US Warns of Problems In Chinese SCADA Software

← Back to Stories (view on slashdot.org)

US Warns of Problems In Chinese SCADA Software

Posted by Soulskill on Saturday June 18, 2011 @06:30AM from the not-for-use-in-nuclear-reactors-at-home dept.

alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."

66 of 95 comments (clear)

Min score:

Reason:

Sort:

Anyone surprised? by Opportunist · 2011-06-18 06:40 · Score: 4, Informative

I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

--
We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
1. Re:Anyone surprised? by barik · 2011-06-18 07:43 · Score: 4, Insightful
  
  I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.
  I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few) . Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.
  
  --
  Titus Barik
2. Re:Anyone surprised? by kubitus · 2011-06-18 08:56 · Score: 1
  
  Now lets assume they looked at the design and improved it / eg. removed some vulnerabilities -
  -
  and lets assume this makes the Chinese clones immune. -
  why would the US warn about Chinese products at all?
3. Re:Anyone surprised? by Opportunist · 2011-06-18 09:35 · Score: 1, Insightful
  
  Yeah. I mean, Siemens is a German company, and we would never expect that from the Germans. It's not like they ever started a war, China on the other hand...
  
  --
  We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
4. Re:Anyone surprised? by bell.colin · 2011-06-18 09:45 · Score: 2, Insightful
  
  The solution is simple, Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the Public Internet.
  DISCONNECT THE DAMN THINGS FROM THE INTERNET!
  If you need remote communication from other sites use WAN links and VPN, Don't use the $20 on-sale special DSL/Cable Internet package of the week. How Fucking hard is this?
5. Re:Anyone surprised? by RobinH · 2011-06-18 13:26 · Score: 2
  
  Sigh. This is wrong. Yes, they should be kept on separate VLANs, etc., but at some point someone always needs to get software updates or engineering changes on to the machines, which means you're connecting *some* kind of laptop, thumbdrive, or whatever, from an outside source that has likely been connected to a network that has a connection to the public internet. If you keep the control system isolated, then keeping operating system and anti-virus software up-to-date is just that much harder, which means they'll be susceptible to even older malware. The recommended policy, at the moment, is to keep control system equipment on a separate VLAN (it still usually needs to be on a network for data acquisition, etc.), then make sure every box in the place has up-to-date OS updates and anti-virus. Industrial automation vendors are only now coming around to help out. Until very recently they used to *void the warranty* if you install anti-virus on the same computer as the software (Rockwell, for instance, used to do this with their RSSQL product, which was a PC-based product that reads data out of their PLCs and writes it to SQL databases, and vice-versa. The RSSQL server is typically a Windows 2003 Server box, and it obviously has a connection to a SQL Server that's connected to the front office for reporting use.). Stuxnet proved malware can easily just propagate over USB thumbdrives. In fact, we recently installed a metal cutting machine in our facility where the operating system was Windows XP Embedded (very common) and the machine came with a thumbdrive used to transfer work instructions back and forth between it and a CAD workstation. The thumbdrive had a virus on it and was picked up when we inserted it into the CAD workstation! This was a brand new machine from the manufacturer. It was not networked. It obviously didn't have anti-virus. While PLCs have always enjoyed relative protection because they're usually proprietary hardware and software, Stuxnet proved they're not safe, and also we're seeing most architectures move towards commercial main-stream OS's. One really big player in industrial automation is Beckhoff - their flagship product is called TwinCAT PLC, which is a PC-based PLC. You install a regular Windows XP PC, install TwinCAT, and it installs its own real-time OS underneath Windows to run the control software, and the Windows part runs the programming software and the HMI (Gui). By using commodity hardware, they have a much lower price point, so this is becoming more popular. SCADA systems are normally PC-based anyway, which is why you see a lot of security stuff about SCADA. I'm just saying PLCs are catching up. And none of the protocols that any of these systems use seem to have any kind of authentication built-in. If you know the protocol (most are open, particularly if you pay a membership fee to the vendor association), then you can connect to any device and tell it to change memory register XYZ to 5, and it will gladly comply. Chances are you'll crash it, but if you have a copy of the software it's running, then you can easily make it do whatever you want (or even upload a new modified program).
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
Idiots by sycodon · 2011-06-18 06:43 · Score: 4, Insightful

Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

--
When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
1. Re:Idiots by NFN_NLN · 2011-06-18 06:47 · Score: 2
  
  Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.
  I think that would qualify as both cruel AND unusual punishment.
2. Re:Idiots by GameboyRMH · 2011-06-18 06:56 · Score: 3, Informative
  
  Yeah buy it from an American company...that outsourced the programming to China or India.
  
  --
  "When information is power, privacy is freedom" - Jah-Wren Ryel
3. Re:Idiots by istartedi · 2011-06-18 11:08 · Score: 1
  
  I agree, where "Idiots" is defined as all the congresscritters, C*Os, and thinktank wonks who thought our currrent trade policy would be such a great idea.
  
  --
  For all intensive purposes, "whom" is no longer a word. That begs the question, "who cares"?
4. Re:Idiots by thegarbz · 2011-06-18 23:59 · Score: 2
  
  While I understand your snyde comments there still remains an issue of oversight. There are a great many things made in China. iPhones for instance. However I trust the quality of an iPhone exponentially more than those Chinese iPhone knockoffs. When you outsource to China there is still a modicum of control which can be just enough to make a difference.
  The same applies to industrial equipment from China. I would greatly prefer buying a valve from a western manufacturer who outsources production to China and controls the quality and has independent certification performed than to go to a Chinese company who's main claim to fame is that they'll print whatever certification you want on the nameplate for you*.
  *This was actually offered to me in a conversation with a Chinese valve manufacturer.
5. Re:Idiots by slick7 · 2011-06-19 04:00 · Score: 1
  
  Yeah buy it from an American company...that outsourced the programming to China or India.
  Look what Israeli programming did to Fukushima.
  
  --
  The mind conceives, the body achieves, the spirit manifests.
Re:I've said it before and I'll say it again by RatPh!nk · 2011-06-18 06:46 · Score: 3, Insightful

No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest espionage ring yet uncovered rigth here in the US of A?

--
Argh. The laws of science be a harsh mistress.
Chinese Trust = Oxymoron by BoRegardless · 2011-06-18 06:55 · Score: 1

I won't buy things that contain their software & anyone who does, knows what they may get.
Newsflash: Vulnerabilities on software by guanxi · 2011-06-18 06:55 · Score: 2, Insightful

Is this news? Whatever software you are using has vulnerabilities.
So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.
1. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · 2011-06-18 07:47 · Score: 4, Insightful
  
  The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.
2. Re:Newsflash: Vulnerabilities on software by Intrepid+imaginaut · 2011-06-18 08:14 · Score: 2, Insightful
  
  Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.
3. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · 2011-06-18 09:25 · Score: 1
  
  Scada systems are under scrutiny currently but there are a lot of PLC controllers with embedded Ethernet ports that use rudimentary or out right flawed IP stacks. Examples of protocols used are Siemens S7, modbus, GE Fanuc SRTP, FTP, HTTP, Global Ethernet Data (GE-Fanuc I believe) and many more. I know some problems with them but these really need ripped apart by experts and the manufacturers goaded in to fixing them. Anon for now.
4. Re:Newsflash: Vulnerabilities on software by cratermoon · 2011-06-18 11:51 · Score: 1
  
  Note that summary: a warning issued by US Industrial Control Systems Cyber Emergency Response Team.
  Not that an organization of US-based industrial control software vendors would have any sort dishonest or self-serving motivations to point fingers at Chinese software. Just sayin'
And the OS? by Teun · 2011-06-18 06:58 · Score: 2

I work with a SCADA compatible system, my greatest worry is the OS.
Several years ago a bean counter decided we could save money so it was recompiled from the trusted Unix platform to Windows.
Not a huge problem as in the day it wasn't exposed to the internet but today it is and now it's not just infected USB drives that do cause trouble.

