Slashdot Mirror


Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."

9 of 76 comments

  1. Industrial network by hunter44102 · · Score: 3, Interesting

    I work in a multiple plant system with geographic separation. Each plant operates independently. But it's the geniuses on top that believe we need to some day run all plants from one location. (They also want to be able to see all the plants from anywhere). So we can be very secure by keeping each industrial network separated and completely disconnected from each other and the outside world, OR we can make all plants vulnerable by interconnecting them and allowing big shots to see the plant operation from their phone.

    1. Re:Industrial network by bobbied · · Score: 2

      Follow the money.. Who pays the bills? Do what they say...

      Seriously, keeping your factory's networks separate is a pretty simple firewall issue for someone competent to install and configure it. I'm not sure how this cell phone connection is going to work, but there ARE ways to make cell phones connect to you via VPNs that can be made to require usernames/passwords (not to mention specific devices) before you are allowed to connect. There are solutions out there to do what they ask, they just cost a little bit to acquire, install, and manage.

      So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

      --
      "File to fit, pound to insert, paint to match" - Aircraft Maintenance 101
    2. Re:Industrial network by Iamthecheese · · Score: 2

      Uptime, heartbeats, and operational error codes can be transferred one-way and offer very little for an attacker to use. And the executives probably don't care whether the condenser is running security patch .0034 or .0036. So I'm thinking the real problem isn't sending out plant data but an unwillingness to invest in security in general.

      --
      If video games influenced behavior the Pac Man generation would be eating pills and running away from their problems.
    3. Re:Industrial network by khasim · · Score: 2

      IF the people in charge are asking for it, find and suggest a solution that can do it safely.

      I'm with you so far.

      If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

      In my experience, any "solution" that you present will be understood to do everything that they wanted.

      Even if you say that they cannot have X at $Y, they will give you $Y and then demand X.

      When you cannot do so, a contractor will be brought in to set up a flawed implementation that will reduce your security BUT will provide X at a price point that you said could not be done.

      Which is why we see this story pop up over and over and over again.

    4. Re:Industrial network by fredgiblet · · Score: 2

      Problem is that the parent will be blamed for the security failure if it happens. At best he'll have to clean it up, at worst he'll be hung out to dry.

  2. Obligatory "why" post by mattventura · · Score: 4, Insightful

    Every time some industrial networking vulnerability gets posted, people ask: "why are these connected to the internet to begin with?", so I'll get it out of the way: Why are these connected to the internet again? If you do need some sort of external access to them, it should be through some sort of application-level gateway so that access can be carefully controlled.

    1. Re:Obligatory "why" post by houstonbofh · · Score: 2

      So the pointy haired boss can check the stats he does not understand with his smart phone to show other pointy haired bosses.

  3. Robotic Surgeons? by PopeRatzo · · Score: 2

    Does it make anyone else uncomfortable that this story about industrial networks being vulnerable to cyberattacks follows immediately after a story about robotic surgeons?

    --
    You are welcome on my lawn.
  4. obvious solution: by Gravis+Zero · · Score: 2

    Look, none of this is a problem as long as nobody asks about the worst case scenarios.

    --
    Anons need not reply. Questions end with a question mark.