Slashdot Mirror

← Back to Stories (view on slashdot.org)

Bugs In SCADA Software Leave 7,600 Factories Vulnerable

Posted by timothy on from the about-that-skeleton-key dept.

mspohr (589790) writes with this news from the BBC: "The discovery of bugs in software used to run oil rigs, refineries and power plants has prompted a global push to patch the widely used control system. The bugs were found by security researchers and, if exploited, could give attackers remote access to control systems for the installations. The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs. About 7,600 plants around the world are using the vulnerable software. 'We went from zero to total compromise,' said Juan Vazquez, a researcher at security firm Rapid7 who, with colleague Julian Diaz, found several holes in Yokogawa's Centum CS 3000 software which was first released to run on Windows 98 to monitor and control machinery in many large industrial installations. The researchers also explored other SCADA software: 'We ended up finding over 1,000 bugs in 100 days.'" The vulnerabilities reported are in Yokogawa's Centum CS 300 industrial control software.

15 of 70 comments (clear)

  1. They all use WIndows 7 anyway by Billly+Gates · · Score: 4, Interesting

    It is a good thing they all use Windows 7 with updates turned by default and are all disconnected from the internet. With a good understanding management mixed in who care about this more than their reports from IE 6 this is not a problem.

    --
    http://saveie6.com/
    1. Re:They all use WIndows 7 anyway by davester666 · · Score: 3, Insightful

      I believe at this point in time, researchers should only shout out about their vulnerability testing of SCADA software if they DON'T find buckets of basic, serious flaws.

      At this point in time, it's like shooting fish in a barrel. Every company with their SCADA system connected to the internet should get daily fines of a percentage of their worldwide revenue.

      --
      Sleep your way to a whiter smile...date a dentist!
    2. Re:They all use WIndows 7 anyway by symbolset · · Score: 2

      It is thinking like this that fuels my insomnia.

      --
      Help stamp out iliturcy.
    3. Re:They all use WIndows 7 anyway by invictusvoyd · · Score: 2

      We ended up finding over 1,000 bugs in 100 days.'"

      For say $10 per bug, that $100 a day :) . Wow wondoze is profitable for everyone! yay!

    4. Re:They all use WIndows 7 anyway by l0n3s0m3phr34k · · Score: 2

      SUS server that it gets updates from?

    5. Re:They all use WIndows 7 anyway by __aaqvdr516 · · Score: 2

      The bugs are in the Centum CS 3000 software that controls the SCADA system, not Windows.

      When these systems were first being introduced, there were multiple competing standards on design and everything was proprietary. That model hasn't really changed. Some manufacturers, like ABB, do offer an upgrade path to transition from an older model to a newer model. If you wanted to transition from one manufacturer to another though, you're SOL. So, if you bought into a system that is now defunct, you'll have to reprogram your entire process from scratch. If the toolsets are different (and they will be, it was all proprietary) then you're going to have a bad time. That's why ancient systems are still running, bugs and all.

  2. Factories are vulnerable. by Anonymous Coward · · Score: 2, Insightful

    Why did you need factories with direct connections to the internet anyway? Seems like an easy way to have shit go bad to worse.

  3. Incompetent programming in a bad language by Animats · · Score: 4, Insightful

    The code:

    for ( i = 0; v3 != '\n'; ++v2) // Dangerous loop, copying data to a stack buffer, until an end of line is found
    { if ( v3 == '\r' ) break;
    *(_BYTE *)(i + a1) = v3; // Byte copy to the stack, without having destination size into account.
    v3 = *(_BYTE *)(v2 + 1);
    ++i;
    }

    The company that let that code out the door should be sued for gross negligence, and managers fired. That's not the only example; they failed to do basic checks at least three times. This isn't a subtle bug. This is failing C Programming 101.

    (Several times, I've tried to convince the C standards committee to put a "strict mode" in the language and move towards a form of C that's resistant to buffer overflow problems. Maybe I should try again.)

    C - now with over thirty years of buffer overflows.

    1. Re:Incompetent programming in a bad language by AmiMoJo · · Score: 4, Informative

      That looks like library code that the compiler generated. Maybe some kind of strcpy variant. As I'm sure you are aware strcpy does not check buffer sizes, but without knowing the context it is used in it is hard to say how bad this problem is.

      What you have to keep in mind is that this software was written for Windows 98. Windows 98 doesn't even have filesystem permissions or any real user segregation. There is no firewall by default. Chances are it would be running on some industrial equipment anyway, not connected to an external network. Yes, it uses UDP, but that is actually quite a common technique for processes on the same machine to communicate, or devices within a single piece of industrial equipment. We don't have enough context to know.

      I write software for embedded systems. I'm talking microcontrollers, not Windows based. The products I make are complex, but have very few computing resources because they have to run for 10 years on a couple of AA batteries. 16k ram is a luxury. I know that if someone decided to hack one they could do, easily. No through incompetence, through a deliberate decision not to compromise other aspects for extra security. Yeah, we could set up encryption keys on the comms protocol, but then we would need to get the minimum wage morons who deploy these things to understand how to install and use them. We have enough problems already. And no, we can't employ better people, our customers are the ones doing the deployment. They demand features like being able to send a completely unauthenticated text message from a standard phone to a device installed somewhere and have it execute those commands.

