Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."

oh my!

[turkeydance]

default, and hardcoded, and authentication, Oh My!

Re:oh my!

[davester666]

I'm pretty sure this exact report was created 10 years ago, and has been republished every year since.

Is it just a way to steal more federal funding for these "studies"?

The install base is screwed, and nobody wants to spend any money to improve the situation. Profits over everything else.

Re:oh my!

D'oh!

Why didn't someone tell us this earlier?

[Jumunquo]

-- Iran nuclear program

Isn't this old news?

[tarball]

We've seen any numbers of articles over the last couple years concerning this subject. The only thing not often mentioned is lack of network monitoring, but given the rest of the foolishness going on I always figured that would be a given.

Re:Isn't this old news?

[houstonbofh]

It especially is to anyone in the industrial Ethernet market. The selection is just crap! And for the prices they charge, that is amazing! But because there is so little choice, they just rape everyone that comes by.

Re:Isn't this old news?

[gweihir]

It is very old news. And even when it was news, it was no surprise to experts. People need to see a catastrophe close enough that they get scared in order to invest into security. Because if they do not, they can get rich faster, or so they think...

Industrial network

[hunter44102]

I work in a multiple plant system with geographic separation. Each plant operates independently. But its the geniuses on top that believe we need to some day run all plants from one location. (They also want to be able to see all the plants from anywhere). So we can very secure by keeping each industrial network separated and completely disconnected from each other and the outside world, OR we can make all plants vulnerable by interconnecting them and allowing big shots to see the plant operation from their phone.

Re:Industrial network

[bobbied]

Follow the money.. Who pays the bills? Do what they say...

Seriously, keeping your factory's networks separate is a pretty simple firewall issue for someone competent to install and configure it. I'm not sure how this cell phone connection is going to work, but there ARE ways to make cell phones connect to you via VPN's that can be made to require usernames/passwords (not to mention specific devices) before you are allowed to connect. There are solutions out there to do what they ask, they just cost a little bit to acquire, install, and manage.

So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

Re:Industrial network

[Iamthecheese]

Uptime, heartbeats, and operational error codes can be transferred one-way and offer very little for an attacker to use. And the executives probably don't care whether the condenser is running security patch .0034 or .0036. So I'm thinking the real problem isn't sending out plant data but an unwillingness to invest in security in general.

Re:Industrial network

[Amouth]

Keep in mind there is a major difference between monitoring and controlling. To control/run you have to be able to provide input into the system. It is this input access which opens the door.

Re:Industrial network

[houstonbofh]

So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

They want easy, and cheap. That limits you slightly...

Re:Industrial network

[khasim]

IF the people in charge are asking for it, find and suggest a solution that can do it safely.

I'm with you so far.

If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

In my experience, any "solution" that you present will be understood to do everything that they wanted.

Even if you say that they cannot have X at $Y. They will give you $Y and then demand X.

When you cannot do so, a contractor will be brought in to set up a flawed implementation that will reduce your security BUT will provide X at a price point that you said could not be done.

Which is why we see this story pop up over and over and over again.

Re:Industrial network

[fredgiblet]

Problem is that the parent will be blamed for the security failure if it happens. At best he'll have to clean it up, at worst he'll be hung out to dry.

Re:Industrial network

And you get laid off as a cost cutting measure. Could not perform the task anyway, so no loss.

Re:Industrial network

[pnutjam]

I've configured this sort of system with pfsense, using old PC's or preferably an embedded system, like alix. Stay away from cheap stuff from the big vendors, it's junk. Stick with the Linux/BSD based stuff.

Re:Industrial network

[nnull]

So then make a firewall. If anyone tells me that's too expensive, they have no idea what they're talking about. The costs are miniscule even on existing systems to do it. A scissor or boom lift, tell the maintenance guy what to do, and you'll be done in a day for even a half a million sqft building. I have it in my own plant, it was trivial to do.

If you have a management that is fighting you for 2-4 thousand dollars of work at most, you have bigger problems to worry about.

Re:Industrial network

[bobbied]

That's why you present your "solution" before implementation and that includes documentation of the provisos and risks they are taking.

