Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugs In SCADA Software Leave 7,600 Factories Vulnerable

Posted by timothy on from the about-that-skeleton-key dept.

mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.

70 comments

  1. They all use WIndows 7 anyway by Billly+Gates · · Score: 4, Interesting

    It is a good thing they all use Windows 7 with updates turned by default and are all disconnected from the internet. With a good understanding management mixed in who care about this more than their reports from IE 6 this is not a problem.

    --
    http://saveie6.com/
    1. Re:They all use WIndows 7 anyway by davester666 · · Score: 3, Insightful

      I believe at this point in time, researchers should only shout out about their vulnerability testing of SCADA software if they DON'T find buckets of basic, serious flaws.

      At this point in time, it's like shooting fish in a barrel. Every company with their SCADA system connected to the internet should get daily fines of a percentage of their worldwide revenue.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:They all use WIndows 7 anyway by symbolset · · Score: 2

      It is thinking like this that fuels my insomnia.

      --
      Help stamp out iliturcy.
    3. Re:They all use WIndows 7 anyway by invictusvoyd · · Score: 2

      We ended up finding over 1,000 bugs in 100 days.'"

      For say $10 per bug, that $100 a day :) . Wow wondoze is profitable for everyone! yay!

    4. Re:They all use WIndows 7 anyway by Anonymous Coward · · Score: 0

      Updates turned on and disconnected from the Internet? Why are people modding up this nonsense?

    5. Re:They all use WIndows 7 anyway by louzer · · Score: 1

      You underestimate the power of software to jump airgaps. Imagine spreadsheets bringing down, everything.

      --
      Heroes die once, cowards live longer.
    6. Re:They all use WIndows 7 anyway by Anonymous Coward · · Score: 0

      Updates turned on and disconnected from the Internet? Why are people modding up this nonsense?

      It was modded as interesting by people who probably didn't get the joke. Personally, I find that paradox quite interesting, I'd like to know how it is made to work.

    7. Re:They all use WIndows 7 anyway by l0n3s0m3phr34k · · Score: 2

      SUS server that it gets updates from?

    8. Re:They all use WIndows 7 anyway by __aaqvdr516 · · Score: 2

      The bugs are in the Centum CS 3000 software that controls the SCADA system, not Windows.

      When these systems were first being introduced, there were multiple competing standards on design and everything was proprietary. That model hasn't really changed. Some manufacturers, like ABB, do offer an upgrade path to transition from an older model to a newer model. If you wanted to transition from one manufacturer to another though, you're SOL. So, if you bought into a system that is now defunct, you'll have to reprogram your entire process from scratch. If the toolsets are different (and they will be, it was all proprietary) then you're going to have a bad time. That's why ancient systems are still running, bugs and all.

    9. Re:They all use WIndows 7 anyway by Anonymous Coward · · Score: 0

      Connecting an industrial control system to a SUS server that is itself connected to the Internet adds one hop. It is not safe.

    10. Re:They all use WIndows 7 anyway by mspohr · · Score: 1

      And as STUXNET shows, it's trivially easy to compromise Windows (all versions) and thereby compromise the SCACA system.

      --
      I don't read your sig. Why are you reading mine?
  2. Yay! by DrPBacon · · Score: 1

    Who's hiring?

    --
    Spent All My Mod Points
    1. Re:Yay! by Anonymous Coward · · Score: 0

      Insurance companies. No, just kidding.

  3. "Windows" by Anonymous Coward · · Score: 0, Funny

    Well I stopped reading right there.

  4. Factories are vulnerable. by Anonymous Coward · · Score: 2, Insightful

    Why did you need factories with direct connections to the internet anyway? Seems like an easy way to have shit go bad to worse.

    1. Re:Factories are vulnerable. by Anonymous Coward · · Score: 0

      There is a need for the owners to control and monitor the plant remotely.

    2. Re:Factories are vulnerable. by Anonymous Coward · · Score: 0

      Well that's wrong. The owners should play golf while someone on-site controls and monitors the plant.

    3. Re:Factories are vulnerable. by l0n3s0m3phr34k · · Score: 1

      so Skynet can easily re-purpose them to make weapons to destroy us, why else?

    4. Re:Factories are vulnerable. by geogob · · Score: 1

      And why would you need internet for this?

    5. Re:Factories are vulnerable. by Anonymous Coward · · Score: 0

      Because the guy who maintains the software doesn't like to drive in at 3am to make a small change. (Really)

    6. Re:Factories are vulnerable. by hjf · · Score: 1

      Because this is 2014 and we don't use leased lines anymore.

