Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Publishes Industrial Complex Hack

Posted by samzenpus on from the who-runs-the-power-plant dept.

snydeq writes "Security researcher Kevin Finisterre has published code that could be used to take control of computers used to manage industrial machinery, potentially giving hackers a back door into utility companies, water plants, and even oil and gas refineries. The code exploits a flaw in supervisory control and data acquisition software from Citect. The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection. Finisterre, however, sees the issue as indicative of a 'culture clash' between IT and process control engineers, who are reluctant to bring computers off-line for patching due to the potential havoc wreaked by downtime. 'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"

19 of 190 comments (clear)

  1. Well by Anonymous Coward · · Score: 4, Insightful

    If you hook up a device to the internet without any firewall protection, you deserve what you get.

    1. Re:Well by lysergic.acid · · Score: 4, Insightful

      what do you get? internet herpes?

      a firewall will protect your computer from many exploit attacks, but that's not a reason to rely solely on a firewall for protection.

      running a system with a bunch of unpatched security vulnerabilities and simply relying on a firewall to protect you is just as foolish as connecting to the internet without a firewall. after all, what happens if the firewall fails, is bypassed, or has a security vulnerability of its own?

    2. Re:Well by PC+and+Sony+Fanboy · · Score: 4, Insightful

      If you hook up a device to the internet without any firewall protection, you deserve what you get.

      We should be glad that people release these 'bugs' openly - I'm sure that this information would have made Mr. Finisterre a lot of money, if he approached the right (wrong?) person. Imagine what would happen with no firewall AND no public notification?

    3. Re:Well by Solra+Bizna · · Score: 4, Funny

      Firewalls are amazingly easy to bypass.

      From the inside, certainly.

      -:sigma.SB

      --
      WARN
      THERE IS ANOTHER SYSTEM
  2. Why ... by sconeu · · Score: 4, Insightful

    The vendor has released a patch and risk arises only for systems connected directly to the Internet without firewall protection.

    Why would you have critical systems like that directly connected to the 'Net anyways?

    --
    General Relativity: Space-time tells matter where to go; Matter tells space-time what shape to be.
    1. Re:Why ... by phatvw · · Score: 5, Informative

      Why would you have critical systems like that directly connected to the 'Net anyways?

      To reduce costs. Its cheaper for an engineer to remote-in to check on something than have them physically drag their butt to work. Fewer people are able to monitor more 24/7 systems this way.

      And its almost always cheaper to use an Internet connection than a dedicated leased line for this sort of thing.

    2. Re:Why ... by PC+and+Sony+Fanboy · · Score: 4, Insightful

      Keeping critical systems offline sounds smart, until you realize that

      a) What is critical to you may not be critical to me
      b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)
      c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.

      Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.

    3. Re:Why ... by dave562 · · Score: 5, Insightful

      You download the data to a historian server and reference that. There is no reason to ever remotely connect to the actual hardware that is controlling the valves and actually running the plant. I'm not sure what kind of sites you'd need to fly an admin out to, but odds are that there are already people there. I don't know too many power plants, electrical generation facilities, or oil/gas operations that are 100% automated and don't have any people around.

    4. Re:Why ... by geekoid · · Score: 3, Insightful

      It will only take one incident to loose any cost savings by an order of magnitude.

      Seriously, you can't get into any of your machines for an hour, how much does that cost? the machines start doing the wrong thing?

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    5. Re:Why ... by LaminatorX · · Score: 3, Funny

      If only there were some sort of virtual private network available that could give them a reasonably secure low-cost option for remote access.

    6. Re:Why ... by baggins2001 · · Score: 5, Interesting

      What if the machine is a nuclear reactor?
      If an engineer can get eyes on without disrupting operation (talking over the phone), then he might be able to avert a problem.
      What if the machine is part of a chemical plant?
      Same as above.

      As an engineer in both instances, you would probably move more than an hour away.

      Since there are usually junior engineers on at night it can be very helpful to have a senior engineer with eyes on. It wasn't until I had 10 years of experience before I realized that I didn't have the knowledge or experience to handle an emergency during my first 5 years.

      And the powers that be wouldn't think of paying for someone that had more experience to be there.

      So some of the accidents that occur at night which are blamed on people being tired are due to them not having enough experience.

      I agree that more money and security are needed.
      But very few managers get paid extra for spending more money.
      The worst I've seen is where a controller was connected to a phone line. That controller had about 20 chemical reactors tied to it. Another controller also had a phone line and it had 4 reactors tied to it. But before this sounds really dramatic, if someone had hacked in they probably could have done some damage to the reactors, but it would not have caused a danger to humans.

