US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

Really?

[rcuhljr]

Security wholes in active-x, whodathunkit.

Re:Really?

[perpenso]

Security wholes in active-x, whodathunkit.

Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)

Re:Really?

[cyber-vandal]

I read that and immediately thought what fucking idiots would use ActiveX for anything so fucking important. And then I thought fucking hell a bit more.

Re:Really?

[RoverDaddy]

There's a whole 15 year-old standards effort dedicated to this purpose: http://en.wikipedia.org/wiki/OLE_for_process_control

Re:Really?

[Platinumrat]

This is not a suprise to anyone who works in the SCADA industry. For example one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

Re:Really?

[perpenso]

There's a whole 15 year-old standards effort dedicated to this purpose: http://en.wikipedia.org/wiki/OLE_for_process_control

I'm not sure that is a fair assessment. OLE is not really a web based technology, its a windows API based technology. It allowed applications to share data and capabilities, apps running on the same machine or apps running on the same private network. It seems the sort of thing a Windows developer would use for the computer sitting next to the industrial machinery, say an operator's console for a computer controlled milling machine. Even extending this idea to web based solutions is not inherently wrong, for example it could simply be *reading* the data from a remote sensor, say the seismometers geologists spread around southern california.

From your link:
"OLE for Process Control (OPC), which stands for Object Linking and Embedding (OLE) for Process Control, is the original name for a standards specification developed in 1996 by an industrial automation industry task force. The standard specifies the communication of real-time plant data between control devices from different manufacturers."

Re:Really?

[perpenso]

This is not a suprise to anyone who works in the SCADA industry. For example one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

Perhaps I am being overly generous but in some contexts connecting the factory floor to the boardroom is not inherently wrong. Letting the CEO and other execs have a little dashboard type app displaying real time info of what is happening might be OK, note that this is strictly a *read only* application. Its only when the ability to write goes remote that things may have taken a terrible turn.

For example lets say a company has 5 big expensive machines that should be running all the time. It might be OK for the CEO to have a dashboard type app that has 5 colored disks that display green for a running machine and red for a machine that is down. If the CEO sees too much red for too long he may want to make a call to see what is going on.

Re:Really?

[RoverDaddy]

I wasn't responding to any comment about web-based technology. The parent comment referred to: "people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls". I was involved near the start of OPC. This is exactly one of the use cases it was designed to support. Direct connection on the plant floor with Active-X based GUI displays talking to COM-based servers talking to the hardware, and remote connection between displays and those same servers via DCOM. By "remote" I basically mean LAN based.

Re:Really?

[ediron2]

... and by 1997, I was using OLE, active-X and IE3 (or was it IE4) on Win NT servers and Win95/98 workstations to create a web interface for serial-attached laboratory equipment: GC's, scales, sensors, automated sample feeds, etc. That was just one component of a rather exhaustive collection of active-x-based webpages that handled a big corporation's little high-tech subsidiary's materials tracking, accounting, contract data, quality monitoring and god knows how many other things.

I was never a fan or an expert, but I thought active-X was entirely a pretty container designed around OLE functionality. It *was* guaranteed that monitoring and controlling these systems was possible from any browser that could reach the web server.

Ironically, users needed so many activex controls registered with their desktop OS that it was as un-WORA as web code could be. That would have kept any outsider from causing trouble. That, and a near-airgap of a corporate firewall mentality (forget web access... just 3% of users had external email access).

(Ah, the things we sometimes have to do for a paycheck)

Re:Really?

[perpenso]

By "remote" I basically mean LAN based.

OK, by "remote" I was referring to something that left the internal networks and has touched public networks. At a previous employer we didn't refer to on-site consoles as "remote". "Remote" was only used when the vendor or one of our tech support people were trying to connect from off-site.

Re:Really?

[ozmanjusri]

I read that and immediately thought what fucking idiots would use Windows for anything so fucking important.

FTFY.

