Slashdot Mirror


A Critical Security Flaw in Popular Industrial Software Put Power Plants At Risk (zdnet.com)

A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure. From a report: Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network. It's the latest vulnerability that risks an attack to the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, from Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. But Tenable found that a bug in that central software could leave an entire plant exposed.

41 comments

  1. A severe vulnerability? by Anonymous Coward · · Score: 0

    A severe vulnerability in a widely used industrial control software? Go figure. Good thing we don't connect those systems on the internet. Oh, wait...

    Somebody make a useless law to protect these systems! Stat!

    1. Re:A severe vulnerability? by Opportunist · · Score: 1

      How about making it illegal to access such systems with malicious intent? That should solve it, right?

      (I think I play too much with the boys from the legal department recently...)

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
    2. Re:A severe vulnerability? by Anonymous Coward · · Score: 0

      I think I play too much with the boys from the legal department recently...

      Well, as long as they like it...

    3. Re:A severe vulnerability? by Opportunist · · Score: 1

      I usually feel like I need a shower afterwards, though.

      --
      We used to have a Bill of Rights. Now, with the rights gone, all we have left is the bill.
  2. expect more of these stories by Anonymous Coward · · Score: 4, Insightful

    as the manufacturing world connects more and more things to the Internet. This is driven by MBA managers who want to be able to access fancy dashboards from their head offices miles away from the plants. The major marketing push currently going on in the manufacturing world is the IIoT (Industrial Internet of Things) and is driven by greedy companies who are taking advantage of middle to upper management's lack of knowledge to sell them on fancy gizmos and gadgets without actually explaining the potential consequences. When combined with the race to the bottom for cost of IT in manufacturing, this is a catastrophe just waiting to happen.

    We have already seen examples recently of ski lifts, but this was already a problem with remote desktops, and all you have to do is search for DEF CON talks to see hundreds of examples. The only difference is that now the access is baked right into the control software and black hats don't need to worry about looking for vulnerable remote desktops.

    1. Re:expect more of these stories by olsmeister · · Score: 2

      Sometimes you have to break a few eggs to make an omelet. The bottom line is that you're never going to talk management out of buying this type of stuff because the promised results are too attractive to them, and you're never going to stop the claims from the people selling this stuff about a management utopia where all is observable and controllable from your laptop or mobile phone, so until we have some spectacular failures and attacks nothing is going to derail this train. Might as well grab some popcorn and sit back and enjoy the spectacle and hope it happens to someone that isn't your company or someone your company depends on.

    2. Re:expect more of these stories by DontBeAMoran · · Score: 3, Informative

      Systems should be able to tell the outside world about their current state, but they should not be able to be controlled from the outside.

      In short, make those types of systems read-only.

      --
      #DeleteFacebook
    3. Re:expect more of these stories by drinkypoo · · Score: 4, Insightful

      More to the point, attach them to one way communications links. A high speed serial interface with only the RX pin connected on the receiving end can simply not be used to communicate back to the reporting device/gateway. Not every damned thing needs to be on Ethernet.

      --
      "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
    4. Re:expect more of these stories by dunnomattic · · Score: 4, Informative

      I'm no Schneider expert, but I've worked with guys who are. While I agree with you on the explicit principle that externally-accessible systems should be read-only (or even better, receive data via internal system pushes instead of pulling data through whitelisted IP:port), I think there are two nuances here:
      1. The middleware itself can't be read-only since it is used to monitor/automate tens of thousands of individual sensors/valves/breakers per site, each of which has multiple registers involved in the monitoring/adjusting communication. If they were read-only, technicians would have to go through hundreds or thousands of steps just to test if one class of device is nominal.
      2. These critical systems should never be accessed by the outside world. I doubt that anyone who wanted to keep their job would knowingly expose these system interfaces publicly. However, with so many layers of software separating the outside attacker from the critical system, one of them will get the needle threaded at some point to hit the critical system. So now you've got an attacker facing a read/write industrial control system with the vulnerability to bypass authentication. The comm protocol specifications I've seen for these types of systems are well-documented, but they are extensive just due to the variety of devices they need to control. This won't be the last vulnerability in these industrial control systems. They should never be exposed by design.