It may not save your job when the chips are down, but having a bit of hard documentation that you told them what the risks where and they choose not to spend the money to eliminate that risk is always a good thing. Besides, if they assume the risks, then fire the underling when a risk bites them, you really don't want to work for them anyway because it's just a matter of when they will fire you, not if.

Re:Industrial network

[bobbied]

If that's true, and many times it is, you are playing a loosing hand to start with. You work for people who don't care about you or value what you say and do and it's a BAD place for you.

Best thing to do if you work for people like this is start to plan your departure. Update your resume, get your online profiles updated and start looking at the employment ads. It might be a very good idea to start putting money away for the "rainy day" that's surely coming.

Maybe YOU can be that consultant they hire over your replacement's objections. Charge them lots, collect in advance, and laugh all the way to the bank...

Re:Industrial network

[bobbied]

So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

They want easy, and cheap. That limits you slightly...

Understood, but the POINT of this little exercise is to educate the people asking about the true costs and risks they are assuming before you implement anything. Responsible bosses appreciate this kind of iterative process that allows them to choose their level of risk and cost, and if you are dealing with irresponsible bosses who will come back and blame you for failure at a later date, you are going to need the CYA documentation that shows THEY agreed to this and you already told them of the risk.

If they don't accept the CYA documentation, then you work for bad people and should be moving on anyway...

Re:Industrial network

For visibility use one or more levels of hardened bastion hosts with simple read-only interfaces. For control from one location, use a couple of nested VPNs.
The problem is not just what you do, it's how you do it. We all saw how Stuxnet pwned "segregated" industrial networks.

Obligatory "why" post

[mattventura]

Every time some industrial networking vulnerability gets posted, people ask: "why are these connected to the internet to begin with?", so I'll get it out of the way: Why are these connected to the internet again? If you do need some sort of external access to them, it should be through some sort of application-level gateway so that access can be carefully controlled.

Re:Obligatory "why" post

[houstonbofh]

So the pointy haired boss can check the stats he does not understand with his smart phone to show other pointy haired bosses.

Re:Obligatory "why" post

So you can sync your network to nist time servers

Buy your own fucking timing source. I guarantee it's pennies by comparison to the overall cost of the systems needing it.

NIST might be a good source, but timing is timing, and doesn't take a room full of scientists and 3 billion dollars to implement.

Re:Obligatory "why" post

[l0n3s0m3phr34k]

my firewall can sync to NTP, and then the DC syncs to the firewall.

Re:Obligatory "why" post

giving you strata 5, plus or minus 10 seconds. duh. may not be good enough.

anyways these days one can build a strata-1 NTP server from GPS and run it on the internal network.

Re:Obligatory "why" post

giving you strata 5, plus or minus 10 seconds. duh. may not be good enough.

First of all it's "stratum" not "strata".

Second, adding one layer between add's exactly one stratum, no less and no more.

Most public time sources (GPS/PPS/...) are between 1-3 and thus claim jumping to stratum 10 with single firewall, let's call it bollocks.

Here's a good short explanation how it works.

anyways these days one can build a strata-1 NTP server from GPS and run it on the internal network.

Building just one doesn't make sense if you take that option. Rule of thumb is that whenever you need local NTP servers, you also need to have 2-3 to provide you enough redundancy and make other important arrangements trying to make sure no single point failure would render them all unusable.

Playing* with GPS's devices isn't usually needed, unless you are in some special area of business which needs very accurate time (astronomy, telecoms, stocks-echange, ...).

Good working option is usually having 3 internal ntp servers, each syncing trough firewall (server mode) from internet national time base provider and perhaps or if not avail public ntp pool could work for many too. Then rest those three internal servers provide time for all other internal servers and workstations etc. and DHCP and other management solutions (satellite etc.) provision configuration for clients & servers company wide.

*) most who bring up that they have a GPS/PPS or the like time source have it for pure geek value, nothing more. I've had it too at home for a decade but retired it couple of years ago, on duty i've built and run time sources and ntp-services for decades (among many other things) for a very large university and couple of years nation wide telecoms for tens of millions people at time.

Ordinary office environments (AD, *nix file shares & kerberos) are happy anything with +/-5 sec, the router/firewall proposed above is good enough for that.

Re:Obligatory "why" post

Ordinary office environments (AD, *nix file shares & kerberos) are happy anything with +/-5 sec, the router/firewall proposed above is good enough for that.