Re:Really?

No matter what the case is they should NEVER have used ActiveX. Excuses excuses. The CEO should be fired if he wasn't letting his tech do there job.

Re:Really?

[pitterpatter]

Are you telling me that while I, as a production employee, am, oh, I don't know, changing cutting heads on my milling machine or maybe unjamming a conveyor belt, some idiot of a manager can see a red icon on his desktop display, decide he needs to turn that machine back to green, and succeed? Without even coming out on the floor where I can throw a wrench at him? That's a serious flaw.

Re:Really?

[ArsenneLupin]

No matter what the case is they should NEVER have used ActiveX.

Yeah, and fuck-you-shima should never have been built where a tsunami could flood it. We are ruled by stupid people, and eventually this will produce a catastrophe big enough to annihilate all of humanity.

Re:Really?

[Platinumrat]

I don't think I phrased my original comment correctly. The CEO in question was in charge of a an internation engineering company that developed SCADA systems. The company also sold the sensors, control system components and engineering design. The catch phrase was the one used to market the products and systems.

Re:Really?

Where I work, if you've got your head stuck in and your hands on the machine, it had damn sure better be racked out at the breaker and PADLOCKED with a tag stating who you are and why you locked it out so that it CANNOT be turned on while you're working on it. No button-pushing boss, or anyone else for that matter, can turn that machine on if procedures were followed correctly. And many of the devices have a blue OOS status for their icon so that someone can tell at a glance whether it's only shut off or whether it's actually inoperable.

Re:Really?

[cyber-vandal]

Good point well made. First FTFY that hasn't made me homicidal, well done ;-)

ActiveX ? I heard you were dead.

[Thud457]

Isn't this something you'd have to be using IE to catch?

Re:ActiveX ? I heard you were dead.

[OzPeter]

Isn't this something you'd have to be using IE to catch?

Nope .. a lot of HMI software that runs on windows allows you to embed ActiveX controls. These systems don't runin IE, but do utilise ActiveX technology. The Genesis32 mentioned in TFA seems to be that sort of product (not that I have used it)

Re:ActiveX ? I heard you were dead.

[Red+Flayer]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

Re:ActiveX ? I heard you were dead.

[ColdWetDog]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

Hell, Active-X alone would be a reasonable payback for lousy wages. I'd only use VB if they kicked my dog. You're a hard, cruel and nasty man.

Re:ActiveX ? I heard you were dead.

[perpenso]

Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

If you were to take a survey of folks around here the recommended reaction to someone using a lot of VB and ActiveX would probably not be "give that person a raise". What is the "cause" and what is the "effect" is not clear. ;-)

Re:ActiveX ? I heard you were dead.

[DrXym]

Isn't this something you'd have to be using IE to catch?

Yes in this case however there is nothing inherently safe about NPAPI plugins. People scream and shout about ActiveX but the reality is if you allow a website to run any 3rd party native executable that you are putting yourself at additional risk. Plugins of all shades can be fed duff data, plugins have scriptable interfaces which may not be checking their values correctly and so on.

More important than the technology (ActiveX or NPAPI) is how the browser protects you from damage, first by limiting what plugins auto install, and by implementing a killswitch for plugins that can be exploited, and hopefully also zone based black and whitelists.

ActiveX is dogshit

News at 11

This brings up the question

[Attila+Dimedici]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

Re:This brings up the question

That is easy because the managers heard everything has to be accessible via the internet or its not cool or modern programming. I seen this thinking everywhere I have worked and you just can't reason with these people.

Re:This brings up the question

Critical infrastructure computers don't need to be internet accessible to be attacked. Take the Iran nuclear program and Stuxnet for instance.

Re:This brings up the question

[rsborg]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

These systems don't have to be on the "internet" in order to be vulnerable. These activex controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).

Re:This brings up the question

[nurb432]

Why are they running windows in the first place and not a more appropriate embedded OS?

