Slashdot Mirror

← Back to Stories (view on slashdot.org)

Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours

Posted by samzenpus on from the target-rich-environment dept.

Trailrunner7 writes "It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."

104 comments

  1. WTF is SCADA then? by Anonymous Coward · · Score: -1

    Eh?

    1. Re:WTF is SCADA then? by stpere · · Score: 3, Informative

      Google is your friend, as usual. It's basically a system to monitor and control an industrial site/process remotely (power plant, utilities, etc..).

      http://en.wikipedia.org/wiki/SCADA

    2. Re:WTF is SCADA then? by RobertLTux · · Score: 1

      just a hint about 80% of the time if you pop define: %something% into the usual location you will find a bit of wisdom

      in this case define SCADA gets you a link to
      http://en.wikipedia.org/wiki/SCADA

      reading and understanding how industrial bots are controlled is an Exercise Left to the Student

      --
      Any person using FTFY or editing my postings agrees to a US$50.00 charge
    3. Re:WTF is SCADA then? by Anonymous Coward · · Score: -1

      just a hint about 80% of the time if you pop define: %something% into the usual location you will find a bit of wisdom

      in this case define SCADA gets you a link to
      http://en.wikipedia.org/wiki/SCADA

      reading and understanding how industrial bots are controlled is an Exercise Left to the Student

      So we are making up excuses for lazy editing now?

    4. Re:WTF is SCADA then? by vlm · · Score: 1

      An important point is its a general class of software.
      A great /. analogy would be journalists reporting exploits in "web browsing" when they really mean specific (ancient) versions of MSIE.

      So if your SCADA software is listed above, I'd sweat. If not, eh.

      A good working definition is its like a robot that doesn't move, externally anyway.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    5. Re:WTF is SCADA then? by RobbieCrash · · Score: 5, Funny

      Where's the lazy editing? It's not like this is the first SCADA story on /.. Are we going to start defining every non-everyday term in a summary?

      "Researchers have identified a hole (an overlooked security concern) in the TCP (Transmission Control Protocol a system of information transmission that aids in reliable data transfer) layer (a metaphorical layer in a sandwich of other layers each of which pertain to certain elements of the network stack (the combination of hardware (physical parts of a computer) and software (the computer code that resides on a computer's storage that makes up a computer program) that allow a computer to /talk/ to another computer over a network)) of Windows (a computer operating system (a complex computer program that coordinates and translates software requests into hardware actions))."

      --
      Keep on knockin'
      https://robbiecrash.me
    6. Re:WTF is SCADA then? by Anonymous Coward · · Score: -1

      Really now. If I had to go around googling every acronym I see on slashdot I would never get anything done. Most likely the article is not interesting to me, but if the editor had bothered to at least type out what SCADA is short for I might immediately se wether it is worth my time to follow the link to the article or not.

      A few seconds extra on the editors part would save countless man hours across the nation.

      Also, SCADA sounds to me like something taken straight out of doctor Who.

    7. Re:WTF is SCADA then? by radl · · Score: 1

      "Researchers have identified a hole (an overlooked security concern) in the TCP (Transmission Control Protocol a system of information transmission that aids in reliable data transfer) layer (a metaphorical layer in a sandwich of other layers each of which pertain to certain elements of the network stack (the combination of hardware (physical parts of a computer) and software (the computer code that resides on a computer's storage that makes up a computer program) that allow a computer to /talk/ to another computer over a network)) of Windows (a computer operating system (a complex computer program that coordinates and translates software requests into hardware actions))."

      At least it would look nice.

      --
      1266953+17
    8. Re:WTF is SCADA then? by Anonymous Coward · · Score: 1

      As a developer with 20 years of experience, my exposure to the term SCADA might be limited because I primarily work on ETL tasks.

    9. Re:WTF is SCADA then? by blackm0k · · Score: 1

      There's a fairly major difference between "everyday" terms for the general population and those for /. readers. What you've done is somewhat facetiously define a number of terms that one might consider "everyday" for the vast majority of the visitors to this particular news aggregator. SCADA isn't something that most of us deal with, and I think readers could be forgiven for wanting an definition in the summary, especially if they've missed the recent bout of SCADA-related articles.

    10. Re:WTF is SCADA then? by Trepidity · · Score: 3, Funny

      Glad to see another Extraterrestrial Life researcher on Slashdot!

      --
      10 PRINT CHR$(205.5+RND(1)); : GOTO 10
    11. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      I think most Slashdot readers know how to use a search engine.

    12. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      What's a computer?

    13. Re:WTF is SCADA then? by graphius · · Score: 1

      http://www.scada.org/

    14. Re:WTF is SCADA then? by adolf · · Score: 1

      Nonsense. You eat SCADA. You drive SCADA. You probably even wear SCADA.

      If the article were about CNC mills, would you want that term defined? Most of us don't deal with those, either...

      --
      Kid-proof tablet..
    15. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      I think they mean Extra Territorial Law. Or maybe Extra Terse Language? Or Ending Terminal Life?

    16. Re:WTF is SCADA then? by Darinbob · · Score: 1

      Sweat anyway, if you've got SCADA connected directly to internet. Especially if it's older software. For a very long time these control systems were written assuming a closed network, or that customers were never going to use the devices in unsupported manners. Customers wanting cheap software and devices is half the problem. Customers wanting convenience is the other half (ie, they don't want to deal with hassles that must always come if security is beefed up).

