Slashdot Mirror


Siemens Fixes SCADA Flaws

itwbennett writes "Siemens has fixed a pair of bugs in its S7-1200 controller, which is used to control machines on factory floors, power stations and chemical plants. The bugs were discovered earlier this year by NSS researcher Dillon Beresford, who planned to disclose the bugs at Black Hat in August. The US Department of Homeland Security said that Siemens' patches fix 'a portion' of the problems Beresford has discovered and that it 'continues to work with Siemens and Mr. Beresford on the other reported problems.'"

36 comments

  1. Cool by SheeEttin · · Score: 1

    Cool. Glad to see they fixed it in short order. I am anxiously awaiting the time when these fixes are put in place. I'll set my clock for... 7 years. That should be enough.

    1. Re:Cool by jhoegl · · Score: 1

But... but that's when the 2024 bug scare will start.
No one wants to see robotic arms start killing humans because they think it's 1924 and they should exist, thus making them go crazy.

    2. Re:Cool by slashqwerty · · Score: 1

I am actually quite surprised. I fully expected Siemens to hand the guy some hush money so he would cancel his presentation. This could be the first time in years that the Black Hat conference has run without canceling a controversial presentation.

    3. Re:Cool by datapharmer · · Score: 1

      This isn't their first opportunity. They've had since May at the least: http://www.prweb.com/releases/2011/5/prweb8458069.htm

      --
      Get a web developer
    4. Re:Cool by drinkypoo · · Score: 1

      Cool. Glad to see they fixed it in short order

      Do I detect a note of sarcasm? Say, wasn't this talk already delayed to give Siemens time to find their ass with both hands and a map?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  2. Firewalls by IntentionalStance · · Score: 1

    SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

    1. Re:Firewalls by Anonymous Coward · · Score: 1

      so...not an air gap, then.

    2. Re:Firewalls by Anonymous Coward · · Score: 0, Insightful

      Don't forget the set of firewall exceptions that allow management to access the controls remotely through Windows Remote Desktop.

      If it's not an air gap, it's never good enough.

    3. Re:Firewalls by DarthBart · · Score: 0

      That's not "completely separate domain". That's "same domain with some sandboxing".

      There's still the chance of some prick tossing sand in from the other box.

    4. Re:Firewalls by thegarbz · · Score: 3, Interesting

      There's still the chance of some prick tossing sand in from the other box.

If there is then you haven't set it up properly. These aren't enterprise firewalls designed to allow maximum user-friendliness while limiting a small set of nasties from entering from the outside. These are default deny all, and on a very select case-by-case basis allow one-way data back out to certain machines on certain ports.

      This is several layers deep in a corporate network, the firewall gear is not part of the standard package, the data historian or other products that rely on data from the process networks are not part of a standard package, so you'd need to penetrate in at least that far just to see what you're up against next. To get through something like this you would need to know details beforehand.

For any attack like this to be feasible you would need rather large amounts of inside information. If you're that close to the inside information, chances are you're within touching distance of the control system itself, in which case nothing is usually safe.

    5. Re:Firewalls by IntentionalStance · · Score: 1
Correct.

The default position will be that nothing, and I mean nothing, in the corporate domain will be able to open a TCP connection to anything in the SCADA domain.

And the guys in charge of this will take it all the way to senior management if you even look like you are thinking of breaking this rule.

And you'll have to sign some serious career-limiting documents before the guys in suits will sanction this.

Or at least that's how it's been at the places I have worked where they have SCADA networks; my specialist topic is data integration, so I tend to bump into these issues fairly often.

    6. Re:Firewalls by Anonymous Coward · · Score: 2, Interesting

In my experience, vendors of SCADA management tools are never able to tell me exactly which firewall ports need to be open to enable their applications to work. Most firewalls will end up looking like Swiss cheese (enabling all communications from one IP address to another).

      Good luck with your security ... It usually takes about 2 firewall hops to go from the internal Internet connected network to the SCADA network.

      Most of those management servers are now web-based (or web services based), but are never tested for web application security.

    7. Re:Firewalls by jroysdon · · Score: 1

      That's correct. The executives with their neck on the line won't go for it because if it is a misstep NERC/FERC will be all over them with fines and audit spot checks forever.

      The best solution is to not connect SCADA systems with IP to any external network, firewall or not. Serial-based RTUs are totally acceptable to pass data and isolate networks from IP and most of the problems there.

The next level of protection needed in SCADA is protocol-specific, command-by-command firewalling (ICCP, DNP3, etc.) of key hosts. There are a few vendors, but this is a very green, very niche market. However, this would allow for protection of PLCs and "less-smart" devices that are more easily abused (think Stuxnet), even within the secured SCADA networks.
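The two ideas above, the "default deny, allow one-way data case by case" policy in the earlier reply and the command-by-command protocol firewalling in this one, can be shown in a few dozen lines. The following is an added example written for this page; it is not code from the thread, from Siemens or from any product. It uses Modbus/TCP as the stand-in protocol because its framing is simple and public (the 7-byte MBAP header and the function codes are from the Modbus specification); the page itself names DNP3 and ICCP, whose framing is different. The host addresses, the policy table and the sample frames are constructed assumptions.

```python
# Added example: a protocol-aware, default-deny allow-list for ICS traffic.
# Modbus/TCP is the stand-in protocol (public framing); the hosts, the policy
# and the sample frames are assumptions constructed for this example.
import struct

# Public Modbus function codes (from the Modbus application protocol spec).
READ_COILS, READ_DISCRETE_INPUTS = 0x01, 0x02
READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS = 0x03, 0x04
WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER = 0x05, 0x06
WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS = 0x0F, 0x10

READ_CODES = {READ_COILS, READ_DISCRETE_INPUTS, READ_HOLDING_REGISTERS, READ_INPUT_REGISTERS}
WRITE_CODES = {WRITE_SINGLE_COIL, WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}
MULTI_CODES = READ_CODES | {WRITE_MULTIPLE_COILS, WRITE_MULTIPLE_REGISTERS}  # carry a quantity field

# Assumed policy: historian and HMI may only read; only the engineering station may
# write, and only inside a bounded register window. Anything else is dropped.
POLICY = {
    "10.1.0.20": {"reads": True, "writes": False, "write_range": None},      # historian (assumed)
    "10.1.0.30": {"reads": True, "writes": False, "write_range": None},      # HMI (assumed)
    "10.1.0.40": {"reads": True, "writes": True,  "write_range": (0, 100)},  # engineering station (assumed)
}

def parse_modbus_tcp(frame: bytes):
    """Parse a Modbus/TCP ADU (MBAP header + PDU). Returns a dict, or None if malformed."""
    if len(frame) < 8:
        return None
    tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    if pid != 0 or length != len(frame) - 6:   # protocol id must be 0; length covers unit id + PDU
        return None
    pdu = frame[7:]
    fc = pdu[0]
    req = {"tid": tid, "unit": unit, "fc": fc, "addr": None, "count": 1}
    if fc in READ_CODES | WRITE_CODES:          # these requests carry a 16-bit start address
        if len(pdu) < 3:
            return None
        req["addr"] = struct.unpack(">H", pdu[1:3])[0]
        if fc in MULTI_CODES:                   # ... and a 16-bit quantity
            if len(pdu) < 5:
                return None
            req["count"] = struct.unpack(">H", pdu[3:5])[0]
    return req

def decide(src_ip: str, frame: bytes):
    """Return (verdict, reason). Default deny: anything not explicitly allowed is dropped."""
    rule = POLICY.get(src_ip)
    if rule is None:
        return "DROP", "source host not in policy"
    req = parse_modbus_tcp(frame)
    if req is None:
        return "DROP", "malformed or non-Modbus frame"
    fc = req["fc"]
    if fc in READ_CODES:
        return ("ALLOW", f"read fc=0x{fc:02x}") if rule["reads"] else ("DROP", "reads not permitted")
    if fc in WRITE_CODES:
        if not rule["writes"]:
            return "DROP", f"write fc=0x{fc:02x} from a host that may only read"
        lo, hi = rule["write_range"]
        last = req["addr"] + req["count"] - 1
        if req["addr"] < lo or last >= hi:
            return "DROP", f"write touches address outside permitted range {lo}-{hi - 1}"
        return "ALLOW", f"write fc=0x{fc:02x} addr={req['addr']} count={req['count']}"
    return "DROP", f"function code 0x{fc:02x} not on allow-list"

# Constructed sample frames (tid, pid=0, length, unit=1, then PDU).
READ_10_REGS = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))      # read 10 holding regs @0
WRITE_REG_5 = bytes.fromhex("0002 0000 0006 01 06 0005 1234".replace(" ", ""))       # write single reg @5
WRITE_99_100 = bytes.fromhex("0003 0000 000b 01 10 0063 0002 04 00010002".replace(" ", ""))  # write regs 99..100
DIAGNOSTICS = bytes.fromhex("0004 0000 0004 01 08 0000".replace(" ", ""))            # fc 0x08, not allow-listed
TRUNCATED = bytes.fromhex("0005 0000 0006 01 03".replace(" ", ""))                   # length field lies

def run_samples():
    """Run the constructed traffic through the filter; returns a list of (src, verdict, reason)."""
    traffic = [("10.1.0.30", READ_10_REGS), ("10.1.0.30", WRITE_REG_5), ("10.1.0.40", WRITE_REG_5),
               ("10.1.0.40", WRITE_99_100), ("10.1.0.40", DIAGNOSTICS), ("10.1.0.99", READ_10_REGS),
               ("10.1.0.40", TRUNCATED)]
    return [(src, *decide(src, frame)) for src, frame in traffic]

if __name__ == "__main__":
    for src, verdict, reason in run_samples():
        print(f"{src:<12} {verdict:<6} {reason}")
```

The range check is the part worth copying: a write of two registers starting at 99 is dropped even though 99 itself is inside the window, because the last register written (100) is not. Note what this filter does not do: it inspects the request direction only, it trusts the source address, and a host that is legitimately allowed to write can still write garbage. That is the caveat the thread's "nothing is safe once you are inside" remark is about.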

    8. Re:Firewalls by Anonymous Coward · · Score: 0

      If it's connected, you're doing it to pass traffic somewhere. If that's the case someone will figure out a way to use it as a communication channel if they think hard enough about it.

    9. Re:Firewalls by DerPflanz · · Score: 1

      When we install S7's (with our own SCADA/visualisation solution) we insist that we have VPN access from our offices, to ensure the SLA and reaction time guarantees.

So, yes, separate networks, but certainly not completely off the internet. The separation of networks is mostly a performance and reliability measure (you don't want NETBIOS, ERP and web browsing traffic on the industrial LAN), not about security.

      --
      -- The Internet is a too slow way of doing things, you'd never do without it.
    10. Re:Firewalls by aix+tom · · Score: 2

      Good luck getting Windows to run on 2560k, which is the memory the biggest of those things have.

      I also have seen Windows for x86, x86_64, Itanium and in the NT4 days for Alpha processors. Never for, say, 315T-2 DP processors.

      The most likely attack vector here would not be a network to the device itself, it would be something that infects the windows (or still DOS in some cases) notebook that is carried around the plant and plugged in the serial port for software updates and maintenance.

    11. Re:Firewalls by RobinH · · Score: 1

      SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Thanks for making me snort my coffee. Two problems: a Siemens S7 PLC is a PLC, not a SCADA system. They are extremely different things. It's like confusing a toaster and a kitchen. Everyone seems to miss this. Problem two: while up until a few years ago PLCs didn't have network connectivity, so they couldn't be connected to Ethernet (they now are, routinely), SCADA systems are almost all Ethernet capable, and in my experience they are rarely even put on a separate VLAN, much less behind a firewall. Besides, Stuxnet was designed to transmit via USB thumb drives and laptops, which are used by everyone in industrial control systems. In my experience, control systems are the least secure systems on the planet, which is scary because they control stuff in the real world! If you want to follow the (very sad) security state of industrial control systems, follow ICS-CERT.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    12. Re:Firewalls by thegarbz · · Score: 1

Serial is fine for many smaller projects such as control of a couple of turbines, but it breaks down quickly as the data points scale up. For a small partial-upgrading refinery you won't have the bandwidth to get the required data out of the DCS into a historian, and a protocol that can run over TCP becomes close to your only option, the most popular being OPC.

    13. Re:Firewalls by sjames · · Score: 1

      The SCADA controllers are managed by software that runs on a Windows box. That box is connected to the SCADA network. Often, that box is also connected to the internet through a firewall. Better hope they don't poke too many holes in the firewall for the convenience of management, such as, allowing remote desktop.

    14. Re:Firewalls by Anonymous Coward · · Score: 0

And OPC doesn't play nicely with firewalls. At least, legacy OPC doesn't.

3. It must have been difficult. by iiiears · · Score: 1

Thousands of lines of code on likely more than one type of hardware. (Did they audit their compiler?) We are obliged to rely on technology from womb to tomb; I hope they get better quality assurance in place.

    --
    15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
  4. "Some" by symbolset · · Score: 4, Insightful

    The headline is missing the word "some" somewhere in it.

    --
    Help stamp out iliturcy.
    1. Re:"Some" by iiiears · · Score: 1

      Funny. It escaped me that some flaws are beneficial. This was leveraged to save lives. - Technology is surprises.

      --
      15TW = 15,000 Nuclear Reactors. (Approx. one accident a month.)
    2. Re:"Some" by symbolset · · Score: 1

      Stop that. We like to pretend.

      --
      Help stamp out iliturcy.
  5. I hope by Anonymous Coward · · Score: 0
    I hope the researcher said:

    Sure I'll postpone disclosure. If you pay me what you should have paid someone to do the amount of work I did.

    But he probably didn't.

  6. S7-1200 is a very low end plc, and only very new. by Anonymous Coward · · Score: 1

The S7-1200 would never be used in a power station; it's too low end, and very new.
I wouldn't use it for anything more than a packaging machine.
It's the model that is less than $1000 US.

  7. Siemens... by Anonymous Coward · · Score: 0

    ...bribing politicians since 1847.

  8. Attacking the Grid by Anonymous Coward · · Score: 0

    "For example, in March, Rubén Santamarta notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product. ICS-CERT forwarded the vulnerability information to BroadWin. Unfortunately, BroadWin was not able to validate the vulnerability and said it was false. So Mr. Santamarta publicly released details of the vulnerability including exploit code". link

  9. drinkypoo we detect cowardice & trolling from by Anonymous Coward · · Score: 0

    http://tech.slashdot.org/comments.pl?sid=2225174&cid=36390518

    The funniest part is that when you search google for slashdot site queries on drinkypoo, all of these questions drinkypoo runs from show up.

    (Hilarious: You're exposing yourself to the planet as a troll, drinkypoo, just by running away from that question in the link above).

  10. Re:drinkypoo we detect cowardice & trolling fr by Anonymous Coward · · Score: 0

    Why don't you two get a room?

  12. Re:S7-1200 is a very low end plc, and only very ne by Anonymous Coward · · Score: 0

The S7-1200 would never be used in a power station; it's too low end, and very new.
I wouldn't use it for anything more than a packaging machine.
It's the model that is less than $1000 US.

    There are vulnerabilities in the protocol as well which allow an attacker to do the exact same thing to the S7-300 and S7-400 which are used in power stations. The S7-1200 uses the same protocol ( i.e. replay attacks ) as the S7-300 and S7-400. Expect much more... The researcher is sitting on way more than what he disclosed. I saw a presentation he gave at a hacker space in Austin, TX. He was controlling every aspect of the PLC. It was like Stuxnet on steroids! Siemens is obviously trying to keep the issue with the 300/400 quiet so they don't get pwned.
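The comment above says the protocol shared by these controllers is open to replay. The following added example, written for this page and not taken from the thread, from the researcher's work or from Siemens, uses a toy command channel (not S7comm; the opcodes, frame layout, key and nonce scheme are all constructed assumptions) to show the mechanism in the general case: a request that carries nothing tied to the session can be captured once and resent whenever the attacker likes, whereas binding each command to a fresh server challenge with a MAC makes the captured frame useless in any later session.

```python
# Added example (toy protocol, not S7comm, not Siemens code): why an
# unauthenticated command channel is replayable, and how a per-session
# challenge bound into an HMAC stops the captured frame from being reused.
# Opcodes, framing, key and host roles are assumptions made for this example.
import hashlib
import hmac
import os

CMD_STOP = 0x01   # assumed opcode: put the CPU in STOP
CMD_RUN = 0x02    # assumed opcode: put the CPU in RUN


class NaivePLC:
    """Accepts any well-formed command frame: no session, no freshness, no MAC."""

    def __init__(self):
        self.state = "RUN"

    def handle(self, frame: bytes) -> str:
        opcode = frame[0]
        if opcode == CMD_STOP:
            self.state = "STOP"
        elif opcode == CMD_RUN:
            self.state = "RUN"
        return self.state


class AuthenticatedPLC:
    """Each session starts with a fresh server nonce. A command must carry
    HMAC-SHA256(key, nonce || opcode), and a nonce is consumed by one command,
    so a frame captured in one session cannot be replayed in another (or twice)."""

    def __init__(self, key: bytes):
        self.key = key
        self.state = "RUN"
        self.nonce = None

    def open_session(self) -> bytes:
        self.nonce = os.urandom(16)   # fresh challenge per session
        return self.nonce

    def handle(self, frame: bytes) -> str:
        if self.nonce is None or len(frame) != 1 + 32:
            return "REJECT"
        opcode, tag = frame[0], frame[1:]
        expected = hmac.new(self.key, self.nonce + bytes([opcode]), hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return "REJECT"
        self.nonce = None             # one command per challenge
        if opcode == CMD_STOP:
            self.state = "STOP"
        elif opcode == CMD_RUN:
            self.state = "RUN"
        return self.state


def client_frame(key: bytes, nonce: bytes, opcode: int) -> bytes:
    """What the legitimate engineering station sends in the authenticated variant."""
    return bytes([opcode]) + hmac.new(key, nonce + bytes([opcode]), hashlib.sha256).digest()


def replay_against_naive() -> str:
    """Capture the engineer's STOP, wait until the plant is running again, resend it."""
    plc = NaivePLC()
    captured = bytes([CMD_STOP])      # sniffed from the wire during legitimate maintenance
    plc.handle(captured)
    plc.handle(bytes([CMD_RUN]))      # engineer restarts the CPU
    return plc.handle(captured)       # attacker replays the old frame: "STOP"


def replay_against_authenticated():
    """Same capture, same timing, against the challenge/MAC variant."""
    key = b"assumed-shared-key-for-this-example"
    plc = AuthenticatedPLC(key)
    nonce1 = plc.open_session()
    captured = client_frame(key, nonce1, CMD_STOP)
    first = plc.handle(captured)      # legitimate STOP succeeds: "STOP"
    plc.open_session()
    plc.handle(client_frame(key, plc.nonce, CMD_RUN))   # engineer restarts the CPU
    plc.open_session()                # attacker's later connection gets a new nonce
    replayed = plc.handle(captured)   # old tag does not match the new nonce: "REJECT"
    return first, replayed, plc.state


if __name__ == "__main__":
    print("naive PLC after replay:", replay_against_naive())
    print("authenticated PLC (first, replay, state):", replay_against_authenticated())
```

The shared-key HMAC is the minimum that illustrates the point; it does nothing against an attacker who has the key or who owns the engineering station, which is the "inside the fence" case raised earlier in the thread, and a real deployment would also want the nonce to cover the full request rather than a single opcode byte.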

  13. More fun to watch drinkypoo run by Anonymous Coward · · Score: 0

    like the trolling coward he is

  14. Re:S7-1200 is a very low end plc, and only very ne by Anonymous Coward · · Score: 0

    Try $100 with built-in Ethernet
    Compared to a S7-400, it is nothing but a smart relay