Slashdot Mirror

← Back to Stories (view on slashdot.org)

Hackers Gain "Full Control" of Critical SCADA Systems

Posted by samzenpus on from the protect-ya-neck dept.

mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."

6 of 195 comments (clear)

  1. i hope people with SCADA systems learned. by Gravis+Zero · · Score: 5, Informative

    do NOT connect SCADA systems to the internet.

    --
    Anons need not reply. Questions end with a question mark.
    1. Re: i hope people with SCADA systems learned. by ebno-10db · · Score: 4, Informative

      "Proper firewalling" is a pipe dream. ...Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance. And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

      I think some people used to "conventional" IT don't appreciate how unrealistic it is "properly configure" (in terms of security) every box on a SCADA network. A typical network consists of a plethora of different types of boxes, with different OS's (often just RTOS's, which are usually not that security conscious), and all sorts of configuration, testing and latency requirements that go beyond what's needed in normal IT. Think in terms of making sure that robot arm doesn't smash into anything after your latest security update. Also, these boxes aren't, and realistically can't be, monitored all the time by checking log files and so forth.

      A similar situation occurs in aircraft, including military aircraft. I assure people there aren't firewalls or other security provisions between various avionics boxes. The big concern is reliable, error free and low latency communications between boxes. It's bad news if an actuator/sensor for a flight control surface has trouble, or takes too long, to talk to the main fly-by-wire system. Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

      Want security? Don't connect to the Internet.

  2. Some of them expose to the internet via VNC... by M0HCN · · Score: 5, Informative

    At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....

    The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!

    Ahh the things you can do in reasonable time with a 100Gb/s of bandwidth, the rsulting slides at the closing event (which is where I ran across it) were very, very scary.

    SCADA on the internet is a really, really bad thing.

    73 M0HCN. :wq

  3. Re:These issues have been flagged for 10 years by Anonymous Coward · · Score: 5, Informative

    It's not about sympathy, it's about the effective destruction of our entire infrastructure without dropping a single bomb. The first sign that China or Russia is at war with us will be all our utilities and factories going dark. This is everyone's concern.

  4. Re:These systems are a product liability nightmare by cusco · · Score: 4, Informative

    The SCADA systems that I have worked with were for electrical generation and distribution and water/sewer systems, and they absolutely were air gapped. Crossing that bridge with a cable was an automatic firing offense, and yes, they canned a manager who thought that no one would notice. That utility covered an entire very large and highly-populated county and tied into the larger national electrical grid. I'll guarantee that most of the SCADA systems nationwide are air gapped, as it's required by FERC and can generate hefty fines if they're not.

    --
    "Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
  5. Re: These systems are a product liability nightmar by Anonymous Coward · · Score: 2, Informative

    My company helps critical infrastructure owners meet data sharing requirements with govt agencies. If you use certain industrial communication protocols that were established pre-internet you may be in luck. In particular, we have a unique connection that is one way, only allows the data you choose to share, and does not require any sharing of your network with the outside world or feds. To be precise, your network and the govt network come within feet of each other and our unique device creates a restricted "bridge" that only passes MB data over serial. Read only.