Researchers Find Slew of Flaws In SCADA Hardware, Software
Trailrunner7 writes "At the S4 security conference this week, 'Project Basecamp,' a volunteer-led security audit of leading programmable logic controllers (PLCs) performed by a team of top researchers, found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code. 'We were looking for a Firesheep moment in PLC security,' Peterson told the audience of ICS security experts. They got one. 'It's a blood bath mostly,' said Wightman of Digital Bond. 'Many of these devices lack basic security features.' While the results of analysis of the various PLCs varied, the researchers found significant security issues with every system they tested, with some PLCs too brittle and insecure to even tolerate security scans and probing."
So you're saying closed source, only-validate-functionality, stale code has security holes?
Most of these PLCs were simply too successful for their own good. Many of these designs were created in the 70s with no real intent of ever having them live in an on-line environment, but rather to be isolated in machinery as simple as pumps, motors, and simple stand-alone controllers for a variety of machines.
The problem lies not with the PLCs but the questionable decision to wire these things into the network.
Some of these things are extremely simple controllers. Others, like the mentioned D20 ME, are microcomputers unto themselves. These devices are built from a long line of simple process controllers, which grew to their current state from simply hanging more and more interfaces, better processors, and a mountain of legacy software onto what started life as a very simple device.
None of them were ever intended to be put directly on the wild and woolly net, even when they did contain Ethernet ports, modems, and radios. Everyone assumed these were on their own in-plant network and that no one would hook them up to even their general purpose LAN, let alone to computers accessible to the internet.
Anything less successful would have been replaced by a total redesign and rewrite from the ground up.
Especially the ones that require IE 6 to remotely manage. I mean, in that kind of environment, a complete pre-SP1 XP with no firewall, unpatched, that uses unsigned ActiveX controls... or not, what could possibly go wrong!
http://saveie6.com/
Cool, sort of like having access to an industrial 3D printer. Though picking up your finished products might be tough.
Disable autorun for USB devices too!
A lot of the stuff comes from a DOS / Win 3 / 9x mindset, likely loaded with hacks and other stuff to keep them going, so to get real security they may need to be rebuilt from the ground up.
Two decades old = lack of funds to update, or PHBs who think if it's running now we don't need to update them, or ones who say we don't need on-staff IT, outsource it, and the outsourcing puts them on the web so they can do remote admin. Or maybe the IP part was meant to be on the inside network only and someone put it on the web, maybe because they don't know what they are doing or maybe so someone can remote admin it.
Now there are a lot of places where engineers (non-IT) run a lot of the hardware and keep IT out of it, and over time more and more has moved to IP / Windows / outside vendors, and what you get is people who may know what they are doing with the hardware but not the underlying IT side. Golf course meetings with managers do not help, as then you can end up getting some piece of software dumped on you that may not even work that well.
Did they get a grant for this? Almost anyone who works in this field and knows what a TCP/IP port is could produce an overwhelming list of security flaws.
So now we'll see network segmentation proposals: "Don't put controls on your corporate network." Stuxnet proved that was useless.
You don't get a budget for preventing a possible problem, so until there are some comprehensive exploits nothing will happen. Problem is that those exploits could take down the power grid, or water/wastewater, or almost any major utility.
Wait until they get to analyze the GPU processing...
No security at all. DMA in/out to any address desired. Assumptions made about the runtime library loaded with the application, assumptions made about memory handling, assumptions made about I/O.
This series of zero-day public disclosures is an abhorrent act that violates most any professional or ethical code out there.
As these vulnerabilities impact devices which are known to be networked, as well as being in control of critical infrastructure, these "researchers" have at their disposal US-CERT/ICS-CERT, as well as direct contacts with the vendors in question.
They chose to turn this into a marketing stunt to sell tickets to their conference and to attempt to sell consulting services to the control systems industry. Luckily, I see this, and I will NEVER recommend that Rapid7, Dale Peterson, Digital Bond, Dillon Beresford, Jacob Kitchel, Tenable Network Security, or Ruben Santamarta be allowed near ANY critical systems.