      The worst I saw (safety/security) was where someone had installed pipelines carrying caustic chemicals without using a double-walled pipe (Yeah, Electrical Engineers are the same as Chemical Engineers). Yep , sure enough they had a leak. Luckily no one was injured. Some equipment was trashed, but they had insurance.
      The funniest was when the insurance guys came and wanted it to be turned on to confirm that it wasn't working. The engineer told him that he highly recommended that the equipment not be turned on. He actually showed them the fuzzy crap that was growing on the controller boards. He and another guy went and gathered five fire extinguishers, put those at their feet and told them to pull out the big red button and to press this button to start it up, if they really had to. Then told them they would be waiting outside. The insurance guy turned popped out the emergency stop button. The robotics went nuts and white flashes could be seen from the vents of the controller panel. Never got to the power on button. Experiment lasted about 3 sec. Insurance agent nearly drove the Emergency off button into the panel.

      There were 3 more systems and they decided that they could just look at the fuzzy stuff on the control cards. Didn't need to turn them on after all.

      So considering all the trouble we had with keeping safety standards in check, I'd say good luck with handling getting money for proper security costs.

      And they finally did double-wall their chemical lines and eventually it became a legal requirement. So from then on there wasn't a problem with getting chemical lines double-walled and properly labeled, not with just the yellow caution tags, but with flags. Flags weren't a legal requirement, but they are cheap.

      --
      He who said 1,000,000 monkeys on 1,000,000 typewriters would eventually type the great novel, never saw an AOL chat room
  3. Well according to Die Hard... by Enderandrew · · Score: 4, Funny

    ...a standard cell phone will let you pretty much instantly hack and control anything in the country except for the utilities. For those, you need to go to 2 different locations that control all the utilities in the country.

    That movie had the "Mac guy" so I totally trust it.

    --
    http://blindscribblings.com - Tasty pop-culture in conceptual fashion.
  4. Disconnected from reality by dave562 · · Score: 5, Informative
    I've done a little bit of work with control systems (Honeywell) that are used to run a power plant. The author of the article is a bit disconnected from reality. You can't exactly just take one of those systems offline to patch it. Shutting the powerplant down is a complex operation that takes time. Starting it back up takes time. Things need to get up to temperature. Pressures need to build up. Fuel needs to be loaded. It's not just as simple as, "Email is going to be down for 15 minutes while we reboot the Exchange server."

    At the place I did the work for, the control systems were completely isolated from the internet. They sit on their own network and only talk to each other. They are all running Windows Server 2003 on HP Proliant ML370s with redundant everything (RAID drives, power supplies, UPSes, etc). The closest those things get to communicating with the outside world is when they download their data to a historian server on the other side of a DMZ link. It is a one way connection to the historian server. The historian is then referenced when people offsite need to know what is going on at the plant. The only way to connect to the historian is with VNC from one specific IP/MAC.

    Enough of the security tangent. The point I was originally trying to make is that most industrial machinery doesn't need to be patched. It runs one or two software applications that do a specific thing. There is absolutely no reason to touch the box once it is up and running. Security in an industrial environment needs to be handled at the physical/network layer, not at the box. Why does the hardware running your valves need internet access? Why does a box running a CNC machine need internet access?

    1. Re:Disconnected from reality by Vancorps · · Score: 4, Interesting

      You make a fair point but what happens if one of those machines does fail? Believe me, I've had triple redundant power supplies fail on me before it will happen.

      The IT world believe in redundancy and so too I would have thought does the industrial world where uptime has to be 100%. Rebooting your Exchange server should not result in any downtime if email is considered mission critical.

      So if there are redundant control systems in place why can't individual machines be brought offline and patched as necessary?

      The only argument I can see that holds water here is that an update could theoretically break the tool but if it is properly redundant then it won't come back online when you're done and the problem stops there until the node can be replaced or updated.

    2. Re:Disconnected from reality by WillRobinson · · Score: 3, Interesting

      I have done quite a bit of work in the scada area in the past. What we had was the machine network physical separated from everything.

      A serial link was used to query the scada system and recorded all the interesting points.

      There was no way to write to the scada system via the serial link. That system then dumped the data to sql databases, where it was then queried by the internal web server and provided lookups and pretty pictures for those that dont really need to know, but want to.

      The webserver was then on the office network, but could also be accessed by dialup, the office network was not internet facing.

        Think that is a bit more secure due to the fact that we actually took 10 minutes to think of a method that would be

  5. By the numbers. by khasim · · Score: 4, Insightful

    a) What is critical to you may not be critical to me

    And who are you? Seriously. Why is your opinion of what is "critical" worth anything in this discussion?

    b) Keeping them offline might make sense for security, but it makes servicing them more difficult, and so more people need to be hired, and so it is more expensive (which is bad, apparently)

    And the cost of hiring those people vs the cost of cleaning up after an attack? Skipping security is ALWAYS cheaper. As long as you never consider the cost of an attack.

    c) Sometimes, critical systems need to be online, and widespread. For example, if banking wasn't networked, then ATMs wouldn't work. If you had your license suspended, it would take hours to get that information to all the other cops, and you could keep driving without penalty. Also, work-from-home wouldn't 'work', and corporate VPNs would be pointless.

