Slashdot Mirror
Hackers Gain "Full Control" of Critical SCADA Systems
mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."
Comment removed based on user account deletion
do NOT connect SCADA systems to the internet.
Anons need not reply. Questions end with a question mark.
These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.
I do not fail; I succeed at finding out what does not work.
At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....
The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!
Ahh the things you can do in reasonable time with a 100Gb/s of bandwidth, the rsulting slides at the closing event (which is where I ran across it) were very, very scary.
SCADA on the internet is a really, really bad thing.
73 M0HCN. :wq
SCADA systems are bad enough, but the push to "THE INTERNET OF EVERYTHING" should make it far more interesting for everyone.
I remember, far back in the late 1960s, when a popular DJ on a local radio station joked for everyone on a particular Interstate leading into the city to "CHANGE LANES". I was on that road and an amazing number of people did. With TIOE the cars can just do the lane change without having to tell the drivers to do it! Of course most of the drivers did make sure that the lane they were moving to had room for them. I doubt that will be the case next time.
These systems are the moral equivalent of leaving your door not just unlocked but ajar. It doesn't change the morality of anyone trespassing to steal or destroy, but it does make the owner much more culpable. We do not face a threat to our cyber-infrastructure, but rather have irresponsibly left the infrastructure unprotected, and should not be surprised that people of varying motives might take advantage.
We do not need a cyber-infrastructure police force, unless they're actually tiger teams who publicly shame the idiots who leave their systems unprotected...
could someone a lot wiser than me please explain why we need to connect everything and anything to the internet?
I expect the hackers are rubbing their hands with glee at the prospect of being able to hack all sorts of things. Imagine all the havoc they could cause by making all the freezers in a country suddenly defrost?
Frankly, I think this drive to connect everything is totally misguided.
I'd rather be riding my '63 Triumph T120.
Because actually it is really very operationally useful, and USEFUL in normal use trumps security EVERY SINGLE TIME.
Consider someting simple like a public building heating control system, this is probably a modest PLC from the usual suspects, now if I am the poor sap in charge of the building systems (Nightmare, been there, done that), and the thing alarms at say 2100 on my day off, I have a choice:
I can go in and clear the (often but not always) unimportant problem, takes me an hour to get there and I was on my way in to see a show when it went off, or I can log in over the internet from my phone, see that the problem is that the number two AHU intake filter is showing high backpressure, clear the alarm and make a mental note to replace the filter next time I am in.
Same thing if the office phone up wanting me to change the setpoint on the air in the art gallery because some conceptual art is made of butter and is tending to melt (I kid you not, really happened).
Remote access to these systems is USEFUL, and nobody considers security until it bites them.
Further plant engineers still think in terms of 'ladder logic' which is essentially logic consisting conceptually of relays and coils and the connections between them, they are not by and large networking folk, and plugging the plc into a port on the external side of the firewall makes everything work where plugging it in inside the firewall makes the remote control not work properly....
Regards, Dan.
The best thousand+ ton machinery I've seen, were running haskell code on the latest linux kernel. So cool and up to date.
In that case I wouldn't call it a zero day vulnerability, I would call it vulnerability due to incompetence.
Hack the systems and make them go down permanently by a hard disk low level format or corresponding. That would raise the security awareness more than a slashdot article.
Only case to have an unpatched server is when you are running it standalone with no possibility to install anything new on it without opening a padlock.
If builders built buildings the way programmers wrote programs, then the first woodpecker would destroy civilization.
Almost ALL of us that have had to deal with SCADA knew this was possible. Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.
SCADA systems need to be airgapped completely from any network other than their own. Boo Hoo to the company that needs to buy a second set of computers for the employees to get email on. the SCADA computers are to be used ONLY for SCADA systems.
100% of the security failures lie at the feet of the managers of these facilities. Until we start beating them with sacks of doorknobs nothing will change. and yes, the SCADA infection via usb drives are the fault of management. allowing the use of USB or any other device that has not been secured and low level formatted before use on a known clean machine is the fault of management.
All USB ports should be disconnected or physically inaccessible via lock and key to users.
Do not look at laser with remaining good eye.
Security/convinience tradeoff? You try explaining that to a building contractor sometime!
As to the interfacing, it depends, sometimes it is a direct link to the plc, sometimes the plc talks CAN or RS485 or such to a windows xp box which runs a web gateway... I personally think the first option is likely more secure, especially when the machine in the corner of the plant room is found by the local security guard to be a good place to browse porn sites and download videos on the night shift (It happened, and I bet we were not the first, I found out when we got a phone call from the ISP about something on our network abusing port 25 outbound).
Generally security is not mentioned in the contracts for the installation of this stuff, and is at best an afterthought by non specialist developers, the effectiveness of this is left as an excersize for the reader.
Note also that the support contract with the installer often specifies that no software is to be installed on the user control computer except by their engineers (Who might come out once a year and then forget to do it) and this includes updates for security fixes.