Re:This brings up the question

Critical infrastructure computers don't need to be internet accessible to be attacked. Take the Iran nuclear program and Stuxnet for instance.

Maybe, but if your company is being cyber-attacked by Mossad you've got OTHER problems.

Re:This brings up the question

[Anne+Honime]

Aaargh ! modded you redundant instead of informative, silly me... posting to erase my mistake...

Re:This brings up the question

[OzPeter]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the market has said they wanted Windows based products. All of the stuff I am currently working on is targetted at Server 2003 platforms, with thin client viewers, but potentially with XP based terminals (Win 7 is slowly creeping in).

Can you suggest an embedded platform that handles server class functionality and performance? If so, feel free to develop your market segment.

Re:This brings up the question

I think that's the point. Iran and others (ie terrorists) may try means used similar to Stuxnet to bring down or otherwise sabotage infrastructure in the US.

Re:This brings up the question

[tlhIngan]

Why are they running windows in the first place and not a more appropriate embedded OS?

The actual controllers aren't. It's the management interface that is, and it's not unusual, especially when things like OPC (OLE for Process Control, yes, OLE, the daddy of COM and ActiveX) exist, so management of industrial process equipment from Windows has a very long history dating to Windows 3.x.

And back before things were networked heavily, it was OK so security was lax. These days though, even if you had separated industrial and corporate networks, some manager would want to pull up the stats in Excel and force a connection (COM, see?) so they can get actual data from the controller.

Re:This brings up the question

Yeah, but having it on the internet makes it way, way easier to attack. If it is off the like the Iran nuclear program, you need a major program to sneak something in. If it is on the web then any random hacker might well be able to go after it.

Re:This brings up the question

[Noughmad]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the PHB has said they wanted Windows based products.

FTFY

Re:This brings up the question

[nurb432]

Not on my watch he wouldn't, at least not directly. He would be given a data dump that *I* safely gathered for him. The 2 networks would never cross paths.

Control systems would never see the light of day, so to speak.

Re:This brings up the question

[OzPeter]

Why are they running windows in the first place and not a more appropriate embedded OS?

Because the PHB has said they wanted Windows based products.

FTFY

And your version is different from mine, how?

Re:This brings up the question

[OzPeter]

Not on my watch he wouldn't, at least not directly. He would be given a data dump that *I* safely gathered for him. The 2 networks would never cross paths.

Control systems would never see the light of day, so to speak.

And the first time you missed delivering production data to some manager at 3AM because you weren't around to manually process the data "safely", you'd be called to the carpet in front of your manager and asked to explain why you were wasting company resources and what you planned to do about it.

Re:This brings up the question

When he says "I safely gathered" I presume him to actually mean:

There's a crontab entry that looks something like this:
31 2 * * * logwatcher zcat /opt/log/data_dump.1.gz | perl ~logwatcher/bin/make_it_pretty.pl | mail ceo@thiscompany.com

I guess if you're not a UNIX guy that'll be gibberish, but basically, I'm assuming that something not pictured listens for the data, whether it comes over a serial line, a TCP socket, polled from the machine every tenth of a second, whatever. It writes it to /opt/log/data_dump - a logrotation daemon goes around once in a while (I guess every 8 hours if you want production per shift), works its magic, and you end up with data_dump being a new file the listener is writing to, data_dump.1.gz being a compressed and stable copy of the past 8 hours data, data_dump.2.gz being the 8 hours prior, etc. Then at 2:31 am every day, this scheduled job runs under the username "logwatcher" that takes the compressed data and throws it at a perl script which burns CPU time to make the pretty graphs that CEOs like to look at. Then it's directly mailed off without even hitting the disk drive (at least, probably - not accounting for mail queue length, virtual memory requirements, etc... The FLOWCHART doesn't hit the drive is a more precise way to say it. :) )

Re:This brings up the question

[OzPeter]

When he says "I safely gathered" I presume him to actually mean:

Yet his whole system is predicated on the two networks not meeting. From which I took him to mean an air gap

Re:This brings up the question

[tehcyder]

You're missing the point entirely. If you have the data update itself at a pre-scheduled time, a manager will want the data an hour after that time, and he won't necessarily want to wait another 7 hours for it. What he wants is to be able to click on a uton on his spreadsheet and get the real time data, and to achieve this with your system, you'd need people on hand 24 hours a day to supply it manually.