    #1. ATM's. No. They were not originally connected to the Internet.

    #2. Driving license. So what? That would catch up to you after the traffic tickets were entered into their system.

    #3. Corporate VPN's. We're talking critical systems here.

    Critical systems *should* be connected to the 'net, so we can have access to them. But, they should also be better protected, and backed up offline.

    Wrong. There is access to them without having them connected to the Internet. Just as it was back in 1990.

    All of your reasons come down to "cheaper".

    "Cheaper" should not have more weight than "secure".

  6. SCADA security is a mixed bag. by Ransak · · Score: 5, Informative
    I've done SCADA security audits and managed a variety of environments with SCADA devices (PLCs, HMIs, etc).

    It's a mixed bag. Some (older GE Fanuc PLCs for example) have zero security features, and only have a telnet daemon wide open to the world. The obvious answer is to bitch at the vendor and mitigate it with ACLs or some such, but really you'd have to know something about what you're hacking at to force it to do anything more than lock up, which might be bad, but generally is more of an inconvenience to a worker on the floor since all mission critical environments should have people standing by in such a case with the ability to manually override.

    To my knowledge there's only been one real targeted SCADA hack that caused damage, and he had inside information. Don't get me wrong, I'm all for increasing security in SCADA environments, but the biggest hurdle isn't technical; it's political. Most SCADA environments that I've seen have been set up by electricians that programmed the SCADA devices but know pretty much nothing about IT (FYI, there's a lot of Linksys gear out there). They're usually paid overtime to work on the SCADA network and they see IT personnel as a threat to their livelihood. Someone I know was threatened with a screwdriver for just trying to replace a router.

    --
    "Powers. I have them."
  7. He doesn't get it ... by ScrewMaster · · Score: 3, Interesting

    'A lot of the people who run these systems feel that they're not bound by the same rules as traditional IT,' Finisterre said. 'Their industry is not very familiar with hacking and hackers in general.'"

    He's attempting to lay blame for these infrastructural issues at the feet of the engineering staff. What he doesn't understand is that engineering systems have very different operational requirements from running a server farm or a few thousand desktops. Engineers avoid IT like the plague, because IT people will come down on engineering systems like a ton of bricks, enforcing arbitrary company-wide standards regardless of the damage they do. For example, if you have a timing-sensitive real time process running on a PC, it may not be wise to put the Symantec Antivirus pig on that particular box. Yet I've seen that happen, usually without the person in charge of that equipment even being notified. Afterwards, everybody wonders what happened with something goes seriously wrong with a production process. IT's attitude in such cases is usually "we followed company policies. Not our fault." The hell it wasn't.

    The reality is that IT misguided or ignorant departments are frequently a far bigger danger to process control and real-time data acquisition systems than any number of Chinese crackers. That's because they rarely make the slightest effort to accommodate the needs of the technical staff, and have often gone to extreme lengths to have upper management approve utterly Draconian policies that MUST be applied to ALL computers.

    Engineers are often justifiably leery of having IT involvement in any of their projects. The consequence of that, of course, is that now you have people with no specific security training implementing remote communications. Of course, a lot of these problems could be ameliorated with some simple requirements such as "all off-site communications MUST be secured with a VPN" or something similar.

    Ultimately, what it comes down to is communications being handled by conscientious, well-trained individuals that are open-minded and willing to accommodate the special needs of engineering systems. I can't tell you how rarely I've seen that happen.

    --
    The higher the technology, the sharper that two-edged sword.
  8. It's not as bad as it sounds. by Weasel+Boy · · Score: 4, Informative

    I developed an HMI using Citect, and for my needs it was significantly better than the alternatives. Actually, it was pretty excellent. But you wouldn't use it to control dangerous machines: it runs on Windows. :-) Supervisory Control and Data Acquisition is high-level: the user-friendly end of process control. We used Citect to control the machines that control the machines.

    You could poke a button on Citect that said, "open this valve," but all Citect did was message an industrial PLC that performed all the safety calculations and bounds checks and actuated the relay, then sent the result back for Citect to display. Actually, a better example would be to poke a button to start the next phase of a run. You wouldn't use SCADA to open or close an individual valve much more than you'd invoke a single C function from a CLI.

    I would argue that in fact the traditional rules of IT do not all apply to these SCADA systems. They are quite often single-purpose PCs that have little or no connection outside the plant floor. If they worked on commissioning day, they'll probably still work today. They don't need a lot of management. Not that machines don't get taken down for maintenance, but you don't want a surprise incompatibility in your software update keeping the system down longer than anticipated. Wreaks havoc on the supply chain. Actually, Citect can clone control stations (legitimately, not just 0wn3d), so you could do a phased deployment of patches without losing any capability; I was speaking more generally.

    It is true, though, that process engineers I've known don't think much about network security. They're concerned about guarding against a china syndrome, so the important stuff is off the net and often talks to SCADA via RS-232. A hacker might steal data or stop the run, but probably couldn't make things go boom.