Corection, kerberos & nfs difference between client and server generally should not be more than 5 seconds, so above should be +/-2.5 second. Should have read better before I posted above. The router/firewall/couple of internal ntp servers syncing from outside sources (stratum 1-2), you easily get time accuracy within 1 second. Ergo, no need for local GPS device that case.

Re:Obligatory "why" post

[thegarbz]

See comment on application level gateway. I work at a plant where we have access remotely, but no our control system is not connected to the internet. There's layers of VPN, firewalls, and even at the lowest level the final application is a single program served up via citrix.

Re:Obligatory "why" post

[thegarbz]

Why? Just use a GPS disciplined NTP server locally.

Re:Obligatory "why" post

[AHuxley]

So one cheap engineer can watch diverse networks rather than a vast unionized on site workforce per shift, every shift.
In the past low skilled staff would have to be in place, drive to or be on site 24/7.
The cost savings add up for the brand but the quality of the network installed expected correct commands on a private network not a network open to the world.
Years later all the limited networks open to the "net" per nation have been transversed and studied by a long list of people and other nations.
The "why" was to get costs down and remove staff while staying compliant with less on site experts.
It works but for the "internet" been allowed in as part of the trusted network.

Re:Obligatory "why" post

[tlambert]

Corection, kerberos & nfs difference between client and server generally should not be more than 5 seconds, so above should be +/-2.5 second.

That's a protocol design bug.

Specifically, there's actually no reason that protocol traffic wouldn't include a "this is my idea of the current time" in the requests and responses so that delta times could be locally calculated from the packet contents on the receiving end. This would work, no problem, for a protocol like NFS.

Kerberos is more of an issue, but since all parties have to trust the ticket granting system as the trusted third party -- so you might a well trust their timestamp as well, since you've already established a trust chain dependency on the third party. You mode the protocol to send the timestamp within the security association, and you are golden (regardless of whether you are running an adjusted or monotonic clock).

This is how DCE RPC handles byte order: receiver translates to local byte order -- if the byte order is different. If it's not, then there's no need for translation, and it saves CPU on both ends of the connection. Receiver translates to a delta time from which the timestamps are derived, and timesync is no longer a problem.

Who knew?

[Ol+Olsoc]

I think this was even brought up in a hotels.com ad by Captain Obvious.

It's not "industrial," ...

[CaptainDork]

... it's everything.

Security will continue to be a low priority until we assign blame and litigate.

Re:It's not "industrial," ...

[houstonbofh]

You obviously have not seen industrial switches. They make 2wire like like a paragon of security!

Re:It's not "industrial," ...

[CaptainDork]

I'm in the fucking business, so punt.

Re:It's not "industrial," ...

I'm in the fucking business

We welcome all kinds on Slashdot, even porn stars and prostitutes.

Robotic Surgeons?

[PopeRatzo]

Does it make anyone else uncomfortable that this story about industrial networks being vulnerable to cyberattacks follows immediately after a story about robotic surgeons?

Re:Robotic Surgeons?

[FrozenGeek]

Not really. If you look at the likelihood of being in surgery when the network goes down, or the surgeon gets hacked, it's pretty much negligible. What does disturb me is the fact that major hacks are frequently reported as are gross vulnerabilities yet nothing seems to get done. -- linquendum tondere

Re:Robotic Surgeons?

[houstonbofh]

Not really. If you look at the likelihood of being in surgery when the network goes down, or the surgeon gets hacked, it's pretty much negligible.

Not for that one unlucky guy... Someone will be there.

tag this one..

#noshitsherlock

Letting everyone know won't help.

[Khyber]

This is why Cloudflare got four of its routers wiped out during that last October DDoS. As soon as the network infrastructure was known and exploits located, it was the attack point. Security failure.

And this is only going to get worse.

obvious solution:

[Gravis+Zero]

look, none of this is a problem as long as nobody asks about the worst case scenarios.

Re:obvious solution:

look, none of this is a problem as long as nobody asks about the worst case scenarios.

Umm... you mean what's the worst that can happen?

Re:obvious solution:

[Gravis+Zero]

look, none of this is a problem as long as nobody asks about the worst case scenarios.