      This has all come to a head because of the Stuxnet virus, but that's a bit of a red herring. If someone with the resources to build Stuxnet wanted to hijack a SCADA system then they probably could even if they had beefed up security. The worry is about more casual access to the devices, ie, hackers or terrorists.

      What's important is to make these hard targets instead of easy targets. Make sure they're deployed properly, train the staff, enable the security, be prepared to spend more money, keep your controlled network separated from internet, etc.

    17. Re:WTF is SCADA then? by RobbieCrash · · Score: 1

      There are 20+ Slashdot Posts tagged with SCADA going back to 2008, shitloads of posts about Stuxnet which infects and targets SCADA systems specifically.

      If you don't know what SCADA is, it's because you're not paying attention, not because the editors aren't doing their jobs.

      This time.

      --
      Keep on knockin'
      https://robbiecrash.me
    18. Re:WTF is SCADA then? by martinX · · Score: 1

      Eat yourself fitter.

      --
      When they came for the communists, I said "He's next door. Take him away. Goddam commies."
    19. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      Natural Born Lisper!

    20. Re:WTF is SCADA then? by Anonymous Coward · · Score: -1

      I think most Slashdot readers know how to use a search engine.

      The parent poster has proven you wrong. MOST current slashdot readers barely know what a search engine IS, and a good chunk of them only know of them as the place they type blahblah.com into (No not the address bar, I really do mean the yahoo or google front page)

      The very tiny minority of slashdot readers left who can figure out how to find information they want is vastly outnumbered these days :/

    21. Re:WTF is SCADA then? by aaarrrgggh · · Score: 1

      You work for an Electrical Testing Laboratory and don't know what SCADA is?!

    22. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      So you're making up excuses for being a lazy ass now?

    23. Re:WTF is SCADA then? by alexborges · · Score: 1

      SCADA is old and almost never replaced. It is the nature of the beast to not touch stuff that moves or monitors big and critical things. This is not a software engineer's idea, but an industrial/mechanic engineer's idea of how to work an indistrial facility. There is a gap in understanding between people that do the (really)hardware stuff in an industrial place, and the software people that make SCADA stuff.

      But its all good IMHO because what is going to happen is that SCADA will get better, and believe me, it should. Every single SCADA ive seen sucks to the point of oblivion, they are all made with all four paws.

      --
      NO SIG
    24. Re:WTF is SCADA then? by Nefarious+Wheel · · Score: 1

      Not necessarily. A good number of SCADA RTUs (I'm thinking of the Logica units) have built in parameterised overrides -- you can set a safe range of settings for an RTU (e.g. "close this valve if sensor A gets above 150, no matter what") that can't be overridden, or re-flashed, via the network. This can severely limit any attempts at outside fiddling by muckabouts. At the same time, you can read them across a network for operational situation displays. You just have to engineer the limits into the deployment project.

      --
      Do not mock my vision of impractical footwear
    25. Re:WTF is SCADA then? by Nefarious+Wheel · · Score: 1

      ...You probably even wear SCADA....

      Wasn't there a movie about that? "The Devil Wears SCADA" ?

      --
      Do not mock my vision of impractical footwear
    26. Re:WTF is SCADA then? by smellotron · · Score: 1

      Are we going to start defining every non-everyday term in a summary?

      Why not? I don't see the harm in <span title="Transmission Control Protocol">TCP</span> Ok, spans are semantically void so there's probably a better tag, but it's the attribute which matters. HTML titles are quite appropriate for unobtrusive expansion of TLAs. Your example is intentionally absurd, but it would be fine if applied only to acronyms and "initialisms".

    27. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      If someone with the resources to build Stuxnet

      Compiler, check.
      Computer, check.
      Internet connection, check.

      Despite what you see in the media, it does not take a large government budget to build something like Stuxnet. It could arguably take a government body to deploy Stuxnet in the Iranian nuke facilities, but the development of the software itself could easily be done by a small group or even a single person.

    28. Re:WTF is SCADA then? by Anonymous Coward · · Score: 0

      Dear aaarrrgggh, we wanted your opinion on why Lawnmowers can't mulch anymore, or catch grass anymore, why the suction engineering and the lift on the cut grass is all fucked up. Why lawnmowers come with safety handle, safety clutch, safety kill switch, safety goggles, safety ear muffs, safety gloves, safety chaps, and safety jacket, which make you feel like your driving a forklift in space, instead of a simple fucking "one with nature" throttle like back in the 70's. The new "green gas cans" which can't pour, and drip leak all over the fucking place, including the ground, due to lack of bleeder hole, and all the new UN (where Leon Panetta gets his war marching orders) agenda 21 COPE/Carbon Tax/Global Govt/Global Bankster/no more constitution requirements, now only made of plastic not metal, and finally we wanted your opinion on the new formulated GAS fascism. Gas that can't be stored for long, and when it needs to be used after long storage it's fucked, because it has water in it. We also wanted to know what you do with "old gas with water in it" , do you throw away the contaminated cans, and where? We've never seen, "bring your GAS back ad recycle here" signs.

    29. Re:WTF is SCADA then? by aaarrrgggh · · Score: 1

      What, you haven't heard of a fuel polisher? 8-)

  2. When the light turns on... by PlusFiveTroll · · Score: 4, Interesting

    When the light turns on, the roaches scurry. SCADA has been ignored by infosec up till now. Many of these systems are old, or are new systems not designed any different then they were in the 80's or 90's. It's not hard to find low hanging fruit when you're the first person picking it. Give 'the system' a few years and it won't be any different then Linux and Windows bug hunting now.... once you convince everyone to upgrade, that is.

