Slashdot Mirror
Support Forums Reveal SCADA Infections
chicksdaddy writes "We hear a lot about vulnerabilities in industrial control system (ICS) software. But what about real evidence of compromised SCADA and industrial control systems? According to security researcher Michael Toecker, a consultant at the firm Digital Bond, the evidence for infected systems with links to industrial automation and control systems is right under our eyes: buried in public support forums. Toecker audited support sites like bleepingcomputer.com, picking through data dumps from free malware scanning tools like HijackThis and DDS. He found scans of infected systems that were running specialized ICS software like Schweitzer Engineering Labs (SEL) AcSELerator Software and GE Power's EnerVista Software (used to configure GE electric power protection products). The infected end user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure. 'With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,' Toecker wrote."
Why are you people posting about your nuclear power plant problems online?
if you keep picking on the SCADA, it will never heal!
of course it gets infected.
--
"It is now safe to switch off your computer."
Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet?? Are they complete morons? Why would they be able to keep their jobs? Are they all idiot sons of rich people and therefore can't be fired or something? I don't get it? What am I missing?
How many millions of dollars a year do you want to spend to maintain that isolation? You can do it, it's just really expensive.
1. Lock down/destroy all wireless comm on all hardware
2. Make entire network visible - all cable runs visible in clear conduits.
3. No software installs without full audit (sorry, no commercial installs allowed, no audit software allowed on the gold network)
4. Destroy all hardware leaving the building (and yes, that includes guests' cellphones.)
5. No windows, line of sight, radio leakage, etc.
6. Fab your own chips. Even a 555 timer can hold a rogue 8086.
7. No interns. Assume every Chinese grad is a malware vector (and everyone else, too.)
8. Assume you still have a 1 bit per second channel to the outside world (power draw, sound, etc.)
My impression is that there are two basic schools of problem:
1. The SCADA-related stuff is, in fact, properly air-gapped. Then the contractor who has to update the firmware on widget Z shows up and plugs in or a stupid and/or malicious insider manages to find a working USB port.
2. You install a fancy Supervisory Control and Data Acquisition system. Your Boss says "WTF, why can't I supervise and manage from the comfort of my iPad like in the vendor demo?" You proceed to punch one or more holes in your precious security.
I'm a sysadmin for a small municipal office with a SCADA system. I manage every computer except the one used for SCADA, which is the responsibility of the vendor. Their only concern is that the computer stays unmodified from their "standard" set up, but it still requires unrestricted Internet access. This means:
*Windows XP SP2
*Automatic Updates turned off
*No third-party software (ex: antivirus)
*No domain/group policy
*Symantec pcAnywhere 11 host (this is the version Symantec admited to being breached and to stop using)
As the sysadmin I can stick it on a VLAN to keep it away from the computers I'm responsible for, but other than that, my hands are tied.
I was not completely clear, but even if you opt for even a simple DIP-8 555, current tech lets us embed a side-saddle microprocessor (4004, 6502, 8086) easily. Unless you pry the top off and scan it, you can't be sure you don't have a trojan horse. It's only a few thousand lines of code for the chip to decide it's in the right place for its payload (running a centrifuge, controlling a missile fin, etc) and then to fail nastily.
We've been doing targeted component sabotage for decades (Russian gas pipelines, Stuxnet, xerox tricks.) Don't trust integrated circuits to be what they claim to be.
What the fuck did I just read?
Something about actual security issues (like what the article was about,) rather than "system ok, internet link bad, idiot sons of rich people" post.
The only thing I could do was to log all the traffic to/from those boxes and save it in case anything happened in the future.
I blame whomever negotiated those contracts. There is no reason why those machines cannot be firewalled at the very least.
I can tell you that none of the protective relays I've installed, the engineers involved didn't care one bit for security and all the SEL relays, Square D SEPAM relays, GE Relays, they are all installed with the default password with full access to anyone that has a RS-232 or Modbus cable. None of these relays are set correctly and barely anyone knows what setups to use on them. If someone really wanted to create a disaster, these relays are wide open, and someone with a laptop can easily just make a quick script to upload malicious settings and code to these relays very easily and quickly. The ones that are networked via status updates are even worse. As for SCADA systems, the majority of them are running Windows XP with no updates on, no antivirus, no anything and have full unrestricted access to the internet with full access to the PLC's on machines. These vulnerabilities have been known for YEARS by many installers, so I really don't find this article that surprising.
Almost all situations fall into the first category. The SEL relays have rear ports for permanent connections and a front port for service. Usually they are set up so programming can't be changed over the serial or Ethernet network, but the front port has no ability for lock-down. SEL even has a cute little "data transporter" that has a serial port on it, so you don't have to bring your laptop to the relay.
The attack alluded to should be able to bypass the sneakernet use of the data transporter. Conceivably, if the service tech's laptop is compromised all relays would allow for remote settings change despite the visible settings on the laptop.
But, unless you could crack the relay firmware downloading the settings to another device or viewing from the built-in screen (which is extremely tedious), you would easily identify the problem.
I'm torn on how serious to take this. It isn't like settings are changed often, so practical implications are limited.
I currently take care of one the largest SCADA/DCS/PLC systems. I have had numberous discussions about security but our policy seems to be security through obscurity.
Later
You're actually missing quite a lot.
1. Many of these systems are remote and need to be managed remotely. The ability to do this via leased lines through telecoms is greatly diminishing and the result is often even if you do get some kind of leased line it still gets routed through the internet.
2. These systems need to be constantly visible and accessed by a wide variety of non control software to help optimise a process.
3. Legal requirements often force you to physically connect this to some kind of remote network making airgap not an option.
4. The idea that airgap = security is outright dangerous and leads to the idea of "Nothing is foolproof because fools are ingenious."
These are fundamental things to consider when installing a system. A non-airgapped system with proper security processes and network design in place can be far more secure than a simple "We didn't connect it to the net so it should be fine" system. I've seen Operators adjust settings on carefully setup gear to get it to stop beeping at them on night shift. I've seen people bring in USB sticks and HDDs from their home and plug them into machines on the control network because they couldn't find a CD or company USB stick to use. And more importantly I've seen waaaaaaay too many machines with login "Admin" password "Manager" or "password" to believe that a network connection is the only source of security concerns.
The problem is the people who install these systems are of instrument/electrical engineering backgrounds not network security backgrounds. The problem is these systems were picked by managers who were shown by the vendors how they can view and control live plant running from their mobiles without any thought as to why they would want to do this. The problem is some people think airgaps are the beginning and end of security. And the problem is you should never underestimate how boring night shift at a running plant can be for operators who simply LOVE pressing buttons.
Oh and they aren't idiot sons of rich people, they are short term contractors with a no-liability clause in their contracts. They come in, setup insecure systems without any proper training on how to maintain and operate them securely and then they leave with their payout.