Beta
×

Welcome to the Slashdot Beta site -- learn more here. Use the link in the footer or click here to return to the Classic version of Slashdot.

Thank you!

Before you choose to head back to the Classic look of the site, we'd appreciate it if you share your thoughts on the Beta; your feedback is what drives our ongoing development.

Beta is different and we value you taking the time to try it out. Please take a look at the changes we've made in Beta and  learn more about it. Thanks for reading, and for making the site better!

Bugs In SCADA Software Leave 7,600 Factories Vulnerable

timothy posted about 7 months ago | from the about-that-skeleton-key dept.

Bug 70

mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.

Sorry! There are no comments related to the filter you selected.

SoylentNews.org Tor Hidden Services: (-1)

Anonymous Coward | about 7 months ago | (#46667529)

SoylentNews (this page): http://7rmath4ro2of2a42.onion/ [7rmath4ro2of2a42.onion]
Development Site: http://skgmctqnhyvfava3.onion/ [skgmctqnhyvfava3.onion]
Wiki: http://kvs3xgkasyoqd4hx.onion/ [kvs3xgkasyoqd4hx.onion]
Site Status: http://kvs3xgkasyoqd4hx.onion/ [kvs3xgkasyoqd4hx.onion]

Minnowboard Max: Open-Source Computer from Intel (-1)

Anonymous Coward | about 7 months ago | (#46667541)

Intel Releases $99 "Minnowboard Max," An Open-Source Single-Board Computer

http://slashdot.org/submission... [slashdot.org]

##

"Not to be outflanked by rivals, Intel has released the $99 Minnowboard Max, a tiny single-board computer that runs Linux and Android. It is completely open source - you can check out the firmware and software here(1) - and runs a 1.91GHz Atom E3845 processor."

http://www.minnowboard.org/mee... [minnowboard.org]

http://newsroom.intel.com/comm... [intel.com]

http://techcrunch.com/2014/04/... [techcrunch.com]

(1) http://www.minnowboard.org/ [minnowboard.org]

Re:Minnowboard Max: Open-Source Computer from Inte (1)

K. S. Kyosuke (729550) | about 7 months ago | (#46668595)

Yes, but does it run SCADA?

Re:Minnowboard Max: Open-Source Computer from Inte (1)

allaunjsilverfox2 (882195) | about 7 months ago | (#46671283)

Yes, but does it run SCADA?

It appears that openSCADA would. (http://openscada.org/downloads/)

They all use WIndows 7 anyway (4, Interesting)

Billly Gates (198444) | about 7 months ago | (#46667577)

It is a good thing they all use Windows 7 with updates turned by default and are all disconnected from the internet. With a good understanding management mixed in who care about this more than their reports from IE 6 this is not a problem.

Re:They all use WIndows 7 anyway (3, Insightful)

davester666 (731373) | about 7 months ago | (#46667607)

I believe at this point in time, researchers should only shout out about their vulnerability testing of SCADA software if they DON'T find buckets of basic, serious flaws.

At this point in time, it's like shooting fish in a barrel. Every company with their SCADA system connected to the internet should get daily fines of a percentage of their worldwide revenue.

Re:They all use WIndows 7 anyway (2)

symbolset (646467) | about 7 months ago | (#46667671)

It is thinking like this that fuels my insomnia.

Re:They all use WIndows 7 anyway (2)

invictusvoyd (3546069) | about 7 months ago | (#46667687)

We ended up finding over 1,000 bugs in 100 days.'"

For say $10 per bug, that $100 a day :) . Wow wondoze is profitable for everyone! yay!

Oh! I Say! Shocking ! (1, Funny)

golodh (893453) | about 7 months ago | (#46667863)

I mean ... I had always understood that SCADA vulnerabilities were caused by amateurish system design (connecting SCADA systems to the Internet using cheapo consumer-grade routers, without precautions like stealth, VPN's, whitelist callbacks, etc.) and shoddy system management (factory default passwords, obvious passwords, dictionary passwords, no passwords).

And now this! In some cases the actual software seems to have security holes too. Shocking, shocking, shocking!