    1. Re:When the light turns on... by vlm · · Score: 4, Interesting

      Give 'the system' a few year

      I've been hearing anti-scada fud for about two decades and it never gets any better.

      I suppose as agitprop the early 1980s movie "wargames" is pretty good anti-scada. Or claims that Kevin Mitnick can whistle into a telephone thus launching nuclear missiles. There was a cheesy hollywood horror/action movie in the late 80s or 90s that could basically be subtitled "misterhouse grows into a skyscraper and has a tantrum killing everyone inside". I distinctly remember a 6-million dollar man or 6-million dollar woman (a late 1970s psuedo-scifi tv show) which had a nuclear power plant scada attack, with a friendly computer that donated a 7400 series TTL logic chip to repair the magic prosthesis that was LOL funny at the time. There is also at least one anti-scada james bond movie, probably 80s era but I can't remember the details. Oh and there was a cheesy 80s "hacking" TV kids show perhaps the "whiz kids" or something that also had a anti-scada plotline.

      There's about 50 zillion star trek episodes and movies which basically show a scada attack on a warship. Most notably when Kirk drops Kahn's shields remotely and pretty much blows his ship up in ST2. But there's about 49 other examples.

      This would be a fun /. article... everybody troll the depths of your memory to build a timeline of anti-scada FUD.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:When the light turns on... by grantspassalan · · Score: 2

      Why does any control system have to be connected in such a way as to be accessible by some hacker in Russia or who knows where?

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    3. Re:When the light turns on... by NatasRevol · · Score: 1

      Duh, for the plot lines!

      --
      There are two types of people in the world: Those who crave closure
    4. Re:When the light turns on... by ArhcAngel · · Score: 3, Informative

      IF you plan to see Skyfall read no further.

      The current Bond is pretty much nothing but a SCADA horror story.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    5. Re:When the light turns on... by Beardo+the+Bearded · · Score: 3, Insightful

      At first I thought it was pretty silly but then I remembered that the Chinese government had such in-depth control of Nortel's systems that they could control the thermostats.

      So it's really only one step away from something that happened in real life.

      --

      ---
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
    6. Re:When the light turns on... by BlackThorne_DK · · Score: 0

      It doesn't. TCP/IP over Avion Carrier has been superseeded by Payload over USB stick, and since that attack vector came into play, 'connected to the internet' is no longer a requirement...

    7. Re:When the light turns on... by oodaloop · · Score: 1

      I read that Skyfall is actually inspired by Stuxnet, which was way worse than controlling thermostats and happened in real life.

      --
      Tic-Tac-Toe, Global Thermonuclear War, and relationships all have the same winning move.
    8. Re:When the light turns on... by aXis100 · · Score: 1

      Because the engineers that service it dont want to have to be in the middle of no-where to get access, nor do the operating companies want to have to pay for engineers to be on site all of the time.

      An air gap is a great defense but it's expensive and inconvenient.

    9. Re:When the light turns on... by Darinbob · · Score: 1

      I suspect most SCADA systems are less buggy than most Windows applications. Most of them really to have a lot of stability and reliability. A buggy SCADA device is bad news and customers get very angry over it (much angrier than merely having a Windows application crash), as it means lost money, lost safety, etc. Companies who build SCADA systems absolutely paying attention to this. Where is falls down though is the relatively new prevalence of SCADA systems connected to external networks.

    10. Re:When the light turns on... by Anonymous Coward · · Score: 0

      This old EDS commercial is my favorite example of a SCADA system being compromised to hell. At least I think it's one of the funnier ones.

    11. Re:When the light turns on... by PlusFiveTroll · · Score: 1

      These days you have to design your system in such a manner as to have expected that your 'private' network has become connected to your public network. What used to be a techs laptop, is now a techs laptop with a 3G/4G card. You can have a network connection open to the world where you never expected it. Things also get connected by accident, someone plugs the internet switch in to the private network, then later some hacker notices it. Holes in the firewall, or other compromised computers relaying a tcp tunnel via authorized traffic ports. Oh, and the most major one, convenience without thinking about security.

    12. Re:When the light turns on... by Yetihehe · · Score: 1

      When you consider "no security whatsoever" as "not a bug" then yes, they are really solid.

      --
      Extreme Programming - Redundant Array of Inexpensive Developers
    13. Re:When the light turns on... by Anonymous Coward · · Score: 0

      Stuxnet served several purposes.

      Taking the discussion away from Geo-Engineering and haarp tech weather weapons.
      Creating Fear so more cyber warfare criminalization propaganda can be pushed forward globally.

    14. Re:When the light turns on... by AF_Cheddar_Head · · Score: 1

      Yep, since the bran counters have gotten so obsessed with saving money by reducing head count we have to have lights out facilities and remote managenent. Hook everything up to the internet, security be damned and who gives a shit about employmentor security we saved $700,000 this year.

    15. Re:When the light turns on... by Anonymous Coward · · Score: 0

      I read that Skyfall is actually inspired by Stuxnet, which was way worse than controlling thermostats and happened in real life.

      Aaand Stuxnet was designed to target which systems again? SCADA systems.

      By and large, black hats can do a shit-ton more actual, physical damage to a society by gaining control of (or simply wrecking) their utilities' SCADA infrastructure than any of their other networks.

      That's why any engineer worth their ring designs the SCADA infrastructure to be completely isolated from teh interwebs, with no remote control capabilities that aren't conducted over secured and dedicated leased lines. If emergency remote access is required for troubleshooting, then it is formally requested via phone, and if approved an operator on site will push a button that physically connects the system to a VPN router for a preset amount of time (5 mins to 1 hour, usually). If more time is required, the operator has to push the button again, otherwise the remote party is physically disconnected in the middle of whatever they were doing.

