Slashdot Mirror
SCADA Problems Too Big To Call 'Bugs,' Says DHS
chicksdaddy writes "With the one year anniversary of Stuxnet upon us, a senior cybersecurity official at the Department of Homeland Security says the agency is reevaluating whether it makes sense to warn the public about all of the security failings of industrial control system (ICS) and SCADA software used to control the U.S.'s critical infrastructure. DHS says it is rethinking the conditions under which it will use security advisories from ICS-CERT to warn the public about security issues in ICS products. The changes could recast certain kinds of vulnerabilities as 'design issues' rather than a security holes. No surprise: independent ICS experts like Ralph Langner worry that DHS is ducking responsibility for forcing changes that will secure the software used to run the nation's critical infrastructure. 'This radically cuts the amount of vulnerabilities in the ICS space by roughly 90%, since the vast majority of security "issues" we have are not bugs, but design flaws,' Langner writes on his blog. 'So today everybody has gotten much more secure because so many vulnerabilities just disappeared.'"
"Bugs," "security vulnerabilities," "design flaws"--really doesn't matter. They can still blow up an Iranian centrifuge. And I'm pretty sure that means they can blow them up in other countries too, along with just about anything else that depends on a PLC. Stuxnet, as well-intentioned as it may have been for Israeli and U.S. interests, was a wake-up call that goes way beyond any petty Persian pissing contest.
SJW: Someone who has run out of real oppression, and has to fake it.
We've known for a while that some businesses are to big to fail, now we know that some vertical markets are too big to #FAIL.
Some extra info popped up online just a few days ago - a SCADA consultant posted this a few days ago. It's slightly terrifying, though someone with more SCADA experience than me would have to verify its accuracy:
For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.
The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.
More here: https://www.infosecisland.com/blogview/16696-FACT-CHECK-SCADA-Systems-Are-Online-Now.html
sig:- (wit >= sarcasm)
SCADA? I don't care about. Not directly. But the problem is that once the government says, "These aren't vulnerabilities or security holes. These are design issues." The problem is that you've set the example, and other software vendors are going to follow.
Example: "The denial of service attack against your application is not a security vulnerability, it is just a design issue that everything locks up for a while if it gets an incoming packet, and tries to resolve the IP address against its authoritative DNS server while that is DNS server is offline. We only do security fixes on old products / old releases. Sorry."
"Design issue, not a security vulnerability" is not a distinction you want easily drawn. Others will follow a government example if it is an easy out.
Scada systems ,PLC's are a hackers dream.
It's equipment using protocols of at least 30 years old with no security at all in mind. Furthermore the equipment cannot be turned off or patched or else your factory and/or safety system will no longer work.
And the worst part is setting everything up, you just leave it be when it finally works...
I agree that they are design flaws and not bugs. But the industry has to only mentality to have it work, there is no security aspect during the entire process.
Buyers are not requesting it and vendors are not delivering devices with security in mind.
Making code secure is expensive. When these systems were designed, they were not going to be connected to any outside system, and thus were not designed securely because in order to do anything really bad you'd need to physically access the machine, which meant getting past security guards, cameras, etc without anybody noticing. Nobody could justify the expense of doing things right the first time.
Then somebody with no technical background comes along and says "Why can't we manage this system from our office desktops?"
I am officially gone from
We do SCADA systems in the States. We subscribe to several polices regarding SCADA networks:
1) DO NOT connect your SCADA network to the Internet
2) if you must connect for remote-access, use a patch cord that you ALWAYS unplug afterward.
3) DO NOT use your SCADA machines for desktop business purposes - especially on the Internet!
Argh, the crap that appears in the media. For example, you cannot "infect" a PLC. Why? They don't run Java (or script), or any language recognizable by the Internet community. They don't even run executables, in the sense that PCs do. Their programming is done in a specialized, proprietary language that requires a specialized IDE to manipulate. Write you own? Sure, if you have thousands upon thousands of man-hours handy. Do an open source IDE? Within 24 hours of posting your project somewhere, the manufacturer will be knocking at your door. PLCs are very, very proprietary, and they makers want them to stay that way.
Stuxnet infected a PC, causing it to change the signals it was sending to motor speed controllers, thus fouling up a process. Which is why you keep your SCADA PCs as far away from the Internet as you possibly can.
