Slashdot Mirror


Siemens SCADA Flaws To Be Disclosed At Black Hat

itwbennett writes "In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3. Beresford has discovered six vulnerabilities in the S7 that 'allow an attacker to have complete control of the device,' Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams."

12 of 101 comments

  1. Hmm... by fuzzyfuzzyfungus · · Score: 3, Funny

    Does Mr. Beresford realize that, in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?

    Make sure that Lord Humongous owes you some favors before Blackhat rolls around, everyone!

  2. ... or open gates... by c0lo · · Score: 3, Interesting

    Devices like the S7 do things such as control how fast a turbine spins or open gates of doom.

    FTFY

    --
    Questions raise, answers kill. Raise questions to stay alive.
    1. Re:... or open gates... by fuzzyfuzzyfungus · · Score: 4, Funny

      The various fissures of Mt. Doom are SCADA controlled; but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.

    2. Re:... or open gates... by gratuitous_arp · · Score: 2

      but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.

      Is that Tolkien Ring?

  3. Is it settled this time? by c0lo · · Score: 2

    NSS Labs expects Siemens to issue a patch in the next few weeks, well ahead of the August presentation. "They didn't give any firm timelines," he said. "They said unofficially that they were pretty confident that they'll be able to get their stuff out before then."

    Beresford wasn't impressed with that comment. [...]. "Now that they're trying to minimize the impact and do PR damage control, I feel that they're not servicing the public's interest," he said. "I'm not pleased with their response... They didn't provide enough information to the public."

    What if Siemens' confidence evaporates and, come August, some of these vulns are not yet patched? Will they allow the presentation?

    --
    Questions raise, answers kill. Raise questions to stay alive.
    1. Re:Is it settled this time? by fuzzyfuzzyfungus · · Score: 2

      At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.

      It isn't as though white hats have anything like a monopoly on security/penetration expertise in this world, and the word is already out about what device the vulnerabilities are in, and (since they are working on a new patch) that it exists in the latest available patch level. Presumably, any blackhats who care about access to such devices are already sniffing around. Also, with something like SCADA, where putting it on the public internet has always been seen as a bad idea, the "but if you release the information, even script kiddies will have a working attack toolkit" objection is arguably less serious. For internet-facing stuff, script kiddies with access to tools built by people smarter than they are are a serious hazard, as are low-rent cybercriminals looking for new bots and spam hosts and stuff.

      For computationally limited and (hopefully) internal stuff, sophisticated attackers are a serious concern (since they are the ones most likely to perform a focused attack on the outer face of an organization, looking for holes that get them onto theoretically "internal" networks); but the noobs will hopefully never make it past the gates, and the spammers are unlikely to have an economic incentive to compromise something that makes a lousy bot. If the vendor can't get their act together, and fast, it quickly becomes more valuable for the admins to know, so that they can take appropriate measures at whatever points potentially link their internal and external networks.

  4. fearmongering? by Anonymous Coward · · Score: 2, Informative

    I've worked with Siemens' S7 and SiMotion systems, and I've never seen a single company attach them to a large computer network inside their company.
    The only ways to reprogram S7 or SiMotion are by either connecting to an ethernet / profinet connection the machines are on, or by acquiring physical access and establishing a serial connection.

  5. Re:Security through obscurity never works by dkf · · Score: 2

    The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember Stuxnet: everyone seems to agree that it was the work of experts.

    The real problem is that security by obscurity does work, but only for a little while. As soon as someone inside blows the whistle, or someone outside just stumbles over the secret, the security from the obscurity is gone. Anything protected by just obscurity will appear to be nice and secure, but will not be secure at all, and the people who want it secured won't know the difference until it's too late. Real effective security is in depth. Obscurity can be used in the mix, but may only ever be a small part of it; cryptography, key management, port monitoring, downright suspiciousness: these are all necessarily larger parts of the whole...

    --
    "Little does he know, but there is no 'I' in 'Idiot'!"

  6. Security 101 by currently_awake · · Score: 2

    A fundamental principle of security: critical infrastructure (flood gates, nuclear power plants...) doesn't connect to the internet. Any design that violates this basic principle of security should be considered proof of criminal negligence. (I'm not a lawyer). You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault.

    1. Re:Security 101 by Viol8 · · Score: 2

      "You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault."

      I'm sorry, what? Seriously?

      So you release details of a vulnerability which you've discovered and it's "not your fault" if someone then uses it after you've decided on some arbitrary length of time the manufacturer needs to fix it?

      Okay, riiight.

      You, my friend, need to take off your rose coloured teen hacker glasses and wake up to the real world. There may be a lot of reasons that the fault can't be fixed quickly or at all - it may need a hardware upgrade for a start, which can't be rolled out to large industrial systems overnight, and even if it's only a software upgrade, are you aware of the hoops software has to jump through during testing in what may be safety critical systems?

      No, didn't think so.

      When you've finished college and worked in the real world for a while perhaps you might get a clue but I won't hold my breath.

    2. Re:Security 101 by Tweezer · · Score: 2

      I hate to break it to you, but that horse left the barn years ago. The data from these systems is much too valuable and companies that would follow your advice would be at a large competitive disadvantage. That being said, these systems should still be protected with multiple layers of security. I work on SCADA systems and there are multiple security measures such as no default gateways and no less than three firewalls between the SCADA system and the Internet, but it is required that it be connected. For example we need to exchange data on 5 min intervals with our energy market that was implemented, because deregulation and public markets are supposedly better. For example if you would like to see near real time energy market data in the Midwest you can look here https://www.midwestiso.org/MarketsOperations/RealTimeMarketData/Pages/LMPContourMap.aspx

    3. Re:Security 101 by cusco · · Score: 2

      doesn't connect to the internet

      This statement always annoys me, because people seem to be assuming that the only way into a network is through the web server or something. If I wanted into someone's network I'd plug into the guard shack at the gate, or a meeting room if I could get into the building. To attack a SCADA system all I would need to do is jump a fence into a substation. No one is watching those cameras, they're for forensics to go after copper thieves.

      Want to get into most supposedly 'high security' locations? Walk up to the door with a tool bag in one hand, a ladder in the other, and some boxes under one arm around shift change. People will badge you through and even hold the door open for you. This includes military facilities. The biggest security risk is never the hardware or the software, it's **ALWAYS** the wetware.

      --
      "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin