Slashdot Mirror


US Warns of Problems In Chinese SCADA Software

alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."

19 of 95 comments

  1. Anyone surprised? by Opportunist · Score: 4, Informative

    I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

    --
    We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    1. Re:Anyone surprised? by barik · Score: 4, Insightful

      I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

      I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few). Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets even by hand.

    2. Re:Anyone surprised? by bell.colin · Score: 2, Insightful

      The solution is simple. Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the public Internet.

      DISCONNECT THE DAMN THINGS FROM THE INTERNET!

      If you need remote communication from other sites, use WAN links and VPN. Don't use the $20 on-sale special DSL/cable Internet package of the week. How fucking hard is this?

    3. Re:Anyone surprised? by RobinH · Score: 2

      Sigh. This is wrong. Yes, they should be kept on separate VLANs, etc., but at some point someone always needs to get software updates or engineering changes on to the machines, which means you're connecting *some* kind of laptop, thumbdrive, or whatever, from an outside source that has likely been connected to a network that has a connection to the public internet. If you keep the control system isolated, then keeping operating system and anti-virus software up-to-date is just that much harder, which means they'll be susceptible to even older malware.

      The recommended policy, at the moment, is to keep control system equipment on a separate VLAN (it still usually needs to be on a network for data acquisition, etc.), then make sure every box in the place has up-to-date OS updates and anti-virus. Industrial automation vendors are only now coming around to help out. Until very recently they used to *void the warranty* if you installed anti-virus on the same computer as the software (Rockwell, for instance, used to do this with their RSSQL product, which was a PC-based product that reads data out of their PLCs and writes it to SQL databases, and vice-versa. The RSSQL server is typically a Windows 2003 Server box, and it obviously has a connection to a SQL Server that's connected to the front office for reporting use).

      Stuxnet proved malware can easily just propagate over USB thumbdrives. In fact, we recently installed a metal cutting machine in our facility where the operating system was Windows XP Embedded (very common) and the machine came with a thumbdrive used to transfer work instructions back and forth between it and a CAD workstation. The thumbdrive had a virus on it and it was picked up when we inserted it into the CAD workstation! This was a brand new machine from the manufacturer. It was not networked. It obviously didn't have anti-virus.

      While PLCs have always enjoyed relative protection because they're usually proprietary hardware and software, Stuxnet proved they're not safe, and also we're seeing most architectures move towards commercial mainstream OSes. One really big player in industrial automation is Beckhoff: their flagship product is called TwinCAT PLC, which is a PC-based PLC. You install a regular Windows XP PC, install TwinCAT, and it installs its own real-time OS underneath Windows to run the control software, and the Windows part runs the programming software and the HMI (GUI). By using commodity hardware, they have a much lower price point, so this is becoming more popular. SCADA systems are normally PC-based anyway, which is why you see a lot of security stuff about SCADA. I'm just saying PLCs are catching up.

      And none of the protocols that any of these systems use seem to have any kind of authentication built in. If you know the protocol (most are open, particularly if you pay a membership fee to the vendor association), then you can connect to any device and tell it to change memory register XYZ to 5, and it will gladly comply. Chances are you'll crash it, but if you have a copy of the software it's running, then you can easily make it do whatever you want (or even upload a new modified program).

      --
      "I have never let my schooling interfere with my education." - Mark Twain
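The two comments above make the same point from the defender's side: fieldbus protocols such as Modbus/TCP carry no authentication, so the only thing standing between a host on the control VLAN and a register write is whether anyone is watching the wire. The script below is an added example, not code from the original thread or from any vendor named in it. It decodes the public Modbus/TCP frame layout (the 7-byte MBAP header followed by the function code, address and quantity/value of a request) and raises an alert whenever a write function code arrives from a host that is not on an engineering-workstation allowlist, or when a frame does not match the layout at all. The capture, the IP addresses and the allowlist are constructed for the example; the function codes and header fields are those of the published Modbus specification.

```python
import struct
from dataclasses import dataclass

# Public function codes from the Modbus application protocol specification.
READ_CODES = {1: "Read Coils", 2: "Read Discrete Inputs",
              3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_CODES = {5: "Write Single Coil", 6: "Write Single Register",
               15: "Write Multiple Coils", 16: "Write Multiple Registers"}


class ModbusFrameError(ValueError):
    """Raised for frames that do not follow the MBAP header / request PDU layout."""


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function_code: int
    address: int            # starting coil/register address
    quantity_or_value: int  # quantity for reads and multi-writes, value for single writes


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode the 7-byte MBAP header and the fixed 5-byte start of a request PDU."""
    if len(frame) < 12:
        raise ModbusFrameError("frame too short for MBAP header plus request PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ModbusFrameError(f"protocol id {protocol_id} is not Modbus (0)")
    # The MBAP length field counts every byte that follows it (unit id + PDU).
    if length != len(frame) - 6:
        raise ModbusFrameError(
            f"MBAP length {length} disagrees with {len(frame) - 6} bytes present")
    function_code = frame[7]
    if function_code not in READ_CODES and function_code not in WRITE_CODES:
        raise ModbusFrameError(f"function code {function_code} is not in the audited set")
    address, quantity_or_value = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address, quantity_or_value)


def audit(events, write_allowlist):
    """events: iterable of (source_ip, raw frame). Returns one alert string per
    write request from a host outside write_allowlist and per malformed frame."""
    alerts = []
    for source, frame in events:
        try:
            req = parse_modbus_tcp(frame)
        except ModbusFrameError as exc:
            alerts.append(f"{source}: malformed frame ({exc})")
            continue
        if req.function_code in WRITE_CODES and source not in write_allowlist:
            alerts.append(
                f"{source}: {WRITE_CODES[req.function_code]} to unit {req.unit_id} "
                f"address {req.address} value {req.quantity_or_value} "
                f"from non-allowlisted host")
    return alerts


# Constructed sample capture (hypothetical hosts): (source IP, raw Modbus/TCP request).
SAMPLE_EVENTS = [
    ("10.1.1.5",  bytes.fromhex("0001 0000 0006 01 03 0000 000a")),  # HMI reads 10 holding registers
    ("10.1.1.10", bytes.fromhex("0002 0000 0006 01 06 0005 0005")),  # engineering host writes register 5 := 5
    ("10.1.1.77", bytes.fromhex("0003 0000 0006 01 06 0005 0005")),  # unknown host writes the same register
    ("10.1.1.99", bytes.fromhex("0004 0000 0009 01 06 0005 0005")),  # MBAP length field does not match frame
]
ENGINEERING_HOSTS = {"10.1.1.10"}  # constructed allowlist of hosts permitted to write

if __name__ == "__main__":
    for alert in audit(SAMPLE_EVENTS, ENGINEERING_HOSTS):
        print(alert)
```

Run against the constructed capture it reports the write from 10.1.1.77 and the malformed frame from 10.1.1.99, and stays silent on the HMI's reads and the engineering host's write. Detection of this kind is a compensating control only; it tells you a write happened, it does not stop it, which is why the VLAN separation and the allowlist of who may reach port 502 matter more than the monitor.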
  2. Idiots by sycodon · Score: 4, Insightful

    Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

    --
    When Fascism comes to America, it will call itself Anti-Fascism, and tell you to give up your guns.
    1. Re:Idiots by NFN_NLN · Score: 2

      Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

      I think that would qualify as both cruel AND unusual punishment.

    2. Re:Idiots by GameboyRMH · Score: 3, Informative

      Yeah buy it from an American company...that outsourced the programming to China or India.

      --
      "When information is power, privacy is freedom" - Jah-Wren Ryel
    3. Re:Idiots by thegarbz · Score: 2

      While I understand your snide comments, there still remains an issue of oversight. There are a great many things made in China. iPhones, for instance. However, I trust the quality of an iPhone exponentially more than those Chinese iPhone knockoffs. When you outsource to China there is still a modicum of control, which can be just enough to make a difference.

      The same applies to industrial equipment from China. I would greatly prefer buying a valve from a western manufacturer who outsources production to China, controls the quality and has independent certification performed than to go to a Chinese company whose main claim to fame is that they'll print whatever certification you want on the nameplate for you*.

      *This was actually offered to me in a conversation with a Chinese valve manufacturer.

  3. Re:I've said it before and I'll say it again by RatPh!nk · Score: 3, Insightful

    No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest espionage ring yet uncovered right here in the US of A?

    --
    Argh. The laws of science be a harsh mistress.
  4. Newsflash: Vulnerabilities on software by guanxi · Score: 2, Insightful

    Is this news? Whatever software you are using has vulnerabilities.

    So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.

    1. Re:Newsflash: Vulnerabilities on software by Anonymous Coward · Score: 4, Insightful

      The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.

    2. Re:Newsflash: Vulnerabilities on software by Intrepid+imaginaut · Score: 2, Insightful

      Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.

  5. And the OS? by Teun · Score: 2

    I work with a SCADA compatible system; my greatest worry is the OS.

    Several years ago a bean counter decided we could save money so it was recompiled from the trusted Unix platform to Windows.

    Not a huge problem, as in the day it wasn't exposed to the internet, but today it is, and now it's not just infected USB drives that cause trouble.

    --
    "The likes of Facebook and WhatsApp are free to those whose privacy is of zero value."
  6. This may be a stupid question... by tlambert · Score: 2

    This may be a stupid question...

    What kind of moron connects their factory-internal manufacturing systems to the Internet?

    -- Terry

    1. Re:This may be a stupid question... by interiot · Score: 2

      "DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location."

      The term "SCADA" is specifically used for industrial processes that have to be connected by long-distance networking.

    2. Re:This may be a stupid question... by Silverhammer · Score: 5, Insightful

      Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.

    3. Re:This may be a stupid question... by DarkOx · Score: 3, Interesting

      You'd be surprised, but I bet many, maybe most, US manufacturers have their shop floor networks connected to their other networks for one reason or another. Do they firewall the crap out of them? Well, probably, but that is no air gap.

      In my experience this is how it's usually evolved on the networks I've seen:

      1. Shop floors started off with some proprietary network, not connected to anything else
      2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
      3. Management eventually decides that simplifying and increasing statistics gathering and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen".
      4. IT installs a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well for a time.
      5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and, lacking any documentation, assume it's IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
      6. The consultants get the shop floor running again, but they never really circle back and tell IT what the issue was. Perhaps it was unrelated, who knows.
      7. You might think IT will sniff packets for a while and see what actually could be tightened back down, but they won't, because they have other problems and have spent a week being interrupted by the consultants already, and management wants to see those other projects getting done. The procedures don't get updated either. The security measures, while still in place, are mostly ineffective.

      --
      Repeal the 17th Amendment TODAY! Also Please Read http://www.gnu.org/philosophy/right-to-read.html
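Step 7 of the sequence above is the one that rarely happens: nobody goes back over the firewall logs to see which of the relaxed rules the plant actually uses. The script below is an added example, not code from the original thread or from any firewall vendor. It reads constructed firewall log lines in a simple key=value format (not any real product's format), applies a hypothetical first-match rule set the way most firewalls do, and reports three things a practitioner would want before tightening: a proposed host-to-host allowlist built only from flows that were actually observed, rules that matched no traffic at all, and "any port" rules together with the handful of ports they really carried. The rule names, addresses and log lines are all constructed for the example; port 502 is Modbus/TCP, 44818 is EtherNet/IP and 1433 is SQL Server, the services the thread mentions.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR of permitted sources
    dst: str     # CIDR of permitted destinations
    proto: str   # "tcp" or "udp"
    dport: str   # numeric destination port, or "any"

    def matches(self, src: str, dst: str, proto: str, dport: int) -> bool:
        return (ip_address(src) in ip_network(self.src)
                and ip_address(dst) in ip_network(self.dst)
                and self.proto == proto
                and (self.dport == "any" or int(self.dport) == dport))


# Hypothetical rule set as left behind after the "relax the rules" episode (constructed).
RULES = [
    Rule("hmi-modbus", "10.1.1.0/24", "10.2.0.0/24", "tcp", "502"),
    Rule("vendor-rdp", "10.1.1.0/24", "10.2.0.0/24", "tcp", "3389"),
    Rule("vendor-temp-any", "10.1.1.0/24", "10.2.0.0/24", "tcp", "any"),  # the relaxed rule
    Rule("historian-sql", "10.2.0.20/32", "10.1.1.50/32", "tcp", "1433"),
]

# Constructed firewall log lines in a simple key=value layout, not a real vendor format.
LOG_LINES = [
    "2011-06-17T10:01:02 ALLOW src=10.1.1.5 dst=10.2.0.20 proto=tcp dport=502",
    "2011-06-17T10:01:07 ALLOW src=10.1.1.5 dst=10.2.0.20 proto=tcp dport=502",
    "2011-06-17T10:01:12 ALLOW src=10.1.1.5 dst=10.2.0.20 proto=tcp dport=502",
    "2011-06-17T10:01:40 ALLOW src=10.1.1.10 dst=10.2.0.21 proto=tcp dport=44818",
    "2011-06-17T10:02:00 ALLOW src=10.2.0.20 dst=10.1.1.50 proto=tcp dport=1433",
    "2011-06-17T10:02:15 ALLOW src=10.2.0.20 dst=10.1.1.50 proto=tcp dport=1433",
    "2011-06-17T10:02:30 DENY src=192.0.2.9 dst=10.2.0.20 proto=tcp dport=502",
    "this line is not a flow record and must be skipped",
]

LINE_RE = re.compile(r"^\S+ (ALLOW|DENY) src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)$")


def parse_flow(line: str):
    """Return (action, (src, dst, proto, dport)) or None for lines that do not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    action, src, dst, proto, dport = m.groups()
    return action, (src, dst, proto, int(dport))


def tighten(rules, lines):
    """Replay allowed flows through the rule set (first match wins) and summarise
    what the rules actually carried, so they can be narrowed to observed traffic."""
    observed = Counter()                 # (src, dst, proto, dport) -> count
    hits = Counter()                     # rule name -> matched flow count
    ports_per_rule = defaultdict(set)    # rule name -> destination ports seen through it
    for line in lines:
        parsed = parse_flow(line)
        if parsed is None or parsed[0] != "ALLOW":
            continue
        flow = parsed[1]
        observed[flow] += 1
        for rule in rules:
            if rule.matches(*flow):
                hits[rule.name] += 1
                ports_per_rule[rule.name].add(flow[3])
                break
    proposed = [Rule(f"observed-{i}", f"{s}/32", f"{d}/32", p, str(dp))
                for i, (s, d, p, dp) in enumerate(sorted(observed), 1)]
    unused = [r.name for r in rules if hits[r.name] == 0]
    broad = {r.name: sorted(ports_per_rule[r.name])
             for r in rules if r.dport == "any" and hits[r.name]}
    return {"proposed": proposed, "unused": unused, "broad": broad, "hits": dict(hits)}


if __name__ == "__main__":
    report = tighten(RULES, LOG_LINES)
    for rule in report["proposed"]:
        print("keep:", rule)
    print("unused rules:", report["unused"])
    print("'any' rules and the ports they really carried:", report["broad"])
```

On the constructed logs the vendor's RDP rule never matched and the "any port" rule carried only EtherNet/IP on 44818, so both can be replaced by the three observed host-to-host rules. The usual caveat applies to any log-driven allowlist: a week of capture only shows what the plant did that week, so rules for rare events (backups, vendor maintenance windows) have to be confirmed with the people who run them rather than inferred.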
  7. Re:I've said it before and I'll say it again by RatPh!nk · Score: 4, Informative

    I didn't realize the source was sh*tty (I still have no idea who or what rense is); it happened to be the first 2 or so hits on Google. However, it is established that Israel spies on the US just as much, if not more, than anyone. If different sources make you feel better:

    http://en.wikipedia.org/wiki/Lawrence_Franklin_espionage_scandal
    http://www.alternet.org/world/130891/breaking_the_taboo_on_israel's_spying_efforts_on_the_united_states/
    http://www.msnbc.msn.com/id/24256527/ns/us_news-security/t/american-charged-giving-secrets-israel/

    You could list *any* country here. No need to get your vaginas up in arms because someone said something bad about Israel. The point was China is just the next in a long line of countries spying. Now, it might be much worse given how much they make for the US.

    --
    Argh. The laws of science be a harsh mistress.
  8. I worked on SCADA systems back in '97-'98 by Rogerborg · Score: 2

    Every line of code that we wrote was signed off by an individual chartered engineer. And that means that we printed off the entire source, and a Very Serious Chap sat down and Very Seriously Reviewed it, and if he approved it, he wrote his initials against it. Against every single individual line, using his hand, and a pen. A red pen. And if one line, one single line, didn't have that Very Serious Chap's initials against it, then the software didn't ship. No way, no how.

    And once it shipped, that Very Serious Chap would Very Seriously take full responsibility for it, and for the consequences of using it, in the most literal and legal sense.

    And now, to save a penny in the dollar, SCADA systems are sourced from the Whang Dong Control Systems, Light Industrial Tools and Edible Cuttlefish Products Conglomerate, of Zing Ping Province, China. WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Ain't it marvellous living in the Future?

    --
    If you were blocking sigs, you wouldn't have to read this.