      ...and yes, DeleteFacebook.

      --
      ...when everything is a crime, everyone is a criminal.
    5. Re:expect more of these stories by Anonymous Coward · · Score: 0

      Asshole, engineers need to see this data not MBAs - we are not colocated at every plant site. It is also heavily firewalled and NERC security requirements if followed are good enough.

      Don't speak until you know what the fuck you are talking about.

    6. Re:expect more of these stories by Spy+Handler · · Score: 2

      This is driven by MBA managers who want to be able to access fancy dashboards from their head offices miles away from the plants.

      We used to have a technology that solved this problem with little or no increase in security risk. How it worked was, you have a remote site with its own airgapped internal LAN. A dedicated PC would fetch data from the internal server and use a dial-up modem to connect to a machine at corporate HQ. It would then transmit data to corporate HQ via advanced protocols such as Kermit or XMODEM.

      The modem at the remote site would be configured to ignore (not answer) incoming calls for security reasons. It would only dial out, and only to the phone number at the corporate HQ.

      This way China hackers can't access the remote site (at least not easily), and corporate HQ still gets their hourly update on their fancy dashboards.

    7. Re:expect more of these stories by HiThere · · Score: 1

      Well, for the inner layer...usually. But that means someone's got to be able to get to the machine to throw a switch or turn a dial. So it's not always going to be possible.

      Additionally, you generally want to protect the inner layer from even being read by someone unauthorized. So you need multiple layers of security with different restrictions.

      OTOH, that's just how it should be done this year. As interfaces and machines get smaller, it will be less practical to have human sized switches on the machines, which means it's going to be necessary to not depend on "read only" electronic access. So it's time to start getting electronically controllable machinery properly secured. Whatever that means. But that won't happen as long as the incentives remain perverse.

      --
      I think we've pushed this "anyone can grow up to be president" thing too far.
    8. Re:expect more of these stories by Anonymous Coward · · Score: 0

      Asshole, engineers need to see this data not MBAs - we are not colocated at every plant site. It is also heavily firewalled and NERC security requirements if followed are good enough.

      Don't speak until you know what the fuck you are talking about.

      Most people who do commercial and residential IT have no idea how much of a different beast Industrial IT is. It is a place where security, redundancy and uptime truly do matter and companies are willing to pay for it.

      I had walked away from IT in disgust years ago and now want to get back into it on the Industrial side after becoming a Controls Engineer and seeing what real network infrastructure looks like.

    9. Re:expect more of these stories by Anonymous Coward · · Score: 0

      Don't kid yourself. They look to pinch every penny too. It's just every now and again they'll invest in fancy hardware with the expectation that they're going to use it for 25 years.

    10. Re:expect more of these stories by Anonymous Coward · · Score: 0

      Many of the companies that install these systems are not concerned with security. There are most likely numerous plants/utilities that could have the most secure HMI (human machine interface like InTouch) in the world while leaving the hardware controller (PLC) wide open to the internet to be reprogrammed or have commands sent directly to it.

    11. Re:expect more of these stories by Anonymous Coward · · Score: 0

      I don't know where you worked in IT. I've seen the worst examples of IT standards on the industrial side and have seen many IT employees leave that cluster@#$& to work in the commercial field.

    12. Re:expect more of these stories by Mashiki · · Score: 1

      There are two types of things in industrial control. There's the one you mentioned, but even then you can "soft" block it from the outside, requiring access via a private LAN; the problem is a lot of companies don't want to create a side-by-side corp net and IC net, they see it as too expensive. That'll change as soon as some nut figures out that they can cause serious damage to infrastructure or hold a company for ransom. The second is the type that uses PLCs for adjustment and control of plant controls. The latter can absolutely be set into a "read-only" state, since the PLC can be programmed to deal with absolute issues and, if something falls out of bounds, automatically trip the shutdown of the affected control system. Those? They're pretty safe, and they're used all over the place from water treatment plants to natural gas pressure stations.

