Slashdot Mirror


US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

19 of 87 comments

  1. This brings up the question by Attila Dimedici · Score: 4, Insightful

    Why are computer systems that control critical infrastructure accessible from the Internet? And even if they have access to the Internet, why is someone using them to go to web pages that are not on the company Intranet?

    --
    The truth is that all men having power ought to be mistrusted. James Madison
    1. Re:This brings up the question by rsborg · Score: 5, Insightful

      Why are computer systems that control critical infrastructure accessible from the Internet? And even if they have access to the Internet, why is someone using them to go to web pages that are not on the company Intranet?

      These systems don't have to be on the "internet" in order to be vulnerable. These ActiveX controls are likely deployed internally, probably with adequate security. But networks are porous, and as Stuxnet proved, complex malware can be executed to effect. The issue is that security isn't treated as a process but as a response or feature. Good security takes into account all possible vectors (humans being the biggest).

      --
      Make sure everyone's vote counts: Verified Voting
  2. Controls are a different Beast... by Rogue974 · Score: 4, Interesting

    I am a Controls Engineer and work with HMI interfaces every day.

    We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

    Place I work at, we have completely separate hardware than IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

    It does scare me when I think about how some of the other plants and industries make connections to the intranet from their controls systems for various reasons and trust that their security will hold.

    1. Re:Controls are a different Beast... by anchovy_chekov · Score: 4, Interesting

      You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of their systems to the better-budgeted (and more politically savvy) IT departments.

      It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

      I think I've told this story here before, but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network".

      Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.

  3. Re:Really? by perpenso · Score: 5, Insightful

    Security holes in active-x, whodathunkit.

    Perhaps I am mistaken but I think the newsworthiness of this story is not that ActiveX has issues, rather it is that there are a bunch of people out there who decided to use ActiveX to provide remote graphical interfaces to industrial controls. ;-)

  4. WTF?Embedded RealTimeControlSystems, Determinism.. by aaronpeacock · Score: 2, Interesting

    For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems?????? THIS is not some anti-Microsoft rant mind you- it's simply that Industrial Control Systems DO NOT USE consumer operating systems but rather HARD REAL TIME OPERATING SYSTEMS. If you do not know what the word "Deterministic" means in relation to Embedded Computing, you should go look it up first. There is a process known as Verification whereby every goddamn functional unit and every goddamn line of code is mathematically proven, is rigorously tested in some kind of Unit Testing Verification Harness software, and you simply would not slap some Windows or even normal Linux on an Industrial Control System. If you have an Industrial Control System using ACTIVEfuckingX you are probably dealing with a developer who is not actually an embedded systems developer, but rather a lazy idiot. Ciao

  5. Re:Really? by cyber-vandal · Score: 4, Funny

    I read that and immediately thought what fucking idiots would use ActiveX for anything so fucking important. And then I thought fucking hell a bit more.

  6. Re:ActiveX ? I heard you were dead. by OzPeter · Score: 2

    Isn't this something you'd have to be using IE to catch?

    Nope .. a lot of HMI software that runs on Windows allows you to embed ActiveX controls. These systems don't run in IE, but do utilise ActiveX technology. The Genesis32 mentioned in TFA seems to be that sort of product (not that I have used it).

    --
    I am Slashdot. Are you Slashdot as well?
  7. A little explanation please? by Trubacca · Score: 2

    Is there a reason ActiveX is being used in software that controls critical infrastructure? I don't want to jump to conclusions, but that seems almost as silly as a Security Consulting firm that doesn't test its own website for security holes.

  8. Re:WTF?Embedded RealTimeControlSystems, Determinis by obarthelemy · Score: 2

    Sorry, offtopic:

    Has anyone ever told you that the way you try and make your points actually kinda weakens them? Your post has some interesting content, but the way it is written angers, distracts, and even takes away quite a chunk of your credibility.

    --
    The Cloud - because you don't care if your apps and data are up in the air.
  9. Re:WTF?Embedded RealTimeControlSystems, Determinis by theshowmecanuck · Score: 2

    Because it is easier to control your system with a GUI than a command line. A picture is worth a thousand words, especially if you are monitoring various components across a large system. Nothing says the control systems themselves aren't running on specialized OSes, but what is wrong with exposing hooks for a GUI to control it with (and nowadays you WILL need a GUI in a control room somewhere for most applications)? At least with Windows you know the risks and can at least mitigate if not eliminate them. It isn't any worse than running Linux for a GUI and trusting that it is safe since "no-one writes viruses for Linux." And as far as running control systems across a network, oil pipeline companies do it all the time. Or do you expect them to locate guys out in a hut with a telephone at every valve location in a thousand mile pipeline system? "Hey Joe, open the valve a little more." Not everything runs in one room.