Re:This brings up the question

[Bacon+Bits]

Why are computer systems that control critical infrastructure accessible from the Internet? And even if it has access to the Internet, why is someone using it to go to web pages that are not on the company Intranet?

Because they're installed an configured by electronics engineers and computer programmers, not sysadmins. They bitch and moan and piss and whine and call one VP after another until the sysadmins say, "Fine, it's on the network and has unfiltered access to the Internet and automatically logs in to an Admin account. We're not fixing it when it breaks so you're getting the call at 3am when the custodian accidentally unplugs it for the 30th time. It's not backed up unless you do it (and we know you won't). It's not patched or maintained unless you do it (and we know you won't). It's a ticking time bomb that will cause you to lose your job when it goes off, but it's no longer our problem. Have a nice day."

Re:This brings up the question

[Attila+Dimedici]

Hey, I've given that speech...Ok, not that exact speech, but one very similar.

"critical systems" don't belong on the internet

If some system is critical to running your oil and gas field, it DOES NOT belong on the internet. No matter what software it runs.

Anyone who gives such a machine internet connectivity should be fired for incompetence and actively endangering the business.

Plus, as we learned about a million years ago, ActiveX is insecure by design.

Re:"critical systems" don't belong on the internet

[cyber-vandal]

You do know that web browsers can be used on networks other than the internet don't you?

...used heavily in nuclear power generation.

OK, OK, I don't know that. But that is what I was waiting for....

Controls are a different Beast...

[Rogue974]

I am a Controls Engineer and work with HMI interfaces everyday.

We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

Re:Controls are a different Beast...

[anchovy_chekov]

You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of the their systems to the better-budgeted (and more politically savvy) IT departments.

It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"

Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.

Re:Controls are a different Beast...

Which is it?

We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system.

Is it connected or not? Sounds like it's connected but you have it segmented with a firewall. Which means it is connected. Unless you have an air gap it's connected.

Re:Controls are a different Beast...

[Pharmboy]

Read his words foo, there is air between his intranet and the internet.

"They would have to penetrate our security perimeter first in order to gain access to our controls system." ...means, they would have to physically walk into their building, getting passed their security perimeter. Those words have a meaning besides the internet, and even predates the internet. Unless the hacker can gain PHYSICAL access to one of the systems inside the building, it isn't going to get hacked.

Re:Controls are a different Beast...

I can't speak for the OP, but I got the impression he was referring to security perimeter in a physical sense, as in fences, locks, etc.

Re:Controls are a different Beast...

[VortexCortex]

I am a Controls Engineer and work with HMI interfaces everyday.

We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

::sigh:: Stuxnet. Delivered by USB. ANY data allowed in, discs, e-mail, etc, is a liability. You've got an intranet with all your own switches, etc. The air gap get's breached via sneaker net once, and you're toast. There is no such thing as fool-proof.

Re:Controls are a different Beast...

Even on your network, ActiveX is a problem. The features you have in place would not have protected you from Stuxnet since USB was the attack vector.

With ActiveX, ANY computer on your network would have been a potential entry point.

Almost all the Windows SCADA-type packages use ActiveX (WonderWare, iFix, WinCC, etc. etc.). It amazes me that it's taken this long for these problems to public and the severity of the situation realized.

There's a business benefit to exporting HMIs, think Engineer resolving problems from home at 2am rather than having to drive than then fix the problem. (No, a VPN won't save you if that computer is infected).