    7. Re:Factories are vulnerable. by sjames · · Score: 1

      Give them a busybox. I doubt they'll know the difference.

    8. Re:Factories are vulnerable. by geogob · · Score: 1

      I beg to differ. For critical applications where down time costs millions, I would use a dedicated line. I'd even consider a dial-in modem interface rather than an Internet connexion. I'd even rethink remote monitoring. Is it really needed? But connecting critical applications to the Internet, especially when you have hardware requirering old OS verions that are full of holes and unsupported, is playing with fire.

    9. Re:Factories are vulnerable. by hjf · · Score: 1

      I'm talking about mobile.

      And I sincerely doubt there are "7600" (as the article states) "CRITICAL" applications. If you ever connect to the vulnerable ones, chances are they will be a small factory no one cares about.

      There is nothing wrong with remote MONITORING, as it happens to be just that: MONITORING. It's not about remotely controlling a process. It's about "the boss" seeing some dumb parameters (production counters). All logic should run in the PLC. Control sould be performed locally, through HMIs. You have to walk 150M inside the factory to set the oven's temp a little lower? Good. It's your job. The boss isn't interested in doing that from his phone.

  5. Incompetent programming in a bad language by Animats · · Score: 4, Insightful

    The code:

    for ( i = 0; v3 != '\n'; ++v2) // Dangerous loop, copying data to a stack buffer, until an end of line is found
    { if ( v3 == '\r' ) break;
    *(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without having destination size into account.
    v3 = *(_BYTE *)(v2 + 1);
    ++i;
    }

    The company that let that code out the door should be sued for gross negligence, and managers fired. That's not the only example; they failed to do basic checks at least three times. This isn't a subtle bug. This is failing C Programming 101.

    (Several times, I've tried to convince the C standards committee to put a "strict mode" in the language and move towards a form of C that's resistant to buffer overflow problems. Maybe I should try again.)

    C - now with over thirty years of buffer overflows.

    1. Re:Incompetent programming in a bad language by mean+pun · · Score: 1

      Nice idea that is long overdue, but perhaps a better way to get this accepted is to implement this in a real high-profile compiler such as llvm/clang.

      I'm afraid, however, that the Real Men Don't Need Bound Checks mentality that is prevalent among C programmers will be a big obstacle.

    2. Re:Incompetent programming in a bad language by Anonymous Coward · · Score: 0

      Hard to agree with this code today, but we don't know when it was written. Thirty years ago it might have seemed kosher.

    3. Re:Incompetent programming in a bad language by Animats · · Score: 1

      I'm afraid, however, that the Real Men Don't Need Bound Checks mentality that is prevalent among C programmers will be a big obstacle.

      I've run into that. Usually from second-rate programmers. Programmers who think that way should be put them on maintenance programming for a while. Have them debug program crashes in code written by others.

    4. Re:Incompetent programming in a bad language by Anonymous Coward · · Score: 0

      (Several times, I've tried to convince the C standards committee to put a "strict mode" [animats.com] in the language and move towards a form of C that's resistant to buffer overflow problems. Maybe I should try again.)

      Better yet, maybe you should try to understand why C holds the position it does and that your recommendation would not help it at all.

    5. Re:Incompetent programming in a bad language by AmiMoJo · · Score: 4, Informative

      That looks like library code that the compiler generated. Maybe some kind of strcpy variant. As I'm sure you are aware strcpy does not check buffer sizes, but without knowing the context it is used in it is hard to say how bad this problem is.

      What you have to keep in mind is that this software was written for Windows 98. Windows 98 doesn't even have filesystem permissions or any real user segregation. There is no firewall by default. Chances are it would be running on some industrial equipment anyway, not connected to an external network. Yes, it uses UDP, but that is actually quite a common technique for processes on the same machine to communicate, or devices within a single piece of industrial equipment. We don't have enough context to know.

      I write software for embedded systems. I'm talking microcontrollers, not Windows based. The products I make are complex, but have very few computing resources because they have to run for 10 years on a couple of AA batteries. 16k ram is a luxury. I know that if someone decided to hack one they could do, easily. No through incompetence, through a deliberate decision not to compromise other aspects for extra security. Yeah, we could set up encryption keys on the comms protocol, but then we would need to get the minimum wage morons who deploy these things to understand how to install and use them. We have enough problems already. And no, we can't employ better people, our customers are the ones doing the deployment. They demand features like being able to send a completely unauthenticated text message from a standard phone to a device installed somewhere and have it execute those commands.

