Slashdot Mirror

← Back to Stories (view on slashdot.org)

Italian Hacker Publishes 0day SCADA Hacks

Posted by timothy on from the how-to-turn-on-the-hot-water dept.

mask.of.sanity writes "An Italian security researcher, Luigi Auriemma, has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems. The attacks work against six SCADA systems, including one manufactured by U.S. giant Rockwell Automation. The researcher published step-by-step exploits that allowed attackers to execute full remote compromises and denial of service attacks. Auriemma appeared unrepentant for the disclosures in a post on his website."

19 of 106 comments (clear)

  1. Isolated networks are A Good Thing by davidwr · · Score: 4, Insightful

    Isolated networks are your friend.

    It won't stop insider attacks or naive-person-inserts-poisoned-USB-attacks but it's a good first step.

    As for naive employees: Train your people well.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
    1. Re:Isolated networks are A Good Thing by UdoKeir · · Score: 3, Informative

      To be honest, an insider attack can just as easily be carried out with a large hammer.

    2. Re:Isolated networks are A Good Thing by buanzo · · Score: 2

      But it's too noisy DURING the attack :P

      --
      Buanzo Consulting - 15 Years of GNU/Linux experience, for you.
    3. Re:Isolated networks are A Good Thing by geekoid · · Score: 2

      No really. I mean, you can smash their equipment, but that's hardly a big deal.

      Controlling valves, system, dropping rods, shutting off dam, and so on are the big risks.

      --
      The Kruger Dunning explains most post on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:Isolated networks are A Good Thing by Bob+the+Super+Hamste · · Score: 2

      An insider would probably be able to mess with the system and control remote equipment, why smash some computers when you could melt a multi-million dollar generator, or break a large dam, blow up some high voltage transformers, etc... About the only way to deal with an insider is to make sure you hire good people and keep them happy. They do frequent background checks and some are quite detailed, get a background check to work on the system for the Israelis, have frequent trainings and other stuff. I probably get 2-3 background checks a year so that if I am needed I can work on various customer projects. I also do several security trainings each quarter, one for each company so I can continue to work on their systems. The insider is a huge thread and the systems I work on there has been a major push to limit access as much a possible. My company is starting to introduce some very fine grained user access to limit what one can do and see.

      --
      Time to offend someone
    5. Re:Isolated networks are A Good Thing by LoRdTAW · · Score: 3, Informative

      The Stuxnet worm proved that even isolated networks are vulnerable. Besides there is tons of valuable data and metrics on those networks that needs to make its way to plant managers who may or may not be onsite. That data also makes it way into reports that show plant efficiency and keep track of problems that pop up. Its difficult to isolate that data from the rest of the world.

      We need to face facts that many automation protocols are severely dated and insecure. Has anyone ever heard of Modbus? Its an industrial communications protocol that was developed by Modicon in the late 70's and is STILL used today. Its 100% insecure and can be used to write to registers and "coils" on many PLC's/PAC's. Originally it ran over rs232/422/485 networks but today it has a modern TCP version called ModbusTCP. And that has no authentication built in. As long as you can talk to that PLC you can write to any of its registers. Other protocols are also wide open such as the massively popular Profibus/ProfiNET, and etherNet/IP (IP stands for industrial protocol).

      There are dozens of automation controller manufactures out there. Many using these insecure protocols with no replacements in sight. Plus add to that that many end devices that communicate with these controllers are pretty simple in design, pressure gauges, temperature sensors, valve islands motion controllers, etc. are simple in design and implementing a security layer between them is not easy. Modbus is simply a send command to read a register or coil and a simple response. The only other setup is usually setting an 8 bit device address that is accomplished via a set of rotary or dip switches.

      Until someone that is big in the industry (Schneider/Modicon, Allen Bradley, Siemens or Rockwell) comes out with a secure protocol that is simple, reliable and open to anyone to implement, there wont be any change. The only security is to isolate networks and pray no one infects computers inside the control network.

  2. Why not isolate the networks? by kyouteki · · Score: 2

    I used to work at a foundry that had a Rockwell SCADA system. It operated on a completely physically separate network from the normal, internet-facing corporate network. If somebody needed access to both the SCADA system and their email, they had two computers on their desk. For something not as critical as say, a utility, I think this was a bit of overkill (at least they could have used VLANs), but why is this not a semi-common practice? Why do these controls need to be on a network with a route to the internet?

    --
    A slashdotter who didn't build his own computer is like a Jedi who didn't build his own lightsaber.
    1. Re:Why not isolate the networks? by mabhatter654 · · Score: 2

      Of course that was because of SOX. The design of most SCADA networks is so bad just about any normal computer security beraks them.. Especially when multiple vendors are involved. SOX auditors made everybody kick SCADA off the business network... Which has the side effect in most shops of keeping it off the Internet as well.. Or limited to point-to-point networking (dial up)

    2. Re:Why not isolate the networks? by rubycodez · · Score: 2

      not me, since early 90s there was *always* some guy with card in his pc hooked to SCADA net also NIC to corporate LAN. Maybe you should look at each and every box that touches your imagined "secure" systems to make sure.