Re:Oh! I Say! Shocking ! (3, Interesting)

Lumpy (12016) | about 7 months ago | (#46668501)

SCADA systems NEVER EVER get connected to the internet, not ones that are properly installed by competent engineers.

Re:Oh! I Say! Shocking ! (4, Informative)

Hamsterdan (815291) | about 7 months ago | (#46668671)

"not ones that are properly installed by competent engineers."

Depends how management (bean counters, PHBs and MBAs) listens to said engineer. You'd be surprised what stupid (and not even cost-cutting in the long term) decisions companies will make to save a dime tomorrow. The biggest Telco in Canada used (not so long ago) to deploy its wireless routers with only WEP and *NO* admin password on the device, even if WEP was broken about 10 years ago.

It's not like they don't have any competent tech people, but having worked there, yes, that's the kind of stupid decisions management will take.

Re:Oh! I Say! Shocking ! (0)

Anonymous Coward | about 7 months ago | (#46668981)

Oh, the engineers didn't connect it...

stupid managers, on the other hand, will.

Re:Oh! I Say! Shocking ! (0)

Anonymous Coward | about 7 months ago | (#46670453)

AMEN. There are ways to establish a VPN type connection for sending alarms to maintenance people, in an outgoing manner, so you don't have a server sitting out there, waiting to get exploited.

Re:Oh! I Say! Shocking ! (1)

mspohr (589790) | about 7 months ago | (#46670691)

I don't believe that Iran's SCADA systems were connected to the Internet but were infected anyway by a compromised Windows machine (Stuxnet) which was used to transfer the program to the SCADA system.
From the Wikipedia STUXNET page: The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update; this led to the worm spreading to an engineer's computer that had been connected to the centrifuges, and spreading further when the engineer returned home and connected his computer to the internet.

Re:Oh! I Say! Shocking ! (2)

Mousit (646085) | about 7 months ago | (#46671005)

If only. Come be a utility in Texas, where ERCOT (the state-wide electric utility authority) seriously considered making their push notification system be Internet-only. As in, you HAD to connect your SCADA system to the Internet (even if through an intermediary server in a DMZ) to be able to receive the (required, if you wanted to be licensed and in business) control signals from ERCOT. Thankfully, for once, the backlash was so bad ERCOT actually listened to it and backed off that plan. That's exceedingly rare.

Or backed off kinda-sorta anyway. They still have a dual setup, you can receive either via Internet or via private frame-relay between ERCOT's site and yours. We of course opted for the latter, heavily secured and sanitized through multiple hops, but nonetheless that does still mean we have an external connection into our SCADA system, not air-gapped, though I will grant you it doesn't connect to the Internet at large (we hope; who knows what the fuck ERCOT does on their end). And we MUST have it, if we want to actually operate as a licensed utility in Texas. And Texas is FAR from alone in having this bureaucratically-created shit for operating requirements. These types of enforced setups are nationwide.

That is the sad, stupid state of affairs we live in today.

Re:Oh! I Say! Shocking ! (1)

Dare nMc (468959) | about 7 months ago | (#46671041)

>SCADA systems NEVER EVER get connected to the internet
Easy for the clueless to say. But often not connecting a SCADA system (through a firewall) to the internet has more payoff than risk. Worked in a factory with 24 hour operations, having a competent engineer on staff at all times just isn't practical (good engineers don't like to work off shifts, just in case.) So when the meat of the operations go down costing $1000's a hour, allowing the system to be troubleshoot remotely without waiting for a hour drive in for the closest engineer, is more valuable than the risk of being targeted by a hacker who compromised a PC on the network.

Re:They all use WIndows 7 anyway (0)

Anonymous Coward | about 7 months ago | (#46667879)

Updates turned on and disconnected from the Internet? Why are people modding up this nonsense?

Re:They all use WIndows 7 anyway (0)

Anonymous Coward | about 7 months ago | (#46668205)

Updates turned on and disconnected from the Internet? Why are people modding up this nonsense?

It was modded as interesting by people who probably didn't get the joke. Personally, I find that paradox quite interesting, I'd like to know how it is made to work.

