Slashdot Mirror


US Warns of Problems In Chinese SCADA Software

alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."

95 comments

  1. I've said it before and I'll say it again by Anonymous Coward · · Score: 0, Insightful

    You can't trust the Chinese.

    1. Re:I've said it before and I'll say it again by RatPh!nk · · Score: 3, Insightful

      No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest espionage ring yet uncovered right here in the US of A?

      --
      Argh. The laws of science be a harsh mistress.
    2. Re:I've said it before and I'll say it again by Saeed+al-Sahaf · · Score: 0, Flamebait

      No, that's just your Jew Hatred coming out. Your biased source, such that it is, is not reliable. People like you are no better than the Aryan Nations morons, certainly every bit as biased.

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    3. Re:I've said it before and I'll say it again by Anonymous Coward · · Score: 0

      Rense? Really? Why not just go full retard and point us at Time Cube?

    4. Re:I've said it before and I'll say it again by RatPh!nk · · Score: 4, Informative

      I didn't realize the source was sh*tty (I still have no idea who or what rense is) it happened to be the first 2 or so hits on Google. However this is established that Israel spies on the US just as much, if not more than anyone. If different sources make you feel better:

      http://en.wikipedia.org/wiki/Lawrence_Franklin_espionage_scandal
      http://www.alternet.org/world/130891/breaking_the_taboo_on_israel's_spying_efforts_on_the_united_states/
      http://www.msnbc.msn.com/id/24256527/ns/us_news-security/t/american-charged-giving-secrets-israel/

      You could list *any* country here. No need to get your vaginas up in arms because someone said something bad about Israel. The point was China is just the next in a long line of countries spying. Now, it might be much worse given how much they make for the US.

      --
      Argh. The laws of science be a harsh mistress.
    5. Re:I've said it before and I'll say it again by couchslug · · Score: 0

      You can't trust the Internet, so keep your control systems the fuck OFF the Internet, as in "air gap"

      Do not run Windows on control systems.

      The boss needs to rule users, give orders, and enforce obedience. If you don't want people to mess up (anything) lock it down and lock them down. Discipline doesn't have to be unpleasant, but it is reasonable to expect obedience and punish disobedience.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    6. Re:I've said it before and I'll say it again by milkmage · · Score: 0

      what the fuck does trust have to do with shitty code?

      "Sunway issued patches for the vulnerabilities on May 20 and thanked Beresford for his research in an advisory. ICS-CERT said there are no known exploits for the vulnerabilities, but computer security experts generally recommend patching software as soon as possible."

    7. Re:I've said it before and I'll say it again by Anonymous Coward · · Score: 0

      So you are saying it is false, and it is false just because you assert it as such and launch an ad-hominem attack? The Wikipedia page? MSNBC as well? How about less talking out of your ass and more sources that it was all an anti-Jew hoax.
      I would also check his /. ID, it predates you by about 400,000+, so not sure where you made up the age from - wise old sage.

    8. Re:I've said it before and I'll say it again by cavreader · · Score: 1

      Every country in the world spies on one another. It's SOP and has been so since countries were first recognized. What do you think the embassies are used for? Probably 70% of the embassy staffs report to their version of State Security. Diplomatic immunity is not for the ambassadors and political staff it is for protecting the spies who get caught.

    9. Re:I've said it before and I'll say it again by cavreader · · Score: 1

      "Do not run Windows on control systems." OK, What OS has no vulnerabilities open to attack?

    10. Re:I've said it before and I'll say it again by couchslug · · Score: 1

      Other OS have vulns, but using an OS that the drones aren't tempted to touch is preferable, as well as one they DO NOT HAVE AT HOME.

      The average person is tech-ignorant, that will never change and has never been different. Throw many barriers to entry to discourage them and keep them in their place.

      --
      "This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
    11. Re:I've said it before and I'll say it again by lolcutusofbong · · Score: 1

      OpenBSD, as of the current release.

    12. Re:I've said it before and I'll say it again by Anonymous Coward · · Score: 0

      Amusing. The rest of the world sees it as Mr Pot meet Mr Kettle.

    13. Re:I've said it before and I'll say it again by Saeed+al-Sahaf · · Score: 0

      "Flamebait" or fact? When someone posts a comment that trashes the Jewish State rather than addressing the actual subject of the article, isn't that "flamebait"?

      --
      "Who are in control, they are not in control of anything - they don't even control themselves!" - Glen Beck
    14. Re:I've said it before and I'll say it again by dragonturtle69 · · Score: 1

      DO NOT HAVE AT HOME

      You just may have given me the argument for management that I need to get away from endlessly trying to "lockdown" Windows.

      --
      "What luck for the rulers that men do not think." - Adolph Hitler
    15. Re:I've said it before and I'll say it again by deniable · · Score: 0

      Aren't you the guy who said Iraq was winning? Wow, Baghdad Bob is working for Israel now.

    16. Re:I've said it before and I'll say it again by deniable · · Score: 1

      The boss is often the problem. They 'need' access from their desks to 'monitor' things. That's where the cross-over happens. One way data feeds into a reporting engine are better but then the muppets don't feel they're in control.

    17. Re:I've said it before and I'll say it again by Anonymous Coward · · Score: 0

      **** WINSHILL ALERT!****

    18. Re:I've said it before and I'll say it again by Anonymous Coward · · Score: 0

      Jewish State != Jewish People

      Besides, if someone referred to the USA or any European country as a "White State" you would rightly accuse them of racism. Even China, as homogeneous as most Americans think it is, makes a big deal about having a bunch (51?) of minority groups. What makes it okay then to want a "Jewish State"?

    19. Re:I've said it before and I'll say it again by cavreader · · Score: 1

      I doubt many people have access to a SCADA system at home and anyone trying to compromise this type of system would have a harder time getting hold of a SCADA test bed than they would getting access to any OS.

    20. Re:I've said it before and I'll say it again by Aighearach · · Score: 1

      You can't trust an anonymous coward.

  2. NO SHIT !! by Anonymous Coward · · Score: 0

    I mean, it's chinese !!

  3. Anyone surprised? by Opportunist · · Score: 4, Informative

    I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Anyone surprised? by barik · · Score: 4, Insightful

      I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

      I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few). Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.
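Added example, not part of the original thread: because Modbus/TCP carries no authentication, as the comment above notes, a passive monitor on the control VLAN can at least flag state-changing requests that come from hosts other than the known engineering stations. The addresses, the allowlist and the sample frames below are constructed for illustration.

```python
import struct
from typing import NamedTuple

# Modbus function codes that change controller state (public Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
}

# Assumption: the only host expected to write to PLCs (constructed address).
AUTHORIZED_WRITERS = {"10.20.0.5"}


class Request(NamedTuple):
    unit_id: int
    function: int
    address: int  # first 16-bit field of the PDU: starting/target address


def parse_request(frame: bytes) -> Request:
    """Parse one Modbus/TCP request: 7-byte MBAP header followed by the PDU."""
    if len(frame) < 8:
        raise ValueError("shorter than MBAP header plus function code")
    _tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, not Modbus")
    # The MBAP length field counts the unit id and the PDU that follow it.
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function = frame[7]
    body = frame[8:]
    if len(body) < 2:
        raise ValueError("PDU has no address field")
    (address,) = struct.unpack(">H", body[:2])
    return Request(unit, function, address)


def audit(events, authorized=AUTHORIZED_WRITERS):
    """Return (source, kind, detail) alerts for a list of (source_ip, frame)."""
    alerts = []
    for src, frame in events:
        try:
            req = parse_request(frame)
        except ValueError as exc:
            # Malformed traffic on a control network is itself worth a look.
            alerts.append((src, "malformed", str(exc)))
            continue
        name = WRITE_FUNCTIONS.get(req.function)
        if name and src not in authorized:
            detail = f"{name} unit={req.unit_id} addr=0x{req.address:04X}"
            alerts.append((src, "unauthorized-write", detail))
    return alerts


# Constructed sample capture: (source IP, raw Modbus/TCP request bytes).
SAMPLE_EVENTS = [
    # Engineering station writes register 0x0010: allowed.
    ("10.20.0.5", bytes.fromhex("000100000006010600100005")),
    # HMI reads ten holding registers: reads are not flagged.
    ("10.20.0.77", bytes.fromhex("00020000000601030000000a")),
    # Same HMI address issues a register write: flagged.
    ("10.20.0.77", bytes.fromhex("000300000006010600100005")),
    # Host outside the control VLAN writes two registers: flagged.
    ("192.0.2.44", bytes.fromhex("00040000000b01100020000204" "00010002")),
    # Length field (9) disagrees with the 6 bytes actually present: flagged.
    ("10.20.0.77", bytes.fromhex("000500000009010600100005")),
]

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS):
        print(alert)
```

An allowlist keyed on source address is only as strong as the network segmentation behind it, since the protocol gives the monitor nothing else to verify.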

    2. Re:Anyone surprised? by kubitus · · Score: 1

      Now let's assume they looked at the design and improved it (e.g. removed some vulnerabilities), and let's assume this makes the Chinese clones immune.

      Why would the US warn about Chinese products at all?

    3. Re:Anyone surprised? by Anonymous Coward · · Score: 0

      the chinese probably put it there on purpose... in case they need to use the vulnerability to launch an attack

    4. Re:Anyone surprised? by Opportunist · · Score: 1, Insightful

      Yeah. I mean, Siemens is a German company, and we would never expect that from the Germans. It's not like they ever started a war, China on the other hand...

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    5. Re:Anyone surprised? by bell.colin · · Score: 2, Insightful

      The solution is simple, Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the Public Internet.

      DISCONNECT THE DAMN THINGS FROM THE INTERNET!

      If you need remote communication from other sites use WAN links and VPN, Don't use the $20 on-sale special DSL/Cable Internet package of the week. How Fucking hard is this?

    6. Re:Anyone surprised? by RobinH · · Score: 2

      Sigh. This is wrong. Yes, they should be kept on separate VLANs, etc., but at some point someone always needs to get software updates or engineering changes on to the machines, which means you're connecting *some* kind of laptop, thumbdrive, or whatever, from an outside source that has likely been connected to a network that has a connection to the public internet. If you keep the control system isolated, then keeping operating system and anti-virus software up-to-date is just that much harder, which means they'll be susceptible to even older malware.

      The recommended policy, at the moment, is to keep control system equipment on a separate VLAN (it still usually needs to be on a network for data acquisition, etc.), then make sure every box in the place has up-to-date OS updates and anti-virus. Industrial automation vendors are only now coming around to help out. Until very recently they used to *void the warranty* if you install anti-virus on the same computer as the software (Rockwell, for instance, used to do this with their RSSQL product, which was a PC-based product that reads data out of their PLCs and writes it to SQL databases, and vice-versa. The RSSQL server is typically a Windows 2003 Server box, and it obviously has a connection to a SQL Server that's connected to the front office for reporting use.).

      Stuxnet proved malware can easily just propagate over USB thumbdrives. In fact, we recently installed a metal cutting machine in our facility where the operating system was Windows XP Embedded (very common) and the machine came with a thumbdrive used to transfer work instructions back and forth between it and a CAD workstation. The thumbdrive had a virus on it and was picked up when we inserted it into the CAD workstation! This was a brand new machine from the manufacturer. It was not networked. It obviously didn't have anti-virus.

      While PLCs have always enjoyed relative protection because they're usually proprietary hardware and software, Stuxnet proved they're not safe, and also we're seeing most architectures move towards commercial main-stream OS's. One really big player in industrial automation is Beckhoff - their flagship product is called TwinCAT PLC, which is a PC-based PLC. You install a regular Windows XP PC, install TwinCAT, and it installs its own real-time OS underneath Windows to run the control software, and the Windows part runs the programming software and the HMI (Gui). By using commodity hardware, they have a much lower price point, so this is becoming more popular. SCADA systems are normally PC-based anyway, which is why you see a lot of security stuff about SCADA. I'm just saying PLCs are catching up.

      And none of the protocols that any of these systems use seem to have any kind of authentication built-in. If you know the protocol (most are open, particularly if you pay a membership fee to the vendor association), then you can connect to any device and tell it to change memory register XYZ to 5, and it will gladly comply. Chances are you'll crash it, but if you have a copy of the software it's running, then you can easily make it do whatever you want (or even upload a new modified program).

      --
      "I have never let my schooling interfere with my education." - Mark Twain
  4. Idiots by sycodon · · Score: 4, Insightful

    Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Idiots by NFN_NLN · · Score: 2

      Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

      I think that would qualify as both cruel AND unusual punishment.

    2. Re:Idiots by Anonymous Coward · · Score: 0

      How is it punishment to say "wipe and reinstall" all day, every day?

    3. Re:Idiots by GameboyRMH · · Score: 3, Informative

      Yeah buy it from an American company...that outsourced the programming to China or India.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    4. Re:Idiots by istartedi · · Score: 1

      I agree, where "Idiots" is defined as all the congresscritters, C*Os, and thinktank wonks who thought our current trade policy would be such a great idea.

      --
      For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
    5. Re:Idiots by thegarbz · · Score: 2

      While I understand your snide comments there still remains an issue of oversight. There are a great many things made in China. iPhones for instance. However I trust the quality of an iPhone exponentially more than those Chinese iPhone knockoffs. When you outsource to China there is still a modicum of control which can be just enough to make a difference.

      The same applies to industrial equipment from China. I would greatly prefer buying a valve from a western manufacturer who outsources production to China and controls the quality and has independent certification performed than to go to a Chinese company whose main claim to fame is that they'll print whatever certification you want on the nameplate for you*.

      *This was actually offered to me in a conversation with a Chinese valve manufacturer.

    6. Re:Idiots by slick7 · · Score: 1

      Yeah buy it from an American company...that outsourced the programming to China or India.

      Look what Israeli programming did to Fukushima.

      --
      The mind conceives, the body achieves, the spirit manifests.
  5. Chinese Trust = Oxymoron by BoRegardless · · Score: 1

    I won't buy things that contain their software & anyone who does, knows what they may get.

  6. Newsflash: Vulnerabilities on software by guanxi · · Score: 2, Insightful

    Is this news? Whatever software you are using has vulnerabilities.

    So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.

    1. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · · Score: 0

      I don't see any evidence of some communist party conspiracy here.

      no one has claimed as much. projecting? paranoid? or 50 cent?

    2. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · · Score: 4, Insightful

      The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.

    3. Re:Newsflash: Vulnerabilities on software by Intrepid+imaginaut · · Score: 2, Insightful

      Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.

    4. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · · Score: 1

      Scada systems are under scrutiny currently but there are a lot of PLC controllers with embedded Ethernet ports that use rudimentary or outright flawed IP stacks. Examples of protocols used are Siemens S7, modbus, GE Fanuc SRTP, FTP, HTTP, Global Ethernet Data (GE-Fanuc I believe) and many more. I know some problems with them but these really need ripped apart by experts and the manufacturers goaded in to fixing them. Anon for now.

    5. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · · Score: 0

      China and Russia are both sources of attacks, disproportionately so. Yes, by all means, make your purchasing/implementation decision with a view of where the software comes from. From my own experience, supporting a specific suite of commercial mission critical software for more than a dozen years, outsourcing of coding to China and India have had perhaps the greatest negative impact on product quality and resulting large opex need to deal with said abysmal software quality. Just so we're on the same page, mission critical systems ( for example energy sector, telecoms, plant process control [SCADA is used in all of these]) should never be exposed to or controlled by software of known bad provenance. You might as well publish all your credit card details directly to the carding sites, your home address, school routes and pictures of your kids to alt.binaries.pedo.

      http://www.telecomtiger.com/Corporate_fullstory.aspx?passfrom=topstory&storyid=7067&section=S162

       

    6. Re:Newsflash: Vulnerabilities on software by cratermoon · · Score: 1

      Note that summary: a warning issued by US Industrial Control Systems Cyber Emergency Response Team.

      Not that an organization of US-based industrial control software vendors would have any sort of dishonest or self-serving motivations to point fingers at Chinese software. Just sayin'

  7. And the OS? by Teun · · Score: 2

    I work with a SCADA compatible system, my greatest worry is the OS.

    Several years ago a bean counter decided we could save money so it was recompiled from the trusted Unix platform to Windows.

    Not a huge problem as in the day it wasn't exposed to the internet but today it is and now it's not just infected USB drives that do cause trouble.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
    1. Re:And the OS? by Anonymous Coward · · Score: 0

      I was shocked when I started seeing full featured, retail versions of Windows shoe-horned into real-time hardware like the Rockwell in-rack pc modules. How in the hell could anyone be willing to trust critical system control to the full retail version of Windows is beyond me.

  8. Sharing by drydiggins · · Score: 1

    If I operated linear networks like, say, Caltrans, the California Water Project, any number of river gauges or the California Independent System Operator (electric power broker), I'd probably see this as 'relevant to my interests'.

  9. Just more fear propaganda by Anonymous Coward · · Score: 1

    When I see these kind of articles coming out every other day, I can't help but think that this has more to do with security agencies pushing fear in the media to justify their existence. I'm tired of reading about how China is trying to take us down. We spend and spend with money we don't have. We borrow more from China and then buy the cheapest products from Walmart not even really thinking about the slave labor that produced those products. Are they complaining about working their ass off for almost nothing?

    Want more security? Fire all these stupid fear-mongering security agencies and buy some open-hardware/software solutions from an American company that doesn't outsource their engineering and manufacturing jobs. Also, please don't connect your nuclear melt-down function to port 80. Problem solved.

    1. Re:Just more fear propaganda by cavreader · · Score: 1

      "We borrow more from China" The US does not borrow money from China, China purchases US securities and bonds because it is a safe and stable investment. They currently hold only about 6% of all outstanding securities. If China was somehow trying to destabilize the US they would lose all of the money they have invested.

  10. too much dependence on the internet by __aaacoe2998 · · Score: 1

    I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.

    1. Re:too much dependence on the internet by ColdWetDog · · Score: 1

      I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.

      Yeah, doesn't the term "Sunway's ForceControl 6.1 WebServer" (one of the infected items in TFA) send a little electric tingle down your spine?

      --
      Faster! Faster! Faster would be better!
    2. Re:too much dependence on the internet by jeffstar · · Score: 1

      One good reason to connect an industrial control network to a network outside the immediate premise would be that it is a remote site that doesn't merit a human being nearby to mind it or is only economically viable if it doesn't require humans nearby. Thus it makes economic sense to network it, but a private network is too expensive, so it goes on the internet (probably with VPN only access).

      Private networks are expensive, getting a satellite/whatever internet connection isn't.

      Then you are only as secure as any other organization connected to the internet can be and vulnerable to the same attacks as the rest of the world.

  11. This may be a stupid question... by tlambert · · Score: 2

    This may be a stupid question...

    What kind of moron connects their factory-internal manufacturing systems to the Internet?

    -- Terry

    1. Re:This may be a stupid question... by interiot · · Score: 2

      "DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location."

      The term "SCADA" is specifically used for industrial processes that have to be connected by long-distance networking.

    2. Re:This may be a stupid question... by Anonymous Coward · · Score: 0

      Lazy managers who want to be able to check on systems remotely and can't be bothered to actually visit the site.

    3. Re:This may be a stupid question... by Silverhammer · · Score: 5, Insightful

      Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.

    4. Re:This may be a stupid question... by Luckyo · · Score: 1

      This doesn't necessarily mean it has to be unsafe. A reasonable implementation is to control SCADA over VPN over TCP/IP. Insert a hardware firewall that is completely autistic to everything except for allowing VPN traffic between actual internet and machine running SCADA.

      While it won't be bulletproof, it will certainly limit ability to threaten machines running SCADA with malicious packets and such from internet. There are obviously ways to attack VPN, machine that's connected to other side of VPN and perhaps even firewall itself, but those are not issues covered by the article.

    5. Re:This may be a stupid question... by h4rr4r · · Score: 1

      Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.

    6. Re:This may be a stupid question... by ColdWetDog · · Score: 1

      Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.

      But. Site-to-site leased lines can be very expensive. And money talks. Give a PHB the choice between saving hard cash and the soft, squishy concept of hacking ("Oh, we have security systems in place, yessir"), which will they pick 9 times out of 10?

      --
      Faster! Faster! Faster would be better!
    7. Re:This may be a stupid question... by ColdWetDog · · Score: 1

      Oh, and leased lines are still vulnerable. Not as easily as something directly on the Internet, but you still have to secure them and keep thinking about them. Then the argument of leased line vs. Internet gets even fuzzier. And the PHB is nodding off ....

      --
      Faster! Faster! Faster would be better!
    8. Re:This may be a stupid question... by h4rr4r · · Score: 1

      I know what you are trying to say, but for the very low bandwidth needs of these systems leased lines are plenty reasonable.

    9. Re:This may be a stupid question... by jeffstar · · Score: 1

      visiting sites can cost $$$ and be very time consuming...

    10. Re:This may be a stupid question... by Laser+Lou · · Score: 1

      This may be a stupid question...

      What kind of moron connects their factory-internal manufacturing systems to the Internet?

      -- Terry

      Those who run uranium enrichment machines. That's who.

      --
      No data, no cry
    11. Re:This may be a stupid question... by DarkOx · · Score: 3, Interesting

      You'd be surprised but I bet many maybe most US manufacturers have their shop floor networks connected to their other networks for one reason or another. Do they firewall the crap out of them, well probably but that is no air gap?

      In my experience this is how it's usually evolved on the networks I've seen

      1. Shop floors started off with some proprietary network, not connected to anything else
      2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
      3. Management eventually decides that simplifying and increasing statistics gathering and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen"
      4. IT installs a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well at time.
      5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and lacking any documentation assume it's IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
      6. The consultants get the shop floor running again but they never really circle back and tell IT what the issue was, perhaps it was unrelated, who knows.
      7. You might think IT will sniff packets for awhile and see what actually could be tightened back down but they won't because, they have other problems and have spent a week being interrupted by the consultants already, management wants to see those other projects getting done. All the procedures don't get updated either. The security measures while still in place are mostly ineffective.
       

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
    12. Re:This may be a stupid question... by Luckyo · · Score: 1

      It's worth noting that such SCADA applications are usually remote control of production site. This is usually because of outsourcing of these functions to the lowest bidder.

      As a result, even a little extra spending on security would be under huge scrutiny from "is this really important? We could lose the contract if our costs go up" aspect.

    13. Re:This may be a stupid question... by RobinH · · Score: 1

      I've been in dozens of plants. The answer is... all of them, except the ones where they don't even have the know-how to set up a wireless router at home. Every single decent-sized plant I've visited has most of their industrial automation equipment connected to their computer network. Now, some are more sophisticated than others. Some separate plant-floor from office networks with VLANs. Some actually have physically separate networks, though almost every time I've suggested that, the IT guys demand everything be separated with VLANs (there's too much hassle to maintain two physical networks, especially when you generally have one drop from each at most shop-floor locations). These industrial automation devices collect production data. That data has to be moved up to MES, and then to ERP systems for reporting. People connect to the ERP from their office PCs. They also need Google. There has to be a connection.

      If you *don't* connect them, and your competitors do, then you'll be less efficient and you'll go out of business. That's the unfortunate reality of what's going on. If we want security, it will have to be mandated by laws and audited by 3rd parties. Otherwise there's no incentive to do it, particularly if you're already worried about being in business next quarter.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    14. Re:This may be a stupid question... by RobinH · · Score: 1

      If you're talking about Stuxnet, it was designed to transmit over USB drives. Plus, even though the machines don't necessarily have ethernet ports, you usually program them from an IDE on a laptop communicating over a serial or other proprietary network, and that laptop moves from machine to machine, and even from plant to plant if you're hiring contractors.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    15. Re:This may be a stupid question... by jjp9999 · · Score: 1

      Yeah, they didn't used to. I spoke with someone on this a bit back - it ties, of course, into metrics and them trying to market themselves.

    16. Re:This may be a stupid question... by thegarbz · · Score: 1

      No one directly. But most SCADA systems somehow have a physical link that gets them all the way to the internet. The place where I work has a one way push to another network which is separated by a strict firewall from our corporate network, which is separated by a weak firewall from the internet. It is in theory possible for an attacker to work their way down, but the critical piece is that this is plainly not needed.

      These vulnerabilities on SCADA systems nearly always work from the PC that is connected to the system for maintenance / data logging purposes, the actual method of getting to this system does not need to be the internet. Stuxnet didn't work like this (spread via USB, a favoured method of transferring code to and from these machines in industry), and many viruses these days, while they appear to spread via the internet, actually exploit via social engineering.

      Airgapping a machine is useless if you can convince a user to carry the virus to the machine for you. It's a false idea of security to assume that if you remove the internet we are safe.

    17. Re:This may be a stupid question... by drinkypoo · · Score: 1

      Does anyone know of any cases where anyone has been hacked or their data compromised because they're using one of those fake leased lines where you're actually sharing a ring? And if not, isn't that good enough for this purpose? Genuine end to end leased lines are there to bypass problems with communications systems. Of course, they're just as vulnerable to backhoes as anything else...

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    18. Re:This may be a stupid question... by Foobar+of+Borg · · Score: 1

      Okay, so run your own lines. You will then have:

      1. Greater control
      2. Greater security
      3. Greater uptime (not competing with other users for limited bandwidth)

      Oh, but that's right, it might cost a little more to set up a low-bandwidth network. I guess I should be thinking like a manager.

  12. This is wonderful.. by Anonymous Coward · · Score: 0

    Given that China is hellbent on kicking the ass of every nation..

    1. Re:This is wonderful.. by Foobar+of+Borg · · Score: 1

      Given that China is hellbent on kicking the ass of every nation..

      He says on a US-centric site. Oh, Irony, thou hast been outdone!

  13. What goes around (Stuxnet), comes around (SCADA) by Paul+Fernhout · · Score: 1

    We need to move beyond irony in our global defense community: http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html
    "There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. ... We the people need to redefine security in a sustainable and resilient way. Much current US military doctrine is based around unilateral security ("I'm safe because you are nervous") and extrinsic security ("I'm safe despite long supply lines because I have a bunch of soldiers to defend them"), which both lead to expensive arms races. We need as a society to move to other paradigms like Morton Deutsch's mutual security ("We're all looking out for each other's safety") and Amory Lovins' intrinsic security ("Our redundant decentralized local systems can take a lot of pounding whether from storm, earthquake, or bombs and would still keep working")."

    --
    A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
  14. Yeah? Re:Chinese Trust = Oxymoron by Anonymous Coward · · Score: 0

    You don't think that applies to German, Russian, US, or *insert nation state here* as well?

    Well actually it doesn't since you can't "know" what you might get... it might well be something entirely new :P but that applies to China as well.

    1. Re:Yeah? Re:Chinese Trust = Oxymoron by lolcutusofbong · · Score: 1

      Sure you can... if it's open-source. This isn't a "Chinese software sucks" problem, it's a "proprietary software sucks" problem.

    2. Re:Yeah? Re:Chinese Trust = Oxymoron by drinkypoo · · Score: 1

      This isn't a "Chinese software sucks" problem, it's a "proprietary software sucks" problem.

      Which coreboot-compatible motherboard are you using? What video card are you using? Do you have a RAID controller?

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    3. Re:Yeah? Re:Chinese Trust = Oxymoron by lolcutusofbong · · Score: 1

      I do my RAID in software under Linux and every GPU I own has the open-source drivers loaded.

  15. Re:Not really the issue. by Anonymous Coward · · Score: 1

    Stuxnet did not need internet connections to infect centrifuge controllers. The infection vector is humans with thumbdrives or other means of sharing warez with access to 'secure' networks.

  16. What?? by Anonymous Coward · · Score: 0

    Security problems in software? Made by the Chinese?? Wow. That would NEVER happen in software developed in the US...

    Unless there's evidence the vulnerabilities were put there deliberately, how is this newsworthy?

  17. I guess it all depends on definitions by hyades1 · · Score: 1

    We call it a bug...China calls it a feature.

    --
    I've calculated my velocity with such exquisite precision that I have no idea where I am.
  18. I worked on SCADA systems back in '97-'98 by Rogerborg · · Score: 2

    Every line of code that we wrote was signed off by an individual chartered engineer. And that means that we printed off the entire source, and a Very Serious Chap sat down and Very Seriously Reviewed it, and if he approved it, he wrote his initials against it. Against every single individual line, using his hand, and a pen. A red pen. And if one line, one single line, didn't have that Very Serious Chap's initials against it, then the software didn't ship. No way, no how.

    And once it shipped, that Very Serious Chap would Very Seriously take full responsibility for it, and for the consequences of using it, in the most literal and legal sense.

    And now to save a penny in the dollar, SCADA systems are sourced from the Whang Dong Control Systems, Light Industrial Tools and Edible Cuttlefish Products Conglomerate, of Zing Ping Province, China. WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Ain't it marvellous living in the Future?

    --
    If you were blocking sigs, you wouldn't have to read this.
    1. Re:I worked on SCADA systems back in '97-'98 by lolcutusofbong · · Score: 1

      Hopefully, the horrendous quality of all this lowest-bidder outsourced crapware (both hard- and soft-) will leave a market for people to bring manufacturing, and thus jobs, back to first-world nations, and (in my own selfish mind) the US in particular. I don't know about the average consumer, but I'd gladly pay more for a better, more durable product.

    2. Re:I worked on SCADA systems back in '97-'98 by RobinH · · Score: 1

      I've been contracting on Industrial Control systems for over 10 years. I've never ever seen what you're talking about. However, there are certain *industries* that I haven't worked in where that might be the case. However, I have worked on a machine in the pharma industry, but even though they had much more stringent testing procedures, they still (a) didn't review every line of code and (b) hadn't caught a very serious bug that I found in the code when I was making some changes. In fact, I'm a P.Eng. (very serious chap), and I've never had to put my stamp on anything in this industry.

      Now, there is a subset of Industrial Controls broadly labelled as Safety Systems. These are the parts of the machine that ensure that an operator can't be harmed (it affects how you guard the machine, physical access control, etc.). There are lots of regulations, audits, etc., and you definitely need a P.Eng. involved for that, depending on your geographic location of course. However, that only has to do with controlling potential energy (so, if an operator wants to open an access door, and there's a spinning component, you might need a zero speed sensor interlocked with the door to prevent them from opening it until it's verified that it's stopped, and that has to be a really expensive device that's proven that any single component failure will be detected, and won't allow the door to be opened). That is, however, nothing to do with the computer security we're talking about.

      I should note, modern Safety Systems are available that are software-based and therefore vulnerable to computer security vulnerabilities. They are, at least, required to be locked with a password once the system has been built and signed-off, and you're supposed to have to enter the password to change it, but that doesn't mean the authentication system doesn't have any security holes in it. I highly doubt that part is being audited.

      --
      "I have never let my schooling interfere with my education." - Mark Twain
    3. Re:I worked on SCADA systems back in '97-'98 by germansausage · · Score: 1

      Do not despair. I am sometimes that "Very Serious Chap". I write and review code for a certain type of control systems (allow me to be a little vague on what sort). People's lives and safety depend on the correct functioning of these systems. The code is exactly as you described and when I have reviewed it and put a yellow highlighter through every line (this is the future, after all) I sign my name to it, stamp it with my magic Professional Engineer stamp and take personal and professional responsibility for the code.

      The hardware may sometimes come from China, we mostly buy the systems from North American companies, but the components are for certain made in China. The software, however, is still made here, and the software is at least 50% of what makes it safe or not safe.

    4. Re:I worked on SCADA systems back in '97-'98 by Anonymous Coward · · Score: 0

      Well I'm Chinese and write controller code for *snip* systems overseas and we're the lowest bidder by far. I earn about 350 bucks a month.

      I have the keys to some pretty important parts and if you wouldn't believe it, I'm supposed to roll out updates over remote desktop. No one checks what I'm doing. I get no specifications except *snip* jargon over messenger. Quite frequently I'm supposed to do impossible tasks, things I've estimated to take two months, to be completed over the weekend. I'll work over the night today and make an update tomorrow. It's one of those times again...

      It's utterly mind-bogglingly insane, but what I think is not important to the purchaser.

      For me it's a paycheck and I need it no matter what.

    5. Re:I worked on SCADA systems back in '97-'98 by Anonymous Coward · · Score: 0

      Do not despair. I am sometimes that "Very Serious Chap". I write and review code for a certain type of control systems (allow me to be a little vague on what sort ).

      Hahaha... fuck off you British type!... I won't allow you to be vague. If people's lives depend on it, it should never be secret.

      To the US: We need to wake up and realize that all this "security" and secrecy is what is KILLING us. We have to look for our forefathers for guidance. We narrowly escaped this bullshit in the 18th century... please don't let freedom die with all this fear of terrorism or national security. Watch something like America: The story of us. You will realize that we are undoing everything that America once stood for: The home of the brave! Freedom! Once these assholes take control, we will almost certainly never regain the freedoms that we (with the help of the French) fought so hard for. This is the ONLY reason that other nations might still have any reason to still respect the USA. We used to be a beacon of freedom. Wake up!

    6. Re:I worked on SCADA systems back in '97-'98 by thegarbz · · Score: 1

      Actually you'll find the code physically running on the controllers still is and likely always will be signed VSC next to each line. The attacks on the systems often come from the lines that were never needed to be signed in the first place, namely the interface lines. Back in the day this meant something like serial modbus, these days it's serial modbus nastily hacked into a TCP/IP wrapper with no implied security just as there was no implied security back in the day either, or even better OPC, or some proprietary protocol.

      VSC does not concern himself with external attack on the system. Never has, never will. The theory has always been that you have a hardened PLC, SCADA, DCS whatever, and a stock standard piece of shit computer connected to it which falls under some other Very Less Serious Chap's responsibility, usually same sales rep who simply says, yes our software will run on Windows.

      Hell half the time the computers connected to the SCADA system which are assumed to be trusted aren't even purchased with the system itself.
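
The comment above notes that Modbus wrapped in TCP/IP carries no security of its own. As an added example (not part of the original thread or any vendor's code), this parser walks the Modbus/TCP MBAP header to show that no authentication field exists, then flags write requests from hosts outside an allow-list; the addresses, frames and allow-list are constructed for illustration.

```python
import struct

# Modbus function codes from the public Modbus application protocol spec.
READS = {1: "Read Coils", 2: "Read Discrete Inputs",
         3: "Read Holding Registers", 4: "Read Input Registers"}
WRITES = {5: "Write Single Coil", 6: "Write Single Register",
          15: "Write Multiple Coils", 16: "Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header, then function code + data."""
    if len(frame) < 8:
        raise ValueError("too short for MBAP header plus function code")
    # MBAP: transaction id, protocol id, length, unit id. No credential,
    # session token or MAC field exists anywhere in the frame.
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id is not 0, so not Modbus")
    if length != len(frame) - 6:  # length counts unit id + PDU
        raise ValueError("MBAP length does not match frame size")
    func = frame[7]
    return {"transaction": tid, "unit": unit, "function": func,
            "name": READS.get(func) or WRITES.get(func) or "other",
            "is_write": func in WRITES, "data": frame[8:]}

def flag_writes(observed, allowed_writers):
    """Return alerts for malformed frames and writes from unlisted hosts."""
    alerts = []
    for src, raw in observed:
        try:
            pdu = parse_modbus_tcp(raw)
        except ValueError as exc:
            alerts.append((src, "malformed: " + str(exc)))
            continue
        if pdu["is_write"] and src not in allowed_writers:
            alerts.append((src, pdu["name"]))
    return alerts

# Constructed sample traffic (addresses and register values are made up).
READ_REQ = bytes.fromhex("000100000006010300000002")   # read 2 holding registers
WRITE_REQ = bytes.fromhex("0002000000060106001000ff")  # write register 0x0010
SAMPLE = [("10.0.0.5", READ_REQ), ("10.0.0.5", WRITE_REQ),
          ("10.0.0.99", WRITE_REQ), ("10.0.0.99", b"\x00\x01")]

if __name__ == "__main__":
    for alert in flag_writes(SAMPLE, allowed_writers={"10.0.0.5"}):
        print(alert)
```

Because the protocol itself cannot tell an engineering workstation from any other host, the only check available is on the network side, which is what the allow-list stands in for here.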

  19. What does it mean to be sovereign? by Anonymous Coward · · Score: 0

    Who is surprised? Time to tighten things up and take some sort of control.

  20. Don't put Chinese shit in your important shit by Anonymous Coward · · Score: 0

    Is that too fucking hard to understand?

  21. That's odd by Anonymous Coward · · Score: 0

    > Two vulnerabilities found in industrial control system software made in China

    If there were only two vulnerabilities, China clearly didn't copy it from any western developer of SCADA software.

  22. and they're doing WHAT with this stuff? by swschrad · · Score: 1

    they're connecting it to the electronic Wild Wild West, the Internet.

    critical systems should N E V E R be connected to an open network.

    ever.

    that's rule one.

    why aren't the guys making these connections going to jail?

    --
    if this is supposed to be a new economy, how come they still want my old fashioned money?