      Yes, it can be a nuisance for remote support, but better this than leaving the systems connected (and vulnerable) all the time...

    16. Re:When the light turns on... by denobug · · Score: 1

      IF you plan to see Skyfall read no further. The current Bond is pretty much nothing but a SCADA horror story.

      Yup the new Q should have been fired on the spot if he was still a network engineer grunt at MI6 for making a rookie mistake!!! Why is he putting a non-secured machine from a hostile party into a secure network in the first place???

    17. Re:When the light turns on... by grantspassalan · · Score: 1

      Getting a USB stick from Russia or who knows where else physically plugged into a SCADA system somewhere in the USA is quite a bit more difficult than some hacker sitting in a basement in some distant land breaking in over the Internet.

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    18. Re:When the light turns on... by grantspassalan · · Score: 1

      Yes yes, convenience and saving a few dollars is more important to the bean counters than security.

      --
      A sufficiently advanced simulation is indistinguishable from reality.
  3. segmentation by Anonymous Coward · · Score: 4, Insightful

    This is why SCADA needs to be built out separately from your data network.

    1. Re:segmentation by Anonymous Coward · · Score: 5, Insightful

      This is why SCADA needs to be built out separately from your data network.

      While that is indisputably a good idea, it does not cover all the bases. Disgruntled employees, industrial espionage, and state-sponsored sabotage (in the case of critical or defense industries) won't let a silly air gap stop them.

      As Iran learned at its peril.

    2. Re:segmentation by vlm · · Score: 3, Interesting

      False dilemma. One excellent security practice not being the sole practice necessary doesn't mean its not an excellent security practice.

      I've never worked at a place without airgapped or at least tightly firewalled "IT" and "production"/"engineering" networks. I'm sure there exist places where the receptionist can install a toolbar or weatherbug on her windows PC and literally blow up the plant, but I've never personally seen or worked at one.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    3. Re:segmentation by interval1066 · · Score: 1

      The LAN is getting better, but SCADA itself is hardly being looked at. I wrote about this myself in April: http://twittech.wordpress.com/2012/04/25/industrial-automtion-news/. It doesn't help when SCADA providers are the culprits.

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    4. Re:segmentation by Anonymous Coward · · Score: 0

      For the most part it is. Except for that control unit that you dial into, or other control unit with a radio backhaul, but an attacker would need some special equipment or knowhow to transmit radio signals right?

    5. Re:segmentation by PlusFiveTroll · · Score: 1

      As long as you realize that air-gapping is a weak form of security in itself, air-gapping is ok. One break in the gap and it folds. Too many wireless devices out there these days to ever be sure that your system is really isolated. If your plant network isn't monitored for aberrant traffic patterns and firewalled from internal threats, you'll never know if your air-gap is working.

    6. Re:segmentation by denobug · · Score: 1

      As long as you realize that air-gapping is a weak form of security in itself, air-gapping is ok. One break in the gap and it folds. Too many wireless devices out there these days to ever be sure that your system is really isolated. If your plant network isn't monitored for aberrant traffic patterns and firewalled from internal threats, you'll never know if your air-gap is working.

      Hence it is a standard practice to have ZERO wireless devices within the air-gapped secure network to start. You are correct the traffic monitoring and strict firewall (on an air-gapped network) are still necessary. They should be standard practice in a critical network today, even in SCADA/Control application. There are very little reason not to do so today.

  4. One person's bug... by Anonymous Coward · · Score: 0

    is another's exploit.

  5. No kidding? by Anonymous Coward · · Score: 0

    Anyone who's used some of these SCAD products already knows they're buggy as hell. I'm not the least bit surprised there are security errors.

  6. "Industrial Use" doesn't mean what you think by erroneus · · Score: 3, Interesting

    The industry uses what they use because that's what they use. Their standards are built on their expectactions which are built on their experience. Long ago, computers were machines you didn't turn off. They were reliable and steady. People wrote software which adhered to that mindset. But then the PC industry came and every hobbyist became a programmer. That's when all hell broke loose. But that was fine because these were small system and you just reboot and keep on with whatever you were doing. You were just one person. What did it matter? But the next thing you know "enterprise applications" are being built on a platform intended for single users... bringing with it a whole crapload of lax and shoddy standards.

    Now you know how we got where we are today.

    How do we get out? Linux is built under the same old school priciples of reliability and stability so it tends to be able to run a lot longer than WinTel. But even that's showing signs of relaxing. And Apple? It had a reputation for not having problems... that was until people started to use it.

    So how do we get out? Obvious answer is to go back to what worked. But that's EXPENSIVE. No more "off the shelf solutions" with implied (though EULA denied) guarantees. No more OSes built from single-user, patched and hacked systems. AS/400 for mature systems and service standards come to mind. IT got cheaper with PCs and WinTel. But they also became 10,000 times more risky. People who spend money are constantly lied to by various parties and don't listen to their own IT people about what they should do.

    It's time to go back. It's time to go back.

    1. Re:"Industrial Use" doesn't mean what you think by mcl630 · · Score: 4, Insightful

      Nothing in your rant has anything to do with SCADA.

    2. Re:"Industrial Use" doesn't mean what you think by Crypto+Gnome · · Score: 3, Insightful

      Unfortunately in this risk-vs-reward scenario there's a get-out-of-jail free card which we've ALL seen played fast-n-loose recently.