Re:Controls are a different Beast...

Sounds awesome, but from experience I'd say you're in the minority. The systems I have seen and worked on start off completely separate or independent and then gradually become less so. Usually due to requirements for remote support or access or for ease of management and the desire to utilise existing shared infrastructure.

Unfortunately IT rarely has the understanding, budget or leadership to push for a completely separated solution and the Control guys (normally from an electrical engineering background) don't have the IT understanding to get the risks. IT wins kudos for making life easy by letting the control engineer log in from home in the event of a fault when for security they should really be forced to drive in or talk an on-site person through issues.

We currently have the control network behind 2 layers of firewalls, but that doesn't stop a firewall admin from forgetting to disable the ANY:ANY rule and allowing Joe in Finance from finding the web interface for a substation control device.

In the military there are requirements for this stuff, with separate physical infrastructure and air gaps between various classification levels. I would imagine made possible by massive budgets and strong leadership/big egos.

Re:Controls are a different Beast...

[lennier]

Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Restarted as a syllogism:

1. Properly designed HMI control systems are perfectly safe, since the manufacturers make sure they don't touch the Internet.
2. HMI control systems manufacturers appear incapable of proper design, since they release vulnerable code every month.
3. ... Prepare for unforeseen consequences.

Re:Controls are a different Beast...

[Rogue974]

Yup, like I said, "They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway."

You can not make something 100% full proof because if they can gain physical access they always win. You can get close though by making physical access be the only way they can get access. Best way to protect and then it also helps with these, they found an exploitable bug scenarios. Unless they are targeting us specifically and break the air gap, they will be looking to see who is connected and own them to exploit them for money and never come to our site and breach our perimeter.

Re:Controls are a different Beast...

[Rogue974]

You are right about me being lucky. When we laid out network several years back, we had the luxury of being allowed to do it the way we needed it. We were given the budget and were not told to merge it with ITs network. We ran our own cables, put in our own hardware and got it all set up.

The funny thing about the finances of it, our insurance company does and audit of the site every year. Every year they ask us 2 questions, one of which is if we still have the air gap between the controls network and the outside work. The other is if we have installed WIFI on our controls network, which of course we will not do. Because we can keep answering how they like, it keeps our insurance rates low. The insurance company realizes the risk and because we are not willing to take that risk, our insurance rates get a nice discount.

So there are financial reasons aside from keeping production running, but most places don't see it.

And I echo your last statement as well.

Re:Controls are a different Beast...

[Rogue974]

Responding to an AC, but oh well.

As I posted, if the attacker has physical access, we have lost. It doesn't matter what HMI software you use, if an outsider can gain physical access to your system, the battle has already been lost.

The point about the benefit of solving problems from home at 2:00 am. We have made the decision that we will just make the drive in because we do not want to risk the lives of the people on site. If we have a physical connection we can use, then someone else can possibly break through from the outside world, so we left the break.

So while there is a business benefit to having that connection, for our site, we did the cost benefit analysis and we decided it was not worth the risk or the extra time we would have to take maintaining and securing the connection.

Re:Controls are a different Beast...

[Rogue974]

You are right about IT and Controls having different skill sets and quite often not getting what should be done when ti comes to controls. At our plant, IT and controls are completely separate. We have enough IT expertise to set up and maintain our system in the control group. The controls group has set the policies that are in place regarding the controls system and we set it that we will make the drive in to do support from inside the perimeter rather then open ourself up to the risk.

It is a constant battle between Controls and IT at most places making many controls systems not nearly as secure as they could/should be.

Re:Controls are a different Beast...

[Rogue974]

We have an air gap. When I say penetrate our perimeter security, I meant actual physical perimeter security, i.e. barbed wire fence, etc and gain physical access to our equipment.

WTF?Embedded RealTimeControlSystems, Determinism..

