Thousands of SCADA Devices Discovered On the Open Internet
Trailrunner7 writes with news of the continuing poor state of security for industrial control systems. From the article: "Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That's mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It's not a pretty picture. The duo ... have with some help from the Department of Homeland Security (PDF) pared down an initial list of 500,000 devices to 7,200, many of which contain online login interfaces with little more than a default password standing between an attacker and potential havoc. DHS has done outreach to the affected asset owners, yet these tides turn slowly and progress has been slow in remedying many of those weaknesses. ...The pair found not only devices used for critical infrastructure such as energy, water and other utilities, but also SCADA devices for HVAC systems, building automation control systems, large mining trucks, traffic control systems, red-light cameras and even crematoriums."
Part of the problem is the engineers designing them. They don't understand the sandbox they're playing in. It isn't in their culture and they don't know that they should secure them much less how to. I'm starting to see organizations hire product security engineers now to try and institute this stuff into the products but they seem way behind the curve IMHO.
Two factors have caused this - one, the assumption that those with the knowledge to cause havoc have better things to do with their time, and two, the assumption by manufacturers that factory floor equipment will be physically separated from the public (and by implication, the Internet).
All the changes that have resulted in this situation are probably very recent (10 years), and are in situations where legacy networks and equipment have been bolstered by or re-connected with new stuff by young IT-types, not engineers, who probably had no idea all the industrial stuff wasn't secured!
This tagline was transcoded to result in at least one smirk. If you experience failure to smirk, please consult your Gen
I have worked for a large world wide organisation where SCADA and similar on-line systems are very prominent. After raising concerns and asking for ports to be locked down or default passwords to be changed, there was a lot of departmental fighting over whose responsibility it was, and usually after the battle royal of e-mails everyone would forget until the issue was brought up again.
Too much of a not broke don't fix attitude in smaller companies and bureaucracy in larger companies over responsibility.
Pay a couple more people to go through the list regularly and poke around, turn things on and off. Make it hotter on cold days and colder on hot days. Take pictures of cars running green lights, shut down all but one elevator, etc...
Just being mindful not to hurt anyone.
It'll soon be cheaper to fix the problem than to waste resources cleaning up the mess.
Hey guys, no worries, I went in and changed the passwords.
USA USA USA
---
ECHELON is a government program to find words like bomb, jihad, plutonium, assassinate, and anarchy.
I saw a gas station and one of the pumps there was in "maintenance mode" or something. Anyway, it wasn't working and on a little LCD display on its body there was an IP address. It wasn't a private IP so I noted it down and when I got to work I tried accessing it through HTTP. Well, what do you think? A nice web-based username+password interface popped up.
Now I ain't a hacker and I really didn't try anything, but I'm sure a skilled security professional would have hacked right through that interface. It's really amazing how many poorly secured interesting devices are out there.
...gis sdrawkcab (usually not responding to ACs; don't bother posting as AC)
Don't blame me, I'm just the guy that wrote the specification and the software.
- Management told me to remove security. Too much effort (what's a linter? Stop using it. Shorter passwords. Private network? Can't we just use a cable modem? "Fuzzing" ? Takes too long... turn it off)
- Management told me to remove encryption. Too hard to read and debug over-the-wire for the field tech, who might have to run a program and click a button to decode traffic. Or worse, move a jumper to "debug".
- Management had me source the cheapest possible components, and try to use software to recover from their faster and bizarre failures.
- Management had me install DHCP support into the SCADA devices, so it could be hooked onto the easiest possible network.
- Management had me unlock the cellular modem so it would connect to any tower.
- Management had me use public DNS in my SCADA system, because running our own would have cost an afternoon.
- Management had me write a 4 digit backdoor PIN into all hardware, that could not be turned off.
- Management had me specify, design, and write a remote firmware flash interface supporting and utilizing most of the above.
- Management had me write a remote reverse serial console proxy available by pointing your web browser at the right URL.
- Management had me use public rdate servers rather than pay for an accurate internal clock.
Look, I'm just a software engineer. I know a bit of hardware. I let people know when things are dangerous. I quote them times and estimates and costs.
I quote them expected failure rates.
They settle on the cheapest most disease-ridden stray cat they can find starving in a ditch and sell it as a liger. And your engineers somehow buy it.
Look, I may not know everything about securing them -- but most of these problems aren't caused by inept engineers, they're caused by management and sales cutting corners to buy their third porsche.
I'd *LOVE* to see a reverse bounty program. Sell the management induced bugs in your software to a company client for legal protection against lawsuit, and five years of contractual consulting rates to clean it up.
From the program in it, I guess it was a demo, not running anything.
I found it completely by accident by searching for the part number of one of the modules that happened to be in the chassis with the controller and the ethernet bridge. The ethernet bridge has its own web page which automatically displays the contents of the chassis, with links to the modules.
I added a controller-scoped tag to it called "ICanSeeYouFromTheInternet", and a tag description of "Please put your ENBT on a private network"
A couple days later it was gone.
"Reality is that which, when you stop believing in it, doesn't go away." - Philip K. Dick
For those not overly up to date on their acronyms: "SCADA (supervisory control and data acquisition) is a type of industrial control system (ICS). Industrial control systems are computer controlled systems that monitor and control industrial processes that exist in the physical world. SCADA systems historically distinguish themselves from other ICS systems by being large scale processes that can include multiple sites, and large distances." http://en.wikipedia.org/wiki/SCADA
Three Squirrels
As a SCADA/Integration guy, I can say that most controls engineers cringe at the thought of their networks being open to the internet. It's usually managers and bean counters who demand real-time global data reporting who drive this lunacy. It's not as simple as it appears.
Scruting the inscrutable for over 50 years.
My name is Jake Brodsky. I worked with Bob Radvanovsky and others to create this experiment.
The formal announcement of this project is here.
Nearly fifty percent of all graduates come from the bottom half of the class!
I worked as a Controls Engineer for 6 years designing, installing, and commissioning PLC / SCADA systems. The clients were anything from large steel mills, manufacturing plants, government, and even propulsion systems for naval vessels. My company was contracted to install these systems and sometimes train the customer's personnel to then handle problems or make additions to the control system if necessary.
The personnel were more often than not your normal plant electricians and if we were lucky an actual engineer, but usually not one with much IT ability. Today's controls systems almost always have a normal Ethernet network sometimes utilizing commercial OTS network switches. This is a big change from 10-15 years ago when the communication media was mostly proprietary for control networks.
When a problem arose I've seen these guys just unplug and plug in CAT5E cables wildly in the hopes of rectifying a problem that brought a process line or machine to a halt without much thought as to where the issue lies. Other times the plant manager will want to view the SCADA data from his office so he will instruct an employee to just bridge the control network to the business / office network.
It's really not the fault of the people designing the systems. In the end the company that owns it takes the blame. The vast majority of customers will not pay extra to have their employees trained on these systems and I've never seen one concerned with security. My company sent me to Certified Ethical Hacking training in order to try and make our systems more secure, but in the end the systems integrator's hands are tied.