Hackers Gain "Full Control" of Critical SCADA Systems

mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."

Re:These issues have been flagged for 10 years

[Billly+Gates]

These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.

MSOBKOW this is your boss.

What do you mean it is a security risk to put this on the internet? Everyone else has no problem doing this and I never heard of anyone being hacked. Like a billion dollar company would ever design such a thing when an internet connection is required to stay activated. Are you telling me that firewall you said we needed doesn't make is impenetrable?! Why can't you secure it? Do I need to hire someone who will?

DUH.

[Lumpy]

Almost ALL of us that have had to deal with SCADA knew this was possible. Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.

SCADA systems need to be airgapped completely from any network other than their own. Boo Hoo to the company that needs to buy a second set of computers for the employees to get email on. the SCADA computers are to be used ONLY for SCADA systems.

100% of the security failures lie at the feet of the managers of these facilities. Until we start beating them with sacks of doorknobs nothing will change. and yes, the SCADA infection via usb drives are the fault of management. allowing the use of USB or any other device that has not been secured and low level formatted before use on a known clean machine is the fault of management.

All USB ports should be disconnected or physically inaccessible via lock and key to users.

Re:These systems are a product liability nightmare

Updating breaks now with near certainty. Not updating breaks later with a lower probability. Easy choice,

Sad, but true.

Re:These systems are a product liability nightmare

[dkf]

There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".

The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between. The DMZ can be locked down hard and updated carefully, and it doesn't need to ever hold systems that need careful certifying as it should never be in the control loop; just out of band monitoring.

Re:These systems are a product liability nightmare

[cusco]

Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.