That isn't a bug, it's a feature. It works that way by design!
Trust me, almost everything you have come to depend on in terms of outside resources or outside facilities, directly or indirectly, involves SCADA. Almost. Intelligent cars use unencrypted, unsecure Ethernet connections, often with some form of unsecure wireless connection in there somewhere. That's not SCADA, merely designed just as badly.
Society is riddled with interdependencies. If you thought Red Hat packages could put you through dependency hell, you've not looked too closely at the systems in the real world much. Those are infinitely worse, frequently unmaintained and it's a minor miracle that civilization hasn't been put back to the stone age. Yet. Unless some serious effort is put in, the effort of keeping semi-decayed interlocking systems even vaguely in operation will become infeasible. Left as-is, it WILL eventually become more practical to hard reset civilization than to fix the cumulative errors.
Finally, "design issues" ARE bugs. They may be bugs in the design, but they're still bugs. It's not that the distinction should not be easily drawn, it should never be drawn at all. A bug is a bug is a bug. If a compiler messes up your code, it may not be a bug in your code but it's still a bug. A compiler bug. If a CPU fails to execute code correctly, it may not be a software bug but it's still a bug. A silicon bug. In this case, we have a design bug, but it is STILL a bug.
Personally, I think design flaws is a much more damming claim to make about your product than a bug report. A bug is a low implementation level issue/oversight. A design flaw means your product is rubbish from the ground-up. I would MUCH rather someone say my software had a bud than that there were design issues. I doubt this is going to be a trend that catches-on. The only way I think it could possibly help a company to make such a damming claim would be if it took the words vulnerability or security off the table, which have a much worse connotation. --Although, design flaws create vulnerabilities and security concerns, so even that doesn't seem likely, IMHO.
also how much code is tacked on to older code makeing it so that lot's of hacks and other security holes more likely?
Now who want's to pay to rewrite the system from the ground up to make it secure or do you want to do it cheap and just patch over the bad design?
I use 'design flaw' for bugs that can't be corrected without rewriting the whole code. Software with design flaws are not called 'bug-free', but 'defective by design'.
This is the next logical step in addressing these problems. It was inevitable. You need to look at it from the company's point of view.
Vulnerability - "Oh, I'm so sorry, we will fix that problem immediately. Update all your controllers ASAP when we post the fix next week."
Design issue - "Oh, yeah, the old 5-R's were designed that way. Would you like to upgrade to the 5-T's? They'll be available next quarter and are only $100 more each than the 5-R's, but don't have that problem. Cheap insurance for your plant, really.
"Well, no they aren't compatible with your old control server, you'll need a new one. No, we won't buy back those 5-R's you bought last year, I don't even know where to sell them, they're just not in demand now.
"Remember, we guarantee to fix any security vulnerability with the 5-T's.
"Just like we did with the 5-R's."
Lowest bidders don't care about bug/vul exspoits. We are trusting people in other countries to do security work. Bring it in house and give your IT team the power to say hell no when developers do stuipid stuff
that's because PLC wasn't supposed to be networked; the core code were never designed with security in mind because they are supposed to be programmed and the parked somewhere and never mess with again.
ELOI, ELOI, LAMA SABACHTHANI!?
Right, because no software vendors ship software with disclaimers to the effect of "This software is unsuitable for any purpose".
Oh wait, they all do.
Microsoft doesn't path security vulnerabilities because they are unable to pass them off as design flaws without the help of government, they patch security vulnerabilities because they know they need to or they will face even greater user erosion.
Nerd rage is the funniest rage.
SCADA? you should care about it. These systems run all sorts of critical items.
Too big to be called bugs but apparently small enough to be brushed under the mat.
When I look at DHS, I can't find a single area in which they are competent. They can't seal the border, they can't ensure that terrorists are denied entry to our aircraft, they can't intercept a terrorist. What in hell CAN they do? Suddenly, they are in the business of issuing cyber security warnings?
The one and only thing that they MIGHT be able to do correctly, is to tell business to observe best practice advice from the professionals. Beyond that - I expect nothing.
Oh yeah, if they can grasp the concept, they might push the idea of strict air gapping.
"Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
We'd rather get back to feeling up 5 year olds and people's Afros rather than address an infrastructure and industries that are highly vulnerable to malicious hacking that could affect the safety and well being of thousands.
They're so paranoid about 3 oz of liquid -what about industrial controls at a petrochemical or other large chemical plants in which thousands of gallons of chemicals could be blown up or caused to release hazardous materials?
I'm just sayin'
When a bug is a point or a sphere, then a design flaw is a line or even a plane (each with a certain thickness) in the multi-dimensional space that is a program.
Hence it is a whole new level of bad.
In my personal system, a design flaw counts for 100-1000 bugs, depending on the project size.
But you're right: Nobody who has any saying gives a fuck about the bureaucrats. Only OCDers (which are also), bureaucrats and worthless pundits do. But nobody listens to them.
A defect is a defect. It doesn't matter if code doesn't operate as expected or if the design was faulty. Bugs can occur anywhere and any time in a system, even in the earliest phases of conception. You can try to call a spade a shovel, but it's still a spade.
...didn't Iran say this "bug" really didn't do anything? Why are people still acting as if this were a problem?
Dear DHS Secretary Janet Napolitano: Please resign. From recent events, it is painfully clear that you do not understand that one of the most fundamental aspects of security is not revealing your methods to the public. This includes telling us whether or not you plan on telling the whole truth about security flaws in the future. The announcement implies two things: 1. Your future comments might not be entirely truthful. 2. DHS's previous comments about cyber security in the past were 100% truthful, to the best of its knowledge. The knowledge of either one of the above two items is just another tool for the enemy. They thank you for giving it to them so willfully.
Aren't all bugs just "design flaws"?
"It's a trick. Get an axe."
There, see, you don't have to call it a bug.
It's still bad and customers still need to be told so they can work the design flaw into their operational plans.
Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
It's called an air gap firewall. Don't connect shit to the Internet that has no business being connected to the Internet. This means having strict policies in place, such as "connecting an uncertified wifi-capable laptop to the SCADA network shall result in the violator being shot, repeatedly, in the balls or other sensitive region."
Seems a fitting time to roll out the old Microsoft joke but with a twist
How many DHS analysts does it take to change a light bulb ?
None, because DHS defines darkness as the new standard
chances are that code are recycled from old product to new; ported forward with minute tweaks for the current hardware platform since the management can't see the value of starting from scratch; if anything starting a new is considered a liability.
ELOI, ELOI, LAMA SABACHTHANI!?
...this is an interesting liability loophole.
Someone found an exploit for a bug. D@mn those haxx0rs!
But now, the reason why 10,000,000 people lost power wasn't a bug--it was a Design Flaw. That means (by definition) whoever designed the software did a bad job. That's 10,000,000 lawsuits right there.
It's considerably easier for someone to disclaim liability for a "bug" (which could be argued was an "unforseeable usage case"or is otherwise unintentional) than for a "design flaw" (poor decision making which someone "knew or should have known" needed to be thought through).
IS THIS GUY SERIOUS???
(sorry)
It is my believe that most vulnerabilities are 'design issues' and not just "security holes" that can be patched over.
I have been studying OS design now for almost 20 years, I think most of these designs where fine for just trying hack something to work, but now with everything interconnected, they were just never built for that.
I have an OS design I have been working on for the past 10 years Amorphous OS that is intended to solve almost every issue I've seen talked about.
Most come from just having a common File System view for the whole OS. This become a place where malicious code can live and hide and exploit.
But memory could be treated much better and more efficiently. The Stack Also needs to be isolated better and separate data storage, instruction pointers, and code better.
None of this is new, it was talked about in the 60's and 70's then it seems everyone forgot about it. So today it's coming back to bite us.
I am always doing that which I can not do, in order that I may learn how to do it. - Pablo Picasso
Yes, but I think the concern here is that the law will -compel- you to fix security vulnerabilities, but allow the 'free market' to deal with 'design flaws'. And I'm sure that will work so well when a customer has so much invested in a particular system that they are basically locked in.
I walked into three power plants and an oil refinery I wasn't authorised to get into just by wearing the right coloured overalls. Of course to get authorisation to be allowed in I had to get inside first due to very weird and stupid rules.