Re:They all use WIndows 7 anyway (2)

l0n3s0m3phr34k (2613107) | about 7 months ago | (#46668343)

SUS server that it gets updates from?

Re:They all use WIndows 7 anyway (0)

Anonymous Coward | about 7 months ago | (#46669395)

Connecting an industrial control system to a SUS server that is itself connected to the Internet adds one hop. It is not safe.

Re:They all use WIndows 7 anyway (1)

louzer (1006689) | about 7 months ago | (#46667897)

You underestimate the power of software to jump airgaps. Imagine spreadsheets bringing down, everything.

Re:They all use WIndows 7 anyway (2)

Jaktar (975138) | about 7 months ago | (#46669143)

The bugs are in the Centum CS 3000 software that controls the SCADA system, not Windows.

When these systems were first being introduced, there were multiple competing standards on design and everything was proprietary. That model hasn't really changed. Some manufacturers, like ABB, do offer an upgrade path to transition from an older model to a newer model. If you wanted to transition from one manufacturer to another though, you're SOL. So, if you bought into a system that is now defunct, you'll have to reprogram your entire process from scratch. If the toolsets are different (and they will be, it was all proprietary) then you're going to have a bad time. That's why ancient systems are still running, bugs and all.

Re:They all use WIndows 7 anyway (1)

mspohr (589790) | about 7 months ago | (#46670713)

And as STUXNET shows, it's trivially easy to compromise Windows (all versions) and thereby compromise the SCACA system.

Yay! (1)

DrPBacon (3044515) | about 7 months ago | (#46667617)

Who's hiring?

Re:Yay! (0)

Anonymous Coward | about 7 months ago | (#46667941)

Insurance companies. No, just kidding.

"Windows" (0, Funny)

Anonymous Coward | about 7 months ago | (#46667655)

Well I stopped reading right there.

Factories are vulnerable. (2, Insightful)

Anonymous Coward | about 7 months ago | (#46667741)

Why did you need factories with direct connections to the internet anyway? Seems like an easy way to have shit go bad to worse.

Re:Factories are vulnerable. (0)

Anonymous Coward | about 7 months ago | (#46667903)

There is a need for the owners to control and monitor the plant remotely.

Re:Factories are vulnerable. (0)

Anonymous Coward | about 7 months ago | (#46667935)

Well that's wrong. The owners should play golf while someone on-site controls and monitors the plant.

Re:Factories are vulnerable. (1)

geogob (569250) | about 7 months ago | (#46668479)

And why would you need internet for this?

Re:Factories are vulnerable. (1)

hjf (703092) | about 7 months ago | (#46670735)

Because this is 2014 and we don't use leased lines anymore.

Re:Factories are vulnerable. (1)

geogob (569250) | about 7 months ago | (#46675431)

I beg to differ. For critical applications where down time costs millions, I would use a dedicated line. I'd even consider a dial-in modem interface rather than an Internet connexion. I'd even rethink remote monitoring. Is it really needed? But connecting critical applications to the Internet, especially when you have hardware requirering old OS verions that are full of holes and unsupported, is playing with fire.

Re:Factories are vulnerable. (1)

hjf (703092) | about 7 months ago | (#46676407)

I'm talking about mobile.

And I sincerely doubt there are "7600" (as the article states) "CRITICAL" applications. If you ever connect to the vulnerable ones, chances are they will be a small factory no one cares about.

There is nothing wrong with remote MONITORING, as it happens to be just that: MONITORING. It's not about remotely controlling a process. It's about "the boss" seeing some dumb parameters (production counters). All logic should run in the PLC. Control sould be performed locally, through HMIs. You have to walk 150M inside the factory to set the oven's temp a little lower? Good. It's your job. The boss isn't interested in doing that from his phone.

Re:Factories are vulnerable. (1)

sjames (1099) | about 7 months ago | (#46671127)

Give them a busybox. I doubt they'll know the difference.

Re:Factories are vulnerable. (1)

l0n3s0m3phr34k (2613107) | about 7 months ago | (#46668345)

so Skynet can easily re-purpose them to make weapons to destroy us, why else?