73 Dan.
Point taken, but I think the appropriate security/convenience tradeoff needs to be assessed for different situations. Messing up a building's HVAC is going to wreak a lot less havoc that messing up water, power or sewage systems
True. ALthough there might be some business reasons to do so. Imagine making your competitor's HVAC systems go down during important meetings, or in the dead of winter before a big deadline. ANd considering that we live in a country where American on American attacks are political gold: http://www.latimes.com/nation/la-na-christie-bully-20140111,0,3128420.story#axzz2qD3vqu1x
No, I think this is an untapped market of Screwing With Your Competition.
The shepherds did so well protecting the flock that the sheep no longer believed that wolves existed.
The problem isn't Windows (not sure if you are implying this or not). It's a convergence of factors which make patching systems a veritable nightmare in the process control systems.
1. The people who run the plant are trying to squeeze the maximum amount of yield from their plant. Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but these guys aren't listening to that.
2. These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry the cost of applying a single patch may run well into the millions of dollars because every change has to be meticulously audited.
3. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources.
4. There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it". No person involved in the industry wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce - untouched - for 20-30 years.
I have seen crazy things at plant floors. Control systems still running on Windows NT, operators sharing credentials, copying files from one system to another using thumb drives because the network does not allow files-haring.
Updating breaks now with near certainty. Not updating breaks later with a lower probability. Easy choice,
Sad, but true.
There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".
The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between. The DMZ can be locked down hard and updated carefully, and it doesn't need to ever hold systems that need careful certifying as it should never be in the control loop; just out of band monitoring.
"Little does he know, but there is no 'I' in 'Idiot'!"
The people who run the plant are trying to squeeze the maximum amount of yield from their plant.
Very laudable. That's their job.
Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour.
That cost should have been factored into the financials from Day 1. It's usually omitted by managers and accountants because with it, their projections wouldn't look as good.
Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price.
Bear in mind that the cost of not upgrading may be the end of the company.
In Economics 1.0, business students get taught that the primary objective of the corporation is to make a profit. Most managers believe this. Wrong. The primary objective of the corporation is to assure continuance, even if that means a couple of years of losses from time to time.
Failing to recognise this is usually among the early symptoms of eventual failure.
Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Most SCADA stuff is in the private sector.
Probably is! I worked for a company manufacturing hazardous area heaters, in oz, for the oil and gas industry and many places were still using very old systems. Sure, they worked, but it didn't look like they were designed with the idea of a remote attack in mind, as they generally predated the internet.
No. Very few SCADA systems for plants that do anything other minor local control are "air-gapped".
Most normal SCADA systems are part of a virtual network. And that's kind of the point. Small pumping stations, local control systems that none the less need to act as part of a larger system (think power grid) require some kind of network connection.
Just because it's not the corporate backbone doesn't mean it's not the internet.
The SCADA systems that I have worked with were for electrical generation and distribution and water/sewer systems, and they absolutely were air gapped. Crossing that bridge with a cable was an automatic firing offense, and yes, they canned a manager who thought that no one would notice. That utility covered an entire very large and highly-populated county and tied into the larger national electrical grid. I'll guarantee that most of the SCADA systems nationwide are air gapped, as it's required by FERC and can generate hefty fines if they're not.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
Not all SCADA systems can sit and hum away without any external influence control or set-points. Not all SCADA systems can be set up in a way that a technician can easily travel out and download logs or trends.
The SCADA systems I have worked with are absolutely connected to the "internet". I use inverted commas since it's not connected in a way that you can just fire up it's IP address and be all happy. VPNs, firewalls, and a connection to a specific machine in a specific network only. Why? It's a pumping station. It needs a remote start command and it also needs the ability to log any local issues trips, fire deluge activations etc and report them back.
Air-gapping is not the answer in many cases. This goes especially for hazardous materials plants where the legal requirement to keep offsite data of the process may be at odds with your desire to have a stand-alone airgapped system. Though if you have the money you can always run a cable. That's what our electrical industry does. If you're going to use a helicopter to pull 6, 12 or more HV cables you may as well drag a run of fibre along while you're at it.
Government regulations keep changing. The local hydro system here was so antiquated that they used simplex 1200 baud modem communication on the SCADA system. In modernizing, they initially had an isolated network, but the government wanted monitoring capabilities, since they have rules like no more than 1/2 inch of downstream water height variance (because natural rivers never fluctuate) and assorted other lunacy. I don't know which way the wind has blown with regulators lately, but it seemed to be a mess only exacerbated by federal dabbling.
vi? Who's that?
My company helps critical infrastructure owners meet data sharing requirements with govt agencies. If you use certain industrial communication protocols that were established pre-internet you may be in luck. In particular, we have a unique connection that is one way, only allows the data you choose to share, and does not require any sharing of your network with the outside world or feds. To be precise, your network and the govt network come within feet of each other and our unique device creates a restricted "bridge" that only passes MB data over serial. Read only.