--
"The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
Sharing by drydiggins · 2011-06-18 07:12 · Score: 1

If I operated linear networks like, say, Caltrans, the California Water Project, any number of river gauges or the California Independent System Operator (electric power broker), I'd probably see this as 'relevant to my interests'.
Just more fear propaganda by Anonymous Coward · 2011-06-18 07:13 · Score: 1

When I see these kind of articles coming out every other day, I can't help but think that this has more to do with security agencies pushing fear in the media to justify their existence. I'm tired of reading about how China is trying to take us down. We spend and spend with money we don't have. We borrow more from China and then buy the cheapest products from Walmart not even really thinking about the slave labor that produced those products. Are they complaining about working their ass off for almost nothing?
Want more security? Fire all these stupid fear-mongering security agencies and buy some open-hardware/software solutions from an American company that doesn't outsource their engineering and manufacturing jobs. Also, please don't connect your nuclear melt-down function to port 80. Problem solved.
1. Re:Just more fear propaganda by cavreader · 2011-06-18 10:48 · Score: 1
  
  "We borrow more from China " The US does not borrow money from China, China purchases US securities and bonds because it is a safe and stable investment. They currently hold only about 6% of all outstanding securities. If China was somehow trying destabilize the US they would lose all of the money they have invested.
too much dependence on the internet by __aaacoe2998 · 2011-06-18 07:22 · Score: 1

I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.
1. Re:too much dependence on the internet by ColdWetDog · 2011-06-18 08:47 · Score: 1
  
  I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.
  Yeah, doesn't the term "Sunway's ForceControl 6.1 WebServer" (one of the infected items in TFA) send a little electric tingle down your spine?
  
  --
  Faster! Faster! Faster would be better!
2. Re:too much dependence on the internet by jeffstar · 2011-06-18 09:41 · Score: 1
  
  One good reason to connect an industrial control network to a network outside the immediate premise would be that it is a remote site that doesn't merit a human being nearby to mind it or is only economically viable if it doesn't require humans nearby. Thus it makes economic sense to network it, but a private network is too expensive, so it goes on the internet (probably with VPN only access).
  Private networks are expensive, getting a satellite/whatever internet connection isn't.
  Then you are only as secure as any other organization connected to the internet can be and vulnerable to the same attacks as the rest of the world.
This may be a stupid question... by tlambert · 2011-06-18 07:23 · Score: 2

This may be a stupid question...
What kind of moron connects their factory-internal manufacturing systems to the Internet?
-- Terry
1. Re:This may be a stupid question... by interiot · 2011-06-18 07:28 · Score: 2
  
  "DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location."
  The term "SCADA" is specifically used for industrial processes that have to be connected by long-distance networking.
2. Re:This may be a stupid question... by Silverhammer · 2011-06-18 07:41 · Score: 5, Insightful
  
  Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.
3. Re:This may be a stupid question... by Luckyo · 2011-06-18 08:21 · Score: 1
  
  This doesn't necessarily mean it has to be unsafe. A reasonable implementation is to control SCADA over VPN over TCP/IP. Insert a hardware firewall that is completely autistic to everything except for allowing VPN traffic between actual internet and machine running SCADA.
  While it won't be bulletproof, it will certainly limit ability to threaten machines running SCADA with malicious packets and such from internet. There are obviously ways to attack VPN, machine that's connected to other side of VPN and perhaps even firewall itself, but those are not issues covered by the article.
4. Re:This may be a stupid question... by h4rr4r · 2011-06-18 08:32 · Score: 1
  
  Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.
5. Re:This may be a stupid question... by ColdWetDog · 2011-06-18 08:49 · Score: 1
  
  Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.
  But. Site-to-site leased lines can be very expensive. And money talks. Give a PHB the choice between saving hard cash and the soft, squishy concept of hacking ("Oh, we have security systems in place, yessir"), which will they pick 9 times out of 10?
  
  --
  Faster! Faster! Faster would be better!
6. Re:This may be a stupid question... by ColdWetDog · 2011-06-18 08:51 · Score: 1
  
  Oh, and leased lines are still vulnerable. Not as easily as something directly on the Internet, but you still have to secure them and keep thinking about them. Then the argument of leased line vs. Internet gets even fuzzier. And the PHB is nodding off ....
  
