Researcher Publishes Industrial Complex Hack

← Back to Stories (view on slashdot.org)

Researcher Publishes Industrial Complex Hack

Posted by samzenpus on Wednesday September 10, 2008 @11:41AM from the who-runs-the-power-plant dept.

snydeq writes "Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries. The code exploits a flaw in supervisory control and data acquisition software from Citect. The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection. Finisterre, however, sees the issue as indicative of a 'culture clash' between IT and process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime. 'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"

8 of 190 comments (clear)

Min score:

Reason:

Sort:

Well by Anonymous Coward · 2008-09-10 11:43 · Score: 4, Insightful

If you hook up a device to the internet without any firewall protection, you deserve what you get.
1. Re:Well by lysergic.acid · 2008-09-10 11:51 · Score: 4, Insightful
  
  what do you get? internet herpes?
  a firewall will protect your computer from many exploit attacks, but that's not a reason to rely solely on a firewall for protection.
  running a system with a bunch of unpatched security vulnerabilities and simply relying on a firewall to protect you is just as foolish as connecting to the internet without a firewall. after all, what happens if the firewall fails, is bypassed, or has a security vulnerability of its own?
2. Re:Well by PC+and+Sony+Fanboy · 2008-09-10 11:54 · Score: 4, Insightful
  
  If you hook up a device to the internet without any firewall protection, you deserve what you get.
  We should be glad that people release these 'bugs' openly - I'm sure that this information would have made Mr. Finisterre a lot of money, if he approached the right (wrong?) person. Imagine what would happen with no firewall AND no public notification?
Why ... by sconeu · 2008-09-10 11:44 · Score: 4, Insightful

The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection.
Why would you have critical systems like that directly connected to the 'Net anyways?

--
General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
1. Re:Why ... by PC+and+Sony+Fanboy · 2008-09-10 11:52 · Score: 4, Insightful
  
  Keeping critical systems offline sounds smart, until you realize that
  
  a) What is critical to you may not be critical to me
  b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)
  c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.
  
  Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.
2. Re:Why ... by dave562 · 2008-09-10 11:58 · Score: 5, Insightful
  
  You download the data to a historian server and reference that. There is no reason to ever remotely connect to the actual hardware that is controlling the valves and actually running the plant. I'm not sure what kind of sites you'd need to fly an admin out to, but odds are that there are already people there. I don't know too many power plants, electrical generation facilities, or oil/gas operations that are 100% automated and don't have any people around.
3. Re:Why ... by geekoid · 2008-09-10 12:02 · Score: 3, Insightful
  
  It will only take one incident to loose any cost savings by an order of magnitude.
  Seriously, you can't get into any of your machines for an hour, how much does that cost? the machines start doing the wrong thing?
  
  --
  The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
By the numbers. by khasim · 2008-09-10 12:14 · Score: 4, Insightful

a) What is critical to you may not be critical to me
And who are you? Seriously. Why is your opinion of what is "critical" worth anything in this discussion?

b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)
And the cost of hiring those people vs the cost of cleaning up after an attack? Skipping security is ALWAYS cheaper. As long as you never consider the cost of an attack.

c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.
#1. ATM's. No. They were not originally connected to the Internet.
#2. Driving license. So what? That would catch up to you after the traffic tickets were entered into their system.
#3. Corporate VPN's. We're talking critical systems here.

Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.
Wrong. There is access to them without having them connected to the Internet. Just as it was back in 1990.
All of your reasons come down to "cheaper".
"Cheaper" should not have more weight than "secure".