  3. Re:You cant blame him by Anonymous Coward · · Score: 2, Insightful

    Like the US economy?

  4. Its not that hard! by inasity_rules · · Score: 4, Insightful

    Most SCADA's are still bound to COM. Easiest way to get DCOM working; disable *ALL* security. When you're commissioning a site, and the hardware is being finicky, the last thing you want to do is spend 9 hours debugging some obscure DCOM glitch specific to server 2003 service pack 1 (the only system some of this stuff runs on), so it isn't hard to see why most people have zero security.

    Bring on the days of OPC UA, which makes security possible without having a hernia!

    --
    I have determined that my sig is indeterminate.
    1. Re:Its not that hard! by hjf · · Score: 3, Interesting

      2003 SP1? HA! I've seen stuff running on Win98, because the electric engineers in charge are out of their league when it comes to computers, and win98 "just works"

      I took some PLC introduction course in 2006 or 2007 and the guy was bitching about linux, because linux doesn't have support. And he liked linux because it's stable, but manufacturers only support Windows, and the only way to be SURE that your software is going to work AND last for many years, is to use a not-so-new computer. I'm glad that guy only does small things like cooling control and wood drying facilities.

      But at least he got one thing right: All the control LOGIC has to be in the PLCs. The SCADA is for a nice GUI and logging ONLY. You should add enough buttons, switches and lights to make the system fully usable even if all the SCADA computers are down. And that doesn't mean "manual override", which is something else you should have too.

      I doubt there are applications where a SCADA system should be making decisions.

    2. Re:Its not that hard! by inasity_rules · · Score: 2

      Actually, support at rockwell, will specify your windows version and service pack. Otherwise the software does not run. It isn't always a matter of incompetence on the engineer's side, but sometimes the vendor shoves stuff down your throat. And its all well and good to only work with vendors with decent support and security, but practically if you are a SI, your clients often specify what hardware and software you use. And the most secure systems sometimes lack functionality. We tend to select the latest software the vendor will support as much as we can, but that still leaves us running a lot of Server 2003 PCs.

      Though most of the software I've seen in the field is minimum Windows 2000, Toshiba's PLC software looks like it was written for windows 3.10.

      --
      I have determined that my sig is indeterminate.
  5. Re:You cant blame him by said213 · · Score: 5, Insightful

    That it's 'in the open' just means that there is an urgency to correct these problems... problem being; that urgency existed prior to public disclosure.

    Better to have this information publicly disclosed and subject to scrutiny than the previous system... which involved, apparently, obfuscating or ignoring vulnerabilities or gross incompetence of those responsible for detecting such vulnerabilities.

    --
    help me fix this "Terrible" karma, please!
  6. Re:You cant blame him by doogledog · · Score: 2

    99)... ... ... ...

    I take it a bitch isn't one of those problems though?

  7. DUH.... by Lumpy · · Score: 2

    If your SCADA system is on an unprotected and ISOLATED network then you deserve the hack.
    Kick managers in the nuts that ask for a remote connection to the SCADA system or it's PC's running the pretty UI for the plant operators. there is NO reason to allow any access except from the keyboard and mouse. anyone WORKING on the systems, IE the programmers and engineers should be using sanitized laptops that are ONLY USED for that purpose.

    I was doing this in 1996 when I was doing SCADA systems using the craptastic WonderWare and AB systems.

    --
    Do not look at laser with remaining good eye.
  8. Re:You cant blame him by Exitar · · Score: 2

    Silvio, is it you?

  9. Luigi Auriemma is my hereo by WaffleMonster · · Score: 2

    It would not surprise me if he ends up finding more vulnerabilities than the rest of the world combined and he does it exclusivly for fun/challenge.

    "Responsible" disclosure does tend to mitigate problems in the real world much like a virus scanner installed on a random desktop.

    However neither approach provides the proper incentives to the market to address the root cause of the design/process deficiency which allowed the defect to occur. Responsible disclosure actually artifically lowers the cost the industry has to pay for a security failure only while it is found by someone who is deemed to be "responsible". This makes all software less safe in the long run.

  10. 2011 and we still have the same idiot programming by Old+Wolf · · Score: 2

    I checked over a few of his bug reports, and was bemused to see the same old rubbish

    "mplayer" - calloc() called with a 32-bit integer multiply
    "id Tech 4 engine" - memcpy(_,_, size - 6) , where 'size' is the size of a received packet and can be 5 bytes
    "Unreal server" - crash the server by sending an unexpected packet (the code does an assert() instead of just dropping the packet or whatever)
    "winamp" - craft a video with large dimensions, winamp does signed 16bit multiply of video height*width

    I guess the mplayer one can be explained by free software people not having proper programming training, but iD etc. , you would think that they would hire programmers who think about the possible contents of the variables each time they write an arithmetic operation, especially when it's known that the value of the variable is read from a file or socket and could be anything.

    It really is not difficult to check that size >= 6 (and then that size - 6 buffer_size) before writing "size - 6" in a memcpy.

    I never understood assert() either, just seems like a recipe for disaster in production; it's not difficult to test conditions and invoke actual error handling and recovery