  --
  Faster! Faster! Faster would be better!
7. Re:This may be a stupid question... by h4rr4r · 2011-06-18 08:53 · Score: 1
  
  I know what you are trying to say, but for the very low bandwidth needs of these systems leased lines are plenty reasonable.
8. Re:This may be a stupid question... by jeffstar · 2011-06-18 09:42 · Score: 1
  
  visiting sites can cost $$$ and be very time consuming...
9. Re:This may be a stupid question... by Laser+Lou · 2011-06-18 09:53 · Score: 1
  
  This may be a stupid question...
  What kind of moron connects their factory-internal manufacturing systems to the Internet?
  -- Terry
  Those who run uranium enrichment machines. That's who.
  
  --
  No data, no cry
10. Re:This may be a stupid question... by DarkOx · 2011-06-18 10:32 · Score: 3, Interesting
  
  You'd be surprised but I bet many maybe most US manufactures have their shot floor networks connected to the their other networks for one reason or another. Do they firewall the crap out them, well probably but that is no air gap?
  In my experience this is how its usually evolved on the networks I've seen
  1. Shop floors started off with some proprietary network, not connected to anything else
  2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
  3. Management eventually decides that simplifying and increasing statistics gather and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen"
  4. IT installs good a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well at time.
  5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and lacking any documentation assume its IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
  6. The consultants get the shop floor running again but they never really circle back and tell IT what the issue was, perhaps it was unrelated, who knows.
  7. You might think IT will sniff packets for awhile and see what actually could be tightened back down but they won't because, they have other problems and have spent a week being interrupted by the consultants already, management wants to see those other projects getting done. All the procedures don't get updated either. The security measures while still in place are mostly ineffective.
  
  --
  Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
11. Re:This may be a stupid question... by Luckyo · 2011-06-18 11:37 · Score: 1
  
  It's worth noting that such SCADA application are usually remote control of production site. This is usually because of outsourcing of these functions to the lowest bidder.
  As a result, even a little extra spending on security would be under huge scrutiny from "is this really important? We could lose the contract if our costs go up" aspect.
12. Re:This may be a stupid question... by RobinH · 2011-06-18 13:38 · Score: 1
  
  I've been in dozens of plants. The answer is... all of them, except the ones where they don't even have the know-how to setup a wireless router at home. Every single decent-sized plant I've visited has most of their industrial automation equipment connected to their computer network. Now, some are more sophisticated than others. Some separate plant-floor from office networks with VLANs. Some actually have physically separate networks, though almost every time I've suggested that, the IT guys demand everything be separated with VLANs (there's too much hassle to maintain two physical networks, especially when you generally have one drop from each at most shop-floor locations). These industrial automation devices collection production data. That data has to be moved up to MES, and then to ERP systems for reporting. People connect to the ERP from their office PCs. They also need Google. There has to be a connection.
  If you *don't* connect them, and your competitors do, then you'll be less efficient and you'll go out of business. That's the unfortunate reality of what's going on. If we want security, it will have to be mandated by laws and audited by 3rd parties. Otherwise there's no incentive to do it, particularly if you're already worried about being in business next quarter.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
13. Re:This may be a stupid question... by RobinH · 2011-06-18 13:41 · Score: 1
  
  If you're talking about Stuxnet, it was designed to transmit over USB drives. Plus, even though the machines don't necessarily have ethernet ports, you usually program them from an IDE on a laptop communicating over a serial or other proprietary network, and that laptop moves from machine to machine, and even from plant to plant if you're hiring contractors.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
14. Re:This may be a stupid question... by jjp9999 · 2011-06-18 18:02 · Score: 1
  
  Yeah, they didn't used to. I spoke with someone on this a bit back - it ties, of course, into metrics and them trying to market themselves.
15. Re:This may be a stupid question... by thegarbz · 2011-06-19 00:05 · Score: 1
  
