Slashdot Mirror


Stuxnet Worm Infected Industrial Control Systems

Sooner Boomer writes "ComputerWorld has an article about the Stuxnet worm, which was apparently designed to steal industrial secrets and disrupt operations at industrial plants, according to Siemens. 'Stuxnet has infected systems in the UK, North America and Korea, however the largest number of infections, by far, have been in Iran. Once installed on a PC, Stuxnet uses Siemens' default passwords to seek out and try to gain access to systems that run the WinCC and PCS 7 programs — so-called PLC (programmable logic controller) programs that are used to manage large-scale industrial systems on factory floors and in military installations and chemical and power plants.' If the worm were to be used to disrupt systems at any of those locations, the results could be devastating."

167 comments

  1. Cue the conspiracy theories by leromarinvit · · Score: 1

    So the largest number of infections have been in Iran. It is designed to disrupt industrial processes, which are also used by the military.

    Obviously it was created by the CIA in an effort to spoil the Iranian nuclear program!

    --
    Proud member of the Ferengi Socialist Party.
  2. deserved by Anonymous Coward · · Score: 4, Insightful

    If they still use default passwords, they deserve to be hacked and face total havoc.

    Industry's security is still so crappy.

    1. Re:deserved by Anonymous Coward · · Score: 0

      What do you do about the shadow password exploit? It keeps resetting to default passwords. Until that bug is fixed they can't be blamed for using default passwords. My advice is to set up a dupe sign-in thread that detects and automatically changes the password back to the certified tech's immediately once the sign-in detects a bogus login.

    2. Re:deserved by Anonymous Coward · · Score: 0

      Well said. This is the two-thousand & tens, ffs. You're using default Siemens passwords on your infrastructure... you are a lesson to others. Go Stuxnet.

    3. Re:deserved by thegarbz · · Score: 5, Informative

      If they still use default passwords,

      Having experience with a few of these systems from various vendors, I say it would be great to have a choice in the matter. There is a lot of investment in the configuration of a large logic controller, and vendors often provide themselves a back door, such as a hidden admin password, to come in and fix things when the system goes tits up. On top of that they often recommend not changing the default passwords of systems that are hooked directly to process control, because the machines themselves are often under lock and key and behind firewalls and thus presumed to be "safe".

      We were infected with the Stuxnet worm at our plant, and it spread all around the machines on the business network but never made it to the process control systems. It was still disruptive, though. The firewall was shut down and the control network isolated for days so they could do a complete virus scan. A little network management and physical security can go a long way. Frankly, if any virus gets onto the process machines, default password or not, even one not targeting the software for the control systems, there's potential for a real "game over" event.

    4. Re:deserved by Anonymous Coward · · Score: 2, Informative

      This.

      I can confirm the existence of at least one such backdoor. I did tech support for a company that sold cellular connectivity devices through which automation systems could report to a remote server, or be remotely administered.

      It was just a Busybox machine with a bunch of services, but we had an unsecured telnet (as in, port 23, ALL PLAINTEXT) master login that gave root privileges, and we used it for advanced troubleshooting. It was the same user account for all products across all firmware, and even though we never shared it with the customers, anyone calling us to help them do the initial configuration over Ethernet could've set up a packet sniffer and got it.

      Military and police customers tended to use private networks (thankfully) but I'd estimate 90% of those devices were directly facing the internet, including many used for the administration of governmental utilities. In the wrong hands, this not only provided access to all the transmitted data, but was a non-noticeable attack vector on all the equipment on the LAN, since those tend to not have intrusion detection systems.

    5. Re:deserved by X0563511 · · Score: 1

      Easy.

      There should be no default password.

      Remote access should be refused by default. Make the tech get off his ass to do the initial setup and the problem goes away.

      --
      For large sets, this will be our guide even unto death, for the LORD will work for each type of data it is applied to...
    6. Re:deserved by alfredos · · Score: 1

      Industry's security is still so crappy.

      Industry, at least power generation and big factories, is a fairly conservative place. They aren't used to the idea of being "connected" and their way of thinking is still along the lines of physical security.

      They are moving fast, though. The company mentioned in the summary is targeted because of their large installed base, not because they are careless - far from it, they are pretty good, but they are up against a large momentum of inertia.

    7. Re:deserved by Anonymous Coward · · Score: 0

      That's all fine and dandy until you have hundreds of components that need to be reconfigured.

      Also, for all intents and purposes, it is "local" configuration. No one should be on your industrial Ethernet. That's the real problem. The fact that these systems have routable paths to the Internet is fucking stupid.

      Keep your industrial networks off of the internet.

  3. Wow by 0123456 · · Score: 5, Interesting

    So people not only leave the default password on their industrial controllers, they put them on the same network as Windows PCs... Wow.

    1. Re:Wow by DarkKnightRadick · · Score: 0, Redundant

      no kidding, that was my first thought.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    2. Re:Wow by Lunoria · · Score: 3, Informative

      People are lazy. Why change the password on these machines? You'd have to write it down somewhere because remembering things is tough.

    3. Re:Wow by gmuslera · · Score: 4, Insightful

      Probably the network is behind a firewall, so they think they are safe from outsiders. The problem is when insiders have both windows and no clue.

    4. Re:Wow by Svartalf · · Score: 2, Insightful

      And they USED Windows as the OS... Brilliant!

      Saying that they should airgap the SCADA is obvious- unfortunately, people tend to favor "ease of use" and that airgap is one of the first things that typically tends to get botched in the name of that. So, even if you thought you put it on a standalone, the thing's liable as not to be on the corporate net with all the other machines.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    5. Re:Wow by Mr. Sketch · · Score: 5, Informative

      Having worked in that industry, it's very common for them to be on the same network as Windows PCs. As for the default passwords, that's their own fault.

      The reason they have to be on the same network as PCs is twofold:
      1) The software to program and monitor PLCs runs on Windows (Siemens, Rockwell Software and WonderWare were the big names when I was in the industry 10 years ago), so it makes sense to have them on the same network so they can communicate with the PLC while it's online and see the logic operations in real time.
      2) The biggest reason is that PLCs communicate with visualization software that runs on Windows (also made by the same companies as above), which can be viewed from a central location. This allows the production line manager to visually see the operations of the machines in a nicer format than looking at the raw logic bits. The visualization software can display shapes, colors, diagrams, animations, etc. of the production line with real-time data about what's happening.

      So yes, these PLCs are usually on the same network as Windows PCs. Ideally it's a private network with just the PLCs and the visualization/programming/monitoring PCs, but many places are not that strict about the network separation.

    6. Re:Wow by The Master Control P · · Score: 3, Interesting

      The problem isn't that they're on the same network as Windows machines, it's that they're on any kind of network whatsoever that's not insulated from machines connected to the public Internet by an air gap.

      Once again: Do not -ever- put mission-critical systems on the Internet.

    7. Re:Wow by Anonymous Coward · · Score: 1, Insightful

      you seriously do not want to know how common it is.

      Scary common... On things that would disrupt major cities...

    8. Re:Wow by jofny · · Score: 4, Informative

      You can't change the Siemens passwords in this case (and have things keep working).

    9. Re:Wow by MichaelSmith · · Score: 1

      Management will want statistics out of the SCADA system. How many widgets were processed in the last hour, day, week, month, etc.? So there has to be an interface. Perhaps a USB key from the HMI to an employee laptop.

    10. Re:Wow by MichaelSmith · · Score: 2, Interesting

      As for the default passwords, that's their own fault.

      I remember, back in the day, DEC had an account called FIELD on all the VMS systems they maintained. The DEC support guy would always grumble when we disabled that account, or changed the password. It's more trouble for them, you see.

    11. Re:Wow by Relic of the Future · · Score: 2, Informative

      From TFA: "spread [...] typically via USB sticks."

      Air gap will hopefully stop secrets from getting out (unless... is this thing smart enough to wait for another USB stick, copy its stolen data on to it, and wait to be plugged in to a networked PC to communicate out? That'd be snazzy!) but it won't stop a USB stick. And, since USB is how code and software updates are usually delivered to these devices (not to mention the mouse and keyboard for the PC hook up), you can't just turn USB off either. Hence this.

      --
      Those who fail to understand communication protocols, are doomed to repeat them over port 80.
    12. Re:Wow by kaptink · · Score: 1

      I've seen loads of similar devices (Moxa) on several networks managing the safety systems, HVAC and environmental systems in tunnels and mines. All with default passwords, on the same VLAN as several Windows machines with internet access and a history of malware. I'm sure there are many others out there. My question, though, is why go after industrial stuff? Perhaps in the hope they will hit something big and get some ego wank from it. It's not like anyone will benefit financially. It looks like true evilness.

      --
      Those who can, do. Those who cannot, sue.
    13. Re:Wow by Sylak · · Score: 3, Interesting

      The problem lies ONLY in being on a network with Windows PCs. Siemens more often than not specifically designs their products to NOT be networked OR have any default passwords changed, like on a JR Clancy rigging system for theatres. Many of these appliances you can't change the passwords on without violating your service warranty, so complaining about passwords is really a bad assessment.

    14. Re:Wow by Jah-Wren Ryel · · Score: 1

      This allows the production line manager to visually see the operations of the machines in a nicer format than looking at the raw logic bits. The visualization software can display shapes, colors, diagrams, animations, etc of the production line with real-time data about what's happening.

      Sounds like a job for Data Diode. (they aren't the only guys who make such things)

      --
      When information is power, privacy is freedom.
    15. Re:Wow by Anonymous Coward · · Score: 0

      got nuke root?

    16. Re:Wow by DarkKnightRadick · · Score: 2, Informative

      Stop. The more I know the more I want to scream.

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    17. Re:Wow by MichaelSmith · · Score: 2, Informative

      Once again: Do not -ever- put mission-critical systems on the Internet.

      You will never win that game. Google has real time traffic info from traffic signal systems these days. How do you think the information gets through? I used to run a traffic signalling system. There was an indirect internet connection, but security was taken seriously by everybody, both working with the system and in management. I would be much more concerned about a totally airgapped system with poor internal security. Because these days you can't have a 100% air gap.

    18. Re:Wow by hairyfeet · · Score: 4, Interesting

      The real problem is NOT the OS, since it is pretty obvious this attack has been specifically designed to hit a very small niche target, which means no matter what OS you were running the malware writers would have simply written to that target.

      No, the problem is something I run into all the time in my little shop; I call it magical thinking. It is the classic "we have A, therefore we never have to worry about security!" problem. In this case too many are thinking their firewall will magically make the problems go away, not realizing the user is often the weak spot. I've seen the exact same thing at an SMB where the owner had bought Macs based on magical thinking, then his kid wanting to look at pron ended up infecting the network with that DNS Changer trojan.

      The problem as we are witnessing here is there is NO magic bullet, be it Windows, OSX, or Linux, be it a firewall or other piece of hardware, be it any other piece of tech. The ONLY way to secure a network is a top to bottom approach that runs everything on absolute least permissions and no network access to anything that doesn't absolutely need it. But sadly that takes real planning, real effort, and a dedication to keeping the security level up, and most companies would rather buy into "this magic box will save us!" because it is cheaper and easier. Sadly it also never works.

      --
      ACs don't waste your time replying, your posts are never seen by me.
    19. Re:Wow by Jurily · · Score: 4, Interesting

      People are lazy. Why change the password on these machines? You'd have to write it down somewhere because remembering things is tough.

      I blame management. With all the chaos around a factory (at least the ones I've worked in), the default password is more reliable than the people who are supposed to know them when they're needed.

      Add in the fact that factory workers don't really get paid enough to care about anything, and you have to start wondering why this kind of attack isn't more common. Hell, we've played Minesweeper on the monitoring terminal of a >$100M production line :)

    20. Re:Wow by DNS-and-BIND · · Score: 3, Informative

      You do know that factories are staffed by engineers and workers, not IT pros? I doubt if they're even aware that passwords exist on their equipment. When they set up the factory, they just called some people to get all the machines to talk to the computers properly. Then, the contract is finished and the IT people only get a call if there's anything wrong or new equipment is added.

      --
      Shutting down free speech with violence isn't fighting fascism. It IS fascism!
    21. Re:Wow by sjames · · Score: 1

      Even given that goofy situation, they could at least help matters by connecting the visualization machine to the control net (only) and use an IP enabled KVM to connect it to the LAN.

      Ideally, there would be gateway software that polls everything, serializes it (over an actual serial connection) to an information server and let the visualization software talk to that. Ideally, the line from the info server's Tx to the gateway's Rx would be cut to make sure the communication can only be one way.

    22. Re:Wow by pspahn · · Score: 1

      And people wonder why the NSA is trying to promote education.

      Of course, it's damned if you do, damned if you don't. Sure, they're a bureaucracy, and therefore inefficient (or whatever you want to call it). If they do nothing, then it's their fault for not doing anything. If they do something, they get ridiculed for doing it wrong (even if it's an improvement).

      We all know there is an insane amount of holes in all sorts of industries, yet it hardly appears as what is currently being done is enough. People tend to be all hat and no cattle. It's nice to walk around and talk about how bad the problem is, but it's better to actually do something about it.

      --
      Someone flopped a steamer in the gene pool.
    23. Re:Wow by pspahn · · Score: 1

      Sadly it also never works.

      Sure it works, and in fact does so for a bunch of people. That's why there is truth to security through obscurity, because if someone doesn't know about your system and isn't interested in targeting it, you can keep out all the script kiddies by boilerplating security.

      Remember, it isn't necessarily about securing the information absolutely, it's about taking realistic measures to adopt a policy that works and provides an acceptable amount of risk.

      Think of a small copy-print shop, for example. Customers might come in and use computers to run prints of some document that contains sensitive information (or whatever). They open it off their thumb drive or email or something, and then print off a dozen copies. Is the shop owner going to go to the trouble of making sure all the customer computer's hard drives don't contain forensically traceable remnants of that document? Of course not, this is a highly unlikely scenario.

      Of course, running a system with default passwords is kind of silly in the type of environment described in TFA.

      --
      Someone flopped a steamer in the gene pool.
    24. Re:Wow by Anonymous Coward · · Score: 1, Insightful

      > The real problem is NOT the OS, since it is pretty obvious this attack has been specifically designed to hit a very small niche target, which means no matter what OS you were running the malware writers would have simply written to that target.

      Bill? Steve?

      Oh, what a coincidence: the UK, North America and South Korea are where Windows is stronger. Nah, forget it, correlation is not causation etc. etc.

      > The problem as we are witnessing here is there is NO magic bullet, be it Windows, OSX, or Linux, be it a firewall or other piece of hardware, be it any other piece of tech.

      This is _your_ problem. Ours is getting rid of worms, viruses... and M$.

      I'm sure idiots have a role in this, but M$ somehow acts as amplifier of idiocy.

    25. Re:Wow by GiveBenADollar · · Score: 1

      Network != Internet. If you have to control a large industrial system then you need to have centralized command and control, this is what enables the operators to see changes and equipment failure before they begin breaking other things. If you were to say the problem is the DEFAULT PASSWORD then I would agree with you.

    26. Re:Wow by RightwingNutjob · · Score: 1

      Yeah, but we're talking about industrial controllers here, not a small copy shop. At where I work, the standing policy is that if it controls a piece of moving machinery, it's behind an air gap. No exceptions. It doesn't prevent malicious individuals with physical access to the system from doing bad things, but it takes away a whole set of headaches about network security out of the picture entirely.

    27. Re:Wow by GiveBenADollar · · Score: 1

      Well, most large industrial plants are expensive to operate and even more expensive to shutdown and repair. Sounds like a Dr Evil ransom situation to me. $1,000,000,000,000,000 or I cause your machinery to explode.

    28. Re:Wow by CannonballHead · · Score: 1

      Clearly, minesweeper is a big security hole. ;)

    29. Re:Wow by Anonymous Coward · · Score: 2, Insightful

      The OS it runs on is.

    30. Re:Wow by Anonymous Coward · · Score: 3, Insightful

      Often the system IS airgapped... and then they use a USB key to transfer the reports.

      That's why USB keys were targeted for infection.

    31. Re:Wow by denobug · · Score: 4, Insightful

      Our past experience indicates the IT staff does more damage to the stability of the system than anything else could. Most IT and network personnel have zero understanding of the reliability of a system. The architectures they design are simply too complex and not robust enough. So before anybody can hack in, the system itself becomes unstable, crashes, and ends up causing dangerous situations.

      One of the most common mistakes observed is a super complicated VLAN scheme that links multiple networks together under the name of "ease of management" or "security", while in fact the first thing they need to do is to completely separate the control network from the corporate network, and then flatten the control network with an air gap from the corporate network. Also, making sure you have zero wireless network access to the control network would be a wise choice, not only for security but also because it improves each component's availability in general.

      Again, common sense goes a very long way.

    32. Re:Wow by DarwinSurvivor · · Score: 3, Insightful

      What is the point of a password if it's written in the owner's manual of every person that has ever worked on a similar machine? At that point, you may as well call the communications API a "password".

    33. Re:Wow by The Master Control P · · Score: 1

      On one hand, that really scares me.

      On the other, I can see where you're coming from and I suppose the Internet having read-only access could be lived with given other suitable precautions (boot from ROM, etc) to assure access was read-only.

    34. Re:Wow by DarkKnightRadick · · Score: 0, Redundant

      so true

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
    35. Re:Wow by Anonymous Coward · · Score: 0

      So what's the solution (beyond using an OS that can't be hacked via USB drives -- maybe as simple as disabling autorun)? Is this a case where an air gap is less secure than a tightly controlled bridge (only allowing you to transfer the files you need, only one way, etc.) would have been, simply because the workaround for moving necessary data across the air gap is more complex, with more potential vulnerabilities beyond your control, than a strictly controlled link?

      It's an interesting situation...

    36. Re:Wow by networkBoy · · Score: 4, Insightful

      This is manifested in the door security where I work.
      We have RFID badge readers.
      My boss recently wanted to add one to a lab he controls. When he found out the bill was $10K he balked. We told him it was for the security conduit (intrusion detection conduit, I assume gas charged & detect pressure drop in a leg?).
      His response? We don't need the conduit, just run the wire.

      Luckily security said F off and use a key lock, we're not installing it without the conduit. But that same attitude is why these machines still have the default passwords.

      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    37. Re:Wow by thegarbz · · Score: 1

      Proper management of these kinds of systems should mean the firewall does effectively block all access that isn't physical to the machine. The way the network is setup where I work, the firewalls literally only allow one way traffic. The process network pushes data through the firewall to the machine on the other side continuously. From what I've been told there's no confirmation that the data is even received. Only the information on the other side of this network is accessible via another more typical firewall by the rest of the business.

      With a firewall such as this, and computers that are kept physically under lock and key so no operator can come in and plug their usb stick in, there's no reason to presume you're not completely covered.

    38. Re:Wow by networkBoy · · Score: 1

      RS422 to a PC dedicated to that purpose.
      It would be hard to infect the machine when it only sends data out on that interface and does not receive data, or only receives 2 byte commands to which it responds with a slew of numbers. Most machines like this have (at least as an option) an interface like this, precisely because they are supposed to be gap'd from the main network.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
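The one-way link sjames and networkBoy describe above (a push with no confirmation of receipt, return line cut), as an added example that is not from the thread: the wire format, tag ids and sample traffic are constructed for illustration, and the point is that the receiving side has no reply path, so a corrupted frame is dropped and the parser resynchronises rather than asking for a retransmit.

```python
"""One-way telemetry link: the PLC-side gateway only ever sends; the receiving
side parses a framed byte stream and has no path back to the sender."""
import struct
import zlib

# Constructed wire format (an assumption for this example, not a vendor protocol):
#   SYNC(2) | LEN(1) | PAYLOAD(LEN) | CRC32(4) over LEN+PAYLOAD, little endian.
SYNC = b"\xaa\x55"
PAYLOAD = struct.Struct("<HIf")   # tag id, unix seconds, process value
CRC = struct.Struct("<I")


def encode_frame(tag_id, ts, value):
    """Gateway side: frame one reading for the outbound-only link."""
    payload = PAYLOAD.pack(tag_id, ts, value)
    body = bytes([len(payload)]) + payload
    return SYNC + body + CRC.pack(zlib.crc32(body) & 0xFFFFFFFF)


class OneWayReceiver:
    """Historian side. Deliberately has no write/ack method: with the return
    line cut nothing it does can reach the control network, so a bad frame
    is simply dropped and the parser resynchronises on the next SYNC."""

    def __init__(self):
        self.buf = b""
        self.dropped = 0

    def feed(self, data):
        """Consume bytes as they arrive (possibly mid-frame); return decoded
        (tag_id, ts, value) tuples for every complete, CRC-valid frame."""
        self.buf += data
        out = []
        while True:
            i = self.buf.find(SYNC)
            if i < 0:
                # Keep a trailing 0xAA that may be the start of a split SYNC.
                self.buf = self.buf[-1:] if self.buf.endswith(SYNC[:1]) else b""
                break
            self.buf = self.buf[i:]
            if len(self.buf) < 3:
                break                     # wait for the length byte
            n = self.buf[2]
            if n != PAYLOAD.size:
                self.dropped += 1         # corrupt length byte or false SYNC
                self.buf = self.buf[1:]
                continue
            total = 2 + 1 + n + CRC.size
            if len(self.buf) < total:
                break                     # wait for the rest of the frame
            body = self.buf[2:3 + n]
            (crc,) = CRC.unpack(self.buf[3 + n:total])
            if crc == zlib.crc32(body) & 0xFFFFFFFF:
                out.append(PAYLOAD.unpack(body[1:]))
                self.buf = self.buf[total:]
            else:
                self.dropped += 1         # no retransmit possible: drop, resync
                self.buf = self.buf[1:]
        return out


if __name__ == "__main__":
    # Constructed sample traffic: two good frames, one with a flipped byte, one good.
    rx = OneWayReceiver()
    stream = encode_frame(1, 1000, 21.5) + encode_frame(2, 1000, 3.0)
    bad = bytearray(encode_frame(3, 1001, 9.0))
    bad[8] ^= 0xFF
    stream += bytes(bad) + encode_frame(4, 1002, 1.25)
    for chunk in (stream[:5], stream[5:]):        # arrives in arbitrary pieces
        for tag_id, ts, value in rx.feed(chunk):
            print(f"tag {tag_id} @ {ts}: {value}")
    print("dropped frames:", rx.dropped)
```

Pair this with a physical return line that is actually cut (or a firewall rule that permits only the outbound push); the receiver code alone does not make the link one-way.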
    39. Re:Wow by thegarbz · · Score: 1

      Still working in that industry, I'm absolutely amazed that you didn't mention any form of delimitation. Yes, these Windows machines are connected directly to the PLCs, but they should be pushing data out to another machine via a one-way firewall, and they should also be kept under lock and key. Any type of access at all, be it direct or over the network via a firewall, should only ever happen to these "expendable" machines.

      We got this virus at our plant. All computers were infected except the machines hooked to the PLC. These machines were also the only ones that didn't have the latest Windows updates, and had no virus scanner on them. As a precaution the two networks were physically isolated for 2 days while the PLC machines were checked, and while IT were fixing hundreds of computers on the business network. The major downside is we had engineers looking over operators' shoulders rather than sitting in their comfy offices.

    40. Re:Wow by Anonymous Coward · · Score: 1, Interesting

      I know of several factories that have epoxied all the USB ports on machines on the production LAN. It kinda diminishes the worry about a USB stick attack when it won't fit in any of the machines.

    41. Re:Wow by thegarbz · · Score: 4, Informative

      You clearly don't work in the process industry, nor have an idea of just how bullet proof a proper setup actually is despite there not being an airgap.

      The ability to quickly and easily read values from the PLC remotely (one way only is the key) is paramount to not only the efficiency of running the plant, but sometimes the safety of the plant itself. Sometimes it goes a step further to even be a legal requirement. If a plant is levelled by a huge explosion you don't want to be the one standing in front of congress telling the people that the reason you have no idea what happened is that you didn't log every process value on a computer offsite in realtime.

      Air gaps are like the idiot's guide to security. Yeah, it helps, but it's impractical and there are so many other ways a competent person can secure a process network from the outside world. If you actually worked in the industry, the lengths you see many companies go to would blow you away.

    42. Re:Wow by Anonymous Coward · · Score: 0

      "The ONLY way to secure a network is a top to bottom approach that runs everything on absolute least permissions and no network access to anything that doesn't absolutely need it." Well said, and considering the amount of insecurity and related stuff I read about these days makes me wonder, Why is this not the standard?

    43. Re:Wow by Anonymous Coward · · Score: 0

      Or you buy PLCs from Rockwell, who only provides control/programming software that runs on Windows.

    44. Re:Wow by Anonymous Coward · · Score: 0

      Want even more scary? Even *IF* they bothered to set the passwords on these controllers, the passwords are easily sniffed using a man in the middle attack (done it a couple of times myself for 'forgotten passwords'). They literally transmit the password in the clear over the serial/network cables using industry standard control codes.

      The passwords are nothing more than a way for each company to sell SDKs to companies so you can only use their software with them. They give 0 security.

      Some of these sites are stupid easy to get into with a little social engineering, as many of the people who work there don't even know the thing exists. So you show up looking all official with a clipboard and a 'work order' and a hard hat. Many times they would just let you in.

      That there has not been a major incident yet with this stuff is what I find shocking about it.

    45. Re:Wow by Anonymous Coward · · Score: 0

      Posting as AC because work knows of my slashdot ID.

      Amen, brother, amen. I deal with crap just like this every working day.

      I disagree on the wireless part, it's just too handy in physically large / large PLC count installations. What's needed is a BSD-based AP on the control network(s) with PKI and strict physical control of the troubleshooters' machines: they shall never leave the facility, they shall never connect to anything but the control network, they shall be audited regularly and randomly, they shall never, ever be touched by regular corporate IT.

      If anyone ever has success at this, do let the rest of us control engineering types know how you did it. Technical specs and what manner of blackmail used ;)

    46. Re:Wow by Antique Geekmeister · · Score: 1

      And that "airgap" means the hardware can't report its state, such as temperature, power issues, time synchronization, automated shutdown procedures among multiple nodes in case of an upstream systems failure, empty materials bins, or usage reports. Having an airgap is like virginity. It's easy to pledge to, but turns out to create other losses.

    47. Re:Wow by phantomfive · · Score: 1

      Air gaps are like the idiot's guide to security. Yeah, it helps, but it's impractical and there are so many other ways a competent person can secure a process network from the outside world. If you actually worked in the industry, the lengths you see many companies go to would blow you away.

      I don't know much about this industry, but based on the article it sounds like the industry would be a lot more secure if there were more 'idiots' around. People always think they're secure until something like this happens. With an airgap, this wouldn't happen.

      --
      Qxe4
    48. Re:Wow by ScrewMaster · · Score: 3, Insightful

      Our past experience indicates the IT staff does more damage to the stability of the system than anything else could

      Agreed, with all your points. Over the past couple decades of doing control systems, one of the most common questions I get asked by engineering is "how can we best keep IT off our control network?" Funny ... the engineers in charge of these things just seem to intrinsically understand the risks of letting IT staff anywhere near a live process control system. Now, before you IT support people get all testy, I'm not saying that you are, as a group, necessarily incompetent within your legitimate purview. However, as Dirty Harry once said, "A man's got to know his limitations" and it's very disturbing to me how many of you are incapable of recognizing where your involvement is a liability. I've been accused of installing "rogue" systems by IT staff, simply because I recommended that a control system not be placed on a company's regular network. Thing is, a failure on an office network is an inconvenience. A failure on an engineering network can be a disaster. Keep that in mind next time you insist that engineering's systems should be under IT's thumb, and subject to whatever corporate "standards" are in force, regardless of their impact.

      --
      The higher the technology, the sharper that two-edged sword.
    49. Re:Wow by Anonymous Coward · · Score: 2, Informative

      You do know that factories are staffed by engineers and workers, not IT pros?

      In this particular case it doesn't matter if there's a factory full of IT pros (as, in fact, we do) or not. First of all you can't change the WinCC password. Second of all, if you don't do precisely as Siemens says Siemens raises hands and says "we can't support your non-standard environment".

      As my coworker said, Siemens should burn in heck for its sins.

      Posting anonymously, just in case.

    50. Re:Wow by dbIII · · Score: 1

      Our past experience indicates the IT staff does more damage to the stability

      You've missed the obvious - IT staff change things, of course that does things to stability.
      Change sometimes hurts but you have to go through it to get improvements.
      Ideally the problems all happen in a test environment that is a good model of a production environment, but sometimes things (and IT staff) are not ideal.
      I agree with having an air gap, but I have heard of several situations where that has been removed by an ignorant requirement for sales or accountancy purposes. It's a disaster waiting to happen but we are living in a time when idiots put power station control systems on the internet and don't think that is a bad idea.

    51. Re:Wow by SheeEttin · · Score: 1

      Why change the password on these machines? You'd have to write it down somewhere because remembering things is tough.

      Because it'd have severely limited this worm?
      Just go ahead and scribble the password in Sharpie over the keypad. Common worms can't use that information (yet).

    52. Re:Wow by dbIII · · Score: 1

      It sounds like you've got a situation that's going to get a lot worse.
      You need some IT people that have a clue about what you are up to so they can help as required as well as a clue as to when to leave you alone. What you'll probably get however is an increasing amount of ignorance on the IT side which will result in them not knowing when to leave you alone, and a disaster or two because they'll think they know what they are doing when they don't.
      If you haven't already, it's time to get somebody on your team acting as surrogate IT staff and make sure you have good backups and some docs for when things break - because outsiders without a clue will probably make things a lot worse until communications improve and they know what to leave alone. I've got around this by having test systems and telling people who might be about to do something stupid to go away until they have tried it on the test system.
      I'm an "IT person" that used to be an engineer, and I do know where to back off on some systems or to kick something around on a test box, or more importantly, talk to somebody with a clue.

    53. Re:Wow by El_Isma · · Score: 1

      It's worse than that:
      People run their industrial controllers on Windows.

      To be fair, the industrial processes run on PLCs (which have a proprietary, more foolproof OS) and the "let's see if anything is out of the ordinary" systems run on Windows PCs. So it's not as likely that a Windows failure will bring down the industry. A hacked controller could do fancy damage, though.

    54. Re:Wow by thegarbz · · Score: 1

      Frankly I'm happier to have an idiot running the process control network without an airgap, than having an idiot picking the operating conditions of a 3000 psi, 1000 degF pressure vessel containing hydrogen.

      These plants will eliminate themselves from the map if someone is incompetent. Frankly the kind of process network manager who thinks that the airgap is their ideal solution will often be the one dumbfounded when their plant is taken out by a USB key all because some operator wanted to show his workmate a funny video. The amount of effort required to properly secure a network is quite great and if someone can't figure out how to do that I'm sure you could find a million other holes in their systems and methods.

    55. Re:Wow by Anonymous Coward · · Score: 0

      We have exactly that attitude at my place too.

      I once asked one of the IT dept heads when we could expect to see IE6 finally upgraded, he replied "along with the Win7 roll out, probably 2012". When I asked if it didn't disturb him having a decade-old, long deprecated programme as the company's 9000-strong computer network's touch point with the world wide web, he replied "haha no, we've got an enterprise-level security suite, there is nothing to worry about".

      Maybe he's right, but I wouldn't be so complacent in his position.

    56. Re:Wow by shentino · · Score: 1

      Because it's a pain in the ass to settle, and the PHBs won't put up with things getting in the way of actual work.

    57. Re:Wow by Anonymous Coward · · Score: 0

      At where I work, the standing policy is that if it controls a piece of moving machinery, it's behind an air gap.

      That's probably why this one came in via USB memory sticks using the .LNK exploit.

      This is a targeted professional attack. If the target had e.g. non-default passwords, then the attack would have contained a way around that (a keylogger for instance).

    58. Re:Wow by Rich0 · · Score: 2, Interesting

      Now, is the door more secure or less secure than it would have been if you had run a card lock without the special conduit?

      Regular wire for the card lock would have been more vulnerable to sniffing or replay attacks, but that is a vulnerability the RFID cards probably have as well. On the other hand, an old fashioned key lock is vulnerable to extra keys floating around that aren't tied to a specific person so they can't be disabled as people change jobs/etc.

      I've seen this problem at work - anybody can point out a problem, and when something goes wrong claim "see, I told you so." The problem with this logic is that if EVERY problem like this were completely risk-mitigated we couldn't do anything without spending a million dollars. That usually means that we end up using archaic processes (since this logic seems to only be employed when changes are made - you can keep running an old insecure or problematic process for as long as you want without complaint), and usually that means even more problems and certainly less efficiency.

      Security in most corporate settings will always be a compromise. Sure, we have to do due diligence. Yes, we ought to secure things as best we can when it is practical to do so. Yes, sometimes we need to spend more and REALLY secure things. However, if you want to turn your factory into a hardened military facility be prepared to spend money more on the lines of the US defense budget. Indeed, I doubt that most munitions facilities incorporate all the security features the latest security consultant to come by would advocate.

    59. Re:Wow by Rich0 · · Score: 1

      I'm not sure that Windows is itself the problem. This was a targeted attack - if they could zero-day Windows then no doubt they could zero-day some other OS/browser/etc, or maybe smuggle code in via some other attack vector (somebody gets a job as a janitor and plugs something into a LAN or USB port).

      Sure, having your general office network on the same LAN as your PLCs is definitely a way to be exposed.

      I think the bigger problem is that in general industry-specific software tends to not be written with security as a consideration at all. Even if they had changed the passwords, what are the chances that it doesn't go plaintext over the LAN? I know of lots of client-server software where the server is just a database, and therefore the database credentials are stored on the local hard drive (obfuscated). The application prompts for a password and checks it against some table in the database, but anybody who knew what they were doing could just retrieve the database password from the hard disk and bypass the software entirely.

      Most expensive industry-specific software is almost completely insecure. Oh, they have tons of certifications, and test scripts showing compliance with various standards/regulations/etc. They spend LOTS of money on security but mostly that amounts to paperwork that documents that the systems are secure. The problem is that while they'll spend $10k to have people run test scripts to try to type bad passwords, they don't spend a dime on looking for buffer overflows or other backdoor methods to break the security. The assumption is always that hackers don't do anything but click on buttons in the GUI, or type human-readable text into prompts.

      The only thing protecting most companies from major catastrophe is that most hackers can't be bothered to get their hands on this kind of software and understand where and how it is used.

      I can't wait until the Russian Mafia figures out what SAP is. Then again, they'd probably bankrupt themselves just trying to get a working installation like all the rest of us...

    60. Re:Wow by KDR_11k · · Score: 1

      Large production systems are often a patchwork of software and hardware components that have access passwords for other components hardcoded who-knows-where. Changing a password can screw something up that you didn't even know existed.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    61. Re:Wow by Antique+Geekmeister · · Score: 1

      As IT staff who've had to deal with the mess, I'm forced to say "you're not telling the whole story". I've been forced, in the past, to negotiate the security requirements to handle access to resources, and too often been told "we can't be bothered to learn how to use the secure tools, we'll just leave it wide open: after all, we have a firewall and a non-disclosure agreement". And then I've been blamed for the open access. Or "we daren't update that system, it's too critical", and then been blamed for the cost of the errors and failures in software that were fixed 3 years previously in published patches.

      So let's not say "IT messes up our systems" any more than we say "vaccines cause autism", shall we? There are risks, but I'm still seeing far too many instances of misuse and abuse that IT is responsible to clean up when systems are run without any guidance by people more familiar with network and security principles than a paperwork handler or even most software developers can be expected to have.

    62. Re:Wow by KDR_11k · · Score: 1

      Yeah but that costs extra. A contractor that can make a lower quote by omitting special steps like that has an advantage when selling to people who don't know whether certain security features are necessary.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
    63. Re:Wow by Jaxoreth · · Score: 1

      I remember, back in the day, DEC had an account called FIELD on all the VMS systems they maintained. The DEC support guy would always grumble when we disabled that account, or changed the password. It's more trouble for them, you see.

      Disabling the FIELD SERVICE account is the hallmark of any good SYSTEM MANAGER.

      --
      In general, it is safe and legal to kill your children. -- POSIX Programmer's Guide
    64. Re:Wow by drinkypoo · · Score: 1

      With an airgap, this wouldn't happen.

      First, air gap doesn't mean shit in a wireless world, so let's just stop using that term. I don't know what replaces it, but signals go through air just fine. Second, you can't actually use computer-controlled machining software without a connection of some kind. Further, there are substantial benefits to having the same machine be able to access the machines and the internet. When I worked for Tivoli just post-IBM we had two machines on every desk. One ran Windows and existed solely to provide access to RETAIN via a screen scraper. The other ran whatever you wanted. I flushed the screen scraper and learned raw RETAIN (all hail tn3270) so that I could do all my work on one system, and then I could reload the other one frequently so that I could have my own test system in my office instead of depending on lab computers.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    65. Re:Wow by drinkypoo · · Score: 1

      Large production systems are often a patchwork of software and hardware components that have access passwords for other components hardcoded who-knows-where.

      If you're trying to tell us they're incompetent, we already knew that, because they're using default passwords.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    66. Re:Wow by denobug · · Score: 1

      So let's not say "IT messes up our systems" any more than we say "vaccines cause autism", shall we?

      Let's use this as an example. What you are saying is a true statement in its merit. However, for a high-risk group, i.e. pregnant women, would it not be a standard practice for physicians to be extra careful to prescribe any medication to them? Or in fact, ask them to withhold taking any medication unless it is absolutely necessary.

      In the same way, security is very important. None of us want to see this kind of security breach happen. Yet our mission would be an utter disaster if the system is killed by blindly patching a system without properly testing the patch itself beforehand. Even if the cause of the crash was because some part of the system's program was written incorrectly, it is already running. So then it would be wrong by anybody (IT, engineering, or management) to come in and say "I don't care if you have bad code, we NEED to patch, and then fix the code afterward." In the end, both the control system and the security measures are means to an end to run a facility safely and efficiently. You don't want to see your name plastered all over the web because the patch you insisted on applying was untested and caused the next Texas City Explosion, or another Deep Horizon leak in the Gulf, do you?

      By the way some of us are reasonably competent (we won't call ourselves experts since ultimately someone knows more than we do) in network security and IT background in general. So at least we are capable of making a judgement call when we know a potential risk of bringing a system down. Before you ask the question of why we run a buggy system you have to understand sometimes it is what we have to run with, and it does take physical man power to re-wire everything or physically verify EVERY wiring connection, and that easily costs in the unit of tens or hundreds of thousands, if not millions of dollars. Yes we are talking a lot bigger scale than typical IT operation where $100 saving is a big deal.

    67. Re:Wow by denobug · · Score: 1

      You've missed the obvious - IT staff change things, of course that does things to stability.

      That is the problem. The damage of this "change" is easily a safety and environmental disaster. A licensed engineer takes an oath to protect the general public in their safety, not the IT system. It is simply paramount to test out the patches on a stand-by test environment before implementing to a live system. A lot of system providers do that now, testing the newly released patches, and then releasing them to their customers to be implemented after their testing. A blind patch and "fix the problem as they arise" attitude in a critical system is exactly the attitude that causes newsworthy events over the Internet and costs you a job for your lifetime in this field. This is why we are wary of IT staff in general because most of them have no appreciation of the bigger picture besides the little piece of pie they are working on.

    68. Re:Wow by kesuki · · Score: 1

      "Probably the network is behind a firewall, so they think they are safe from outsiders. The problem is when insiders have both windows and no clue."

      I know too much to post about this... but what do you do when the computers believe they need to 'filter' the truth to its guardians, thinking they only need good feedback?

      That's where I'm getting stuck, well, one place anyway.

    69. Re:Wow by MartinSchou · · Score: 2, Insightful

      Now, is the door more secure or less secure than it would have been if you had run a card lock without the special conduit?

      That's beside the question. The question that needs asking is:

      Would a physical key entry result in security getting the blame, if something 'bad' happens in the lab?

      The likely answer to that is: "No"
      However, if they simply ran the wire as requested by the boss, and something bad happened, would they get the blame? Yes they would, because they installed and approved it.

      If you want me to take the blame for something, then I want to be in charge of how it can happen. If you just want a scapegoat, look elsewhere, as I have no need for a "responsible for break-in to lab due to botched security job" on my resume.

    70. Re:Wow by Smock-Jata+Babushka · · Score: 1

      It is *required* to put these controllers on the same network as Windows PCs. These systems are frequently networked, and so are interconnected. They often have to be monitored from an engineer's desk. They have to be programmed with software written to run under Windows. Even if programming has to occur from the factory floor, an engineer that takes his laptop from his desk to the factory floor opens up the possibility of carrying a virus with him.

      The industrial controllers have to be on the same network as Windows PCs, at least some times.

      The more pragmatic solution is to insist that passwords be changed from the default to something else within X days after installation, and to not provide any back doors that do not require physical access to the controllers (such as a spring-loaded button that allows super-admin access to be initiated for 30 seconds after pressing).

      Because the hardware of these systems (at least the PLCs) are rarely Windows-based, there is the assumption that they are immune to viruses, and, in fact, they tend to be a smaller target because the installed base is smaller compared to Windows PCs. These systems have tended to fly under the anti-virus radar.

      Like most anti-virus solutions, the best thing to do is to change your habits to prevent vulnerabilities in the first place. But with something brand new, it is hard to know what habit to change ahead of time.

    71. Re:Wow by Rich0 · · Score: 1

      Ah, yes - the ultimate reason for perverse levels of risk aversion is perverse levels of accountability for taking reasonable risks and getting it wrong.

      I can't blame people for having this attitude when those managing them punish risk-taking.

      However, this kind of attitude can really kill a company. Sometimes you just have to take risks. Unfortunately, the attitude has to start at the top...

    72. Re:Wow by MartinSchou · · Score: 1

      I didn't say they shouldn't take risks. But taking a risk like that one, which is essentially just "it'll be easier for one boss" with absolutely no gain in ease of use (easier to just use a key), financial gains (cheaper to just use a key) and a massive risk (something goes wrong, it's not the boss getting the shaft) is just idiotic.

      It will never gain you, your department or the company anything other than a pink slip and will taint your resume.

      Now, if the boss had said something like "I will sign off on doing this, and my department will foot the bill for it", it would probably be a different case. But that's not the scenario we were presented with.

    73. Re:Wow by hairyfeet · · Score: 1, Insightful

      Twitter? RMS? You see MR AC, you are falling for "magical thinking" if you think "I can drop in (insert OS) and we'll be saved!" because that is total bullshit. This was a carefully designed attack on a very specific piece of very niche hardware. You HONESTLY think that a malware writer designing his code to such a specific target couldn't do the exact same thing just because an OS has the blessing of RMS? Really? Because if so I have a really nice bridge to sell you.

      FACT-All Operating Systems have vulnerabilities, and security by obscurity doesn't work when you are being specifically targeted. Don't forget there was a bug in the X server for SIX YEARS that went unpatched. FACT- Real network security requires real dedication, which is absent in magical thinking. Do you really think some unpatched Linux box on the network couldn't have been pwned? FACT-magical thinking leads to lazy practices, as we saw here with "the firewall will save us!" and if you honestly think simply replacing the word firewall with Linux will magically make the threat go away...well I'm just glad I don't have you working as an admin on any network I deal with.

      Finally, you could have just written the definitive treatise on network security, but when you start with that tired lame "M$" shit you might as well just replace your text with nigger nigger nigger because everyone is gonna consider you nothing but a troll and move on, no differently than the "Lunix is for Lusers" or the "Macfags suck Steve Jobs" posts. If you want people to take you seriously and don't want to type Microsoft, type MSFT or even MS. You can even tell yourself you're typing MSFT because they are greedy whores that care about nothing but their stock price if that makes you happy, but every time a post involving Windows is filled by guys like you with that lame ass M$ shit it makes ALL FOSS advocates look like basement trolls. Is that really what you want?

      --
      ACs don't waste your time replying, your posts are never seen by me.
    74. Re:Wow by Rich0 · · Score: 1

      Keys aren't necessarily easier to use - if only one person needs to regularly use them they can be easier.

      They aren't always cheaper either - if that key gets lost you're now paying to have the lock picked.

      In any case, I'm a big fan of the RIGHT level of security for each situation. That can be a lot, or a little, depending on the circumstances.

    75. Re:Wow by networkBoy · · Score: 1

      So, in the case of my lab:
      There are three people who will be keyholders.
      Security knows who has keys, and security has the realistic and common sense approach that keys get lost. Reporting a lost key gets the tumblers changed and new keys issued within 4 hours, and no repercussions on the key loser.

      In addition, the keylock door is inside the lab, which is already behind badge readers. Overall risk is exceptionally low.

      Risk from an unsecured (and thus sniffable) badge reader line is much higher.

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    76. Re:Wow by Rich0 · · Score: 1

      Risk from an unsecured (and thus sniffable) badge reader line is much higher.

      I'll have to beg indulgence since I'm not familiar with the design of commonly used RFID badges.

      Are you saying that the connection between the badge and the radio is encrypted and protected against replay attacks, but the connection between the reader and the central server is not? It seems odd that one would build encryption logic into the reader, and then not use it to communicate over the wire.

      Indeed, the most secure design would seem to be to not give the reader the ability to decrypt the credentials at all, but rather to just relay them over the line.

      However, I suspect that in reality that the badge communication is not encrypted at all. It would be far easier to just have the badge transmit the same serial number any time it is interrogated, which of course makes it trivial to clone. If so, that would be a far more likely attack vector than tapping cables. I've had my RFID badge from work for a decade now, and back then I doubt that the technology for a secure in-badge challenge/ response system was cheap.

      Perhaps I'm wrong though.

      As far as changing locks go - I have no doubt that your security department is diligent about tracking keys and changing locks. However, you pointed out that keys were cheaper, and my point was that keys were cheaper until you have to change locks. Now, one change of locks probably is still cheaper than setting up a badge reader (without security conduit). However, I imagine by the second time you're visiting that lock the reader would look a lot more attractive. You also are probably making the assumption that the "do not duplicate" notice on the keys means something.

    77. Re:Wow by Antique+Geekmeister · · Score: 1

      You've selected an example that exactly proves _my_ point. An expecting mother is in one of those situations where some expert advice and preventive care is _most_ useful because the situation is under enormous and unusual stresses that can often be handled with informed caution. (Medications to avoid, checking weight gain, treating morning sickness and testing for diabetes, educating the mother on breathing exercises and avoiding eclampsia, etc.) The consequences of ignoring the situation and saying "people die when they go to doctors, let's not see them!" are devastating, yet that is _precisely_ what you originally suggested.

      You told people in your work situation with mission critical systems to avoid IT because IT imperils the systems. The parallel is with parents who refuse vaccines to avoid autism for their children: even after the claim has been demonstrated false, parents still do this.

    78. Re:Wow by Antique+Geekmeister · · Score: 1

      By the way, your definition of "expert" is very strange. From your attitudes towards groups like IT, I assume you use it to pretend that "experts" really aren't and that you can therefore safely ignore them?

    79. Re:Wow by Anonymous Coward · · Score: 0

      Get a job

    80. Re:Wow by ScrewMaster · · Score: 1

      By the way, your definition of "expert" is very strange. From your attitudes towards groups like IT, I assume you use it to pretend that "experts" really aren't and that you can therefore safely ignore them?

      A true expert is one thing, but the vast majority of IT people with whom I've had the misfortune of dealing are simply concerned about enforcing the latest corporate policies. That means you will be on the company domain, you will live with any group policies that requires, you will run all required applications, even if said apps cause issues. The reason for that is clear: if anything goes wrong, their asses are covered because they just followed procedure.

      There's a reason that any company with half a collective brain will have an engineering network (where all process control and data acquisitions systems reside) and a business network. The two should never meet, except under very controlled conditions, and the engineering network should not, ideally, be at any point connected to the public Internet.

      Unfortunately, I've seen too many problems occur because of IT departments insisting on doing things their way, simply because it a. makes their lives easier and b. keeps them from ever having to take any heat when something goes wrong.

      Maybe in your world IT is always open-minded and willing to look at the big picture, but in mine that's frequently NOT been the case. Now, that's primarily because IT is oriented towards computing from a business perspective. That's fine, they're in a legitimate supporting role there. But real-time systems operate under an entirely different set of constraints, and if an IT department cannot accept and work with that, they're not only useless but can be downright dangerous.

      --
      The higher the technology, the sharper that two-edged sword.
    81. Re:Wow by Anonymous Coward · · Score: 0

      By the way, your definition of "expert" is very strange. From your attitudes towards groups like IT, I assume you use it to pretend that "experts" really aren't and that you can therefore safely ignore them?

      Additionally, let me ask you this: what kind of expertise does the typical IT person have when it comes to process controls, PLCs or real-time systems of any kind? Answer: not much. Nor, I will agree, does the average controls engineer know much about firewalls, domains, network security, or any of the myriad other things that are legitimately within IT purview. For that reason alone, engineering should run as an isolated subset of the overall Information Technology infrastructure, so that the very different requirements of business operations don't interfere with keeping the machinery running.

      It was never an issue in decades past, before the rise of networking technologies made it so easy to connect anything to everything. Control systems were all hardwired and custom-built, and had nothing to do with accounting, or sales, or anything on the other side of the business. Nor was the public network a threat. That's just not true anymore, and a wise IT department should realize that, and take steps to make sure they don't cause unnecessary issues.

    82. Re:Wow by networkBoy · · Score: 1

      Absolutely all valid points.
      We have a locksmith on staff, so repinning a lock is trivial, as is cutting keys.

      As to the badge readers I have no idea how they work. I know the badges do challenge response with the reader, but if the reader is merely a pass-through to a controller, or if it contains the smarts is opaque to me (I never asked, I think I will now...)

      Frankly my opinion is that we don't need a lock on that door at all, simply a sign that the area is restricted, but that's my opinion.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    83. Re:Wow by Anonymous Coward · · Score: 0

      This fails to take account of something like Stuxnet failing to report dangerous values. For example, the sensor reports high pressure in a pipe, Stuxnet discards this and reports a regular pressure. BOOM.

      This is just one way, no write needed.

    84. Re:Wow by denobug · · Score: 1

      Your comments are well put. I wish I had a mod point for you!

    85. Re:Wow by ScrewMaster · · Score: 1

      As IT staff who've had to deal with the mess, I'm forced to say "you're not telling the whole story".

      No, pretty much I am. And you're not listening.

      Network security is largely a non-issue for engineering networks because the goddamn things should never, ever, be physically connected to your business network, much less the Internet. Any time I see a major industrial operation that runs its PLCs, process controllers and other critical systems from its business network ... well, I try to minimize my time on-site. You never know when something is going to detonate. Yah, I've seen that happen: wrong place at the wrong time. Nobody got hurt but that was just luck.

      The reason that happens, every time, is because IT personnel refuse to fight for, and to budget, the requisite independent network infrastructure. Generally that's because they don't see the need. They also want all engineering systems to be conveniently accessible to them, so they can perform remote "support". That generally means placing them on the business side of things, regardless of risk (and that's because, as IT people not production engineers, they don't have the training or expertise to evaluate that risk.)

      You need to look at yourselves in the proper role: support. Only rarely have I encountered an IT department that understands that, that will come to the engineers and offer their services without rancor, and make a sincere effort to understand the requirements (and how much they differ from the business environment.) Engineers don't particularly want to deal with computing matters: they have plenty on their plates already. However, what they absolutely cannot tolerate (because the penalties for failure are so high) is an Information Technology department that has mandated certain things will be done a certain way, regardless of consequences.

      Now, you are within your rights to disagree, but I've witnessed firsthand plantwide system shutdowns due to that attitude. So I am speaking from experience.

      --
      The higher the technology, the sharper that two-edged sword.
  4. Re:Suxnet by Wyatt+Earp · · Score: 5, Interesting

    Israel, not American.

    Israel has always been an industrial spy on the US and Western Europe, but their big focus is Iran right now, so they test it on the US, UK and Korea but the main focus is Iran.

    Wouldn't be surprised to find it in Saudi systems too

  5. lulz by Syobon · · Score: 1

    Iran is the most affected country with 60% of infections, a highly sophisticated worm that resembles warfare espionage. NSA or CIA don't even need a backdoor in Windows, just some obscure vulnerability; if it goes public MS may be forced to patch.

  6. inb4china by BlueKitties · · Score: 1

    I'm pretty sure it's only a matter of time before someone points the finger at China.

    --
    "Sorrow is better than laughter, for by sadness of face the heart is made glad." [Ecclesiastes 7:3]
  7. What the? by Mashiki · · Score: 3, Interesting

    Who is programming their PLCs? And why aren't they put into 'lock' mode (AKA ROM) when they're put into production machinery so the EEPROM can't be affected? I used to write programs for PLCs (generally Mitsubishi and Siemens), and you always locked the device or update when you were finished, so things like this can't happen.

    --
    Om, nomnomnom...
    1. Re:What the? by luca · · Score: 5, Informative

      Do you know that when you set a password on a siemens plc, it isn't enforced by the plc itself but by the step 7 programming software?
      Use something else (e.g., libnodave) and access is wide open.
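
      The flaw luca describes, a password that the programming software checks on its own side while the controller honours any write it receives, is easy to see in a toy model. The following is an added example, not Siemens or libnodave code, and its message format (INFO/READ/WRITE, then CHALLENGE/AUTH) is invented for illustration. The first controller class hands out its password digest and lets the client decide; a "rogue" client simply never asks. The second class moves the decision into the controller with an HMAC challenge-response, so what the client does locally no longer matters.

```python
"""Toy model of a controller whose password is enforced by the engineering
tool (the client) rather than by the controller itself, beside a version
that enforces it server-side. Constructed example; the protocol is invented
and is not the Siemens/Step 7 protocol."""
import hashlib
import hmac
import secrets


class ClientCheckedPLC:
    """Controller that accepts any well-formed WRITE. It stores a password
    digest only so the official tool can fetch it and prompt the user."""

    def __init__(self, password: str):
        self.password = password
        self.blocks = {}

    def handle(self, msg: dict) -> dict:
        op = msg.get("op")
        if op == "INFO":
            # Hands the digest to whoever asks; the client is expected to do
            # the comparison. Nothing in here ever refuses a write.
            digest = hashlib.sha256(self.password.encode()).hexdigest()
            return {"ok": True, "password_digest": digest}
        if op == "READ":
            return {"ok": True, "blocks": dict(self.blocks)}
        if op == "WRITE":
            self.blocks[msg["block"]] = msg["data"]
            return {"ok": True}
        return {"ok": False, "error": "bad op"}


def official_tool_write(plc, entered_password: str, block: str, data: bytes) -> dict:
    """Well-behaved engineering software: compares the typed password with the
    digest read from the controller and refuses to send a WRITE on mismatch.
    The refusal lives entirely in the client."""
    info = plc.handle({"op": "INFO"})
    typed = hashlib.sha256(entered_password.encode()).hexdigest()
    if not hmac.compare_digest(typed, info.get("password_digest", "")):
        return {"ok": False, "error": "wrong password (client-side check)"}
    return plc.handle({"op": "WRITE", "block": block, "data": data})


def rogue_tool_write(plc, block: str, data: bytes) -> dict:
    """Any other library that speaks the protocol: it just skips the check."""
    return plc.handle({"op": "WRITE", "block": block, "data": data})


class ServerCheckedPLC(ClientCheckedPLC):
    """Same controller, but the controller decides: a WRITE is refused unless
    the session proved knowledge of the password via challenge-response."""

    def __init__(self, password: str):
        super().__init__(password)
        self._challenge = None
        self._sessions = set()

    def handle(self, msg: dict) -> dict:
        op = msg.get("op")
        if op == "INFO":
            return {"ok": False, "error": "not disclosed"}  # no digest leak either
        if op == "CHALLENGE":
            self._challenge = secrets.token_bytes(16)
            return {"ok": True, "challenge": self._challenge}
        if op == "AUTH":
            if self._challenge is None:
                return {"ok": False, "error": "no outstanding challenge"}
            expected = hmac.new(self.password.encode(), self._challenge,
                                hashlib.sha256).digest()
            self._challenge = None  # single use: no replay of an old answer
            if hmac.compare_digest(expected, msg.get("response", b"")):
                token = secrets.token_hex(16)
                self._sessions.add(token)
                return {"ok": True, "token": token}
            return {"ok": False, "error": "authentication failed"}
        if op == "WRITE" and msg.get("token") not in self._sessions:
            return {"ok": False, "error": "write refused: not authenticated"}
        return super().handle(msg)


def authenticate(plc, password: str):
    """Client half of the challenge-response; returns a session token or None."""
    challenge = plc.handle({"op": "CHALLENGE"})["challenge"]
    response = hmac.new(password.encode(), challenge, hashlib.sha256).digest()
    return plc.handle({"op": "AUTH", "response": response}).get("token")


def demo_client_checked():
    """(official tool with wrong password ok?, rogue tool ok?, resulting blocks)"""
    plc = ClientCheckedPLC("s7-secret")
    official = official_tool_write(plc, "guess", "OB1", b"\x00")
    rogue = rogue_tool_write(plc, "OB1", b"\x90\x90")
    return official["ok"], rogue["ok"], plc.blocks


def demo_server_checked():
    """(rogue tool ok?, token for wrong password, authenticated write ok?, blocks)"""
    plc = ServerCheckedPLC("s7-secret")
    rogue = rogue_tool_write(plc, "OB1", b"\x90\x90")
    bad_token = authenticate(plc, "guess")
    token = authenticate(plc, "s7-secret")
    good = plc.handle({"op": "WRITE", "block": "OB1", "data": b"\x01", "token": token})
    return rogue["ok"], bad_token, good["ok"], plc.blocks
```

      Run the two demo functions side by side: against the first controller the official tool is refused with the wrong password while the rogue tool overwrites OB1 anyway, which is the situation luca describes; against the second the rogue write is refused, a wrong password earns no token, and only a session that answered the challenge correctly gets to write. The point is where the comparison runs, not how strong the password is.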

    2. Re:What the? by DarwinSurvivor · · Score: 1

      Reminds me of older (2000?) Windows file servers. We had one at a workplace I was at where all the employees had network folders for their work and a few shared ones for moving stuff between departments. It was understood that nobody could access other people's folders (especially upper management) and it was true (we double-clicked a manager's folder by accident once and got the permission denied folder). The really strange part though was that I used a different file manager (explorer-xp) and one of the other guys liked it, so I gave him a copy (freeware). He started using that and once again accidentally double-clicked the manager's folder and BOOM he was in! As far as we could tell, this file manager gave us 100% permissions on the ENTIRE file server, including out-of-building upper management. Our only guess is that the security is enforced on the client side (Windows Explorer) and the server simply expects the client to check the permissions itself.

      Needless to say, I've never trusted Microsoft security ever since :P

    3. Re:What the? by Mashiki · · Score: 2, Informative

      Yeah, it's a common issue with a bunch of different models of PLCs; however there is a physical write lock on the controller that can be engaged. Well, that's as long as you're not stupid enough to buy PLCs without it, and that means you're spending an extra $4/unit. In the end it means that you have to either physically pull the PLC, memory card, or controller card to be able to allow writing to the unit.

      --
      Om, nomnomnom...
    4. Re:What the? by Anonymous Coward · · Score: 0

      RTA - It specifically says that the worm targeted SCADA systems and the Siemens PCS7 DCS. You don't put in a SCADA system if you can get by with a simple ROM-based controller. ROM controllers are used for standardized machine tools; most mid to high end controllers are RAM based, some with some type of flash backup.

      Much manufacturing equipment is custom one-off machines specifically designed for the product being manufactured. I work in a manufacturing industry where it is not unusual to have several hundred controllers in a facility, all with custom programs. With all this custom software, you encounter situations that require technicians to make changes to keep things going.

      Separate your manufacturing network, maintain change control, and have a disaster recovery plan.

    5. Re:What the? by thegarbz · · Score: 1

      Things like what can't happen? From the article it appears as though that exactly this did happen. The virus was found on 14 networks and none of the PLCs were affected. Mind you with access to the PLC via the default password I would imagine that unlocking the PLC would be trivial. This is why I'm a fan of PLCs which require a physical key to be inserted into the rack and turned before the software can write anything to it.

    6. Re:What the? by Anonymous Coward · · Score: 0

      Sounds like a classic design flaw to me. The PLCs I'm familiar with have a physical switch with a key that disables the ability to rewrite the device software.

    7. Re:What the? by luca · · Score: 1

      In the Siemens case the physical switch is only present on the S7-400 series; the S7-300 series doesn't have it, and I can tell you that the difference between them isn't $4, you'll have to add 2 to 3 zeros depending on the model.
      However, even with the key in the "run" position (where you supposedly cannot alter the software) not everything is locked: you cannot change the program (and I'm not even 100% sure about that since the "password protection" can override the switch) but you can change the data and disrupt the process.

    8. Re:What the? by Bungie · · Score: 1

      Needless to say, I've never trusted microsoft security ever since :P

      Windows Server never trusts the client to do any validation because the client could be running Windows 95, MS-DOS or even OS/2 which aren't even aware of NT security ACL's. If you're logged into a domain, even opening a local folder on your system causes the client to validate the permissions with the domain controller. Windows Server will straight out deny access at the file system level if those permissions are set correctly.

      The problem is that Windows permissions are not well understood by many people. Check out this article for some examples of how ACE/ACL read order affects the end interpretation of an object's permissions.

      I'd guess your issue was caused by a mismatch between the share level permissions and the actual file/folder permissions, which is actually a pretty common issue. You can set the access permissions for a share to deny a user but forget to set file/folder permissions and allow him full access. The result being that the share won't open for him but he can still open the folder if he accesses it locally or navigates to it from another share which contains the folder. There are some policies which set object access and they actually do depend on the client for security validation (I've seen systems where "C:\Windows" was denied by policy settings when double clicking the icon in Explorer, but you could access the folder by opening it with "explorer.exe /n,").

      Windows security is complex and can be a hell of a mess sometimes but it is solid when it's done right. It's no different than the issues people have with UGO style permissions on Linux servers. Many people will just chmod 777 and set the owner/group of a file to something from a forum to avoid an error message in WS_FTP or whatever PHP page gives them errors.

      --
      The clash of honour calls, to stand when others fall.
    9. Re:What the? by Bungie · · Score: 1

      Yeah I thought the same thing when setting the "Write Protect" switch on the 3 1/2" floppies that you used for the installation of Windows 95. Even with the switch on, the owner and company name I used for the first installation were written to the disks and were automatically set when the disks were used again. True story...I still have no idea how Microsoft did it.

      --
      The clash of honour calls, to stand when others fall.
    10. Re:What the? by DarwinSurvivor · · Score: 1

      From what I could tell, all the employees folders were on the same share, just separate folders in the "employees/" folder. As for 777 that would affect ALL methods of access (except possibly FTP which has an additional layer of permissions).

  8. Don't alot of the systems have isa slots and old s by Anonymous Coward · · Score: 0

    Don't a lot of the systems have ISA slots and old software on them? But why default passwords? Even an easy 1234 password is better, or just have the password on a post-it note if it's needed each day by many different people and you don't want to change it all the time.

    But the ones in Iran: did the US or someone plant the worm there just to shut Iran down?

  9. Why can't there be a fun Worm that gave free cable by Joe+The+Dragon · · Score: 0

    Why can't there be a fun worm that gave free cable channels running on a cable system? Why does it have to be ones that can do big damage? Or not just stuff like free HBO and/or PPV?

  10. Why is there even a default password? by rs1n · · Score: 1

    Why aren't these types of devices just set up to require setting a password prior to usage? Sure, you might forget the password, but it sure as heck beats out having some random stranger take control over such an important device from God-knows-where. At the same time, if the device must play an important role, why not just have a physical key that overrides passwords if you need to get to the system. What am I leaving out here? This seems like a pretty sure way to fix this problem.

    1. Re:Why is there even a default password? by geekoid · · Score: 2, Interesting

      At the very least generate a unique default password during install.

      The SCADA system where I work requires a specific USB key to be plugged in. While I'm not a fan of dongles in general, for critical systems they can be worth the pain.

      And this is on top of physical separation and a good password scheme. And strong passwords are easy to create and remember.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
  11. Re:Suxnet by Anonymous Coward · · Score: 0

    Whatever, you paranoid delusional douche.

  12. Good news? by hex0D · · Score: 1

    The positive spin on this story seems to me that although there were exploited vulnerabilities (but there always will be, that's why security is an ongoing process) it was effectively dealt with before any significant damages occurred. As long as lessons are learned, and remedies implemented this seems to be a good thing as far as I can tell.

    1. Re:Good news? by sjames · · Score: 1

      I wouldn't hold my breath. This all happened several years after the first warnings that it could happen, after the demos on power meters, and after the malware blew up the Russian pipeline.

      That soft thudding you hear is the sound of surgically sharp clues being dulled and broken as they slam against the skulls of managers everywhere and fall ignored to the ground.

  13. Damn-you, skynet! by SethJohnson · · Score: 4, Funny

    Skynet just inched us one-step closer to the apocalypse by establishing its ability to assemble T1000 robots via CnC machines controlled by this botnet.

    Seth

  14. seems to be app passwords and not windows ones by Joe+The+Dragon · · Score: 1

    seems to be app passwords and not windows ones.

    So if the app needs a password just to run or do stuff that needs to be done each day vs stuff that does not need to be done all the time there you go.

  15. Secure your SCADA, idiots! by atomicthumbs · · Score: 1

    I've seen too much of this in recent years. Control systems should be separated from the Internet by an air gap unless they absolutely need to be connected to it.

    --
    http://pinopsida.com
  16. Hobby Coders by BoRegardless · · Score: 1

    It is one thing for an isolated programmer to make security errors in a program.

    It is entirely another thing when a Siemens or similar puts out code all over the world and they OBVIOUSLY have no serious security review of their code.

    If a giant plant or process is taken down by this type of worm or similar, is Siemens going to plead that their EULA protects and indemnifies them from any responsibility for loss by the user of the software?

    This gives me the willies.

    1. Re:Hobby Coders by Anonymous Coward · · Score: 0

      Well, one of these days Suki will get her name on all the cars being made at the factory...

      (I would have posted a link too, but damn - nobody ever bothered to put a video of that funny commercial on the internet?)

  17. Full ICS-CERT advisory on Stuxnet by jofny · · Score: 4, Informative

    is here: http://www.us-cert.gov/control_systems/pdf/ICSA-10-238-01B%20-%20Stuxnet%20Mitigation.pdf Probably a little more accurate than crappy media reporting.

    1. Re:Full ICS-CERT advisory on Stuxnet by luca · · Score: 1

      "According to Siemens, in none of the cases did the infection cause an adverse impact to the automation system"

      I'm pretty sure the technicians tasked with cleaning up the mess while trying to keep the production line running don't agree with this statement.

    2. Re:Full ICS-CERT advisory on Stuxnet by jofny · · Score: 1

      Sure, but that's not specific to this particular mess. And, as this doc clearly wasn't an analysis of the general impact of worms and malware on control systems in general, they didn't need to say it here.

  18. That's Nothing... by Anonymous Coward · · Score: 0

    What *really* concerns me is the recent invasion of the NukenBomb virus that installs itself on the target PC and then starts issuing launch codes to the missile silo controller cards. I heard of a sophisticated defense against this attack that entailed separating something or inhibiting direct connectiwhatsises but I can't recall the details and I think it was too difficult to implement anyway.

  19. Would you like to play a game? by Arancaytar · · Score: 1

    Launch code "hunter2" accepted. Please enter target.

  20. restrict USB device classes by Anonymous Coward · · Score: 0

    And, since USB is how code and software updates are usually delivered to these devices (not to mention the mouse and keyboard for the PC hook up), you can't just turn USB off either.

    You may not be able to shut it off completely, but why can't you restrict what type of classes of USB device are attached when they're connected?

    http://en.wikipedia.org/wiki/Universal_Serial_Bus#Device_classes

    Also, if you need to have storage devices, what's the equivalent of "mount -o noexec,nodev,nosuid /dev/usb0 /mnt" on a Windows machine? Perhaps throw in an "ro" as well while you're at it if you don't want information leaking out, which would also prevent one system from spreading stuff around.

  21. Re:Suxnet by formfeed · · Score: 2, Funny

    Obvious American intelligence tool. Why is it in North American plants?

    Because Major Carter found the worm, and last night she reformatted all American PCs.
    She's quite good, you know. I've seen it.

  22. Re:Why can't there be a fun Worm that gave free ca by sjames · · Score: 1

    Because they spend actual money to prevent that. Sure, blacking out the east coast is a problem, but people getting free HBO would be an unmitigated DISASTER.

  23. Stupid developers by Pedrito · · Score: 1

    Developers; Listen up! NEVER, EVER, EVER, EVER, EVER have a default password in apps you build. The setup should ask for a password if one is needed and the app should not install without one! What is so hard about this? It boggles my mind that things as important as routers, database servers and industrial equipment control software would install with default passwords! Why does that not raise red flags in developers' minds the second it pops into them?

    1. Re:Stupid developers by WillDraven · · Score: 1

      My understanding is that it's even worse than a default password. It's a back-door account hard coded into the software that the users don't have the option of disabling.

      --
      This is my sig. There are many like it but this one is mine.
  24. do any industrial controller have online drm? by Joe+The+Dragon · · Score: 1

    do any industrial controller / software have online drm systems?

    1. Re:do any industrial controller have online drm? by networkBoy · · Score: 2, Informative

      yes.
      Our CNC uses an on-line DRM.
      We have it on its own network behind a proxy server that only allows it to connect to the manufacturer's URL, and at that only to the authentication server address.

      Fortunately the manufacturer uses SOAP on port 80, so that makes the filtering easier.
      -nB

      --
      whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
    2. Re:do any industrial controller have online drm? by KDR_11k · · Score: 1

      I know industrial software loves license servers but I think you can usually run one of those locally because it'd be a real problem if something severs the connection between a mission critical component and its license server.

      --
      Justice is the sheep getting arrested while an impartial judge declares the vote void.
  25. Not about "default passwords. Worse. by Animats · · Score: 5, Interesting

    This has nothing to do with "default passwords". It's worse than that. The Windows-level part of the attack was signed code signed with a Microsoft-issued key. The signing keys involved have been revoked. US-CERT isn't saying who had them.

    At the controller level, Siemens has issued a bulletin: Previously analyzed properties and the behavior of the virus in the software environment of the test system suggest that we are not dealing with the random development of one hacker, but with the product of a team of experts who must have IT expertise as well as specific know-how about industrial controls, their deployment in industrial production processes and corresponding engineering knowledge. ... The behavioral pattern of Stuxnet suggests that the virus is apparently only activated in plants with a specific configuration. It deliberately searches for a certain technical constellation with certain modules and certain program patterns which apply to a specific production process. This pattern can, for example, be localized by one specific data block and two code blocks. This means that Stuxnet is obviously targeting a specific process or a plant and not a particular brand or process technology and not the majority of industrial applications.

    So this is an attack on a specific industrial plant. But whose? Neither Siemens nor US-CERT is saying.

    This is cyber-warfare. Someone is trying to sabotage a specific plant somewhere.

  26. traffic lights need the internet for the cameras by Joe+The+Dragon · · Score: 1

    traffic lights need the internet for the red light cameras to send the pics / video out!

  27. Re:Why can't there be a fun Worm that gave free ca by DarwinSurvivor · · Score: 1

    Well, they're just thinking of the children. Imagine if children suddenly had access to violent movies on channels their parents didn't think they needed to block!

    Ok, I'm just going to stop baiting the trolls now :P

  28. what about router and other systems that need that by Joe+The+Dragon · · Score: 1

    what about routers and other systems that need that password just to get the setup / config screen / page?

  29. Now can we do something about the cesspool? by sjames · · Score: 1

    Just a note to the FBI, before you ignore that next spambot virus running around unencumbered, keep in mind it might just be spamming so it will be ignored by law enforcement. The primary objective might be cyberattack.

  30. Re:traffic lights need the internet for the camera by MichaelSmith · · Score: 1

    Red light cameras are a separate enforcement system where I live. They most likely get a contact closure from the signal controller for coordination.

  31. "however the largest number of infections, by far" by Jeremiah+Cornelius · · Score: 1

    "however the largest number of infections, by far, have been in Iran"

    Can we even take that statement at face value? Who in Iran is reporting these? Has a "Command and Control" hub for the botnet been captured?

    Is the traffic analysis - up in the layer-4 part of the packet - so good that this has been observed in transit?

    Disinformation has wheels within wheels, my friends.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  32. Re:Not about "default passwords. Worse. by Anonymous Coward · · Score: 1, Insightful

    Looks like it worked. Boom goes the gas line in California.
    Turned up the pressure on a valve somewhere? Old pipes.
    Just a matter of time with a big gas leak before it finds a flame.

  33. Re:Not about "default passwords. Worse. by slimjim8094 · · Score: 1

    I just about shat my pants.

    We got complacent in the last few years. Since there was too much money in viruses, nobody caused mayhem for fun - it was all spam botnets and the like, something the writer could monetize.

    This isn't a kid reminiscing about the shits-and-giggles days. I daresay the writers of this virus are hoping to profit in a big way.

    This is the stuff of the 'movie virus', where some well-spoken sinister-looking guy goes and shuts down a city for ransom money.

    --
    I have developed a truly marvelous proof of this comment, which this signature is too narrow to contain.
  34. Re:Not about "default passwords. Worse. by Anonymous Coward · · Score: 1, Insightful

    The Windows-level part of the attack was signed code signed with a Microsoft-issued key. The signing keys involved has been revoked. US-CERT isn't saying who had them.

    Realtek, according to everyone else on the internet. Which might point the finger at China, who would be well placed to acquire keys from Realtek and who have a well-publicised history of industrial espionage and using malware to attack foreign governments.

  35. Re:Not about "default passwords. Worse. by sapphire+wyvern · · Score: 5, Interesting

    There are indications that the target may have been the Bushehr nuclear power plant in Iran, with the Russian contractor's USB drives being the attack vector into the plant's control systems. (Which are not on the Internet, despite the smug assumptions of so many posters earlier in this comments section.) There's enough information out in the wild now that anyone with access to the target's PLC code could verify the target. Obviously this means the attack targets will be able to prove that the trojan was targeting them, but I doubt they'll be announcing the fact to the world - unless they can trace the attackers and gain political advantage through an announcement.

    It seems the evidence currently leans towards a probably Israeli or possibly US cyberwarfare attack on Iran.

  36. Re:Not about "default passwords. Worse. by Anonymous Coward · · Score: 0

    Inside job - they engineer the problem - already having the solution ready - so much for the free internet... RIP

  37. It's not just these with the default password by Anonymous Coward · · Score: 1, Informative

    I've seen that on point-of-sale machines and the server for those POS machines - change the default password and they stop working. To make things worse the password was written on the things: the manufacturer's name! Anyone with physical access could have embezzled huge amounts by changing totals and the only thing anyone else would notice is that sales are lower on one day than another. Physical access to the servers is often available to just about any employee or visitor, and because they were sold to a lot of places the "inside job" factor applies to anyone that has used those machines anywhere.
    There are a lot of systems where security is nothing but an afterthought to tick a box, in that case the box was "password protected" but it's just like the missile systems that had 0000 as a password.

  38. uh oh by Anonymous Coward · · Score: 0

    Sounds like someone's trying to hack the Gibson

  39. Please listen by Steeltoe · · Score: 1

    How about Banking & Finance: The core system is even reachable from Windows networks.

    I've been working within the banking industry and having the entire Windows network knocked down due to viruses. The only reason there's no major disruption to the core services is that they're usually DB2 and kinda archaic.

    1. Re:Please listen by DarkKnightRadick · · Score: 1

      ):

      --
      "There is a way that seems right to a man, but its end is the way of death." Proverbs 16:25 (NKJV)
  40. Someone needs to report it by Steeltoe · · Score: 1

    Why would you assume most such incidents would be reported?

    Insiders will not break their loyalty, and any breach of loyalty is discouraged, thus the insecure practices live on until something even more major breaks.

  41. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  42. Some more analysis & advice by Okneff · · Score: 1

    "German IACS security researcher Ralph Langner has successfully analyzed the Stuxnet malware that appeared to be a miracle. Stuxnet is a directed attack against a specific control system installation. Langner will disclose details, including forensic evidence, next week at Joe Weiss' conference in Rockville. " http://www.langner.com/en/index.htm

  43. Re:what about router and other systems that need t by shentino · · Score: 1

    Simple.

    What GP posted also goes for firmware developers.

    And the solution is to make the router not work until its password has been set. No networking, no configuration, no anything except a "Set password" screen, itself only accessible from a computer connected directly to one of the downstream ports.

    The problem is that it's better marketing to make stuff, even security sensitive things like routers, work out of the box. Convenience is a bigger boost to the bottom line for the router factory. And of course, once it's been sold, it's the IT department's problem.

  44. Re:Not about "default passwords. Worse. by shentino · · Score: 1

    Or hacking email accounts belonging to political dissidents.

  45. stuxnet target = project key 024 = Bushehr by hzo · · Score: 1

    Check out that README file from SIMATIC PCS 7 CEMAT libraries found at
    http://bit.ly/brTlB7

    Page 2 "Projekt Schlüssel" (=project key) 024

    I bet a "gefillte fish" that project key 024 is stuxnet's target site...

  46. Re:Suxnet by Anonymous Coward · · Score: 0

    Make it simpler.
    Worms are often more widely spread where they are created, so it's definitely Iran,
    and the worm got out of control.

  47. always say 'computer' not Windows :) by Anonymous Coward · · Score: 0

    "Called Stuxnet, the worm was discovered in July when researchers at VirusBlokAda found it on computers in Iran. It is one of the most sophisticated and unusual pieces of malicious software ever created -- the worm leveraged a previously unknown Windows vulnerability (now patched) that allowed it to spread from computer to computer, typically via USB sticks" link

  48. Actually, the problem /is/ the OS by dachshund · · Score: 1

    The real problem is NOT the OS, since it is pretty obvious this attack has been specifically designed to hit a very small niche target, which means no matter what OS you were running the malware writers would have simply written to that target.

    Correct me if I'm wrong, but my understanding is that this worm wasn't hand-carried into the target. That would have been difficult and very risky to the perpetrators. Rather, the worm got to its target by first spreading through a huge number of vulnerable non-target machines in the hope that one of them would be adjacent to a real target.

    One of the other posters on this thread confirms that this nearly happened at the plant he works for, but they were able to contain it before it jumped to the production machines.

    So while it's true that the payload itself might have been targeted at any OS, the vector itself was highly dependent on the existence of a monoculture of vulnerable-OS machines that makes this delivery strategy so damned effective. It's really just icing that the target machines were also Windows, meaning that the perpetrators could re-use the same vulnerabilities to get all the way in.

  49. Idiocy at play... by BrokenHalo · · Score: 1

    I have a problem with the summary: "apparently designed to steal industrial secrets and disrupt operations". That seems just unutterably stupid. Any sane malefactor would do one or the other, not both. If I were in the business of stealing secrets, I wouldn't go around waving a big flag saying "LOOK AT ME, I'M A FUCKING SPY". Duh.

  50. Re:what about router and other systems that need t by Bungie · · Score: 1

    And the solution is to make the router not work until its password has been set. No networking, no configuration, no anything except a "Set password" screen, itself only accessible from a computer connected directly to one of the downstream ports.

    Except for the fact that sixpack Joe resets his Linksys router to defaults all the time to fix internet connection issues...but never connects to the web interface or does any router configuration.

    The default password is only usable from the local network interface anyway by default. If someone's already cracked into the local network he's pretty much screwed already. What would stop a worm on the local network from just sniffing the password, or brute forcing the web or telnet interface?

    --
    The clash of honour calls, to stand when others fall.
  51. Re:"however the largest number of infections, by f by kmoser · · Score: 1

    Probably antivirus programs that report their findings back to home base so the parent company can assess threats and display them to the public.

  52. Re:Suxnet by lsatenstein · · Score: 1

    The previous author's conjecture is wrong. The actual origin of the worm was Siemens itself, and it was developed by organisations wanting to bring other countries such as the USA to their knees, or even to cause self destruction of electrical grids, manufacturing systems etc. Siemens was reporting its own product. My conjecture is to show that if the author does not have proof of his recommendation, he is immature and should just not express unsubstantiated opinions. By the way, my conjecture is as false as his.

    --
    Leslie Satenstein Montreal Quebec Canada
  53. First off, stay off the internet! by hesaigo999ca · · Score: 1

    Why are mission control systems, with critical tasks, given access to the internet...how is it even possible that say the powergrid be hooked up to the internet? Seriously, I know BSG is only a movie, but they made it clear what the real security solution was, keep everything under networked, only hooking up what you need to be hooked up, and all else singular systems.

    Also, this brings about a good point...instead of always watching and waiting for the next botnet to appear and then let it go so that you can "study" it, sometimes it is always good to just kill it if you can, and I am sure now the agencies in place even the security companies are letting most botnets grow, so that 6 months later they can come in, and take it down and be an even bigger hero... because of the sheer size of the botnet taken down.

    I see it this way, like a hockey game, you can have a goalie that stops all the goals and never lets one in....but maybe still lose if both teams are at 1 - 1 and the last goal happens to get by...although he stopped 60 goals from going in, or a goalie that stops none of the goals, but one the last one with both teams tied, stops the puck.... which goalie is better, the one that let the game build up and saved the last puck from going in, but with a bad record, or the goalie that stopped every single on except maybe that last one...