Slashdot Mirror


New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier

From the article: "SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier." What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret, at least in part due to pressure from the Department of Homeland Security.

29 of 119 comments

  1. Re:Read it before by McGiraf · · Score: 2

    Uh oh, this comment looks exactly like this comment.

  2. If it did cause an accident... by AmiMoJo · · Score: 3, Insightful

    Seems like Israel and the US are playing a dangerous game here. Say that Stuxnet caused an accident that released radioactive material into the environment...

    --
    const int one = 65536; (Silvermoon, Texture.cs)
    SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    1. Re:If it did cause an accident... by Lehk228 · · Score: 2

      the whole thing would have been denied and covered up instead of bragged about.

      --
      Snowden and Manning are heroes.
    2. Re:If it did cause an accident... by MRe_nl · · Score: 2, Interesting

      The Japanese nuclear plant in Fukushima ran on Siemens computers that the Stuxnet worm was programmed to infect -- in fact the virus was found in Fukushima systems last year.
      Makes you wonder why the cooling system wasn't functioning. Maybe the tsunami caused failures which Stuxnet made the reactors unable to handle.
      Failures at four other plants in Japan, German and South African reactors shut down.
      Using Siemens systems as well?

      --
      "Kill 'em all and let Root sort 'em out"
    3. Re:If it did cause an accident... by rubycodez · · Score: 2

      Quit reading tin hat nonsense sites. Have you seen the 1970s systems that control those GE Mark I's? No virus exists for those old things.

    4. Re:If it did cause an accident... by Yvanhoe · · Score: 2

      Of course you have the sources for that?

      From what I understand, Stuxnet was targeting enrichment facilities, which is very different from what Fukushima is.

      --
      The Wise adapts himself to the world. The Fool adapts the world to himself. Therefore, all progress depends on the Fool.
    5. Re:If it did cause an accident... by Svartalf · · Score: 4, Informative

      Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Siemens. Anywhere you've got one of those SCADA systems, you've got a possibility of Stuxnet. It's just that Iran was using them for their process control systems for the enrichment plant.

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
    6. Re:If it did cause an accident... by dachshund · · Score: 3, Interesting

      Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Siemens. Anywhere you've got one of those SCADA systems, you've got a possibility of Stuxnet. It's just that Iran was using them for their process control systems for the enrichment plant.

      Stuxnet targets a Siemens centrifuge controller that's programmed by an (air-gapped) Windows machine. Unfortunately this same basic pattern repeats itself all over the place.

      For any given SCADA system --- regardless of manufacturer --- you're extremely likely to see it connected to a modern PC, typically a Windows machine. Even if the Windows machine is just running a terminal program, it's connected.

      What Stuxnet showed us is that these Windows boxes are a critical vulnerability, even if they're just an ingredient in the programming chain, even if the box is separated by an air gap. I'm sure Israel/US would have found a way to those centrifuge controllers, but without the Windows infection vector it would have been a whole hell of a lot more difficult.

    7. Re:If it did cause an accident... by TubeSteak · · Score: 3, Informative

      Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Siemens.

      You might want to do a little more research on the matter.
      Stuxnet's code has been picked apart: the trojan was designed to infect SCADA systems, but only to attack very specific hardware configurations.

      Stuxnet's payload was designed to (1) spin the uranium centrifuges used by Iran at certain known-to-be-destructive RPMs,
      (2) lie to the monitoring software which was supposed to prevent out of bounds conditions and set off alarms if they occur,
      and (3) should 1 & 2 not ruin the centrifuges, Stuxnet would go dormant and reawaken to try (1) and (2) again.

      Stuxnet is completely harmless unless you happen to attach the exact same hardware the Iranians had plugged into their SCADA controllers.
      Just to be very clear: Stuxnet's payload was specifically crafted to attack the known configuration of Iran's uranium centrifuging program.

      --
      [Fuck Beta]
      o0t!
  3. Sometimes a SCADA hack is a good thing by Anonymous Coward · · Score: 3, Funny

    How do you think Reese's initially got chocolate in their peanut butter?

  4. Call me naive or something, but... by Pecisk · · Score: 2

    ...simply good old network security with hardened OSes (Linux, BSD, OS X) with all other services seriously turned off, firewalls and proxies with filtering won't do the trick?

    Who is running industrial systems with direct contact with the Internet anyway?

    --
    user@ubuntubox:~$ stfu This server is going down for shutdown NOW!
    1. Re:Call me naive or something, but... by wiredog · · Score: 2

      Many systems are remotely accessible, just not over the internet, and no one thought that heavy security would be needed. Even though those networks were getting compromised back in the 60's.

      Just pulling the cable when remote access isn't needed is a highly effective, and often neglected, security practice.

    2. Re:Call me naive or something, but... by jimicus · · Score: 4, Insightful

      I'm not sure it would have done much good. The general consensus of opinion is that this was a case of a determined attacker with a lot of resources, not some nutter on the Internet with a copy of the latest Virus Generator Toolkit (TM).

      How much weight we should give that opinion is something I'm not going to discuss.

      In any case, you think a determined attacker is going to be put off by a small thing like that? Hell, if it boils down to it you either organise double agents to apply for jobs at the target site or you target someone who already works there with a brown envelope full of unmarked, non-sequential notes. The latter is high risk, but find the right person, someone who's in debt up to their eyeballs and has been keeping it from their family for some time perhaps, and away you go.

    3. Re:Call me naive or something, but... by Black+Parrot · · Score: 2

      Just pulling the cable when remote access isn't needed is a highly effective, and often neglected, security practice.