These individuals have shown their true colors. The vendors WANT to play along, they WANT to increase security. Instead, these fools did a complete end-run around them and just dropped EXPLOIT CODE into the hands of everyone in the world. These "researchers" clearly do not care about the users of these systems, just the $$ they can milk out of the newly instilled fear.
Didn't some of them have dial-in only, so you needed to war dial to find them and would likely get very little info on what you found? But with an IP you can find something and get a lot more info on the hardware just by running some commands / looking at what software is on the IP that has an open port.
Under the Electro-Magnetic Pulse (EMP), they (the SCADA hardware/software) failed to pass the certification of reliability of this life-critical complex system.
At a recent convention some researchers demonstrated a proof of concept hack they developed that allowed them to control many aspects of correctional facilities. Things like, oh you know, opening cell doors but showing them as closed on the guard terminals. Things like that.
Interesting preso: http://www.youtube.com/watch?v=C7O7HxHSHE0
The wired.com article has this choice quote:
http://www.wired.com/threatlevel/2012/01/scada-exploits/
"I didn't want a vendor to jump out in front of the announcement with a PR campaign to convince customers that it wasn't an issue they should be concerned with," Wightman said.
I can't imagine the type of two faced dickery it would take to spin weaponized exploits as something not to be concerned with.
We just got a great deal on some barely used USB sticks from Iran. Only plugged into their centrifuge controllers once.
I just restarted an entire brewery because the Ethernet card CPU utilization was up at a whopping 73%, which is too high and causing intermittent messaging to other PLCs. 78% is high, right?
It's also the engineers who have moved / been moved into management or sales. If they weren't senior, they'd be out the back accounting for bolts. As it is, we had enough trouble convincing them that a good lawyer can't find a loophole in the laws of gravity and thermodynamics.
Rule #1 being that you do not connect control systems to the internet.
I don't care how good the hacker is, he can't overcome an airgap. Which leads to,
Rule #2 Train your people well enough not to fall for helping him.
I agree. I work for a water utility, and making any changes to our system requires us to physically report to the locked, alarmed office and access (through password login) a SCADA computer terminal, or to report to the facility in question and log in there. I often wish I could at least access current complete "read only" system data on my phone or computer so that when I'm paged by the system and it reports that a fault has occurred (an example could be as simple as "pump #1 failed to start") I could see how crucial it is for me to respond, or if it's something that could wait till morning. But we have so far avoided the slippery slope of remote access, and so I have to respond physically and assess the situation. (And to avoid responding to less than crucial problems, we just set the system to only call out on serious issues and log the others for review during business hours.)
Chris Roberts gave a presentation on a very similar issue at GrrCON and other places this year.
GrrCON video of his presentation can be found here.
So...GE makes jet engines and PLC controllers both to 6 Sigma. How come I don't feel as good about flying now?
Wikipedia: "Six Sigma originated as a set of practices designed to improve manufacturing processes and eliminate defects, but its application was subsequently extended to other types of business processes as well. In Six Sigma, a defect is defined as any process output that does not meet customer specifications, or that could lead to creating an output that does not meet customer specifications."
Next we'll find out it's not a good idea to have a POTS connection to the US War Operations Plan Response system.
Too brittle to be tested is part of security. I used to work on ATVs, and one thing I found is that some companies do stuff like fill their electronics up with busted-up glass and silica gel and RTV to be sure you don't get to see the electronics inside without destroying the unit. I'm talking about you, overpriced Denso.
I guess that is what I'll be doing Monday: pulling the Ethernet cables on the controllers I have control over. It was nice to be able to check on the function of my PLCs over the "local" net, but it is time to play safe rather than sorry and disconnect them. (I had even been playing with a function last week where I ended up thinking, "Ah, it should do that. Someone could take this thing over(?)") Task two Monday: send an email to my PLC company and see what they think. Task three: talk to our cyber security folk.
A lot of newer DCS gear is starting to have process firewalls built into the hardware at the controller layer. Also, a change I've seen of late is that a lot of vendors' software no longer runs ABSOLUTELY EVERYTHING at a privileged level, as has been done in the past!!!
