweaking things), but I suspect that most of these systems are actually simple enough on a local level that a good tech team with screwdrivers and a set of schematics can fairly quickly get the PLCs out of circuit and some switches and pots and meters wired in (most systems have switches on things like pumps and switchgear labelled along the lines of auto-off-manual already); worst case a laptop, a CAN card and use CANoe or CANalyzer to talk to the valves and inverters directly.

Doing this does of course then depend upon having enough process engineers who really understand the plant to be able to run it with a board full of switches (and few if any interlocks) rather than letting the computer handle the details; this is probably the real issue, as keeping such people on staff is expensive and is the reason you went heavily computerised in the first place. Getting management sign-off could also be a problem: boards with billion-pound assets like to hire consultants before letting the local on-site guy fiddle with the flow rates and heat levels on the refinery heavy oil cracker without any interlocks.

There are of course systems that need the computer support, but even things like power stations (yes, even the nuclear ones) actually do not strictly need it, for all that bringing a set on line without it may require getting some people out of retirement to demonstrate the trick to it, and running without the computers would probably require emergency permission to violate all sorts of regs.

Damaging? Of course.
Disaster? Only if you cannot find the people who can deal with the loss of PLC support or if the attack causes the PLCs to damage the plant before the humans can step in.

The other major issue here is that while the SCADA controls may be more or less homogeneous (lots of Siemens stuff out there), the systems they are controlling are anything but, so a broad attack would probably be able to take the automation offline or change set points at random, but you could not easily write an attack to, say, cause the grid frequency to try to rise to 400 Hz, because there are far too many variations in the physical connections between the PLCs and the rest of the plants out there.

The scary thought is that it is not an attack on the SCADA running the pumps and power that would be really damaging so much as one of the machines running say the stock exchanges, repairs to some damaged pipes, boilers and transformers might take a few years and cost a few billion, repairs to the confidence in the financial system after some banker has diddled the risk models to ignore the sub prime lending risks.......

Regards, Dan.

Re:These issues have been flagged for 10 years (1)

ebno-10db (1459097) | about 9 months ago | (#45932527)

repairs to the confidence in the financial system after some banker has diddled the risk models to ignore the sub prime lending risks.......

That confidence was destroyed by the financial system itself several years ago. Considering what the financial scam artists got away with, I don't see how hackers could make it any worse. By contrast, water and power actually work.

Re:These issues have been flagged for 10 years (4, Interesting)

ThreeKelvin (2024342) | about 9 months ago | (#45933273)

I ran a part of the process plant by hand during the commissioning phase for the last automation project I was on. Working together with an operator I could barely keep up with one fifth of full capacity for four hours and we were both completely drained afterwards.

The complexity of modern process plants is mind-boggling to people who haven't seen them - and even when they've seen them they don't understand that all the valves, pumps, heat exchangers, etc., around them are doing a finely choreographed ballet behind the scenes. The manpower needed for running a process plant by hand is in the neighborhood of 10-20 times that of running an automated plant, and even then the throughput will be less and the quality of the resulting product lower.

Re:These issues have been flagged for 10 years (2)

gmuslera (3436) | about 9 months ago | (#45932535)

If you use jelly as the basement of your house, it is your fault that the house is unstable. Putting, and approving to put, critical infrastructure directly accessible on the open internet, that can have present or future vulnerabilities, is bordering on criminal behaviour. Those people should be the first in line to be jailed, and now, not when something bad happens.

And remember, the one that started with big-scale "war" has been the US. Don't start a war of breaking glass if your entire house is made of (especially fragile) glass.

Re:These issues have been flagged for 10 years (1)

sumdumass (711423) | about 9 months ago | (#45933247)

Putting, and approving to put, critical infrastructure directly accessible on the open internet, that can have present or future vulnerabilities, is bordering on criminal behaviour.

Let's stop being overly dramatic and think about reality. When a lot of these systems were placed in the open, the entire thought of exploiting them was pretty much non-existent. It's like the early Microsoft security models that completely missed the communications implications of the internet, and the reason why after Windows 98 they started, rather unsuccessfully I might add, working on improving the security. Windows XP started getting some of it right with a built-in firewall but still had glaring flaws in IE, allowing root login as a primary desktop and in some cases requiring it for popular software to function correctly, and other portions of it.

The bottom line is that nothing involved with how we got where we are is borderline criminal unless you consider not knowing the future to be criminal. Now that we do know, we have to make a competent cost effective plan to address and limit the implications and bringing the information about the security risks and potentials for exploitation to the front is the start of that plan. If everything was fixed today, in 20 years, something else will crop up and we will be having the same discussions about things that weren't even envisioned at the time we implemented the changes to secure the older systems.

Re:These issues have been flagged for 10 years (1)

gmuslera (3436) | about 9 months ago | (#45933433)

Since the 90's I've seen every internet connection constantly scanned for open ports, vulnerabilities, and common software with flaws. And when something had a known (maybe not by you, but by the exploiter) vulnerability, and was interesting enough (profit, fun, proof of concept, following a political agenda or whatever) it was exploited. It is not the 90's anymore, the whole internet can be scanned in 45 minutes [zmap.io] (and there are scans ready to use [scans.io] if you don't want to spend any time); if something can be used, it will be. If you put the key to operate a critical system on a busy street or a shopping mall and a kid turns it causing chaos, it was negligence on your part or on the part of the one that ordered you to do so.

Too bad the NSA is too busy checking what can be exploited by them (and planting backdoors every time they can, especially in foreign critical systems) instead of warning about and fixing what can be exploited by others. Can't blame others if you do the same as them.

Re:These issues have been flagged for 10 years (1)

sumdumass (711423) | about 9 months ago | (#45933707)

Interesting you mention a kid causing chaos. Ever hear of a molly guard and how it got its name?

Negligence is not criminal though. That was the point of my comment. Negligence that happened in the past without advance knowledge of the future cannot be criminal. It can be short-sighted, stupid, clumsy and a number of other things, but not criminal. Many of these exposed systems were developed before the 90's and switched to using the internet during the 90's to save costs. Many of these systems were put into use using industry standards which did not catch up to the level of knowledge about the pitfalls you have today. I still see companies with sensitive customer information using WIFI with WPA type encryption because it was industry standard when implemented.

After the Snowden debacle, it isn't entirely certain that many of the other secure industry standards are exactly secure any more either. In 10 years, we will be having the same discussion about companies who continue using products that just work because they just work, before realizing that everything about them is easily exploitable.

As for the NSA, I can blame others. To take the position otherwise would seem to validate the NSA doing what they did. I don't want to be in that position. But in keeping things realistic, we cannot blame companies who have entire switching hardware and gateways with NSA or other back doors in them because the multi-million-dollar investment was industry standard at the time of install and we just now find there might be issues with it. Eventually, through discussion about the dangers and perhaps a few incidents, it will be replaced with more industry standard equipment and procedures, and we will end up having the same discussions in the future.

Re:These issues have been flagged for 10 years (2)

lennier (44736) | about 9 months ago | (#45933709)

When a lot of these systems were placed in the open, the entire thought of exploiting them was pretty much non existent.

Only "non-existent" to people who weren't thinking and weren't paying attention to the literature. There had been a LOT of academic warnings back to the 1970s about the potential security problems of interconnected networks. Heck, the entire genre of cyberpunk science fiction in the 1980s - Neuromancer was 1984 - didn't come out of thin air but was based around the then-current academic discussions of the security problems of the early Internet. The first IBM PC virus [wikipedia.org] was 1986, the Morris Worm [wikipedia.org] was 1988, pretty late in the game.

Yes, it wasn't headline gossip-reality-show news like it is today - but industrial control designers? In the 1990s? Nope, there's no excuse. They were definitely in a position to know, should they have bothered to care.

Re:These issues have been flagged for 10 years (4, Insightful)

Billly Gates (198444) | about 9 months ago | (#45932277)

These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.

MSOBKOW this is your boss.

What do you mean it is a security risk to put this on the internet? Everyone else has no problem doing this and I never heard of anyone being hacked. Like a billion dollar company would ever design such a thing when an internet connection is required to stay activated. Are you telling me that firewall you said we needed doesn't make it impenetrable?! Why can't you secure it? Do I need to hire someone who will?

Re:These issues have been flagged for 10 years (1)

tlambert (566799) | about 9 months ago | (#45932341)

Why can't you secure it? Do I need to hire someone who will?

Yes. Yes you do. And when they fail, you should know that my contract rate for you, with the negative discount, is $500/hour, in hour increments.

Re:These issues have been flagged for 10 years (1)

Endloser (1170279) | about 9 months ago | (#45932331)

I too have zero sympathy for those who get taken over. But the citizens it puts at risk are a different story.

Some of them expose to the internet via VNC... (5, Informative)

M0HCN (2981905) | about 9 months ago | (#45932183)

At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....

The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!

Ahh, the things you can do in reasonable time with 100Gb/s of bandwidth; the resulting slides at the closing event (which is where I ran across it) were very, very scary.

SCADA on the internet is a really, really bad thing.

73 M0HCN. :wq

Re:Some of them expose to the internet via VNC... (1)

gmuslera (3436) | about 9 months ago | (#45932569)

You can scan the entire internet in less than an hour by now. And there are databases [scans.io] of open ports on all of it already if you want to save that hour. If it is critical, it should not even be visible on the internet.

Re:Some of them expose to the internet via VNC... (1)

satuon (1822492) | about 9 months ago | (#45932995)

What's interesting is, why is news of anyone actually exploiting those vulnerabilities so rare? It seems even though the vulnerabilities are there, nobody is exploiting them.

Re:Some of them expose to the internet via VNC... (2)

doesnothingwell (945891) | about 9 months ago | (#45933037)

Some of them are not real. I sometimes start a virtual machine with VNC wide open on 5800 and use a DOD emblem for wallpaper.

I've found hackers trying ports 5802 and when I tracert them I get a weird 2900ms delay leaving the last US hop at San Diego headed to the Orient.

Re:Some of them expose to the internet via VNC... (1)

M0HCN (2981905) | about 9 months ago | (#45933099)

Yea honeypots can be amusing to run sometimes.
The scary thing is that I suspect that some of them are real, and for a state actor the honeypots are not a big deal!

Exploits are rare for three reasons: firstly, there is little profit to be had as a non-state actor, no obvious opportunity to profit in a way that doesn't attract a drone strike; secondly, to actually do anything really interesting with these systems requires a level of familiarity with the tools and languages which is rare enough that these systems are seldom the low-hanging fruit for script kiddies; thirdly, nobody is going to fess up in public to having had their chemical plant hacked, the regulators' response would be a nightmare.

Regards, Dan.

Just wait for what comes next (2)

Gim Tom (716904) | about 9 months ago | (#45932227)

SCADA systems are bad enough, but the push to "THE INTERNET OF EVERYTHING" should make it far more interesting for everyone.

I remember, far back in the late 1960s, when a popular DJ on a local radio station joked for everyone on a particular Interstate leading into the city to "CHANGE LANES". I was on that road and an amazing number of people did. With TIOE the cars can just do the lane change without having to tell the drivers to do it! Of course most of the drivers did make sure that the lane they were moving to had room for them. I doubt that will be the case next time.

Re:Just wait for what comes next (3, Interesting)

maxwell demon (590494) | about 9 months ago | (#45932285)

Indeed, thinking of the smart grid, you could probably get the grid down by issuing a command to sufficiently many household appliances to switch on at the very same time. Those will be even less protected than the power stations, because "who would want to attack my dishwasher?"

Re:Just wait for what comes next (1)

Gim Tom (716904) | about 9 months ago | (#45932585)

Good point. The soft undefended target is the ripe target.

Another Tao of math: For Electrical Engineers imaginary numbers are real.

Re:Just wait for what comes next (1)

Ol Olsoc (1175323) | about 9 months ago | (#45932871)

Indeed, thinking of the smart grid, you could probably get the grid down by issuing a command to sufficiently many household appliances to switch on at the very same time. Those will be even less protected than the power stations, because "who would want to attack my dishwasher?"

New Jersey's Governor will be able to more tightly focus his retribution efforts. Instead of old school shutting down lanes of traffic, he'll be able to turn off the electricity to every registered Democrat.

SCADA on one side (0)

Anonymous Coward | about 9 months ago | (#45932301)

Embedded XP running all those banking ATMs on the other.

2014 will likely prove very interesting for the "Internet of things".

Why the hell (1)

no-body (127863) | about 9 months ago | (#45932327)

are those systems connected to the Internet?

Plain stupidity or folks managing those don't know what this Internet stuff is?

Re:Why the hell (3, Insightful)

M0HCN (2981905) | about 9 months ago | (#45932491)

Because actually it is really very operationally useful, and USEFUL in normal use trumps security EVERY SINGLE TIME.

Consider something simple like a public building heating control system; this is probably a modest PLC from the usual suspects. Now if I am the poor sap in charge of the building systems (nightmare, been there, done that), and the thing alarms at say 2100 on my day off, I have a choice:
I can go in and clear the (often but not always) unimportant problem, takes me an hour to get there and I was on my way in to see a show when it went off, or I can log in over the internet from my phone, see that the problem is that the number two AHU intake filter is showing high backpressure, clear the alarm and make a mental note to replace the filter next time I am in.
Same thing if the office phone up wanting me to change the setpoint on the air in the art gallery because some conceptual art is made of butter and is tending to melt (I kid you not, really happened).

Remote access to these systems is USEFUL, and nobody considers security until it bites them.

Further plant engineers still think in terms of 'ladder logic' which is essentially logic consisting conceptually of relays and coils and the connections between them, they are not by and large networking folk, and plugging the plc into a port on the external side of the firewall makes everything work where plugging it in inside the firewall makes the remote control not work properly....

Regards, Dan.

Re:Why the hell (1)

ebno-10db (1459097) | about 9 months ago | (#45932655)

Point taken, but I think the appropriate security/convenience tradeoff needs to be assessed for different situations. Messing up a building's HVAC is going to wreak a lot less havoc than messing up water, power or sewage systems.

I also have a question. How is connection between PLC's to the Internet handled for such things? Is the PLC directly connected (probably a very bad idea) or is it through a computer that can be used as a firewall?

Re:Why the hell (2)

M0HCN (2981905) | about 9 months ago | (#45932795)

Security/convenience tradeoff? You try explaining that to a building contractor sometime!

As to the interfacing, it depends, sometimes it is a direct link to the plc, sometimes the plc talks CAN or RS485 or such to a windows xp box which runs a web gateway... I personally think the first option is likely more secure, especially when the machine in the corner of the plant room is found by the local security guard to be a good place to browse porn sites and download videos on the night shift (It happened, and I bet we were not the first, I found out when we got a phone call from the ISP about something on our network abusing port 25 outbound).

Generally security is not mentioned in the contracts for the installation of this stuff, and is at best an afterthought by non-specialist developers; the effectiveness of this is left as an exercise for the reader.

Note also that the support contract with the installer often specifies that no software is to be installed on the user control computer except by their engineers (Who might come out once a year and then forget to do it) and this includes updates for security fixes.

73 Dan.

Re:Why the hell (2)

Ol Olsoc (1175323) | about 9 months ago | (#45932899)

Point taken, but I think the appropriate security/convenience tradeoff needs to be assessed for different situations. Messing up a building's HVAC is going to wreak a lot less havoc than messing up water, power or sewage systems

True. Although there might be some business reasons to do so. Imagine making your competitor's HVAC systems go down during important meetings, or in the dead of winter before a big deadline. And considering that we live in a country where American on American attacks are political gold: http://www.latimes.com/nation/la-na-christie-bully-20140111,0,3128420.story#axzz2qD3vqu1x [latimes.com]

No, I think this is an untapped market of Screwing With Your Competition.

Re: Why the hell (0)

Anonymous Coward | about 9 months ago | (#45932517)

Systems Control AND Data Acquisition. How to acquire data from an air-gapped computer with all the ports plugged with epoxy? I guess you gotta stare at the monitor.

unlocked doors (2)

markhahn (122033) | about 9 months ago | (#45932337)

These systems are the moral equivalent of leaving your door not just unlocked but ajar. It doesn't change the morality of anyone trespassing to steal or destroy, but it does make the owner much more culpable. We do not face a threat to our cyber-infrastructure, but rather have irresponsibly left the infrastructure unprotected, and should not be surprised that people of varying motives might take advantage.

We do not need a cyber-infrastructure police force, unless they're actually tiger teams who publicly shame the idiots who leave their systems unprotected...

The Internet of Things (2)

RotateLeftByte (797477) | about 9 months ago | (#45932351)

Could someone a lot wiser than me please explain why we need to connect everything and anything to the internet?
I expect the hackers are rubbing their hands with glee at the prospect of being able to hack all sorts of things. Imagine all the havoc they could cause by making all the freezers in a country suddenly defrost.

Frankly, I think this drive to connect everything is totally misguided.

 

Re:The Internet of Things (2)

LoRdTAW (99712) | about 9 months ago | (#45932401)

Cost.

Why pay a person to stay on site or make periodic visits to maintain equipment or change settings when a few people can do it remotely? It does sound convenient but it opens a whole can of worms as any one anywhere on earth can potentially wreak havoc on your low cost maintenance systems.

Re:The Internet of Things (1)

ebno-10db (1459097) | about 9 months ago | (#45932579)

That's not the whole answer. First, there were remotely monitored and controlled systems before the Internet (though I'm not sure how the various links were implemented). Second, I suspect that the convenience, or perceived convenience, may be as important as cost. Lastly, anything you can't connect to the Internet seems outdated (whether or not the connection is a good idea).

Re:The Internet of Things (1)

Lumpy (12016) | about 9 months ago | (#45932767)

Not Cost.

Profit.

Please do not confuse the two as Profit has a higher driving force than Cost does.

Re:The Internet of Things (1)

RotateLeftByte (797477) | about 9 months ago | (#45933419)

Have you never heard of Firewalls and VPN's?
As part of my job I login to sites all over the world via VPN (actually two VPN's). None of the systems I connect to are visible on the internet. Good job too.
Putting all sorts of devices directly on the Internet, as all those IPv6 advocates are so fond of reminding us that there is plenty of address space to do, is just stupid and will eventually cost a lot of lives. Perhaps it will take a major catastrophe to wake people up to the dangers of doing this.

Having been involved with computer networks since 1974, I feel that some of these 'connect everything' advocates need to be taken outside and given a good seeing to, in the hope of making them see sense.

Re:The Internet of Things (1)

fisted (2295862) | about 9 months ago | (#45932415)

That's typically because fully air-gapped machines are terribly useful, unless they inherently do not need to communicate for the task they are doing. For example .... uh.

Re:The Internet of Things (1)

fisted (2295862) | about 9 months ago | (#45932417)

eh and that should ofc read 'terribly useless'

Re:The Internet of Things (1)

ebno-10db (1459097) | about 9 months ago | (#45932601)

unless they inherently do not need to communicate for the task

Unless they inherently do not need to communicate beyond the local network.

for example .... uh

Most SCADA systems. There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy.

Re:The Internet of Things (3, Insightful)

Lumpy (12016) | about 9 months ago | (#45932761)

It is trivial to make a "one way, unhackable" ethernet connection to export data to an unsafe network device.

You have a machine on the SCADA network with TWO network cards. One connects to another PC on the insecure network via an ethernet cable with ONLY the TX wires connected, no RX lines. Set both to a static IP and then UDP broadcast your information from the secure PC to the insecure one.

There is no hacker or security expert on this planet that can hack that connection and gain access to the SCADA system. Unless they found a way around physics or can teleport things with their mind.

http://www.stearns.org/doc/one-way-ethernet-cable.html [stearns.org]

The problem is most places refuse to hire educated IT staff with experience in security. They want low cost MCSE holders that can barely do their job at the lowest cost possible.

If updates to SCADA software are needed ("most are not in reality") you use write-once media such as a DVD or BluRay created on a machine that has nothing to do with the SCADA system and based on an OS that is drastically different, to further reduce the chances of homogeneous OS infection vectors. If it's important, then the files are inspected byte by byte on a security computer designed to look for infections and injection. Then after full and careful inspection you apply the updates.

THIS is how you run a critical system SCADA network. And 99% of them out there are not run this way, as the people in charge of it have zero education in security, let alone networking and IT.

Re:The Internet of Things (1)

fisted (2295862) | about 9 months ago | (#45932911)

Administration of said machine is a staff-intensive mess then.

Re:The Internet of Things (0)

Anonymous Coward | about 9 months ago | (#45932567)

Getting design files, software updates, etc. onto production machinery can probably be done fairly easy with USB sticks (though they might also be infected). But MRP wants live updates of widgets-made, and the MRP system is accessed by people with a poor grasp of network security, such as accountants.

No thanks (1)

PPH (736903) | about 9 months ago | (#45932673)

I'm already creeped out by how much a Nest Thermostat [engadget.com] looks like HAL 9000.

Re:The Internet of Things (0)

Anonymous Coward | about 9 months ago | (#45933321)

Any Sysadmin or Programmer with a hint of intelligence can smell the BS on "The Internet of Things" from 10 miles away, downwind, on a rainy day.

"How does connecting my toaster to the internet help my business?"

Good business managers can smell the BS, too.

But like any good automotive car salesman, you need to sell something to make a living. The way you do that in the IT industry is you come up with some grand general pie-in-the-sky bullshit and see how many skin-eating blood-sucking flies you can attract to give you venture capital, then go off and see who you can make feel insecure enough or sucker into buying your bullshit.

In the 90's it was websites and E-everything commerce. In the 2000's it was wearable computing, tablet computing, everything through a phone line remotely, wireless internet, "Thought Leadership", "Information Silos", etc. In the 2010's now it's the "cloud" and the "internet of things".

And when people call them on the bullshit, they start making the lies bigger, because the bigger the lie the more people tend to believe it, at least at first glance. And once you have them debating you can pick off the suckers.

Change control on SCADA is usually a nightmare waiting to happen; you back them up, put safety protocols in place so when they error out nobody dies and the damage is minimal, and run it. You run those systems on a separate network, and if they need to be hooked into automated systems, you double-encrypt the connection (stack the devices at either end) and use a 1-way proxy.

The companies that hook SCADA to the internet deserve it when some 16 year old kid goes and kills someone with a hot pot of iron or shuts their systems down and blows out power relays all over the plant for shits and giggles. They really, really do; if you can't even be bothered to put up proper signage you deserve it.

The scary part (1)

gmuslera (3436) | about 9 months ago | (#45932581)

people and companies with big salaries and/or contracts still putting critical systems on the open internet. And that will keep their salaries, contracts and continuing to do so even after this is exploited.

Re:The scary part (1)

Lumpy (12016) | about 9 months ago | (#45932699)

It's because they hire management that are dumb as boxes of rocks or a small salad bar. Educated managers are not wanted, only ones that can schmooze.

article lies (0)

Anonymous Coward | about 9 months ago | (#45932605)

"researchers" are not hackers.....like it claims what a crock a shit ....
time to ask the nsa to stop pretending and fuck the hell off

DUH. (4, Insightful)

Lumpy (12016) | about 9 months ago | (#45932695)

Almost ALL of us that have had to deal with SCADA knew this was possible. Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.

SCADA systems need to be airgapped completely from any network other than their own. Boo hoo to the company that needs to buy a second set of computers for the employees to get email on. The SCADA computers are to be used ONLY for SCADA systems.

100% of the security failures lie at the feet of the managers of these facilities. Until we start beating them with sacks of doorknobs nothing will change. And yes, the SCADA infections via USB drives are the fault of management. Allowing the use of USB or any other device that has not been secured and low-level formatted before use on a known clean machine is the fault of management.

All USB ports should be disconnected or physically inaccessible via lock and key to users.

Re:DUH. (1)

bill_mcgonigle (4333) | about 9 months ago | (#45932741)

Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.

How does this not drive their insurance premiums through the roof? It should, and it's not, so something is broken in the process.

Do they have government protection from liability?

Re:DUH. (1)

zippthorne (748122) | about 9 months ago | (#45933057)

Why can't they do it the way that satellites do - all control operations are sent encrypted.

Re:DUH. (1)

dkf (304284) | about 9 months ago | (#45933359)

Why can't they do it the way that satellites do - all control operations are sent encrypted.

Because the SCADA vendor probably had encryption as an option that you had to pay extra for, and management wanted to chisel another few bucks off the setup costs.

Network communication is too high function (1)

Marrow (195242) | about 9 months ago | (#45932821)

Maybe these systems don't actually need all the bells and whistles of networking to communicate their state. Maybe an output-only serial communications solution would be perfect for some of these systems. They can alert when they have a problem without exposing a bi-directional communications channel through TCP/IP. In fact, you could even cut the pins on the serial and guarantee that nothing comes in. It's the ultimate one-way firewall.
I'm not saying that all of the systems can run this way, but I bet many of them can.
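
Lumpy's TX-only UDP export (comment #45932761 above) and Marrow's output-only serial link both describe a data diode, and both leave out the part a defender has to get right: on a link where the receiver can never ask for a retransmission, each frame must itself reveal loss, corruption and replay before anything downstream acts on it. The following is an added example, not any commenter's code; the frame layout, the shared key, the tag names and the readings are constructed for illustration.

```python
"""Framing for telemetry pushed over a one-way (transmit-only) link.

Each frame carries a sequence number (so gaps show up at the receiver)
and an HMAC-SHA256 over header+payload (so a forged or corrupted frame is
dropped rather than trusted). Everything below is a constructed example.
"""
import hashlib
import hmac
import json
import struct
from typing import Optional

MAGIC = b"DIOD"               # constructed frame marker
HDR = struct.Struct("!4sQI")  # magic, 64-bit sequence number, payload length
TAG_LEN = 32                  # HMAC-SHA256 digest size


def build_frame(key: bytes, seq: int, readings: dict) -> bytes:
    """Sender side: serialise readings, prepend header, append HMAC tag."""
    payload = json.dumps(readings, sort_keys=True).encode()
    header = HDR.pack(MAGIC, seq, len(payload))
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class DiodeReceiver:
    """Receiver side on the untrusted network: validates, tracks gaps."""

    def __init__(self, key: bytes):
        self.key = key
        self.expected_seq: Optional[int] = None
        self.lost = 0      # frames that never arrived (no way to re-request them)
        self.rejected = 0  # malformed, bad tag, or replayed/out-of-order

    def accept(self, frame: bytes) -> Optional[dict]:
        if len(frame) < HDR.size + TAG_LEN:
            self.rejected += 1
            return None
        magic, seq, plen = HDR.unpack_from(frame)
        if magic != MAGIC or len(frame) != HDR.size + plen + TAG_LEN:
            self.rejected += 1
            return None
        body, tag = frame[: HDR.size + plen], frame[HDR.size + plen :]
        expected_tag = hmac.new(self.key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(expected_tag, tag):
            self.rejected += 1      # forged or corrupted: never parse it
            return None
        if self.expected_seq is not None:
            if seq < self.expected_seq:
                self.rejected += 1  # replay or reordering: refuse stale data
                return None
            self.lost += seq - self.expected_seq  # count the gap, if any
        self.expected_seq = seq + 1
        return json.loads(body[HDR.size:])


def send_udp_broadcast(frame: bytes, port: int = 5005) -> None:
    """Push one frame onto the TX-only cable (not invoked in the demo)."""
    import socket
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.setsockopt(socket.SOL_SOCKET, socket.SO_BROADCAST, 1)
        s.sendto(frame, ("255.255.255.255", port))


def demo() -> dict:
    """Simulate one lost frame, one tampered frame and one replayed frame."""
    key = b"constructed-shared-key"
    rx = DiodeReceiver(key)
    frames = [build_frame(key, i, {"AHU2_filter_dp_pa": 180 + i}) for i in range(5)]
    delivered = [frames[0], frames[1], frames[3], frames[4]]  # frame 2 lost in transit
    tampered = bytearray(frames[4])
    tampered[HDR.size] ^= 0x01                                # flip a payload byte
    delivered.append(bytes(tampered))
    delivered.append(frames[1])                               # replay of an old frame
    accepted = [r for f in delivered if (r := rx.accept(f)) is not None]
    return {"accepted": len(accepted), "lost": rx.lost, "rejected": rx.rejected}


if __name__ == "__main__":
    print(demo())  # {'accepted': 4, 'lost': 1, 'rejected': 2}
```

The `lost` counter is the operational signal a one-way design needs: the secure side can be told to re-send only through a separate, equally one-way alarm path, never by the receiver talking back.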

Re:Network communication is too high function (0)

Anonymous Coward | about 9 months ago | (#45933585)

Nope: Scada buses are typically master/slave query/response

Lets over react (1)

AbrasiveCat (999190) | about 9 months ago | (#45933127)

Let's get the media to overreact. That will be fun: more government rules, more government oversight. I know we have multiple "SCADA" systems on my site, except most of them aren't control, they are monitoring. (Oh my! The B4-12 SquareD power meter is reading too low!! That group's power bill will be too low next month.) The other LAN-connected SCADA systems on site, that I know of, would fail safe. The worst you could do is cause some experiments to fail. Part of the power of PLCs these days is having them on a LAN. (Who wants the IP of one of our PLCs? I'll give you a hint, it is on the 10. network.) Oh, and do slap the folks that have true control systems open on the Internet with addressable IPs that could fail in a dangerous way.

why are these things connected to the internet? (1)

csumpi (2258986) | about 9 months ago | (#45933529)

what moron would hook these things straight to an internet connection? in the private sector, stuff like this would get you fired on the spot.