[aaronpeacock]

For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems?????? THIS is not some anti-microsoft rant mind you- its simply that Industrial Control Systems DO NOT USE consumer operating systems but rather HARD REAL TIME OPERATING SYSTEMS. If you do not know what the word "Deterministic" means in relation to Embedded Computing, you should go look it up first. There is a process known as Verification whereby every goddamn functional unit and every goddamn line of code is mathematically proven, is rigorously tested in some kind of Unit Testing Verification Harness software, and you simply would not slap some Windows or even normal Linux on an Industrial Control System. If you have an Industrial Control System using ACTIVEfuckingX you are probably dealing with a developer who is not actually an embedded systems developer, but rather a lazy idiot. Ciao

HMI?

I thought they died with the DOS days!

HMI Module Alpha Humana on approach to Space Station Mercury.

Sony Mentality

[Nethemas+the+Great]

"Thanks for the warning now lets get back to the real issues... How are shareholder forecasts locking for next quarter?"

On the Internet?

Why are those systems connected to the Internet anyway? They should have two terminals. One on a private network only that controls critical systems, and one that is on the public Internet so employees can check their e-mail, etc.

A little explanation please?

[Trubacca]

Is there a reason ActiveX is being used in software that controls critical infrastructures? I don't want to jump to conclusions, but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

Re:A little explanation please?

[anchovy_chekov]

History. ICONICS have been around for a long time - their ActiveX controls were originally used inside native Win32 apps. It was an easy way to get reasoably good looking HMIs built when you needed something clean looking (and UI design wasn't your strong point). Fast forward a decade and what kinda worked in native apps has been moved to the web, with nary a thought of the security implications. I wouldn't blame either IT or Engineering per se, but there clearly not been a lot of dialogue between these two camps.

Re:A little explanation please?

[Nethemas+the+Great]

... but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

I thought that was standard practice...

Re:A little explanation please?

[cnettel]

Is there a reason ActiveX is being used in software that controls critical infrastructures? I don't want to jump to conclusions, but that seems almost as silly as a Security Consulting firm that doesn't test their own website for security holes.

Yeah. That way, you can build "rich" VB apps on top of the control developed by the vendor. What good is a control system if you can only control it through one single fixed-function Windows application?

Re:A little explanation please?

I have to use their software where I work and it really sucks. It's so giant, bloated, and disorganized that even simple projects take a long time to develop and you end up writing a bunch of notes on scrap paper so you won't forget where some obscure setting is. With its glorious object oriented approach absolutely every element of your project must be located in a giant data tree as you jump between the somewhat inconsistent sub-programs that make up the package. It's pretty much what I've come to expect from Microsoft Gold Partners who feel the need to employ the full sum of Microsoft API's and cutting edge methodologies in every product.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[obarthelemy]

Sorry, offtopic:

Has anyone ever told you that the way you try and make your points actually kinda weakens them ? Your post has some interesting content, but the way it is written angers, distracts, even takes away quite a chunk of your credibility.

Who said these systems are on the WWW?

[mmell]

The advisory says that this ActiveX-based software is vulnerable. It doesn't say it's on internet-facing httpd servers.

Re:Who said these systems are on the WWW?

[Attila+Dimedici]

The advisory says "Attackers could use JavaScript hosted on an attack Web page ..." That certainly implies that the vector for attack would be if someone went to an outside web page.

Re:Who said these systems are on the WWW?

[cnettel]

But it would also be if someone sent some other semi-safe file (a Word document, for example), where the control was embedded. And, depending on security zone settings (scripting is disabled for local files by default in IE these days), a HTML file on some physical medium would suffice as well.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[theshowmecanuck]

Because it is easier to control your system with a GUI than a command line. A picture is worth a thousand words, especially if you are monitoring various components across a large system. Nothing says the control systems themselves aren't running on specialized OS's, but what is wrong with exposing hooks for a GUI to control it with (and now-a-days you WILL need a GUI in a control room somewhere for most applications)? At least with Windows you know the risks and can at least mitigate if not eliminate them. It isn't any worse than running Linux for a GUI and trusting that it is safe since "no-one writes viruses for Linux." And as far as running control systems across a network, oil pipeline companies do it all the time. Or do you expect them to locate guys out in a hut with a telephone at every valve location in a thousand mile pipeline system? Hey Joe open the valve a little more. Not everything runs in one room.