      If your industry is "to big to fail" the government will step in and throw money at the problem.

      So it's actually a financially viable proposition to invest in crappy workmanship, shoddy systems, and brain dead fundamentally unstable computing systems until A CRISIS LOOMS then wait for The Government so save your sorry ass.

      It's EXACTLY what the banking/finance industry recently did in the US.

      They KNEW perfectly well that what they did, while technically not illegal, was A REALLY REALLY BAD IDEA which *might* (possibly) not blow up in their faces, while making them insanely rich.

      If business are perfectly happy with suchlike RAMPANT STUPIDITY (er I mean UNCONTROLLED GREED) even before the Government had made their "too big to fail" bailout, how much more likely is such behaviour these days?

      Remember folks: if your screwup is BIG enough, there are NO CONSEQUENCES... ANY risk, no matter HOW insane, is worth it - as long as the scale of the potential disaster is large enough.

      --
      Visit CryptoGnome in his home.
    3. Re:"Industrial Use" doesn't mean what you think by Anonymous Coward · · Score: 1

      Nothing in your rant has anything to do with SCADA.

      Yes, but he praises Linux and bashes Wintel, so that's more than enough for the un-intelligentsia to give him a +5 anyway.

      Slashdot: news for wannabe nerds; stuff that panders

    4. Re:"Industrial Use" doesn't mean what you think by erroneus · · Score: 2

      It has EVERYTHING to do with SCADA.

      http://accelconf.web.cern.ch/accelconf/ica99/papers/mc1i01.pdf

      See the paper above. In the first two pages it describes what SCADA is and what its architecture generally consists of. The most important statement is that while SCADA used to be based on other OSes, it is now primarily based on Windows though there is a Linux based SCADA vendor out there.

      My rant points out that In addition to evolving from a single user OS, Windows brings along with it unprofessional coding standards both within the OS and within the applications. This is "very unpopular speech" here on Slashdot, but the reality is what it is. There is a LOT of shoddy Windows software out there and it's all due to the culture which was built around DOS/Windows.

    5. Re:"Industrial Use" doesn't mean what you think by erroneus · · Score: 2

      Fuck you!!!!!

      You're right... but fuck you.

    6. Re:"Industrial Use" doesn't mean what you think by Nefarious+Wheel · · Score: 1

      It has EVERYTHING to do with SCADA.

      ... The most important statement is that while SCADA used to be based on other OSes, it is now primarily based on Windows though there is a Linux based SCADA vendor out there...

      The RTUs (Remote Terminal Units) that form the sensor/control layer of a SCADA network are individual programmable units, which generally have their own minimalist platform and programming language for their specific embedded systems. A control network of these may be infectable, but the individual end-terminal units - the ones that do the actual control - are a wee bit esoteric for your average (or not so average) script kiddie. It would be like connecting your PC across the network to a strange device, and discovering it was written in ICL or CDC3150 assembler. Your only meaningful dialogue would consist of "WTF?". And these FPU's can be set to ignore re-flashing from the net. "Change the shutdown temperature by +100 degrees? Piss off!"

      --
      Do not mock my vision of impractical footwear
    7. Re:"Industrial Use" doesn't mean what you think by Errol+backfiring · · Score: 1

      That is why there was a petition in Germany to force nuclear power plants to have an insurance. Because they simply have not as it would be far too expensive and any disasters are the problem of the inhabitants anyway. If nuclear power plants had an insurance, the energy would not be so deceptively cheap with respect to clean energy.

      --
      Nae king! Nae laird! Nae yurrupiean pressedent! We willna be fooled again!
    8. Re:"Industrial Use" doesn't mean what you think by erroneus · · Score: 1

      The compromises which have occurred on SCADA systems have compromised the Windows portions. Once the Windows portions are infected, the network is compromised. If these SCADA programable units are set to accept command and control from these Windows machines, the game is over. And I believe that has been the case in every documented SCADA system compromise.

  7. firewalls! by pointyhat · · Score: 4, Informative

    Everyone knows about the holes, including the manufacturers. They're designed to operate on controlled, private networks. Every time someone gets hacked, they should go after the implementors, not the vendors as they should factor security onto their site designs. I'm not excusing the manufacturers, just people need to know this is engineering and not infosec - people buy black boxes which do stuff and that's all that matters to them.

    1. Re:firewalls! by Anonymous Coward · · Score: 0

      Exactly, There is zero reason important control systems (nuclear power, industrial manufacturing, other big ass machines that can kill) should be on the damn internet or any network that can be on the internet.

      You do not a shiny iApp to control a 5-ton industrial machine from your smart-phone just because you can.

      If it needs some form of remote accessibility private WAN links have been around for years (ISDN, T1, Fiber for whatever bandwidth needed)

    2. Re:firewalls! by tlhIngan · · Score: 5, Insightful

      Everyone knows about the holes, including the manufacturers. They're designed to operate on controlled, private networks. Every time someone gets hacked, they should go after the implementors, not the vendors as they should factor security onto their site designs. I'm not excusing the manufacturers, just people need to know this is engineering and not infosec - people buy black boxes which do stuff and that's all that matters to them.

      The problem is even airgapped networks can be broken into. See stuxnet and flame - they exploited several machanisms to install themselves onto airgapped networks. It also went to show that even airgaps can be broken into if you don't need much in the way of return information - you just need to get onto the network, and not send data back out. Heck, the USAF had their UAV computers infected with a virus.