This should reduce the attacks on the PLC devices themselves; however, the protection of the SCADA/DCS servers (usually Windows based) relies on GOOD system administration and knowledge about possible attack vectors.
Anything that straddles a corporate and process network NEEDS to be hardened; however, more often than not this is the weak point (process historians and other servers that provide end-user data are the biggest risk).
I've seen Windows 2000 machines that are on both networks running 2000 SP1 and no later security patches THIS YEAR (not a practice recommended by the vendor either; this was a customer who 'knew better')... let's also mention that it also had a VERY easy to guess admin password!
'Tis a scary world.
Most vendors have best practices for keeping nasties off the process networks; it's usually the customers who compromise to make their own life easier. Usually decisions made by the onsite IT people who, let's be honest, have NO idea about how/what a process system does. I work across many large sites, and in general the IT people do not understand what is required and tend to be the ones who punch the massive holes in the firewalls to get things to work.
The vendors (I work for one) are now catching up by hardening things better at the hardware and software levels, but it's the legacy stuff that scares the bejeezus out of me!!!
Burma?
Nothing new. It's called a two wire serial printer port -- can even drive a 300 baud modem.
Well, what do you expect? These devices use microcontrollers and are limited by the size of memory in the chips. It's not always possible to secure to the Nth degree, so one must analyse the risk of the hardware provided. Don't connect them to a public network. At most, connect the Ethernet to a Windows PC that can receive emails but is not connected to the company LAN.
PLC hardware must remain hardware modules from 20 years ago, so it's no good putting in the latest and greatest microcontroller every year if it breaks compatibility for that RS232 card the company made 20 years ago.
In other news, don't send unterminated strings over TCP Ethernet, i.e. without carriage return, to a Toshiba robot. It will crash the controller in the robot and stop the process.
In further news, don't fill up your gas tank with water, don't hit your spouse and don't drive on your sidewalk.
In the products I've seen (including some of the source code), they were loaded with factory backdoors, sloppy coding, and many designs hadn't been updated since the mid 1990s.
Certainly doesn't help that a lot of the operators of these devices hire the cheapest engineers or techs they can find, usually without a good computer eng background.
OK, firstly, SCADA and PLCs are two different things. SCADA is the HMI control system and PLCs are the parts that actually talk to the physical devices. While sometimes they are in the same box, usually they are totally different devices. Secondly, PLCs can be anything from Windows PCs to low-level simple processors. However, they have one overriding concern, and that is real-time control of the plant hardware. This is why PLCs are hard to secure. Often they don't have the power to run the encryption algorithms required for security.
But they should not need to. Almost all of them are bespoke, running closed simple OSes, using proprietary languages. More importantly, they should all be isolated, both behind physical security and on the network within a DMZ. That's not to say security cannot be improved; however, these are not your PCs connected to the internet.
SCADA machines are more problematic. Generally they are standard PCs running Windows (often quite an old version of Windows). The very generic nature of the hardware and OS is its biggest weakness. As are their users. One of the problems we have encountered is viruses being stuck on PCs via USB sticks brought in from outside. We have even found games installed by bored users. So why not put antivirus software on them, you may ask? Well, the problem there is finding AV software which does not affect the operation of the SCADA software. Secondly is maintaining updates. To do that is either a manual process (not really feasible) or connecting them to a central server or the internet. This introduces an attack vector of its own.
STUXNET is always highlighted when these conversations come up, but this is misleading. If reports are to be believed, this was perpetrated by national agencies with all the resources that implies. No system is totally secure in that situation; the best you can hope for is to detect and delay. However, most systems will never come under such a coordinated attack. Saying that, it has concentrated the PLC industry's mind on security, so that's not a bad thing, but we are nowhere near the Armageddon scenario that such articles seem to hint at.
PLCs come from the ages when "networking" was some wet dream of the die hard geeks (yes, both of them), when it was already a semi-miracle if things worked the way they should. Also the ages when speed was essential, room for the logic was scarce and generally .... fuck, you were happy you could cram the crap into the PLC at all without having to buy another expensive piece of hardware!