Re:WTF?Embedded RealTimeControlSystems, Determinis

There are several real time systems which run windows as idle task, this means that windows only gets runs while no realtime critical tasks are scheduled. The realtime system provides some sort of virtual interface for example a network interface which can be accessed from windows, this way a component containing non realtime critical parts of the software (user interface) can be implemented in windows. (I had to run some realtime tests this way once, the UI was a eclipse client sending the test cases to the virtual network card of the realtime system, which would run the tests and send the results back once finished).
 

Re:WTF?Embedded RealTimeControlSystems, Determinis

[Locutus]

the last year Chief Systems Engineers were included in top level management meeting and relied on to direct the technical direction of products was around 1994. About that time, management was getting comfortable with Microsoft Windows and the semi technical ones or those managing technical staffs were getting gobs of literature all about how Microsoft Windows and Microsoft software could fly them to the moon and back before lunch was over. They were playing with Visual Basic and became expert programmers in their own minds. That is when management started dictating what tools would be used on products and when pressed would tell you that nobody gets fired for choosing Microsoft.

FYI, there was a UNIX based comm system up at LAX which got replaced by a Windows 9x box. When they found out the OS would repeatably crash after 49 days or something like that they solved the problem with a reboot _every_ 30 days. A new guy came onboard, thought hey, things are running fine so why reboot it. CRASH and for about 6 hours LAX has not ground to air nor air to ground communications. Many close calls but no crashes. But the 3fing idiots used a Windows box, Windows 9x even, for a mission critical system. I quit a military contract position when word came down from Command that all UNIX systems would be replaced with Windows. The way I see it, there are idiots making technical choices all around us and until Microsoft fades away, that's not going to change.

I miss the days when the Chief Systems Engineer ran the show and was usually the brightest person in the company and everyone knew it.

LoB

Re:WTF?Embedded RealTimeControlSystems, Determinis

[Platinumrat]

I'm sorry to wake you up from your little dream world. But the largest supplier of SCADA control software is all Windows based. Plus no-adays, software developers, and more especially the managers leading them, have no clue what Deterministic or Hard Real Time mean.

I've seen supposed Control System development companies throw out the systems based on Commercial RTOSs and with a proven track record, basically because they don't support the latest and greatest Fads (like REST, XML, HTTP, SVG). The management like those that support the buzzwordy new gods (usually those GenYs). The rationalisation is generally starts out, that it's just too hard to get experienced developers for the old platforms and we don't really need hard real-time because of the advances in processing+network+disk resources available now.

The next and current step in the decline, is that all we need is a good set of processes in place, and the new-gen of developers+managers will be able to real-time control systems. After all, it's just software and any code-monkey should be able to replace experience with the right processes to support them.

Prepare for a lot more pain. "As some reporter said a long time ago. "Ohhhhhhhhh! The humanity".

Re:WTF?Embedded RealTimeControlSystems, Determinis

Aaah...naive. I'll answer the question.

1) Not everything in control needs realtime.
2) It's cheaper
3) It's possibly less risky because it's better tested. Especially if it's not on a network. Why use RTOS when you can chat to a piece of hardware over a serial port. Or even zigbee these days...
4) windows comes with its own firewall that works just fine if you set it up right.

A fairly well known vendor provides continuous gas data by plugging a serial device into an outlet, and then cabled into a computer certified to run Win2000. The computer polls the serial line for data, and transmits using a proprietary client to a hardcoded VPN connection (PPTP) that pushes a file name set from a config.ini into an FTP server via ... I think windows scheduling service twice a day.

