Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours

Trailrunner7 writes "It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."


  1. Re:WTF is SCADA then? by stpere · · Score: 3, Informative

    Google is your friend, as usual. It's basically a system to monitor and control an industrial site/process remotely (power plant, utilities, etc..).

    http://en.wikipedia.org/wiki/SCADA

  2. When the light turns on... by PlusFiveTroll · · Score: 4, Interesting

    When the light turns on, the roaches scurry. SCADA has been ignored by infosec up till now. Many of these systems are old, or are new systems not designed any different than they were in the 80's or 90's. It's not hard to find low hanging fruit when you're the first person picking it. Give 'the system' a few years and it won't be any different than Linux and Windows bug hunting now.... once you convince everyone to upgrade, that is.

    1. Re:When the light turns on... by vlm · · Score: 4, Interesting

      Give 'the system' a few year

      I've been hearing anti-scada fud for about two decades and it never gets any better.

      I suppose as agitprop the early 1980s movie "wargames" is pretty good anti-scada. Or claims that Kevin Mitnick can whistle into a telephone thus launching nuclear missiles. There was a cheesy hollywood horror/action movie in the late 80s or 90s that could basically be subtitled "misterhouse grows into a skyscraper and has a tantrum killing everyone inside". I distinctly remember a 6-million dollar man or 6-million dollar woman (a late 1970s pseudo-scifi tv show) which had a nuclear power plant scada attack, with a friendly computer that donated a 7400 series TTL logic chip to repair the magic prosthesis that was LOL funny at the time. There is also at least one anti-scada james bond movie, probably 80s era but I can't remember the details. Oh and there was a cheesy 80s "hacking" TV kids show perhaps the "whiz kids" or something that also had an anti-scada plotline.

      There's about 50 zillion star trek episodes and movies which basically show a scada attack on a warship. Most notably when Kirk drops Khan's shields remotely and pretty much blows his ship up in ST2. But there's about 49 other examples.

      This would be a fun /. article... everybody troll the depths of your memory to build a timeline of anti-scada FUD.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
    2. Re:When the light turns on... by grantspassalan · · Score: 2

      Why does any control system have to be connected in such a way as to be accessible by some hacker in Russia or who knows where?

      --
      A sufficiently advanced simulation is indistinguishable from reality.
    3. Re:When the light turns on... by ArhcAngel · · Score: 3, Informative

      IF you plan to see Skyfall read no further.

      The current Bond is pretty much nothing but a SCADA horror story.

      --
      "A person is smart. People are dumb, panicky dangerous animals and you know it." - K
    4. Re:When the light turns on... by Beardo the Bearded · · Score: 3, Insightful

      At first I thought it was pretty silly but then I remembered that the Chinese government had such in-depth control of Nortel's systems that they could control the thermostats.

      So it's really only one step away from something that happened in real life.

      --
      ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
  3. segmentation by Anonymous Coward · · Score: 4, Insightful

    This is why SCADA needs to be built out separately from your data network.

    1. Re:segmentation by Anonymous Coward · · Score: 5, Insightful

      This is why SCADA needs to be built out separately from your data network.

      While that is indisputably a good idea, it does not cover all the bases. Disgruntled employees, industrial espionage, and state-sponsored sabotage (in the case of critical or defense industries) won't let a silly air gap stop them.

      As Iran learned at its peril.

    2. Re:segmentation by vlm · · Score: 3, Interesting

      False dilemma. One excellent security practice not being the sole practice necessary doesn't mean it's not an excellent security practice.

      I've never worked at a place without airgapped or at least tightly firewalled "IT" and "production"/"engineering" networks. I'm sure there exist places where the receptionist can install a toolbar or weatherbug on her windows PC and literally blow up the plant, but I've never personally seen or worked at one.

      --
      "Science flies us to the moon. Religion flies us into buildings." - Victor Stenger
  4. "Industrial Use" doesn't mean what you think by erroneus · · Score: 3, Interesting

    The industry uses what they use because that's what they use. Their standards are built on their expectations which are built on their experience. Long ago, computers were machines you didn't turn off. They were reliable and steady. People wrote software which adhered to that mindset. But then the PC industry came and every hobbyist became a programmer. That's when all hell broke loose. But that was fine because these were small systems and you just reboot and keep on with whatever you were doing. You were just one person. What did it matter? But the next thing you know "enterprise applications" are being built on a platform intended for single users... bringing with it a whole crapload of lax and shoddy standards.

    Now you know how we got where we are today.

    How do we get out? Linux is built under the same old school principles of reliability and stability so it tends to be able to run a lot longer than WinTel. But even that's showing signs of relaxing. And Apple? It had a reputation for not having problems... that was until people started to use it.

    So how do we get out? Obvious answer is to go back to what worked. But that's EXPENSIVE. No more "off the shelf solutions" with implied (though EULA denied) guarantees. No more OSes built from single-user, patched and hacked systems. AS/400 for mature systems and service standards come to mind. IT got cheaper with PCs and WinTel. But they also became 10,000 times more risky. People who spend money are constantly lied to by various parties and don't listen to their own IT people about what they should do.

    It's time to go back. It's time to go back.

    1. Re:"Industrial Use" doesn't mean what you think by mcl630 · · Score: 4, Insightful

      Nothing in your rant has anything to do with SCADA.

    2. Re:"Industrial Use" doesn't mean what you think by Crypto Gnome · · Score: 3, Insightful

      Unfortunately in this risk-vs-reward scenario there's a get-out-of-jail free card which we've ALL seen played fast-n-loose recently.

      If your industry is "too big to fail" the government will step in and throw money at the problem.

      So it's actually a financially viable proposition to invest in crappy workmanship, shoddy systems, and brain dead fundamentally unstable computing systems until A CRISIS LOOMS then wait for The Government to save your sorry ass.

      It's EXACTLY what the banking/finance industry recently did in the US.

      They KNEW perfectly well that what they did, while technically not illegal, was A REALLY REALLY BAD IDEA which *might* (possibly) not blow up in their faces, while making them insanely rich.

      If businesses are perfectly happy with suchlike RAMPANT STUPIDITY (er I mean UNCONTROLLED GREED) even before the Government had made their "too big to fail" bailout, how much more likely is such behaviour these days?

      Remember folks: if your screwup is BIG enough, there are NO CONSEQUENCES... ANY risk, no matter HOW insane, is worth it - as long as the scale of the potential disaster is large enough.

      --
      Visit CryptoGnome in his home.
    3. Re:"Industrial Use" doesn't mean what you think by erroneus · · Score: 2

      It has EVERYTHING to do with SCADA.

      http://accelconf.web.cern.ch/accelconf/ica99/papers/mc1i01.pdf

      See the paper above. In the first two pages it describes what SCADA is and what its architecture generally consists of. The most important statement is that while SCADA used to be based on other OSes, it is now primarily based on Windows though there is a Linux based SCADA vendor out there.

      My rant points out that in addition to evolving from a single user OS, Windows brings along with it unprofessional coding standards both within the OS and within the applications. This is "very unpopular speech" here on Slashdot, but the reality is what it is. There is a LOT of shoddy Windows software out there and it's all due to the culture which was built around DOS/Windows.

    4. Re:"Industrial Use" doesn't mean what you think by erroneus · · Score: 2

      Fuck you!!!!!

      You're right... but fuck you.

  5. firewalls! by pointyhat · · Score: 4, Informative

    Everyone knows about the holes, including the manufacturers. They're designed to operate on controlled, private networks. Every time someone gets hacked, they should go after the implementors, not the vendors, as they should factor security into their site designs. I'm not excusing the manufacturers, just people need to know this is engineering and not infosec - people buy black boxes which do stuff and that's all that matters to them.

    1. Re:firewalls! by tlhIngan · · Score: 5, Insightful

      Everyone knows about the holes, including the manufacturers. They're designed to operate on controlled, private networks. Every time someone gets hacked, they should go after the implementors, not the vendors, as they should factor security into their site designs. I'm not excusing the manufacturers, just people need to know this is engineering and not infosec - people buy black boxes which do stuff and that's all that matters to them.

      The problem is even airgapped networks can be broken into. See Stuxnet and Flame - they exploited several mechanisms to install themselves onto airgapped networks. It also went to show that even airgaps can be broken into if you don't need much in the way of return information - you just need to get onto the network, and not send data back out. Heck, the USAF had their UAV computers infected with a virus.

      The weakest part of an airgapped network is the maintenance thereof - add some new PLCs to the network? Well, they have to be configured to work with everything else, so someone has to plug something into it to configure it. And that something is unknown - it could be a technician's laptop, it could be a thumb drive, etc.

      The thing is, an airgapped network has to be maintained, and it's really hard to do so without at some point having to plug something in-between the gap. (For Stuxnet, it was a software update or other thing, for the USAF, it was... map updates). And at some point, data has to be transported across

      Heck, even the thumbdrive isn't invulnerable - it could for example be infected during manufacturing.

      In the end, all networks are interconnected. Some less so than others, but eventually they will have to be in some shape or form.

  6. Re:WTF is SCADA then? by RobbieCrash · · Score: 5, Funny

    Where's the lazy editing? It's not like this is the first SCADA story on /.. Are we going to start defining every non-everyday term in a summary?

    "Researchers have identified a hole (an overlooked security concern) in the TCP (Transmission Control Protocol a system of information transmission that aids in reliable data transfer) layer (a metaphorical layer in a sandwich of other layers each of which pertain to certain elements of the network stack (the combination of hardware (physical parts of a computer) and software (the computer code that resides on a computer's storage that makes up a computer program) that allow a computer to /talk/ to another computer over a network)) of Windows (a computer operating system (a complex computer program that coordinates and translates software requests into hardware actions))."

    --
    Keep on knockin'
    https://robbiecrash.me
  7. So I saw the video by OzPeter · · Score: 3, Interesting

    I tracked the video down to ReVuln - SCADA 0-day vulnerabilities

    Now can someone tell me what I saw? All I can see is video of some commands being typed into a command window in a older version of Windows, and lots of graphics (and funky music) saying exploit this and exploit that. How do I know that what they are claiming is what is shown on that video?

    Note that I am not doubting that SCADA systems are not secure, they've been my bread and butter for a long long time. I just want cold hard facts, not a presentation that looks like it is a sales pitch aimed at scaring SCADA manufacturers.

    --
    I am Slashdot. Are you Slashdot as well?
  8. Re:WTF is SCADA then? by Trepidity · · Score: 3, Funny

    Glad to see another Extraterrestrial Life researcher on Slashdot!

  9. You can get read-only access by davidwr · · Score: 2

    If the Big Bosses want to know the status of their machines and run reports on that status 24/7, fine.

    Just have the equipment log to a write-only device that is in turn read by equipment the Big Bosses can access.

    There's still the very serious risk of highly sensitive data leaking out and being used against the company or its SCADA devices in a USB- or social-engineering-based attack, but at least the equipment that can kill people will not be directly writable from the Internet.

    It's not SCADA, but back in the day I knew a corporate Unix sysadmin who had the console on a hardcopy teletype long after teletypes were out of fashion. He had it print a heartbeat every 15 minutes and the time at regular intervals. When the teletype was silent for too long or if the time was too old when he walked into the room, he knew the machine crashed and about when it crashed. This also told him when the computer lost power and when it came back up if there was a power failure.

    --
    Knowledge is how to play a game, intelligence is how to win, wisdom is knowing what game to play.
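    The stale-heartbeat check davidwr describes (a console that prints a timestamp every 15 minutes, so a long silence pins down roughly when the machine died or lost power) is easy to automate over a heartbeat log. The Python below is an added example, not code from davidwr's post or from any vendor named in this thread; the log format (one ISO timestamp per line) and the sample lines are constructed for illustration, and the one-minute tolerance for scheduler jitter is an assumed value.

```python
from datetime import datetime, timedelta

# Constructed sample heartbeat log: one timestamp per line, nominally every 15 minutes.
# The silence between 08:30 and 10:45 stands in for a crash; the garbled line is deliberate.
SAMPLE_LOG = """\
2012-11-26 08:00:00
2012-11-26 08:15:00
2012-11-26 08:30:00
2012-11-26 10:4?:00
2012-11-26 10:45:00
2012-11-26 11:00:00
"""

HEARTBEAT_INTERVAL = timedelta(minutes=15)   # how often the heartbeat is supposed to print
JITTER_TOLERANCE = timedelta(minutes=1)      # assumed slack before a late beat counts as silence


def parse_heartbeats(text):
    """Parse one timestamp per line; blank or malformed lines are skipped so that a
    garbled line can never be mistaken for proof the machine was alive."""
    stamps = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        try:
            stamps.append(datetime.strptime(line, "%Y-%m-%d %H:%M:%S"))
        except ValueError:
            continue
    return stamps


def find_outages(stamps, now, interval=HEARTBEAT_INTERVAL, tolerance=JITTER_TOLERANCE):
    """Return a list of (last_seen, next_seen) pairs for every silence longer than
    interval + tolerance. A silence that is still open at `now` is reported with
    next_seen = None. last_seen is the best estimate of when the machine went down."""
    stamps = sorted(stamps)
    limit = interval + tolerance
    outages = [(prev, nxt) for prev, nxt in zip(stamps, stamps[1:]) if nxt - prev > limit]
    if stamps and now - stamps[-1] > limit:
        outages.append((stamps[-1], None))
    return outages


def describe(outages):
    """Render outages as human-readable lines, one per silence."""
    lines = []
    for last_seen, next_seen in outages:
        if next_seen is None:
            lines.append(f"DOWN since {last_seen} (no heartbeat yet)")
        else:
            lines.append(f"outage: last beat {last_seen}, back at {next_seen} "
                         f"(silent {next_seen - last_seen})")
    return lines


if __name__ == "__main__":
    beats = parse_heartbeats(SAMPLE_LOG)
    for line in describe(find_outages(beats, now=datetime(2012, 11, 26, 12, 0))):
        print(line)
```

Because the check looks only at gaps between timestamps, it works equally well on a paper teletype transcript that has been typed in or on a syslog feed from a one-way (write-only from the equipment's side) logging path like the one the post recommends.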
  10. Re:How do you get a SCADA system to test? by mrbcs · · Score: 2

    Vestas VOB scada to run windmills has a $6000 dongle.

    Our network just got moved off the internet. It had some advantages, but legally I think we're now obligated to protect the scada systems as much as we can. The cardlock doors are coming next month.

    --
    I'm not anti-social, I'm anti-idiot.
  11. To give you an impression _how_ bad it is by Casandro · · Score: 2

    Some of those systems are based on a technology called OPC. That's OLE for Process Control. Over the network it runs on DCOM. Of course unencrypted and usually without authentication because it's already hard enough to get it running somehow.
    Of course those are Windows-only solutions. And of course, those systems are often so complex and badly made that updates are next to impossible.

    There is currently no knowledge about security in those companies. They simply don't understand it. I've been in companies which had that problem, and believe me, it's very frustrating and fruitless to talk to such people. Their strategy simply seems to come up with the most breathtaking "arguments" to keep you silent. Common "arguments" are, "Windows 9x is secure as nobody writes malware for it anymore", or "NetBEUI is secure because it's not routable".

    What we need is a cultural change in SCADA implementations, but that's not easy to do.