  No one directly. But most SCADA systems somehow have a physical link that gets them all the way to the internet. The place where I work has a one way push to another network which is separated by a strict firewall from our corporate network, which is separated by a weak firewall from the internet. It is in theory possible for an attacker to work their way down, but the critical piece is that this is plainly not needed.
  These vulnerabilities on SCADA systems nearly always work from the PC that is connected to the system for maintenance / data logging purposes, the actual method of getting to this system does not need to be the internet. Stuxnet didn't work like this (spread via USB, a favoured method of transferring code to and from these machines in industry), and many virus these days, while they appear to spread via the internet, actually exploit via social engineering.
  Airgapping a machine is useless if you can convince a user to carry the virus to the machine for you. It's a false idea of security to assume that if you remove the internet we are safe.
16. Re:This may be a stupid question... by drinkypoo · 2011-06-19 01:37 · Score: 1
  
  Does anyone know of any cases where anyone has been hacked or their data compromised because they're using one of those fake leased lines where you're actually sharing a ring? And if not, isn't that good enough for this purpose? Genuine end to end leased lines are there to bypass problems with communications systems. Of course, they're just as vulnerable to backhoes as anything else...
  
  --
  "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
17. Re:This may be a stupid question... by Foobar+of+Borg · 2011-06-19 06:30 · Score: 1
  
  Okay, so run your own lines. You will then have:
  1. Greater control
  2. Greater security
  3. Greater uptime (not competing with other users for limited bandwidth)
  Oh, but that's right, it might cost a little more to set up a low-bandwidth network. I guess I should be thinking like a manager.
  
  --
  Similar to the upcoming US election results
Re:I've said it before and I'll say it again by RatPh!nk · 2011-06-18 08:39 · Score: 4, Informative

I didn't realize the source was sh*tty (i still have no idea who or what rense is) it happened to be the first 2 or so hits on Google. However this is established that Israel spies on the US just as much, if not more than anyone. If different sources make you feel better:
http://en.wikipedia.org/wiki/Lawrence_Franklin_espionage_scandal http://www.alternet.org/world/130891/breaking_the_taboo_on_israel's_spying_efforts_on_the_united_states/
http://www.msnbc.msn.com/id/24256527/ns/us_news-security/t/american-charged-giving-secrets-israel/
You could list *any* country here. No need to get your vagina's up in arms because someone said something bad about Israel. The point was China is just the next in a long line of countries spying. Now, it might be much worse given how much they make for the US.

--
Argh. The laws of science be a harsh mistress.
What goes around (Stuxnet), comes around (SCADA) by Paul+Fernhout · 2011-06-18 08:47 · Score: 1

We need to move beyond irony in our global defense community: http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html
"There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based approach to using such technology ultimately is just making us all insecure. Such powerful technologies of abundance, designed, organized, and used from a mindset of scarcity could well ironically doom us all whether through military robots, nukes, plagues, propaganda, or whatever else... Or alternatively, as Bucky Fuller and others have suggested, we could use such technologies to build a world that is abundant and secure for all. ... We the people need to redefine security in a sustainable and resilient way. Much current US military doctrine is based around unilateral security ("I'm safe because you are nervous") and extrinsic security ("I'm safe despite long supply lines because I have a bunch of soldiers to defend them"), which both lead to expensive arms races. We need as a society to move to other paradigms like Morton Deutsch's mutual security ("We're all looking out for each other's safety") and Amory Lovin's intrinsic security ("Our redundant decentralized local systems can take a lot of pounding whether from storm, earthquake, or bombs and would still would keep working"). "

--
A 21st century issue: the irony of technologies of abundance in the hands of those still thinking in terms of scarcity.
Re:I've said it before and I'll say it again by cavreader · 2011-06-18 10:34 · Score: 1

Every country in the world spies on one another. It's SOP and has been so since countries were first recognized. What do you think the embassies are used for? Probably 70% of the embassy staffs report to their version of State Security. Diplomatic immunity is not for the ambassadors and political staff it is for protecting the spies who get caught.
Re:I've said it before and I'll say it again by cavreader · 2011-06-18 10:37 · Score: 1