Re:Factories are vulnerable. (0)

Anonymous Coward | about 7 months ago | (#46668503)

Because the guy who maintains the software doesn't like to drive in at 3am to make a small change. (Really)

Incompetent programming in a bad language (4, Insightful)

Animats (122034) | about 7 months ago | (#46667775)

The code:

for ( i = 0; v3 != '\n'; ++v2) // Dangerous loop, copying data to a stack buffer, until an end of line is found
{ if ( v3 == '\r' ) break;
*(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without having destination size into account.
v3 = *(_BYTE *)(v2 + 1);
++i;
}

The company that let that code out the door should be sued for gross negligence, and managers fired. That's not the only example; they failed to do basic checks at least three times. This isn't a subtle bug. This is failing C Programming 101.

(Several times, I've tried to convince the C standards committee to put a "strict mode" [animats.com] in the language and move towards a form of C that's resistant to buffer overflow problems. Maybe I should try again.)

C - now with over thirty years of buffer overflows.

Some can some shouldn't (1)

chuckugly (2030942) | about 7 months ago | (#46667895)

Some people can't be trusted with pointy tools and should only eat with a spoon, but I still want a knife and fork as well. Many people are capable. For the rest, they have Java.

Re:Some can some shouldn't (1)

DamonHD (794830) | about 7 months ago | (#46668129)

Hmm, I prefer Java over C and assembler because although I can write highly stable and secure code in C/asm, the effort to sustain the required level of paranoia and navel-gazing is for most code better directed elsewhere to visible benefits. I write code that actually has respected security crazies and bank auditors telling me to lighten up a bit, yes really!, but I'm still perfectly capable of making a mistake.

However, I'm inclined to think that whoever wilfully lets code out the door without appropriate bounds checking and incredible scrutiny of all input should face some kind of punishment.

(I dislike C++ because it combines the traps of C/asm with some novel ones of its own, but fools programmers into thinking that they are in a safe programming environment... Yes, I did a lot of C++ design and coding in mission-critical applications too!)

Rgds

Damon

Re:Some can some shouldn't (1)

sjames (1099) | about 7 months ago | (#46671135)

Some operations are never the right answer, such as trusting input not to overrun the buffer.

Re:Incompetent programming in a bad language (1)

mean pun (717227) | about 7 months ago | (#46668019)

Nice idea that is long overdue, but perhaps a better way to get this accepted is to implement this in a real high-profile compiler such as llvm/clang.

I'm afraid, however, that the Real Men Don't Need Bound Checks mentality that is prevalent among C programmers will be a big obstacle.

Re:Incompetent programming in a bad language (1)

Animats (122034) | about 7 months ago | (#46668055)

I'm afraid, however, that the Real Men Don't Need Bound Checks mentality that is prevalent among C programmers will be a big obstacle.

I've run into that. Usually from second-rate programmers. Programmers who think that way should be put them on maintenance programming for a while. Have them debug program crashes in code written by others.

Re:Incompetent programming in a bad language (0)

Anonymous Coward | about 7 months ago | (#46668025)

Hard to agree with this code today, but we don't know when it was written. Thirty years ago it might have seemed kosher.

Re:Incompetent programming in a bad language (0)

Anonymous Coward | about 7 months ago | (#46668117)

(Several times, I've tried to convince the C standards committee to put a "strict mode" [animats.com] in the language and move towards a form of C that's resistant to buffer overflow problems. Maybe I should try again.)

Better yet, maybe you should try to understand why C holds the position it does and that your recommendation would not help it at all.

Re:Incompetent programming in a bad language (4, Informative)

AmiMoJo (196126) | about 7 months ago | (#46668185)

That looks like library code that the compiler generated. Maybe some kind of strcpy variant. As I'm sure you are aware strcpy does not check buffer sizes, but without knowing the context it is used in it is hard to say how bad this problem is.

What you have to keep in mind is that this software was written for Windows 98. Windows 98 doesn't even have filesystem permissions or any real user segregation. There is no firewall by default. Chances are it would be running on some industrial equipment anyway, not connected to an external network. Yes, it uses UDP, but that is actually quite a common technique for processes on the same machine to communicate, or devices within a single piece of industrial equipment. We don't have enough context to know.