It's called an air gap firewall. Don't connect shit to the Internet that has no business being connected to the Internet,
Not being connected to the Internet didn't keep STUXNET out of Iran's centrifuge SCADA systems. That propagated as a snearkernet virus from consultants' laptops to the machines on the air-gapped networkk which controlled and monitored the PLCs.
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
When I look at DHS, I can't find a single area in which they are competent. They can't ... . What in hell CAN they do? Suddenly, they are in the business of issuing cyber security warnings?
They DID, a few years ago, issue a warning to businesses to migrate off Windows and other Microsoft products, due to their security flaws and the resulting vulnerability of the US private-sector infrastructure to attack.
Of course they managed to hide this warning under a bushel rather than pressure the exectuives to actually HEED it. (Did YOU hear about it before now? Even on Slashdot?)
Bantam Dominique roosters crow a four-note song. Once you've heard it as "Happy BIRTHday" you can't NOT hear it that way
I wish you wouldn't have posted AC then at least I would know which contractor to avoid. Quite frankly your post smells of all the things that cause problems in our industry.
1) Airgapping isn't a be-all and end all security method. Actually it's typically the way people do security when they couldn't be bothered designing a secure system from the ground up. It's the theory that there's only 2 end points and no need for security that got us Modbus, a protocol with no authentication at all which was ported to TCP/IP verbatim with no authentication at all. It is the theory that airgapping = security that ultimately completely failed for Stuxnet's target.
2) When you remote access there's normally a reason to remote access. When you can physically go and plug a cable in you remove 99% of the need to remote access which usually falls into a category of "this SCADA system is on a pipeline in another state". Secondly if you give someone something as simple as a cable how many people do you think will unplug it? How many companies successfully enforce "security policies"? I've seen that at every major company oil company I've worked with. You got a ban on USB sticks? Why is there a USB stick in your pocket? You use passwords to prevent computer access? No you don't need to tell me someone wrote it on the computer case for me.
3) I agree with, but they are often required to be in some way connected to the business network. This is often at odds with 1) and should immediately put you on the path of careful network design.
As for PLCs being proprietary, yes but who cares? In a targeted attack the code could be pre-written, in a denial of service attack all it needs is for the link between the PLC and the rest of the world to be flooded to cause issues. While the PLCs are proprietary the way which they communicate with other systems is very much open, often with piss poor authentication, and often provide a vector for very real damage.
Unfortunately they are right. Much of the industry is based on standards and protocols which were created by one vendor and adopted by others long before the internet reared its ugly head. Many of the fundamental security issues in SCADA systems are failures of design. They aren't bugs because they work 100% as intended.
When you design protocols which are normally used to communicate between physically secure devices, and then open them up on a network to PCs which are now exposed to the open world (be it via USB stick or network cable) you have a fundamental design flaw (not a bug) if you hardcode your passwords or use a protocol with no authentication.
And of course there's absolutely no chance that Iran could reverse engineer that nice little Stuxnet and send it back our way. They could never be that cleaver, could they? Red Rover, Red Rover....
The problem is really that most people care much more about features, and their emotional well being when making purchasing decisions. The consumer usually doesn't know, or care about security, and so the companies that sell any kind of product generally do not either.
Siemens isn't alone there, and I really wouldn't put blame on DHS, they have no reasonable way of enforcing change of that magnitude across the states, think of how many companies wouldn't upgrade to the latest version of software, even if Siemens, and other PLC manufacturers spent the amount of money required to harden their OS, and do proper regression testing. It won't happen, it just isn't feasible, I don't really think that most embedded systems will be realistically secured, until we can find a way to make vulnerability testing cheaper. Maybe when quantum processors come along, and someone dreams up an algorithm to go with them that makes that sort of work orders of magnitude faster, and more effective then we may see industry wide adoption. The only other way is 'evangelism', whereby people tell consumers to care about something, and that never works...
Design flaws are not bugs. Hmmmm. Maybe if I say it the other way. Bugs are not design flaws. Nope. Still not making sense. Maybe I need to put on a suite and tie.
Having to work for a living is the root of all evil.
It has nosense conect everything to Internet, It is a must to evaluate if it is necessary, secure, and valuable. Sometimes the cost is bigger than revenues.