      So I imagine in this case it is a closed system, never designed to be connected to a network where it could be attacked with malformed UTP packets. The system has been tested and found to be stable because it never generates such packets itself. The real morons are the ones who tried to network it, presumably against Yokogawa's recommendations.

      This is commercial reality. Just like your car has a massive vulnerability where the passenger can reach over and yank the wheel and cause an accident the manufacturer probably figured that people ignoring their recommendations wasn't their problem.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
    6. Re:Incompetent programming in a bad language by Hamsterdan · · Score: 1

      "but then we would need to get the minimum wage morons who deploy these things to understand how to install and use them. We have enough problems already. And no, we can't employ better people, our customers are the ones doing the deployment."

      So, the minimum wage morons *are* your customers?

      --
      I've got better things to do tonight than die.
    7. Re:Incompetent programming in a bad language by Anonymous Coward · · Score: 0

      What you have to keep in mind is that this software was written for Windows 98.

      It was originally written for Windows 98. Current versions run on XP.

    8. Re:Incompetent programming in a bad language by Anonymous Coward · · Score: 0

      software engineer that used to work in remote telemetry space confirms -- I wrote code that could not only run from a text message somebody composed on their motorola razr, but had a command that would let the RTUs rebroadcast and relay the command to their peers. *Our* slightly better than min wage techs wanted a command that would rebroadcast to all "local" company machines, including across clients...

      Crypto and authentication was not only removed from the spec, but we were instructed not to implement any form of it by management.

      The SCADA space is fucking terrifying.

    9. Re:Incompetent programming in a bad language by mspohr · · Score: 1

      As STUXNET has proven, you don't have to have a SCADA system connected to the Internet to get infected. STUXNET infected Windows machines which were used to program the SCADA system. Internet->Windows->SCADA. You only need to be connected once to get infected (kind of like STDs).

      --
      I don't read your sig. Why are you reading mine?
    10. Re:Incompetent programming in a bad language by Anonymous Coward · · Score: 0

      so fix all these issues and release a new model and sell it for 10 times as much for the non-morons

    11. Re:Incompetent programming in a bad language by Animats · · Score: 1

      That looks like library code that the compiler generated. Maybe some kind of strcpy variant.

      Read the analysis of the code. It's not. It is, however, decompiled assembly code; the people doing the analysis don't have access to the source.

      What you have to keep in mind is that this software was written for Windows 98.

      Irrelevant. This code is vulnerable on any OS that lets it get UDP packets.

      We don't have enough context to know.

      Read the actual vulnerability report. There's enough context there.

      The real morons are the ones who tried to network it, presumably against Yokogawa's recommendations.

      You have to assume today that if it has an Internet-accessable interface, an attacker will find a way to get to it from the public Internet. Because, in practice, attackers do.

  6. "Low Skill" by Tablizer · · Score: 2

    The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs.

    "That's okay, only high-skilled hackers are interested in our operations." - PHB

    --
    Table-ized A.I.
  7. Say HELLO to the Internet by Anonymous Coward · · Score: 0

    now that you have come out from under your rocks.

    By the way, we have security for you, at a price.

    KaChing!

  8. "IBM PC/AT compatibles" should be warning enough by Trax3001BBS · · Score: 2

    "IBM PC/AT compatibles" being an old term for a PC

    "The Human Machine Interface (HMI) of CENTUM CS 3000 is general-purpose PCs (IBM PC/AT compatibles), running Windows 2000 and Windows XP. Windows 2000 and Windows XP have superb networking functions, and OPC for interfacing with supervisory computers are standard – so supervisory computers can easily access the process, and you can optimize your company at the enterprise level. In addition to OPC for communicating between PCs, we can also provide communication with UNIX machines and the like."

    XP has Data Execution Prevention (DEP), WK2 doesn't, every exploit listed was a buffer overflow; which DEP is there to prevent. http://en.wikipedia.org/wiki/D...

    "CENTUM CS 3000 is a key part of most of Yokogawa’s Enterprise Technology Solutions, and features:
        Open environment for optimizing the whole enterprise,"

    An open environment; which the most ardent supporters for non-proprietary software/hardware have to admit is an entry point for ones exploits, when used with a software interface of WK2, and now XP; (Win98 is never mentioned)

    HOSTS file prevent me viewing the first link but the above is good reason to of checked out the hardware.

    cite: CENTUM CS 3000 Integrated Production Control System System Overview
    http://cdn2.us.yokogawa.com/TI...