      I tried that, but my screen went black.

      --
      Sheesh, evil *and* a jerk. -- Jade
  5. Re:I find the idea by smelch · · Score: 2

    Yeah, well how would you like incubators for human babies to start spinning out of control and destroying themselves?

    I'm not so worried about what terrorists might do in a cyber attack, I'm worried about the trolls.

    --
    If I can just reach out with my words and touch a butthole, just one, it will all be worth it.
  6. DHS probably wants the security holes by Anonymous Coward · · Score: 4, Insightful

    Actually it's probably the CIA, NSA and other TLAs that truly want the security holes. They're just using the DHS as the mouthpiece to convince the companies to keep quiet and not plug the holes. After all, without those holes, Stuxnet (and likely other worms/viruses/trojans) wouldn't be as effective as they apparently have been.

    1. Re:DHS probably wants the security holes by fuzzyfuzzyfungus · · Score: 4, Insightful

      I'm not so sure: Obviously, assorted sinister TLAs are happy to exploit available holes; but all but the really stupid ones have to realize that they don't exactly live in a unipolar world when it comes to writing viruses, and that the US (and its assorted western buddies) have a lot to lose in an atmosphere of general SCADA-smashing.

      If all SCADA systems become deeply vulnerable, who loses more? Industrial or post-industrial societies with high levels of complexity that could be on the edge of collapse with a few days of supply chain disruption, or the dusty low-GDP countries of the world where disenfranchised hackers, cheap laptops (and/or exploits provided by friendly powers using them as proxies) are still easily available?

  7. Responsible Disclosure by Aladrin · · Score: 2

    Last I checked, 'responsible disclosure' meant giving the company time to fix the vulnerabilities before you released the info to the public.

    Am I missing the part where we've gone beyond that point?

    --
    "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
  8. NO!!!!! by SirTreveyan · · Score: 2

    It was peanut butter in their chocolate

    --

    SELECT * FROM User WHERE Clue > 0

    0 rows returned

  9. Re:Duh? by nedlohs · · Score: 5, Insightful

    or fix it, that works really well too.

  10. Re:Duh? by markus_baertschi · · Score: 4, Insightful

    That is exactly what will not happen.

    The one who should tell their customers about the problem is Siemens. But they will play the problem down because it might affect the sales of the next batch of stuff.

    The evil hacker will just buy a bunch of systems, analyze them and find the vulnerabilities. This is completely independent of the disclosure. Stuxnet was developed before this disclosure and I think the vulnerabilities used by Stuxnet are still there.

    This is why security by obscurity does not work in the real world.

  11. Re:Duh? by chaos.squirrel · · Score: 2

    If you want to prevent the bad guys from exploiting a vulnerability, then don't... um... tell them about the vulnerability? But do tell the affected parties about it.

    I think nuclear power plants and the like warrant something a bit more than security through obscurity...

  12. Re:Secure the perimeter by drinkypoo · · Score: 2

    Now imagine the scenario where you have Windows machines on the same network as your SCADA devices because the tools you've bought or built work this way. Someone attaches an unauthorized device to your network and fail, fail.

    Now, I think we can probably agree that you can and should take steps to prevent something like that from happening, but there is the issue of getting from point A, where your network is insecure, to point B, which requires at least buying or developing a whole bunch of new software. This is non-trivial and it costs a lot of money so a lot of operators probably weren't even looking at it until recently.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  13. Re:Read it before by Chris+Mattern · · Score: 2

    Sure! "It's just a jump to the left, and then a step to the riiight..."

  14. Re:I find the idea by Gilmoure · · Score: 2

    We're incubating troll babies?

    WAH?

    --
    I drank what? -- Socrates
  15. Re:Secure the perimeter by Interfacer · · Score: 4, Informative

    Not really. The process control is done on real-time controllers, but visualization is usually on Windows machines. Data historians, configuration databases, OPC servers, etc. are often Windows servers. Add to that that hotfixes and service packs have to be vendor approved before putting them on the live system. This means that those systems often run whatever was approved at the time of installation, which can be years out of date.

    Many SCADA and DCS systems are also horribly insecure, have default or hard-coded administrative passwords, etc. What doesn't help is that they are often managed by people who are good at the actual process stuff, but not necessarily at security or system administration.

  16. Open Secret by adavies42 · · Score: 5, Informative

    I did my master's thesis on SCADA security. tl;dr: there isn't any. We're talking about an industry that uses unencrypted radio links in their control systems....

    --
    Media that can be recorded and distributed can be recorded and distributed.
    -kfg
    1. Re:Open Secret by Svartalf · · Score: 2

      Heh... They're "thinking" about using crypto on things like the radio links. They're "concerned" about things like "latency" (Here's a hint, if you're worried about injecting 1-2 characters' worth of transmission time delay at 9600 baud, you're doing it wrong.) so the industry's been reticent at trying to at least lock down some aspects of the remote links. Biggest problem is the downtime of some systems in addition to the overall expense of things while they retrofit to higher data rates, end-to-end crypto (and not the security mode of DNP3 and other SCADA device protocols...), and security monitoring. Most of the "smart grid" security model's been predicated on security through obscurity and authenticated command and control with data being plaintext in most cases because that's the "least expensive" solution to the "problem".

      --
      I am not merely a "consumer" or a "taxpayer". I am a Citizen of the State of Texas
  17. Re:I find the idea by torgis · · Score: 3, Funny

    Spinning Incubator Babies would be a really excellent name for a rock band.