Umm... you mean what's the worst that can happen?

dammit man, haven't you ever seen a disaster movie?!

Re:obvious solution:

[MiniMike]

In a worst case scenario, this would make all politicians of all parties at least minimally competent and decent human beings (again, at least minimally), would solve the national debt and at least one major societal issue...

(waiting)....

(waiting).......

(waiting)...........

Oh well, it was worth a shot.

Different approach

[QuietLagoon]

Since nearly everything connected to a network nowadays seems to have some manner of easy-to-exploit vulnerability due to lax security design, maybe it would be easier for the /. editors to publish articles on devices and systems that are secure instead of those that are not.

Re:Different approach

[plover]

There is this piece of Cat 5 that isn't remotely hackable. Unless it's tapped, or if someone puts an inductor on it, or if they use TDR to estimate the length of the wire to figure out the distance between routers and discover where the Intrusion and Detection Systems are located.

Re:Different approach

Don't forget TEMPEST.

Re:Different approach

[AHuxley]

A fence, trusted staff on site, limited internal networks that are not connected to the outside world works well and are not that expensive.
But that wont get a cyber security contract long term to "fix" the system after every expensive logged intrusion.
The new networks have one good plus, wealth creation for the support, upgrade aspect.

Re: Different approach

Security is an assumption...

It's beginning to look as if security designed and deployed by primates is an NP hard problem.

Can't wait for our robotic quantum computer overlords to design something exotic.

Air gaps don't have backdoors

"Backdoors also exist in the form of hidden accounts originally created for maintenance that can provide cover for attackers. In particularly insecure facilities, antiquated and unencrypted connections to the Internet that allow engineers remote access to their networks act as pathways an attacker anywhere in the world can take toward the network in her crosshairs."

Air gaps as much as you can, air gaps between you control networks, and your mail/office/facebook network. Don't trust vendor kit, its riddled with backdoors (example below from 2013).

http://www.news.slashdot.org/story/13/07/11/2349201/hp-keeps-installing-secret-backdoors-in-enterprise-storage

Re:Air gaps don't have backdoors

[houstonbofh]

Really? http://www.theregister.co.uk/2...

If there had been cyberattacks in the early days

[shoor]

When networking of smart devices was still on a relatively small scale, a cyberattack wouldn't have done much harm, but afterwards, manufacturers, and more importantly, their customers, might have wised up. Stuxnet was a warning, and I think it has to some extent been heeded, but already by then the existing infrastructure was so vast that a major overhaul would have required a commitment and leadership that isn't there.

Good luck fixing it too.

I work in a small manufacturing company, all it would take is one malicious person to get on the network, send some specially crafted EIP packets to some of our PLC's and production is fucked. I keep saying we need to segment and isolate the industrial network from our poorly managed corporate network, but it gets ignored because "3000 is a lot of money to spend on some computer stuff."

Re:Good luck fixing it too.

[Bob+the+Super+Hamste]

I hope you saved those e-mail chains so when management comes looking for some one to hang you can prove they need to be the ones wearing the noose.

Re:Good luck fixing it too.

[pnutjam]

Some of those systems will crash if you do something like plug a tone generator in to locate a wire.

Re:Good luck fixing it too.

[nnull]

Like I said earlier before. If you have management that can't spend a few thousand dollars to separate the network, you got bigger problems to worry about. I'm surprised more malicious stuff doesn't happen at these places. Or it probably does we just don't hear about it. It's so trivial to cause huge destruction and mayhem with these machines.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Comment removed

[account_deleted]

Comment removed based on user account deletion

We're not showing lack of awareness...

[thegarbz]

It's not a case of lack of awareness, it's a case of mostly not giving a shit. We don't use most of the encryption features or hardening available between control systems on our site either because quite frankly we don't expect to and we don't need to. Actually I was quite critical at the last Schneider conference where they were talking about the encryption they are adding allowing you to connect multiple SCADA systems together directly via the internet. My comment to the presenter was "Why should I care at all about your encryption? Why should I trust you to do something out side your competency? We buy your gear because it's good at controlling equipment, we buy Juniper or other networking gear because they are good at networks. Your lack of encryption has never stopped me from connecting disperse systems. "

In all installations I have worked on we consider the network the device itself. If you touch the network then it's already game over, hardcoded passwords or not. Equipment is setup within private LANs, behind very strict firewalls. Physical access is prevented by means of lock and key, as well as privilege to even be in the same room as equipment. Where a connection is made over an outside network it is done only via an approved firewall / VPN method. We are aware of the security issues, we just work around them.