    --
    -- I ignore anonymous replies to my comments and postings.
  10. Re:Really? by Platinumrat · Score: 3, Interesting

    This is not a surprise to anyone who works in the SCADA industry. For example, at one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

  11. Re:Really? by perpenso · Score: 2

    There's a whole 15 year-old standards effort dedicated to this purpose: http://en.wikipedia.org/wiki/OLE_for_process_control

    I'm not sure that is a fair assessment. OLE is not really a web-based technology, it's a Windows API-based technology. It allowed applications to share data and capabilities, apps running on the same machine or apps running on the same private network. It seems the sort of thing a Windows developer would use for the computer sitting next to the industrial machinery, say an operator's console for a computer-controlled milling machine. Even extending this idea to web-based solutions is not inherently wrong; for example, it could simply be *reading* the data from a remote sensor, say the seismometers geologists spread around Southern California.

    From your link:
    "OLE for Process Control (OPC), which stands for Object Linking and Embedding (OLE) for Process Control, is the original name for a standards specification developed in 1996 by an industrial automation industry task force. The standard specifies the communication of real-time plant data between control devices from different manufacturers."

  12. Re:WTF?Embedded RealTimeControlSystems, Determinis by Locutus · Score: 3, Interesting

    The last year Chief Systems Engineers were included in top-level management meetings and relied on to direct the technical direction of products was around 1994. About that time, management was getting comfortable with Microsoft Windows, and the semi-technical ones or those managing technical staff were getting gobs of literature all about how Microsoft Windows and Microsoft software could fly them to the moon and back before lunch was over. They were playing with Visual Basic and became expert programmers in their own minds. That is when management started dictating what tools would be used on products and, when pressed, would tell you that nobody gets fired for choosing Microsoft.

    FYI, there was a UNIX-based comm system up at LAX which got replaced by a Windows 9x box. When they found out the OS would repeatedly crash after 49 days or something like that, they solved the problem with a reboot _every_ 30 days. A new guy came onboard, thought hey, things are running fine so why reboot it. CRASH, and for about 6 hours LAX had neither ground-to-air nor air-to-ground communications. Many close calls but no crashes. But the 3fing idiots used a Windows box, Windows 9x even, for a mission critical system. I quit a military contract position when word came down from Command that all UNIX systems would be replaced with Windows. The way I see it, there are idiots making technical choices all around us and until Microsoft fades away, that's not going to change.

    I miss the days when the Chief Systems Engineer ran the show and was usually the brightest person in the company and everyone knew it.

    LoB

    --
    "Anyone who stands out in the middle of a road looks like roadkill to me." --Linus
  13. Re:ActiveX ? I heard you were dead. by Red Flayer · Score: 4, Funny

    Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

    --
    "Trolls they were, but filled with the evil will of their master: a fell race..." -- J.R.R. Tolkien on Olog-hai
  14. Re:Really? by perpenso · Score: 2

    This is not a surprise to anyone who works in the SCADA industry. For example, at one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

    Perhaps I am being overly generous, but in some contexts connecting the factory floor to the boardroom is not inherently wrong. Letting the CEO and other execs have a little dashboard-type app displaying real-time info of what is happening might be OK; note that this is strictly a *read only* application. It's only when the ability to write goes remote that things may have taken a terrible turn.

    For example, let's say a company has 5 big expensive machines that should be running all the time. It might be OK for the CEO to have a dashboard-type app that has 5 colored disks that display green for a running machine and red for a machine that is down. If the CEO sees too much red for too long he may want to make a call to see what is going on.

  15. Re:ActiveX ? I heard you were dead. by ColdWetDog · Score: 3, Funny

    Hell, I used to embed Active-X controls in Excel docs, mixed up with a good bit of VB. My way of paying back that employer for sub-par wages ;)

    Hell, Active-X alone would be a reasonable payback for lousy wages. I'd only use VB if they kicked my dog. You're a hard, cruel and nasty man.

    --
    Faster! Faster! Faster would be better!
  16. Re:Really? by ediron2 · Score: 3, Interesting

    ... and by 1997, I was using OLE, active-X and IE3 (or was it IE4) on Win NT servers and Win95/98 workstations to create a web interface for serial-attached laboratory equipment: GCs, scales, sensors, automated sample feeds, etc. That was just one component of a rather exhaustive collection of active-x-based webpages that handled a big corporation's little high-tech subsidiary's materials tracking, accounting, contract data, quality monitoring and god knows how many other things.

    I was never a fan or an expert, but I thought active-X was entirely a pretty container designed around OLE functionality. It *was* guaranteed that monitoring and controlling these systems was possible from any browser that could reach the web server.

    Ironically, users needed so many activex controls registered with their desktop OS that it was as un-WORA as web code could be. That would have kept any outsider from causing trouble. That, and a near-airgap of a corporate firewall mentality (forget web access... just 3% of users had external email access).

    (Ah, the things we sometimes have to do for a paycheck)

  17. Re:Really? by ozmanjusri · Score: 2

    I read that and immediately thought what fucking idiots would use Windows for anything so fucking important.

    FTFY.

    --
    "I've got more toys than Teruhisa Kitahara."