Slashdot Mirror
Hackers Gain "Full Control" of Critical SCADA Systems
mask.of.sanity writes "Researchers have found holes in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems. They also identified more than 150 zero day vulnerabilities of varying degrees of severity affecting the control systems and some 60,000 industrial control system devices exposed to the public internet."
Comment removed based on user account deletion
do NOT connect SCADA systems to the internet.
Anons need not reply. Questions end with a question mark.
At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....
The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!
Ahh the things you can do in reasonable time with a 100Gb/s of bandwidth, the rsulting slides at the closing event (which is where I ran across it) were very, very scary.
SCADA on the internet is a really, really bad thing.
73 M0HCN. :wq
It's not about sympathy, it's about the effective destruction of our entire infrastructure without dropping a single bomb. The first sign that China or Russia is at war with us will be all our utilities and factories going dark. This is everyone's concern.
These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.
MSOBKOW this is your boss.
What do you mean it is a security risk to put this on the internet? Everyone else has no problem doing this and I never heard of anyone being hacked. Like a billion dollar company would ever design such a thing when an internet connection is required to stay activated. Are you telling me that firewall you said we needed doesn't make is impenetrable?! Why can't you secure it? Do I need to hire someone who will?
http://saveie6.com/
Indeed, thinking of the smart grid, you could probably get the grid down by issuing a command to sufficiently many household appliances to switch on at the very same time. Those will be even less protected than the power stations, because "who would want to attack my dishwasher?"
The Tao of math: The numbers you can count are not the real numbers.
Because actually it is really very operationally useful, and USEFUL in normal use trumps security EVERY SINGLE TIME.
Consider someting simple like a public building heating control system, this is probably a modest PLC from the usual suspects, now if I am the poor sap in charge of the building systems (Nightmare, been there, done that), and the thing alarms at say 2100 on my day off, I have a choice:
I can go in and clear the (often but not always) unimportant problem, takes me an hour to get there and I was on my way in to see a show when it went off, or I can log in over the internet from my phone, see that the problem is that the number two AHU intake filter is showing high backpressure, clear the alarm and make a mental note to replace the filter next time I am in.
Same thing if the office phone up wanting me to change the setpoint on the air in the art gallery because some conceptual art is made of butter and is tending to melt (I kid you not, really happened).
Remote access to these systems is USEFUL, and nobody considers security until it bites them.
Further plant engineers still think in terms of 'ladder logic' which is essentially logic consisting conceptually of relays and coils and the connections between them, they are not by and large networking folk, and plugging the plc into a port on the external side of the firewall makes everything work where plugging it in inside the firewall makes the remote control not work properly....
Regards, Dan.
Almost ALL of us that have had to deal with SCADA knew this was possible. Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.
SCADA systems need to be airgapped completely from any network other than their own. Boo Hoo to the company that needs to buy a second set of computers for the employees to get email on. the SCADA computers are to be used ONLY for SCADA systems.
100% of the security failures lie at the feet of the managers of these facilities. Until we start beating them with sacks of doorknobs nothing will change. and yes, the SCADA infection via usb drives are the fault of management. allowing the use of USB or any other device that has not been secured and low level formatted before use on a known clean machine is the fault of management.
All USB ports should be disconnected or physically inaccessible via lock and key to users.
Do not look at laser with remaining good eye.
It is trivial to make a "one way, unhackable" ethernet connection to export data to a unsafe network device.
you have a machine on the SCADA network with TWO network cards. One connects to another PC on the insecure network via an ethernet cable with ONLY the TX wires connected. no RX lines. set both to a static IP and then UDP broadcast your information from the secure PC to the insecure one.
There is no hacker or security expert on this planet that can hack that connection and gain access to the SCADA system. Unless they found a way around physics or can teleport things with their mind.
http://www.stearns.org/doc/one-way-ethernet-cable.html
The problem is most places refuse to hire educated IT staff with experience in security. They want low cost MCSE holders that can barely do their job at the lowest cost possible.
If updates to SCADA software are needed, "most are not in reality" you use write once media such as a DVD or BluRay created on a machine that has nothing to do with the SCADA system and based on an OS that is drastically different to further reduce the chances of homogenous OS infection vectors. If it's important, then the files are inspected byte by byte on a security computer designed to look for infections and injection. then after full and careful inspection you apply the updates.
THIS is how you run a critical system SCADA network. and 99% of them out there are not ran this way as the people in charge of it have zero education in security let alone networking and IT.
Do not look at laser with remaining good eye.
The problem isn't Windows (not sure if you are implying this or not). It's a convergence of factors which make patching systems a veritable nightmare in the process control systems.
1. The people who run the plant are trying to squeeze the maximum amount of yield from their plant. Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but these guys aren't listening to that.
2. These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry the cost of applying a single patch may run well into the millions of dollars because every change has to be meticulously audited.
3. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources.
4. There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it". No person involved in the industry wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce - untouched - for 20-30 years.
I have seen crazy things at plant floors. Control systems still running on Windows NT, operators sharing credentials, copying files from one system to another using thumb drives because the network does not allow files-haring.
Updating breaks now with near certainty. Not updating breaks later with a lower probability. Easy choice,
Sad, but true.
I ran a part of the process plant by hand during the commisioning phase for the last automation project I was on. Working together with an operator I could barely keep up with one fifth of full capacity for four hours and we were both completely drained afterwards.
The complexity of modern process plants is mind-bogling to people who haven't seen them - and even when they've seen them they don't understand that all the valves, pumps, heat exchangers, etc., around them are doing a finely choregraphied balet behind the scenes. The manpower needed for running a process plant by hand is in the neighborhood of 10-20 times that of running an automated plant, and even then the throughput will be less and the quality of the resulting product lower.
There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".
The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between. The DMZ can be locked down hard and updated carefully, and it doesn't need to ever hold systems that need careful certifying as it should never be in the control loop; just out of band monitoring.
"Little does he know, but there is no 'I' in 'Idiot'!"
The people who run the plant are trying to squeeze the maximum amount of yield from their plant.
Very laudable. That's their job.
Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour.
That cost should have been factored into the financials from Day 1. It's usually omitted by managers and accountants because with it, their projections wouldn't look as good.
Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price.
Bear in mind that the cost of not upgrading may be the end of the company.
In Economics 1.0, business students get taught that the primary objective of the corporation is to make a profit. Most managers believe this. Wrong. The primary objective of the corporation is to assure continuance, even if that means a couple of years of losses from time to time.
Failing to recognise this is usually among the early symptoms of eventual failure.
Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin
The SCADA systems that I have worked with were for electrical generation and distribution and water/sewer systems, and they absolutely were air gapped. Crossing that bridge with a cable was an automatic firing offense, and yes, they canned a manager who thought that no one would notice. That utility covered an entire very large and highly-populated county and tied into the larger national electrical grid. I'll guarantee that most of the SCADA systems nationwide are air gapped, as it's required by FERC and can generate hefty fines if they're not.
"Think about how stupid the average person is. Now, realise that half of them are dumber than that." - George Carlin