Now on the flip side this makes it incredibly hard to bring data onto or off from the network, but physical security is one of the best defenses. And no hardcoded passwords / encryption keys are not a good idea. But even if they didn't exist the industry has a lot to prove before I would trust any of them to create a secure system that I wouldn't lock down physically.

Yes really

Read past the headline, you need to first backdoor the PC, the airgap reference is just a reference to how to transmit data *out* across an airgap AFTER you've already installed your hack on it.

Re: Yes really

Can't access facebook if you're AIR-GAPPED.

funny note, swiped suggested shortfall instead of airgap.

Vlad should call his homeboy Kim

And upgrade everything to Red Star Linux.

Comment removed

[account_deleted]

Comment removed based on user account deletion

Horse, beating

Beating a dead horse.

Safety Critical Systems?

The article gives stuxnet blowing up centrifuges as an example. Fair enough, it is scary, but looks at some of the facts. It took 4 zero-day exploits to get to the centrifuge control systems. If anything this proves that industrial systems are well designed.

Now to influence the control systems of a nuclear reactor is at least an order of magnitude more difficult than centrifuges. For example even if the main control systems were somehow taken under control, there are completely separate safety critical systems, most likely in triplicate w/ diverse technology and design, that are continually monitoring the health of the reactor ready to snap it into a safe state at a moments notice.

This sort of safety system is an absolute requirement of current standards, being IEC 61508/61511 for general industrial and IEC 61513 for nuclear.

So you -might-, with extraordinary effort, be able to shut down a power plant. That sucks, but it isn't exactly a nuclear catastrophe.

Personally, I'm far more worried about a big wave, a bloke with a fake badge and some explosives, an asteroid or a bomb dropped from a plane...

Re: Safety Critical Systems?

It took four zero days and an outsider to penetrate their network/secrecy/seclusion/isolation.

NOT their industrial control system.

The US have the highest cyber warfare capabilities

And the US weaponized the internet first. Thank you World Police for keeping us safe!

New research shows massive lack of security ..

[nickweller]

"New research into Industrial Ethernet Switches .. showcases "a massive lack of security awareness in the industrial control systems community."

New research - new research ? - this has been known about for at least a decade ref. and the solution is, don't connect your switches directly to the Internet, connect them through VPNs running on embedded hardware.

As opposed to non devastating cyberattacks?

Why all the sensationalist click bait?

So how about...

[TheRealSync]

Are Industrial Networks also Vulnerable To non-devastating Cyberattacks?

How is this news?

[undefinedreference]

This has been true for at least 20 years.

The industrial controls industry is the most backward corner of the tech world, inhabited by an old guard that mostly doesn't even understand networking, let alone security. The newer recruits generally come from an EE background, so they also generally have no knowledge of how to secure critical infrastructure. Most started in the era where inter-device/machine communication was via serial and all these systems were simple air-gapped (not for security, but because there was no way or reason to connect them).

The reason this situation has changed is that more and more businesses want to be able to see what is happening in real time, so the engineers just connect them to other relatively-insecure networks, which ultimately leads to breaches. The suits don't care as long as they can see what they want to see.

It would be very expensive and difficult to correct this problem, between the extra manpower, retraining, and delays this would cause.

It's a very fine line

[cyberchondriac]

between negligent complacency and paranoid hysterics. Especially where terrorism of any kind is involved.

If its made by man......

....then it can be broken by man.

Is something I live by.

Re:If there had been cyberattacks in the early day

[nnull]

That's because a lot of these places don't hire anyone competent anymore to fix or repair this stuff. You have plants with a maintenance staff that doesn't know a thing other than knowing how to tighten a bolt but the management expect miracles from them. I don't see any plants that will hire seasoned engineers for such cases anymore. There's no more engineering teams at these plants. Owners want the cheapest nowadays and if they can find the word "Maintenance" and "Minimum wage", they're hired expecting him to be a miracle worker like a 20 year experienced engineer.

Then when shit hits the fan, you get what you get.