"Do not run Windows on control systems." OK, What OS has no vulnerabilities open to attack?
Re:Not really the issue. by Anonymous Coward · 2011-06-18 10:38 · Score: 1

Stuxnet did not need internet connections to infect centrifuge controllers. The infection vector is humans with thumbdrives or other means of sharing warez with access to 'secure' networks.
Re:I've said it before and I'll say it again by couchslug · 2011-06-18 10:50 · Score: 1

Other OS have vulns, but using an OS that the drones aren't tempted to touch is preferable, as well as one they DO NOT HAVE AT HOME.
The average person is tech-ignorant, that will never change and has never been different. Throw many barriers to entry to discourage them and keep them in their place.

--
"This post is an artistic work of fiction and falsehood. Only a fool would take anything posted here as fact."
I guess it all depends on definitions by hyades1 · 2011-06-18 11:11 · Score: 1

We call it a bug...China calls it a feature.

--
I've calculated my velocity with such exquisite precision that I have no idea where I am.
Re:I've said it before and I'll say it again by lolcutusofbong · 2011-06-18 11:50 · Score: 1

OpenBSD, as of the current release.
Re:Yeah? Re:Chinese Trust = Oxymoron by lolcutusofbong · 2011-06-18 11:52 · Score: 1

Sure you can... if it's open-source. This isn't a "Chinese software sucks" problem, it's a "proprietary software sucks" problem.
I worked on SCADA systems back in '97-'98 by Rogerborg · 2011-06-18 12:29 · Score: 2

Every line of code that we wrote was signed off by an individual chartered engineer. And that means that we printed off the entire source, and a Very Serious Chap sat down and Very Seriously Reviewed it, and if he approved it, he wrote his initials against it. Against every single individual line, using his hand, and a pen. A red pen. And if one line, one single line, didn't have that Very Serious Chap's initials against it, then the software didn't ship. No way, no how.
And once it shipped, that Very Serious Chap would Very Seriously take full responsibility for it, and for the consequences of using it, in the most literal and legal sense.
And now to save a penny in the dollar, SCADA systems are sourced from by the Whang Dong Control Systems, Light Industrial Tools and Edible Cuttlefish Products Conglomerate, of Zing Ping Province, China. WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Ain't it marvellous living in the Future?

--
If you were blocking sigs, you wouldn't have to read this.
1. Re:I worked on SCADA systems back in '97-'98 by lolcutusofbong · 2011-06-18 13:48 · Score: 1
  
  Hopefully, the horrendous quality of all this lowest-bidder outsourced crapware (both hard- and soft-) will leave a market for people to bring manufacturing, and thus jobs, back to first-world nations, and (in my own selfish mind) the US in particular. I don't know about the average consumer, but I'd gladly pay more for a better, more durable product.
2. Re:I worked on SCADA systems back in '97-'98 by RobinH · 2011-06-18 13:53 · Score: 1
  
  I've been contracting on Industrial Control systems for over 10 years. I've never ever seen what you're talking about. However, there are certain *industries* that I haven't worked in where that might be the case. However, I have worked on a machine in the pharma industry, but even though they had much more stringent testing procedures, they still (a) didn't review every line of code and (b) hadn't caught a very serious bug that I found in the code when I was making some changes. In fact, I'm a P.Eng. (very serious chap), and I've never had to put my stamp on anything in this industry.
  Now, there is a subset of Industrial Controls broadly labelled as Safety Systems. These are the parts of the machine that ensure that an operator can't be harmed (it affects how you guard the machine, physical access control, etc.). There are lots of regulations, audits, etc., and you definitely need a P.Eng. involved for that, depending on your geographic location of course. However, that only has to do with controlling potential energy (so, if an operator wants to open an access door, and there's a spinning component, you might need a zero speed sensor interlocked with the door to prevent them from opening it until it's verified that it's stopped, and that has to be a really expensive device that's proven that any single component failure will be detected, and won't allow the door to be opened. That is, however, nothing to do with the computer security we're talking about.
  I should note, modern Safety Systems are available that are software-based and therefore vulnerable to computer security vulnerabilities. They are, at least, required to be locked with a password once the system has been built and signed-off, and you're supposed to have to enter the password to change it, but that doesn't mean the authentication system doesn't have any security holes in it. I highly doubt that part is being audited.
  