  9. Oh! I Say! Shocking ! by golodh · · Score: 1, Funny
    I mean ... I had always understood that SCADA vulnerabilities were caused by amateurish system design (connecting SCADA systems to the Internet using cheapo consumer-grade routers, without precautions like stealth, VPN's, whitelist callbacks, etc.) and shoddy system management (factory default passwords, obvious passwords, dictionary passwords, no passwords).

    And now this! In some cases the actual software seems to have security holes too. Shocking, shocking, shocking!

    1. Re:Oh! I Say! Shocking ! by Lumpy · · Score: 3, Interesting

      SCADA systems NEVER EVER get connected to the internet, not ones that are properly installed by competent engineers.

      --
      Do not look at laser with remaining good eye.
    2. Re:Oh! I Say! Shocking ! by Hamsterdan · · Score: 4, Informative

      "not ones that are properly installed by competent engineers."

      Depends how management (bean counters, PHBs and MBAs) listens to said engineer. You'd be surprised what stupid (and not even cost-cutting in the long term) decisions companies will make to save a dime tomorrow. The biggest Telco in Canada used (not so long ago) to deploy its wireless routers with only WEP and *NO* admin password on the device, even if WEP was broken about 10 years ago.

      It's not like they don't have any competent tech people, but having worked there, yes, that's the kind of stupid decisions management will take.

      --
      I've got better things to do tonight than die.
    3. Re:Oh! I Say! Shocking ! by Anonymous Coward · · Score: 0

      Oh, the engineers didn't connect it...

      stupid managers, on the other hand, will.

    4. Re:Oh! I Say! Shocking ! by Anonymous Coward · · Score: 0

      AMEN. There are ways to establish a VPN type connection for sending alarms to maintenance people, in an outgoing manner, so you don't have a server sitting out there, waiting to get exploited.

    5. Re:Oh! I Say! Shocking ! by mspohr · · Score: 1

      I don't believe that Iran's SCADA systems were connected to the Internet but were infected anyway by a compromised Windows machine (Stuxnet) which was used to transfer the program to the SCADA system.
      From the Wikipedia STUXNET page: The reason for the discovery at this time is attributed to the virus accidentally spreading beyond its intended target (the Natanz plant) due to a programming error introduced in an update; this led to the worm spreading to an engineer's computer that had been connected to the centrifuges, and spreading further when the engineer returned home and connected his computer to the internet.

      --
      I don't read your sig. Why are you reading mine?
    6. Re:Oh! I Say! Shocking ! by Mousit · · Score: 2

      If only. Come be a utility in Texas, where ERCOT (the state-wide electric utility authority) seriously considered making their push notification system be Internet-only. As in, you HAD to connect your SCADA system to the Internet (even if through an intermediary server in a DMZ) to be able to receive the (required, if you wanted to be licensed and in business) control signals from ERCOT. Thankfully, for once, the backlash was so bad ERCOT actually listened to it and backed off that plan. That's exceedingly rare.

      Or backed off kinda-sorta anyway. They still have a dual setup, you can receive either via Internet or via private frame-relay between ERCOT's site and yours. We of course opted for the latter, heavily secured and sanitized through multiple hops, but nonetheless that does still mean we have an external connection into our SCADA system, not air-gapped, though I will grant you it doesn't connect to the Internet at large (we hope; who knows what the fuck ERCOT does on their end). And we MUST have it, if we want to actually operate as a licensed utility in Texas. And Texas is FAR from alone in having this bureaucratically-created shit for operating requirements. These types of enforced setups are nationwide.

      That is the sad, stupid state of affairs we live in today.

    7. Re:Oh! I Say! Shocking ! by Dare+nMc · · Score: 1

      >SCADA systems NEVER EVER get connected to the internet
      Easy for the clueless to say. But often not connecting a SCADA system (through a firewall) to the internet has more payoff than risk. Worked in a factory with 24 hour operations, having a competent engineer on staff at all times just isn't practical (good engineers don't like to work off shifts, just in case.) So when the meat of the operations go down costing $1000's a hour, allowing the system to be troubleshoot remotely without waiting for a hour drive in for the closest engineer, is more valuable than the risk of being targeted by a hacker who compromised a PC on the network.