      So I imagine in this case it is a closed system, never designed to be connected to a network where it could be attacked with malformed UTP packets. The system has been tested and found to be stable because it never generates such packets itself. The real morons are the ones who tried to network it, presumably against Yokogawa's recommendations.

      This is commercial reality. Just like your car has a massive vulnerability where the passenger can reach over and yank the wheel and cause an accident the manufacturer probably figured that people ignoring their recommendations wasn't their problem.

      --
      const int one = 65536; (Silvermoon, Texture.cs)
      SJW, n: "Someone I don't like, and by the way I'm a fuckwit" - AC
  4. "Low Skill" by Tablizer · · Score: 2

    The U.S. Department of Homeland Security said an attacker with 'low skill' would be able to exploit the bugs.

    "That's okay, only high-skilled hackers are interested in our operations." - PHB

    --
    Table-ized A.I.
  5. "IBM PC/AT compatibles" should be warning enough by Trax3001BBS · · Score: 2

    "IBM PC/AT compatibles" being an old term for a PC

    "The Human Machine Interface (HMI) of CENTUM CS 3000 is general-purpose PCs (IBM PC/AT compatibles), running Windows 2000 and Windows XP. Windows 2000 and Windows XP have superb networking functions, and OPC for interfacing with supervisory computers are standard – so supervisory computers can easily access the process, and you can optimize your company at the enterprise level. In addition to OPC for communicating between PCs, we can also provide communication with UNIX machines and the like."

    XP has Data Execution Prevention (DEP), WK2 doesn't, every exploit listed was a buffer overflow; which DEP is there to prevent. http://en.wikipedia.org/wiki/D...

    "CENTUM CS 3000 is a key part of most of Yokogawa’s Enterprise Technology Solutions, and features:
        Open environment for optimizing the whole enterprise,"

    An open environment; which the most ardent supporters for non-proprietary software/hardware have to admit is an entry point for ones exploits, when used with a software interface of WK2, and now XP; (Win98 is never mentioned)

    HOSTS file prevent me viewing the first link but the above is good reason to of checked out the hardware.

    cite: CENTUM CS 3000 Integrated Production Control System System Overview
    http://cdn2.us.yokogawa.com/TI...

  6. Bugs.... by Lumpy · · Score: 2

    I am surprised when I find that SCADA software works properly. Bugs are expected.

    Craptastic SCADA suites like WonderWare are so poorly written and horribly implemented that they barely run. Then you have plant managers that are so stupid they dont understand that you NEVER run anything but the SCADA on the computers, but instead install other software and have them all on the company LAN with internet access...

    They deserve the problems they have, because if the SCADA systems were designed right, and managers and business owners were hit in the face with a sack of nickles when they ask for stupid security rick crap, the bugs would not be a problem as there would be a frontline security defense in place.

    --
    Do not look at laser with remaining good eye.
  7. Re:Oh! I Say! Shocking ! by Lumpy · · Score: 3, Interesting

    SCADA systems NEVER EVER get connected to the internet, not ones that are properly installed by competent engineers.

    --
    Do not look at laser with remaining good eye.
  8. Re:Oh! I Say! Shocking ! by Hamsterdan · · Score: 4, Informative

    "not ones that are properly installed by competent engineers."

    Depends how management (bean counters, PHBs and MBAs) listens to said engineer. You'd be surprised what stupid (and not even cost-cutting in the long term) decisions companies will make to save a dime tomorrow. The biggest Telco in Canada used (not so long ago) to deploy its wireless routers with only WEP and *NO* admin password on the device, even if WEP was broken about 10 years ago.

    It's not like they don't have any competent tech people, but having worked there, yes, that's the kind of stupid decisions management will take.

    --
    I've got better things to do tonight than die.
  9. Re:Oh! I Say! Shocking ! by Mousit · · Score: 2

    If only. Come be a utility in Texas, where ERCOT (the state-wide electric utility authority) seriously considered making their push notification system be Internet-only. As in, you HAD to connect your SCADA system to the Internet (even if through an intermediary server in a DMZ) to be able to receive the (required, if you wanted to be licensed and in business) control signals from ERCOT. Thankfully, for once, the backlash was so bad ERCOT actually listened to it and backed off that plan. That's exceedingly rare.

    Or backed off kinda-sorta anyway. They still have a dual setup, you can receive either via Internet or via private frame-relay between ERCOT's site and yours. We of course opted for the latter, heavily secured and sanitized through multiple hops, but nonetheless that does still mean we have an external connection into our SCADA system, not air-gapped, though I will grant you it doesn't connect to the Internet at large (we hope; who knows what the fuck ERCOT does on their end). And we MUST have it, if we want to actually operate as a licensed utility in Texas. And Texas is FAR from alone in having this bureaucratically-created shit for operating requirements. These types of enforced setups are nationwide.

    That is the sad, stupid state of affairs we live in today.