      The weakest part of an airgapped network is the maintenance thereof - add some new PLCs to the network? Well, they have to be configured to work with everything else, so someone has to plug something into it to configure it. And that something is unknown - it could be a technician's laptop, it could be a thumb drive, etc.

      The thing is, an airgapped network has to be maintained, and it's really hard to do so without at some point having to plug something in-between the gap. (For Stuxnet, it was a software update or other thing, for the USAF, it was... map updates). And at some point, data has to be transported across

      Heck, even the thumbdrive isn't invulnerable - it could for example be infected during manufacturing.

      In the end, all networks are interconnected. Some less so than others, but eventually they will have to be in some shap or form.

    3. Re:firewalls! by OzPeter · · Score: 1

      Wanna take bets on that?

      ProficySCADA By GE Intelligent Platforms, Inc.

      (all though all it seems to be is link to the existing CIMPLICITY webserver component)

      --
      I am Slashdot. Are you Slashdot as well?
    4. Re:firewalls! by ControlsGeek · · Score: 1

      Back in the day when the IT folks wanted to gather data from my Modicon PLC's I put a seperate PLC on Modbus Plus Network and used Ladder commands to transfer what they wanted to it. Then I put a Gateway in between with custom built ROM that disabled the Modbus commands that could change or write to that PLC and left them with only Read Register (4xxxx).

    5. Re:firewalls! by interval1066 · · Score: 1

      They're designed to operate on controlled, private networks.

      WRONG. Their designed WITHOUT security whatsoever. Period. http://twittech.wordpress.com/2012/04/25/industrial-automtion-news/

      --
      Python: 'And then suddenly you have a language which says "we're all stuck with whatever the whiniest coder wants".'
    6. Re:firewalls! by joe_frisch · · Score: 1

      There are huge maintenance advantages to having your SCADA system connected to the internet: as an example it allows your experts to debug problems from home, rather than wasting time to drive in. This leads to the (quite reasonable) desire to connect the systems but implement various types of security to prevent unauthorized access. Of course even if that is done correctly, the "authorized" person may themselves be the unintentional source of the hack - just because someone knows how to tune the parameters of an oil refinery doesn't mean that they are an expert in resisting hacks.

      Some classified computer systems really are kept isolated, but it is a huge hit to the efficiency of work done there, and in many cases the added cost isn't worth the extra security. Even that won't protect against hacks at the manufacturer end......

    7. Re:firewalls! by Darinbob · · Score: 1

      And Stuxnet managed to get past this air gap. However that was a piece of malware designed with an enormous amount of resources too.

      The problems here are large. SCADA systems involve many different devices all from different manufacturers all jury rigged to work together. Putting a lot of security best practices in place is difficult. And to be fair, security actually scares a lot of people here. They are worried that they'll be unable to control the network like they used to, worry that once they flip the switch to turn on security for one group of devices that the whole thing will come crashing down, worry that they'll have to rip it all out and build it back up again with new equipment, worry about a Terry Childs sort of incident, etc.

    8. Re:firewalls! by AF_Cheddar_Head · · Score: 1

      And just as many security disadvantages. Yes you get the immediate savings of lights out management but no bean counter ever takes into the long-term and hard to quantify costs of all the additional security necessary to protect your convenience.

  8. it looks like by M0j0_j0j0 · · Score: 0

    In a few hours??!!! it's a SCANDAL!!

  9. tomhudson programmed for siemens by Anonymous Coward · · Score: 0

    it explains the bugs they have right there. tomhudson also goes by Barbara, not Barbie, and webmistressrachel around here.

  10. So I saw the video by OzPeter · · Score: 3, Interesting

    I tracked the video down to ReVuln - SCADA 0-day vulnerabilities

    Now can someone tell me what I saw? All I can see is video of some commands being typed into a command window in a older version of Windows, and lots of graphics (and funky music) saying exploit this and exploit that. How do I know that what they are claiming is what is shown on that video?

    Note that I am not doubting that SCADA systems are not secure, the've been my bread and butter for a long long time. I just want cold hard facts., not a presentation that looks like it is a sales pitch aimed at scaring SCADA manufacturers.

    --
    I am Slashdot. Are you Slashdot as well?
    1. Re:So I saw the video by Anonymous Coward · · Score: 0

      ummmm..no video here, or kickin beats, but if your really interested in hard cold facts a good place to start is NIST SP 800-82.
      http://www.nist.gov/el/isd/ics-062111.cfm

  11. SCADA wasn't designed for internet connections. by Vellmont · · Score: 1

    SCADA was supposed to be an industrial control system, where nobody thought "hey... let's suddenly connect this incredibly important system that could literally kill people if it were compromised..... to the internet".

    So it shouldn't be surprising the thing is full of vulnerabilities. It wasn't designed to be a secure system from smart and incredibly skilled people trying to attack it. It was designed to be secure through physical security and lack of access in the first place. The problem is that everyone expects data all the time now, even reporting from their industrial processes. So some higher up demands it, and the IT department is forced to connect these systems to the net... opening up a huge amount of problems.

    Duh.

    --
    AccountKiller
    1. Re:SCADA wasn't designed for internet connections. by findoutmoretoday · · Score: 1

      I looked recently at Siemens S7. It's with internet and it is much more fun than the old systems I programmed 20 years ago.

    2. Re:SCADA wasn't designed for internet connections. by ColdWetDog · · Score: 1

      That might have been an OK excuse 5 years ago, but it's been rather a long time (in Internet time) since SCADA started getting hooked into the Internet. We've had a bunch of discussions about this exact issue for quite awhile. The industry has a set of best practices (air gap, data diodes, etc). The manufacturers of SCADA gear have had plenty of time to revamp their designs.