I write software for embedded systems. I'm talking microcontrollers, not Windows based. The products I make are complex, but have very few computing resources because they have to run for 10 years on a couple of AA batteries. 16k ram is a luxury. I know that if someone decided to hack one they could do, easily. No through incompetence, through a deliberate decision not to compromise other aspects for extra security. Yeah, we could set up encryption keys on the comms protocol, but then we would need to get the minimum wage morons who deploy these things to understand how to install and use them. We have enough problems already. And no, we can't employ better people, our customers are the ones doing the deployment. They demand features like being able to send a completely unauthenticated text message from a standard phone to a device installed somewhere and have it execute those commands.

So I imagine in this case it is a closed system, never designed to be connected to a network where it could be attacked with malformed UTP packets. The system has been tested and found to be stable because it never generates such packets itself. The real morons are the ones who tried to network it, presumably against Yokogawa's recommendations.

This is commercial reality. Just like your car has a massive vulnerability where the passenger can reach over and yank the wheel and cause an accident the manufacturer probably figured that people ignoring their recommendations wasn't their problem.

Re:Incompetent programming in a bad language (1)

Hamsterdan (815291) | about 7 months ago | (#46668569)

"but then we would need to get the minimum wage morons who deploy these things to understand how to install and use them. We have enough problems already. And no, we can't employ better people, our customers are the ones doing the deployment."

So, the minimum wage morons *are* your customers?

Re:Incompetent programming in a bad language (0)

Anonymous Coward | about 7 months ago | (#46668573)

What you have to keep in mind is that this software was written for Windows 98.

It was originally written for Windows 98. Current versions run on XP.

Re:Incompetent programming in a bad language (0)

Anonymous Coward | about 7 months ago | (#46670655)

software engineer that used to work in remote telemetry space confirms -- I wrote code that could not only run from a text message somebody composed on their motorola razr, but had a command that would let the RTUs rebroadcast and relay the command to their peers. *Our* slightly better than min wage techs wanted a command that would rebroadcast to all "local" company machines, including across clients...

Crypto and authentication was not only removed from the spec, but we were instructed not to implement any form of it by management.

The SCADA space is fucking terrifying.

Re:Incompetent programming in a bad language (1)

mspohr (589790) | about 7 months ago | (#46670749)

As STUXNET has proven, you don't have to have a SCADA system connected to the Internet to get infected. STUXNET infected Windows machines which were used to program the SCADA system. Internet->Windows->SCADA. You only need to be connected once to get infected (kind of like STDs).

Re:Incompetent programming in a bad language (0)

Anonymous Coward | about 7 months ago | (#46670941)

so fix all these issues and release a new model and sell it for 10 times as much for the non-morons

Re:Incompetent programming in a bad language (1)

Animats (122034) | about 7 months ago | (#46674433)

That looks like library code that the compiler generated. Maybe some kind of strcpy variant.

Read the analysis of the code. It's not. It is, however, decompiled assembly code; the people doing the analysis don't have access to the source.

What you have to keep in mind is that this software was written for Windows 98.

Irrelevant. This code is vulnerable on any OS that lets it get UDP packets.

We don't have enough context to know.

Read the actual vulnerability report. There's enough context there.

The real morons are the ones who tried to network it, presumably against Yokogawa's recommendations.

You have to assume today that if it has an Internet-accessable interface, an attacker will find a way to get to it from the public Internet. Because, in practice, attackers do.

"Low Skill" (2)

Tablizer (95088) | about 7 months ago | (#46667779)

The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs.

"That's okay, only high-skilled hackers are interested in our operations." - PHB

Say HELLO to the Internet (0)

Anonymous Coward | about 7 months ago | (#46667815)

now that you have come out from under your rocks.

By the way, we have security for you, at a price.

KaChing!

"IBM PC/AT compatibles" should be warning enough (2)

Trax3001BBS (2368736) | about 7 months ago | (#46667835)

"IBM PC/AT compatibles" being an old term for a PC

"The Human Machine Interface (HMI) of CENTUM CS 3000 is general-purpose PCs (IBM PC/AT compatibles), running Windows 2000 and Windows XP. Windows 2000 and Windows XP have superb networking functions, and OPC for interfacing with supervisory computers are standard – so supervisory computers can easily access the process, and you can optimize your company at the enterprise level. In addition to OPC for communicating between PCs, we can also provide communication with UNIX machines and the like."