  10. Some can some shouldn't by chuckugly · · Score: 1

    Some people can't be trusted with pointy tools and should only eat with a spoon, but I still want a knife and fork as well. Many people are capable. For the rest, they have Java.

    1. Re:Some can some shouldn't by DamonHD · · Score: 1

      Hmm, I prefer Java over C and assembler because although I can write highly stable and secure code in C/asm, the effort to sustain the required level of paranoia and navel-gazing is for most code better directed elsewhere to visible benefits. I write code that actually has respected security crazies and bank auditors telling me to lighten up a bit, yes really!, but I'm still perfectly capable of making a mistake.

      However, I'm inclined to think that whoever wilfully lets code out the door without appropriate bounds checking and incredible scrutiny of all input should face some kind of punishment.

      (I dislike C++ because it combines the traps of C/asm with some novel ones of its own, but fools programmers into thinking that they are in a safe programming environment... Yes, I did a lot of C++ design and coding in mission-critical applications too!)

      Rgds

      Damon

      --
      http://m.earth.org.uk/
    2. Re:Some can some shouldn't by sjames · · Score: 1

      Some operations are never the right answer, such as trusting input not to overrun the buffer.

  11. Hey don't worry, companies can police themselves. by Anonymous Coward · · Score: 0

    Catastrophic failure as an excuse to declare bankruptcy is MBA 101. Who coulda known!

  12. "first released to run on Windows 98" by jcr · · Score: 0

    Seems to me that if you care about securing your software, you shouldn't be deploying it on Windows in the first place.

    -jcr

    --
    The only title of honor that a tyrant can grant is "Enemy of the State."
    1. Re:"first released to run on Windows 98" by Anonymous Coward · · Score: 0

      That is so tired argument already.

    2. Re:"first released to run on Windows 98" by Anonymous Coward · · Score: 1

      If you were REALLY serious about security you would deploy your sofware on a banana, no one has ever hacked a banana before.
       
      That's how your argument sounds in 2014. It's easy for even the most novice users to maintain and run so its popular, if they started people on *NIX in grade school everybody would run *NIX and it would have 1000 new security exploits every month because it is the bigger target. Obscurity is not security.

    3. Re:"first released to run on Windows 98" by Anonymous Coward · · Score: 0

      Sorry - bananas have been hacked since nearly forever.

      One or two hacks with a machete and they come crashing down... unless someone catches them on the way. :)

    4. Re:"first released to run on Windows 98" by Anonymous Coward · · Score: 0

      I think their point is more anachronistic than anything to do with your point - which is also a fallacy.

      In 1998 people used windows and didn't really feel that badly about it. If they were ahead of the computing curve they used Sun or CGI or... VAX even, back then. Digital Unix. Are you really going to get a setup like that in 1998 for 1 mil $ when you can hook up a 2k$ computer with win98 for the same spiel?

      Oh yeah, linux goes back to 1991 or whatever. No one had heard of it until like 2000.

  13. Bugs.... by Lumpy · · Score: 2

    I am surprised when I find that SCADA software works properly. Bugs are expected.

    Craptastic SCADA suites like WonderWare are so poorly written and horribly implemented that they barely run. Then you have plant managers that are so stupid they dont understand that you NEVER run anything but the SCADA on the computers, but instead install other software and have them all on the company LAN with internet access...

    They deserve the problems they have, because if the SCADA systems were designed right, and managers and business owners were hit in the face with a sack of nickles when they ask for stupid security rick crap, the bugs would not be a problem as there would be a frontline security defense in place.

    --
    Do not look at laser with remaining good eye.
  14. Re:Minnowboard Max: Open-Source Computer from Inte by K.+S.+Kyosuke · · Score: 1

    Yes, but does it run SCADA?

    --
    Ezekiel 23:20
  15. Dumbasses by Runaway1956 · · Score: 1

    Boys and girls, SCADA IS A FRIGGING BUG!!

    Let's think about this for just a second or ten. I own a corporation that has produced products for a century or more. In the old days, people did EVERYTHING by hand. Then, along came the assembly line - making things easier and faster. Then came automation. At each stage, my corporation has been pretty secure. Then, along comes this newfangled internet thing. Every Tom, Dick, and Javier in the world can get on this internet thing, and play Hack-a-Day with any device they can possibly connect to.