      If you believe TFA, they haven't done a particularly good job of the latter.

      --
      Faster! Faster! Faster would be better!
    3. Re:SCADA wasn't designed for internet connections. by Anonymous Coward · · Score: 0

      There's a human problem too. I got put in charge of a SCADA network that still had the default admin password AND was internet facing.

    4. Re:SCADA wasn't designed for internet connections. by bytesex · · Score: 1

      And you consider 5 years a long time? I think that just shows that you don't work with SCADA systems.

      --
      Religion is what happens when nature strikes and groupthink goes wrong.
    5. Re:SCADA wasn't designed for internet connections. by Anonymous Coward · · Score: 0

      1. Machines needs to be connected to the internet to get orders from sales if you want an effecient warehousemanagement.

      2. Machines have control systems (PLCs snd SAFETY PLCs) that prevents the machine from killing anyone even if the SCADA is compromised.

      A correct implementation of SCADA means that when SCADA gets hacked the culprit can do whatever the managers could do. Basically s/he could make bad products. If the machine is a powerplant this means that some people will lose access to power. If the machine produces medicine the IEC standards protects the medicine. If the machine produces hammers you might get lousy hammers.

      It's not as easy as many here try to make it.

      Even with full access to any SCADA I commission you will *not* be able to make the industrial robot move while the door to the robot cell is open. That just isn't within the SCADAs power.

    6. Re:SCADA wasn't designed for internet connections. by ModelX · · Score: 1

      Factories don't work on internet time. Once a large expensive piece of industrial equipment is installed it's there for a loooong time. I used to work on upgrading some software for four machines that were 15 years old at the time. Two new machines were ordered (with a price tag of around 4M) and they wanted the control software to be compatible with the old machines. That was about a decade ago. The plan was not to upgrade until old control computers start failing. As far as I know they are still working.

  12. How do you get a SCADA system to test? by GGardner · · Score: 1

    So, if I'm a random security researcher, how do I get my hands on these SCADA systems to test them? They certainly aren't open source, and I'm guessing they aren't cheap. I doubt you can just type a credit card number into GE's web site and download one. How do they get one to look at?

    1. Re:How do you get a SCADA system to test? by dj245 · · Score: 1

      So, if I'm a random security researcher, how do I get my hands on these SCADA systems to test them? They certainly aren't open source, and I'm guessing they aren't cheap. I doubt you can just type a credit card number into GE's web site and download one. How do they get one to look at?

      I believe you have just nailed their security through obscurity philosophy. Only organizations with a small pile of cash, the right connections, or existing industry experience are able to play with these toys. This isn't something script kiddies can do.... yet. Sure you can break into a Duke Energy's VPN, and maybe they are stupid enough to still have control software on their internal non-control network. But you probably wouldn't know how to get started with controlling anything unless you had prior industry experience.

      If you have prior industry experience, companies are practically falling over themselves to give you a 6 figure paycheck so illegal activities aren't that appealing.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
    2. Re:How do you get a SCADA system to test? by mrbcs · · Score: 2
      Vestas VOB scada to run windmills has a $6000. dongle.

      Our network just got moved off the internet. It had some advantages, but legally I think we're now obligated to protect the scada systems as much as we can. The cardlock doors are coming next month

      --
      I'm not anti-social, I'm anti-idiot.
    3. Re:How do you get a SCADA system to test? by dj245 · · Score: 1

      $6000 for a dongle is pretty bad but arguably there is some special sauce or secret things inside the dongle. Any salesperson could concoct a convincing argument justifying it somehow. Until recently, our steam turbine controllers had a $400 backup battery for the memory. It was a 3.6v lithium AA-sized battery with a fancy connector soldered to both terminals and shrink wrapped. It became such a sore point that some more customer-oriented salespeople just pointed the customers to the correct digikey part.

      --
      Even those who arrange and design shrubberies are under considerable economic stress at this period in history.
  13. You can get read-only access by davidwr · · Score: 2

    If the Big Bosses want to know the status of their machines and run reports on that status 24/7, fine.

    Just have the equipment log to a write-only device that is in turn read by equipment the Big Bosses can access.

    There's still the very serious risk of highly sensitive data leaking out and being used against the company or its SCADA devices in a USB- or social-engineering-based attack, but at least the equipment that can kill people will not be directly write-able from the Internet.

    It's not SCADA, but back in the day I knew a corporate Unix sysadmin who had the console on a hardcopy teletype long after teletypes were out of fashion. He had it print a heartbeat every 15 minutes and the time at regular intervals. When the teletype was silent for too long or if the time was too old when he walked into the room, he knew the machine crashed and about when it crashed. This also told him when the computer lost power and when it came back up if there was a power failure.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
  14. Hours??!!! by Anonymous Coward · · Score: 1

    I DO work with those suckers, and let me tell you, they start spitting bugs at you just after the installer ends!

    1. Re:Hours??!!! by Anonymous Coward · · Score: 0

      I can say that this man definitely works with SCADA systems. I however don't, I work next to the team that does.

  15. To give you an impression _how_ bad it is by Casandro · · Score: 2

    Some of those systems are based on a technology called OPC. That's OLE for Process Control. Over the network it runs on DCOM. Of course unencrypted and usually without authentication because it's already hard enough to get it running somehow.
    Of course those are Windows-only solutions. And of course, those systems are often so complex and badly made that updates are next to impossible.