They use FTP over the VPN because this is built into off the shelf windows. NO extra programs needed.

The people that 'maintain' this system are utterly terrified of patching windows, installing a service pack, cygwin, or any sort of program. They have the competence to edit the ini file, but not change firewall settings or the destination of the VPN.

The maintainers and original developers wouldn't consider installing an SSH executable to help us get them away from the vendor because putting *ANYTHING* on the windows computer voids the warranty wholly (from the reseller of this product). People aren't supposed to do anything but occasionally pull up a menu and click on the buttons. They don't have DLL hell because there's only one damned app on it that doesn't ship with the o/s.

In order to read the system, we actually had to build a cable splitter with a relay that would swap our device on and off and query it independently--they were that afraid to touch the o/s and install a simple script that would FTP the data to somewhere else.

Let me put it to you this way--the people who maintain this...well...they seemed incompetent. The people who wrote it, are neither lazy, nor idiots. They sold a machine that probably cost $1000 to purchase with maybe 10k in development costs to companies that were willing to pay ...much more than that. Okay, maybe they're lazy...but they sure made a profit.

Verification is...not needed. Windows works good enough off the shelf if you don't install crap on it. So does linux. So would bsd or mac or BeOS. So would any o/s with an ip stack. I could probably program my ANDROID to do what was needed if I had a serial USB connection...

But windows development "expertise"...is dirt cheap.

Don't put anything new on it, keep it firewalled off...you're fine.

Now...the moment you start talking back to these over the VPN, it gets interesting. That isolated network might not be so isolated once somebody plugs a wireless access point into their desktop's USB NIC so they can RDP into it from their iphone while on the shitter...

Not that I've ever seen that...

Fired for buying M$

So when are people going to start getting fired for buying M$

Seriously Active-X has been knows since its inception to be a giant security hole.

Its about time the expensive people started getting fired for buying it.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[MightyYar]

For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems??????

In our case, two reasons:
1. USB sticks. These things are a serious nightmare. Customer requirements are to be able to load programs via USB, and yet some USB sticks give trouble to some non-Windows systems. Our pre-Windows solution was to provide a list of known-working USB sticks. This was a nightmare, since the available sticks part numbers seemed to change from week to week. We stocked sticks and even gave out working ones, but it took an amazing amount of effort. Virtually every stick on the market has been tested against Windows.
2. Machine vision libraries. Our vendor is awesome and was willing to port their libraries to anything we wanted. However, the warning was that we would be the only users (or one of only a handful) on a non-Windows system. We were not willing to take that risk.

I wonder...

[vikisonline]

If you get so upset with process control, what do you think of windows XP embedded running on life support machines. Oh yea!!! Trust me, its been done :D Blue-screen of death here we come...

Re:WTF?Embedded RealTimeControlSystems, Determinis

[Alex+Belits]

1. USB sticks. These things are a serious nightmare.

Not true for at least half a decade.

2. Machine vision libraries. Our vendor is awesome and was willing to port their libraries to anything we wanted. However, the warning was that we would be the only users (or one of only a handful) on a non-Windows system. We were not willing to take that risk.

If you use off-the-shelf, general-purpose yet proprietary single-vendor machine vision library for industrial control, you are doing it seriously wrong.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[MightyYar]

Not true for at least half a decade.

Amazing, because that's about exactly when the decision was made!

If you use off-the-shelf, general-purpose yet proprietary single-vendor machine vision library for industrial control, you are doing it seriously wrong.

Why? Everything involves compromises. This vendor was particularly good at our specific application.

To be fair, if the decision was made today, it might be Linux. More people use the library with Linux now, and Linux seems to work with USB keys of all flavors. We may even go that route eventually as a unit cost reduction if hardware support can be consistently found.

Redundant

"Serious hole" and ActiveX are the same thing.

I used to work for ICONICS

Somehow 'I told you so' does not quite say it.