We're talking about ancient technology here. Sadly, it has never seen much of an upgrade. Compatibility, we love and hate you. Security took a back seat there because, hell, those things were expensive enough as it is!
And now add that these machines sell even if they're insecure and that security is a cost but no revenue factor and you know why this is anything but a surprise.
I worked the D20. It really is 15-year-old hardware/software that continues to be used because of its installed base and GE sales team rather than its technical merits. A rewrite will never happen because the people who originally built it have all been outsourced by incompetent maintenance teams in India. More likely GE will acquire a superior product then re-brand it. I'd vote for virtualized D20s that can run existing configurations on new hardware.
The biggest problem at my former plant is that management saw our SCADA system as a remote automation system. Instead of hiring night people, we all took turns monitoring from home in our free time. That's right, you work a full day, then have to monitor from home!
So what's the first thing they did with the million dollar SCADA system? Hook it up to the internet. Not change the passwords from defaults, those are still the same, not patch windows with the SCADA manufacturer's recommended patches, they're still running stock Server 2003.
I've seen it a million times and it's always a disaster. Just look at the user interfaces for the vast majority of appliances & peripherals - ghastly...
YES!
The engineers that use this equipment don't want anyone looking over their shoulders. They tell management that everything is fine, all the while keeping it patched together with duct tape. If IT does want to get involved, the engineers run to their management, screaming, "The IT guys will stop us from producing X. Do you want the IT department involved with our production?" Typically the engineers who use the SCADA systems report up through different executives. The executive responsible for producing the product tells the CEO, "If IT gets involved, I'm no longer being held solely responsible for producing X. What do you want to do?" The CEO will always choose the devil he knows.
So the SCADA systems continue to run on Windows 95, Windows NT, Windows XP, and in most cases unpatched versions, lacking anti-virus, with no intrusion detection, nor logging, nor monitoring, nor robust authentication, nor in some cases personally identifiable authentication.
It's just like the airlines prior to 9/11. For years security experts were calling out the huge gaping holes associated with air travel. Simple changes would have made 9/11 impossible, but nothing was done because it was too hard, too costly, too much work. Bottom line, no one wanted to be bothered.
The SCADA industry will have their 9/11, and then there will be Department of Homeland Security agents sitting in wastewater treatment plants, nuclear power plants, water plants, chemical plants, and prisons.
I'm assuming the guards are carrying personal data (files, movies, music, etc.) on those USB sticks. All it would take is someone getting into a guard's computer and dumping a virus onto the USB stick. The unsuspecting guard carries it past the physical protection, loads it into the private network, and the virus then infects the isolated network.
Come to think of it, isn't this how the centrifuges were attacked with stuxnet?
ONE MORE TIME:
You DO NOT put your PLCs or SCADA networks in connection with the Internet. Period.
These devices are made for control, not security. If you are that much of an idiot, you deserve what you get.
There are many great read-only solutions, if you need to see what your plant is doing from a ways away.
The alternative? "Security Hardened" PLCs, whose price will double or quadruple. "Secure" SCADA software, which will be even more pricey than it already is. The control world and the office world are TWO DIFFERENT WORLDS, and woe to he who will try to join them.
Since hackers have demonstrated that NOTHING is really secure, the only real security is this:
DO NOT CONNECT YOUR CONTROL NETWORK TO THE INTERNET.
If you really need to, for example, to allow short-time access for engineers or programmers, then unplug the connection afterward. No hacker can make electrons jump a gap in a wire. That's it, those are the facts.
Not new to us.. not to me at least :|
Ever since that oil platform came down.. in the US not everyone knows that the Siemens-supplied SCADA sys could've been at fault.. wait.. wait a sec. Am I missing something? What about a cyber attack on those.. precisely those systems.. ?
Nobody will ever come to know this.. you gotta read until your eyes are burned out. POP :D
Oh, btw.. SCADA systems have always been fk'd up badly :| :D
http://www.mtl-inst.com/products/category/industrial_security/