XP has Data Execution Prevention (DEP), WK2 doesn't, every exploit listed was a buffer overflow; which DEP is there to prevent. http://en.wikipedia.org/wiki/D... [wikipedia.org]

"CENTUM CS 3000 is a key part of most of Yokogawa’s Enterprise Technology Solutions, and features:
    Open environment for optimizing the whole enterprise,"

An open environment; which the most ardent supporters for non-proprietary software/hardware have to admit is an entry point for ones exploits, when used with a software interface of WK2, and now XP; (Win98 is never mentioned)

HOSTS file prevent me viewing the first link but the above is good reason to of checked out the hardware.

cite: CENTUM CS 3000 Integrated Production Control System System Overview
http://cdn2.us.yokogawa.com/TI... [yokogawa.com]

Hey don't worry, companies can police themselves. (0)

Anonymous Coward | about 7 months ago | (#46667901)

Catastrophic failure as an excuse to declare bankruptcy is MBA 101. Who coulda known!

"first released to run on Windows 98" (0)

jcr (53032) | about 7 months ago | (#46667971)

Seems to me that if you care about securing your software, you shouldn't be deploying it on Windows in the first place.

-jcr

Re:"first released to run on Windows 98" (0)

Anonymous Coward | about 7 months ago | (#46668411)

That is so tired argument already.

Re:"first released to run on Windows 98" (1)

Anonymous Coward | about 7 months ago | (#46668515)

If you were REALLY serious about security you would deploy your sofware on a banana, no one has ever hacked a banana before.
 
That's how your argument sounds in 2014. It's easy for even the most novice users to maintain and run so its popular, if they started people on *NIX in grade school everybody would run *NIX and it would have 1000 new security exploits every month because it is the bigger target. Obscurity is not security.

Re:"first released to run on Windows 98" (0)

Anonymous Coward | about 7 months ago | (#46669025)

Sorry - bananas have been hacked since nearly forever.

One or two hacks with a machete and they come crashing down... unless someone catches them on the way. :)

Re:"first released to run on Windows 98" (0)

Anonymous Coward | about 7 months ago | (#46671645)

I think their point is more anachronistic than anything to do with your point - which is also a fallacy.

In 1998 people used windows and didn't really feel that badly about it. If they were ahead of the computing curve they used Sun or CGI or... VAX even, back then. Digital Unix. Are you really going to get a setup like that in 1998 for 1 mil $ when you can hook up a 2k$ computer with win98 for the same spiel?

Oh yeah, linux goes back to 1991 or whatever. No one had heard of it until like 2000.

Bugs.... (2)

Lumpy (12016) | about 7 months ago | (#46668491)

I am surprised when I find that SCADA software works properly. Bugs are expected.

Craptastic SCADA suites like WonderWare are so poorly written and horribly implemented that they barely run. Then you have plant managers that are so stupid they dont understand that you NEVER run anything but the SCADA on the computers, but instead install other software and have them all on the company LAN with internet access...

They deserve the problems they have, because if the SCADA systems were designed right, and managers and business owners were hit in the face with a sack of nickles when they ask for stupid security rick crap, the bugs would not be a problem as there would be a frontline security defense in place.

Dumbasses (1)

Runaway1956 (1322357) | about 7 months ago | (#46669593)

Boys and girls, SCADA IS A FRIGGING BUG!!

Let's think about this for just a second or ten. I own a corporation that has produced products for a century or more. In the old days, people did EVERYTHING by hand. Then, along came the assembly line - making things easier and faster. Then came automation. At each stage, my corporation has been pretty secure. Then, along comes this newfangled internet thing. Every Tom, Dick, and Javier in the world can get on this internet thing, and play Hack-a-Day with any device they can possibly connect to.

Suddenly, all the investors expect me to connect all my robots and crap to this INTERNET?!?!?! What are they, frigging CRAZY? They expect me to expose my hardware to this huge-ass Hack-a-Day game?