    There is currently no knowledge about security in those companies. They simply don't understand it. I've been in companies which had that problem, and believe me, it's very frustrating and fruitless to talk to such people. Their strategy simply seems to come up with the most breathtaking "arguments" to keep you silent. Common "arguments" are, "Windows 9x is secure as nobody writes malware for it anymore", or "NetBEUI is secure because it's not routable".

    What we need is a cultural change in SCADA implementations, but that's not easy to do.

    1. Re:To give you an impression _how_ bad it is by AmiMoJo · · Score: 1

      Those systems are supposed to be secured physically, not via software. They should have physical access restrictions, and never be connected to anything other than a dedicated network with no other devices on it.

      That is standard practice for all sorts of critical equipment. I used to write software for fire alarm systems, and the control panel was protected by a locked glass-fronted cabinet. If someone opened it they could turn on sprinklers, open vents, break stuff and generally make sure that if a fire started the system wouldn't work. What else are you going to do though? Fire fighters need access to the panel and if the key can't be found you need to be able to smash the glass.

      Even if a huge effort to secure these systems was made would you really want them connected to the internet? You can never be sure there are no bugs or undiscovered exploits.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    2. Re:To give you an impression _how_ bad it is by Casandro · · Score: 1

      Well yes of course. Those should never be connected to anything else, but...

      a) That software is often so bad/insecure it doesn't work reliably.
      b) Many software vendors in that area require you to have license keys... which come in the form of files.... which opens the USB attack vector.

      Physical security sounds like a good idea on paper, but then again it's of no use when you press the "brake" button and the system simply will not respond within a second. As on the new ICE-3 designed by Siemens.

  16. Updates? by Casandro · · Score: 1

    How do system updates or license updates work then?
    Keep in mind those systems often are Windows systems running huge amounts of software on them like SQL-servers or .net frameworks. And the software often has 1990s style licensing systems running which might need regular license keys to stay up to date. This was apparently the most common infection vector for Stuxnet.

    Todays SCADA systems are less and less designed to allow for that. Another obvious point would be that those systems need to boot from read-only memory. Sounds trivial yes, but just try that with Windows.

  17. Some explanations by Casandro · · Score: 1

    OK, unfortunately the video is not really informative.
    Remote execution means that the attacker was able to tell the other system to run commands. One common method (stack overflow) works like this:
    (In C) you have a local variable, for example to hold a string. Imagine it's 10 characters long, and you want to write 20 characters into it. It's obvious that you overwrite something. Since local variables are on the stack, you overwrite parts of it. The stack also stores the return address of the function call. If you overwrite this, you can make the function "jump back" to wherever you want... even to the string you just gave it. So instead of the function returning to the main program, it executes the machine code you gave it in your string.
    The standard article on this is:
    http://phrack.org/issues.html?issue=49&id=14#article

    Sometimes particularly badly designed systems will even just take a command and execute it, but that is rare.

    Heap Spraying is to get strings into the memory, for example to be executed by the stack overflow method. It's useful since on some systems the simple method doesn't work.

    Arbitrary File Download means that the attacker was somehow able to tell the victim to arbitrarily download a file. This can be used to overwrite files (e.g. the screensaver, or configuration files) or to make life easier for the attacker.

    Session hijacking means that you can take over a session, for example of a logged in user. So you are able to impersonate the logged in user.

  18. Home Pregnancy Tes by healthandmedication · · Score: -1

    Home Pregnancy Test http://goo.gl/DJx0v Home pregnancy test, If you think you are pregnant, you may want to test yourself at home with a home pregnancy test. Home pregnancy tests have been most women's first choice to confirm their suspicion they might be pregnant.

  19. How to derail a thread .. by Anonymous Coward · · Score: 0

    There does seem to be a concerted effort here to derail the thread, a prime example being the above and similar comments.

  20. SCADA and the Blackout by dgharmon · · Score: 1

    Microsoft Windows SQL virus takes down SPDS safety system in Nuclear power plant

    Blaster worm linked to severity of blackout

    Engineers Befuddled by Blackout

    --
    AccountKiller
  21. Me too... by Anonymous Coward · · Score: 0

    I found half a dozen in the GE product this year, in a few hours also. The same bugs were present in an old version and the new release, so I'd suggest their SDLC is flawed and they are in no hurry to fix security problems.

    Shoddy.

  22. This is news? by undefinedreference · · Score: 1

    16 years ago I worked on/developed industrial control systems and the fact this industry hasn't moved anywhere on the security front is not surprising. At the time development was still 1970s-80s style, save the punch cards. Most of the software developers had never learned structured programming and would still argue against it a solid decade after their mainstream ilk gave up the fight. Their code style was pure 70s at best and pure chaos at worst when written by the EEs. The newest code was all written in a language that I thought was already in the dustbin of history 5 years before I got there. Network security was completely foreign to everyone there.

    The equipment was extraordinarily-buggy on top of our highly-questionable software. I remember numerous long nights isolating and writing workarounds for bugs or code that defended them from the user. These black boxes were all selected by either EEs for electrical characteristics, MEs for physical mounting/environmental characteristics, or some combination of the two. Their prices were high and therefore they gained a strange aura among non-programmers for being infallable objects with exceptional engineering.

    The funny thing is the last time I heard from a contact there my software was still in use cooking up parts and the company was still selling injectors using the same crappy DOS-based interfaces we had back then. Mind-boggling. Today I can hardly fathom software that remains unchanged for even a couple years due to the pace of change on the internet.