    Suddenly, all the investors expect me to connect all my robots and crap to this INTERNET?!?!?! What are they, frigging CRAZY? They expect me to expose my hardware to this huge-ass Hack-a-Day game?

    No thanks. Those bugs for brains executives and investors who think this is a good idea are all security risks, and I need to boot their asses OUT!!

    --
    "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    1. Re:Dumbasses by hjf · · Score: 1

      You, sir, are an idiot.

      SCADA is a reporting tool. SCADA is for your manager. If your managers want access, you provide them with access. Because if you're not a fucking incompetent idiot, you can make a secure system that will let management see factory data in real time.

      But you're an idiot who just forwards the SCADA web access port to the internet with no password.

      The problem with industrial automation "vulnerabilities" is not SCADA, it's not software, it's not anything you're thinking of. The problem with it is that these programs are designed for MECHANICAL ENGINEERS. They're decided for the really clever people that come up with those amazing designs. Who happen to be a fucking LOT better than most slashdotters at it. They're not "geeks", they're not sitting down in a computer all day. They don't understand (and don't have to) how the internet works.

      I know this because I've been in both sides. I currently do some automation jobs (programming PLCs) and I don't know SHIT about mechanics (I didn't know that 3-phase motors could be wired different to work in different voltages, but that's something you learn in first year in TECHNICAL HIGH SCHOOL). But I can program a PLC, and connect the SCADA to the internet SAFELY.

      It's not about being a smug idiot, thinking everyone else is stupid, and management is wrong. That attitude won't get you far in life. It's about convincing management that there are different skill sets involved and it's dangerous to do what they are doing. And offer a solution.

    2. Re:Dumbasses by Runaway1956 · · Score: 1

      No, you, sir, have chosen not to understand. I am MOCKING every moron in the world who wants all that information to flow out over the intarwebs in real time. The "managers" at my plant choose passwords like "1234abcd". They think it's witty or something.

      The fact is, our nation worries itself sick about cyberattacks, when there is no need to worry.

      JUST DISCONNECT ALL THAT CRAP FROM THE WEB!!

      As for passwords, encryption, or any other security measures, recent events have pretty much demonstrated that the government works against all of our best interests. Do they really have backdoors into encryption methods, do they really have the source code to popular operating systems? Can they really waltz into your network, undetected, at will? And, if gubbermint can do it, why can't anyone else?

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    3. Re:Dumbasses by hjf · · Score: 1

      I just use VPN. Android and iPhone both can dial in. I even use it for my house CCTV. Give them a strong certificate, then let them have any dumb password they want when they are inside the LAN.

    4. Re:Dumbasses by Runaway1956 · · Score: 1

      And, what happens with a MIM? Someone spoofs a cell phone tower, and intercepts your communications. They get the strong certificate, and they are in. Wireless communications (radio) has been known to be inherently insecure by the armed forces since the days of the first radios.

      http://www.wired.com/2010/07/i...

      --
      "Windows is like the faint smell of piss in a subway: it's there, and there's nothing you can do about it." - Charlie Br
    5. Re:Dumbasses by hjf · · Score: 1

      It all comes down to what kind of facility you're working with.

      If it's a nuclear power plant, or a missile factory, then there is no need to "dial in". No employee should need to monitor anything remotely.

      If it's a small bread factory and you use SCADA to monitor the production line, who cares? No one is going to want to hack you so badly.

      Really, this is all a non-issue.

  16. Re:Minnowboard Max: Open-Source Computer from Inte by allaunjsilverfox2 · · Score: 1

    Yes, but does it run SCADA?

    It appears that openSCADA would. (http://openscada.org/downloads/)

    --
    Restore the madness of youth's lechery
  17. How many years are we going to see SCADA? by msobkow · · Score: 1

    Just how many years are we going to see postings/articles on how buggy and security-hole-ridden SCADA is?

    Near as I can recall, people have been bitching about this steaming pile of shit for over a decade.

    --
    I do not fail; I succeed at finding out what does not work.
  18. Scadais garbage because Scada is mostly Winbloze by Anonymous Coward · · Score: 0

    Scadais garbage because Scada is mostly Winbloze, the most defective process software ever conceived.

  19. executives will be shocked and outraged by asjk · · Score: 1

    My prediction is the executives of any compromised oil rigs, refineries and power plants will assure us they will not stop until they bring to light any shortcoming that caused any resultant catastrophe. They will go on to say that no one could have foreseen this happening and they are laser focused on keeping our infrastructure safe.