No thanks. Those bugs for brains executives and investors who think this is a good idea are all security risks, and I need to boot their asses OUT!!

Re:Dumbasses (1)

hjf (703092) | about 7 months ago | (#46670831)

You, sir, are an idiot.

SCADA is a reporting tool. SCADA is for your manager. If your managers want access, you provide them with access. Because if you're not a fucking incompetent idiot, you can make a secure system that will let management see factory data in real time.

But you're an idiot who just forwards the SCADA web access port to the internet with no password.

The problem with industrial automation "vulnerabilities" is not SCADA, it's not software, it's not anything you're thinking of. The problem with it is that these programs are designed for MECHANICAL ENGINEERS. They're decided for the really clever people that come up with those amazing designs. Who happen to be a fucking LOT better than most slashdotters at it. They're not "geeks", they're not sitting down in a computer all day. They don't understand (and don't have to) how the internet works.

I know this because I've been in both sides. I currently do some automation jobs (programming PLCs) and I don't know SHIT about mechanics (I didn't know that 3-phase motors could be wired different to work in different voltages, but that's something you learn in first year in TECHNICAL HIGH SCHOOL). But I can program a PLC, and connect the SCADA to the internet SAFELY.

It's not about being a smug idiot, thinking everyone else is stupid, and management is wrong. That attitude won't get you far in life. It's about convincing management that there are different skill sets involved and it's dangerous to do what they are doing. And offer a solution.

Re:Dumbasses (1)

Runaway1956 (1322357) | about 7 months ago | (#46671153)

No, you, sir, have chosen not to understand. I am MOCKING every moron in the world who wants all that information to flow out over the intarwebs in real time. The "managers" at my plant choose passwords like "1234abcd". They think it's witty or something.

The fact is, our nation worries itself sick about cyberattacks, when there is no need to worry.

JUST DISCONNECT ALL THAT CRAP FROM THE WEB!!

As for passwords, encryption, or any other security measures, recent events have pretty much demonstrated that the government works against all of our best interests. Do they really have backdoors into encryption methods, do they really have the source code to popular operating systems? Can they really waltz into your network, undetected, at will? And, if gubbermint can do it, why can't anyone else?

Re:Dumbasses (1)

hjf (703092) | about 7 months ago | (#46671209)

I just use VPN. Android and iPhone both can dial in. I even use it for my house CCTV. Give them a strong certificate, then let them have any dumb password they want when they are inside the LAN.

Re:Dumbasses (1)

Runaway1956 (1322357) | about 7 months ago | (#46673755)

And, what happens with a MIM? Someone spoofs a cell phone tower, and intercepts your communications. They get the strong certificate, and they are in. Wireless communications (radio) has been known to be inherently insecure by the armed forces since the days of the first radios.

http://www.wired.com/2010/07/i... [wired.com]

Re:Dumbasses (1)

hjf (703092) | about 7 months ago | (#46676385)

It all comes down to what kind of facility you're working with.

If it's a nuclear power plant, or a missile factory, then there is no need to "dial in". No employee should need to monitor anything remotely.

If it's a small bread factory and you use SCADA to monitor the production line, who cares? No one is going to want to hack you so badly.

Really, this is all a non-issue.

How many years are we going to see SCADA? (1)

msobkow (48369) | about 7 months ago | (#46672231)

Just how many years are we going to see postings/articles on how buggy and security-hole-ridden SCADA is?

Near as I can recall, people have been bitching about this steaming pile of shit for over a decade.

Scadais garbage because Scada is mostly Winbloze (0)

Anonymous Coward | about 7 months ago | (#46672279)

Scadais garbage because Scada is mostly Winbloze, the most defective process software ever conceived.

executives will be shocked and outraged (1)

asjk (569258) | about 7 months ago | (#46673975)

My prediction is the executives of any compromised oil rigs, refineries and power plants will assure us they will not stop until they bring to light any shortcoming that caused any resultant catastrophe. They will go on to say that no one could have foreseen this happening and they are laser focused on keeping our infrastructure safe.
Check for New Comments
Slashdot Login

Need an Account?

Forgot your password?