  --
  "I have never let my schooling interfere with my education." - Mark Twain
3. Re:I worked on SCADA systems back in '97-'98 by germansausage · 2011-06-18 14:02 · Score: 1
  
  Do not despair. I am sometimes that "Very Serious Chap". I write and review code for a certain type of control systems (allow me to be a little vague on what sort ). People's lives and safety depend on the correct functioning of these systems. The code is exactly as you described and when I have reviewed it and put a yellow highliter through every line (this is the future, after all) I sign my name to it, stamp it with my magic Professional Engineer stamp and take personal and professional responsibility for the code.
  
  The hardware may sometimes come from China, we mostly buy the systems from North American companies, but the components are for certain made in China. The software, however, is still made here, and the software is at least 50% of what makes it safe or not safe.
4. Re:I worked on SCADA systems back in '97-'98 by thegarbz · 2011-06-19 00:12 · Score: 1
  
  Actually you'll find the code physically running on the controllers still does and likely always will be signed VSC next to each line. The attacks on the systems often come from the lines that were never needed to be signed in the first place, namely the interface lines. Back in the day this meant something like serial modbus, these days it's serial modbus nastily hacked into a TCP/IP wrapper with no implied security just as there was no implied security back in the day either, or even better OPC, or some propriety protocol.
  VSC does not concern himself with external attack on the system. Never has, never will. The theory has always been that you have a hardened PLC, SCADA, DCS whatever, and a stock standard piece of shit computer connected to it which falls under some other Very Less Serious Chap's responsibility, usually same sales rep who simply says, yes our software will run on windows.
  Hell half the time the computers connected to the SCADA system which are assumed to be trusted aren't even purchased with the system itself.
Re:I've said it before and I'll say it again by dragonturtle69 · 2011-06-18 16:36 · Score: 1

DO NOT HAVE AT HOME

You just may have given me the argument for management that I need to get away from endlessly trying to "lockdown" Windows.

--
"What luck for the rulers that men do not think." - Adolph Hitler
Re:I've said it before and I'll say it again by deniable · 2011-06-18 17:18 · Score: 1

The boss is often the problem. They 'need' access from their desks to 'monitor' things. That's where the cross-over happens. One way data feeds into a reporting engine are better but then the muppets don't feel they're in control.
Re:Yeah? Re:Chinese Trust = Oxymoron by drinkypoo · 2011-06-19 01:40 · Score: 1

This isn't a "Chinese software sucks" problem, it's a "proprietary software sucks" problem.
Which coreboot-compatible motherboard are you using? What video card are you using? Do you have a RAID controller?

--
"You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
and they're doing WHAT with this stuff? by swschrad · 2011-06-19 03:13 · Score: 1

they're connecting it to the electronic Wild Wild West, the Internet.
critical systems should N E V E R be connected to an open network.
ever.
that's rule one.
why aren't the guys making these connections going to jail?

--
if this is supposed to be a new economy, how come they still want my old fashioned money?
Re:I've said it before and I'll say it again by cavreader · 2011-06-19 06:17 · Score: 1

I doubt many people have access to a SCADA system at home and anyone trying to compromise this type of system would have harder time getting hold of a SCADA test bed then they would getting access to any OS.
Re:This is wonderful.. by Foobar+of+Borg · 2011-06-19 06:32 · Score: 1

Given that China is hellbent on kicking the ass of every nation..
He says on a US-centric site. Oh, Irony, thou hast been outdone!

--
Similar to the upcoming US election results
Re:I've said it before and I'll say it again by Aighearach · 2011-06-19 14:01 · Score: 1

You can't trust an anonymous coward.
Re:Yeah? Re:Chinese Trust = Oxymoron by lolcutusofbong · 2011-07-02 04:44 · Score: 1

I do my RAID in software under Linux and every GPU I own has the open-source drivers loaded.