      You just have to hope for 3 things with PLCs. That the person who wrote the ROM didn't leave any backdoors. That the PLC doesn't have any backdoors (I'm looking at you Mitsubishi, you fucks). That you don't have someone with a fucking grudge who is smart enough that they can pull the ROM module and replace it with one of their own in a maintenance state and fuck everyone.

      --
      Om, nomnomnom...
  3. In other news.... by unixcorn · · Score: 1

    That's it, there is no other news. Exploit found, manufacturer fixed in a timely manner. I would say that whatever ad-hoc system that is in place for identifying software vulnerabilities, whether it's a reward or just the coolness factor of having one's name in an article, seems to be working. I did like the picture of the Nuke plant in the article though. I am making a wild guess that any software running internally in a nuclear plant is not accessible from outside, not even through a firewall. But I could be wrong. Think Homer Simpson.

    1. Re:In other news.... by Anonymous Coward · · Score: 0

      Posting anonymously because I read the report

      Air gapped, not on the internet. Not even close. How does running on general purpose PCs sound? Also the operators are downloading movies and music on those machines and browsing the web. We had a major power outage in North America in 2003 caused by Ohio not trimming trees back, but one of the reasons it wasn't contained was the crap on some of the operations machines.

  4. Mitigation by Anonymous Coward · · Score: 1

    1. Don't put any control hardware on the internet. Air-gap everything. This is already best practice. For monitoring, do an RS-232 link to an internet-connected machine, from an embedded machine with no network stack.

    2. Lock down the machines running the control software. Physically isolate the machines. Make the web-based client machines thin clients running a locked-down browser.

    3. Lock down the control network. Use MAC filtering and IP authentication, which I believe is part of the industrial IP standard.

    1. Re:Mitigation by Anonymous Coward · · Score: 0

      Don't worry, this would only affect the US power grid (which we've been told is ready to collapse anyway). Europeans buried all of their transmission lines so the hackers can't get to them.

    2. Re:Mitigation by Anonymous Coward · · Score: 0

      That's nice, but 1. Engineers need data from the control system, partner entities require data from the control system, regulatory bodies require information from the control system. Makes it kind of hard to air gap. 2. Secure data centers are a thing. The physical access isn't usually the problem. And yes, you can lock it down using standard hardening methods. It's dragging software vendors off of FORTRAN and IE 6 (ActiveX) that's the problem. Old versions of third party software because the new ones aren't compatible and no one requires the vendor to make it compatible. Don't like it? Feel free to spend millions to switch between 3 vendors who provide the software you need, who are all approximately just as concerned about security as the one you're currently with. 3. Spoofing a MAC address is trivial; it's not really that helpful from a security standpoint. IP authentication is a good idea, but everyone's paranoid about an expired certificate locking everyone (including the administrators) out of the system. These are the real issues facing the ICS space. You can have NERC CIP and audit controls/processes all day long, but it doesn't improve security when you have the sorts of issues outlined above.

    3. Re:Mitigation by Anonymous Coward · · Score: 0

      That list covers whatever you are talking about. Industrial solutions are not updated to handle security concerns. They themselves will tell you that they recommend isolating the network so that they are not liable. The data being passed by industrial machines is not that big. RS-232 / 485 is fine for this. Once the data is transferred out, and in some database, you are now in the normal computer world where people do care about security. It can then go to your datacenters and what-have-you.

  5. APC UPS? by Anonymous Coward · · Score: 0

    Schneider makes the APC UPS line. Monitoring software uses a USB connection. Hopefully a similar bug isn't present in that.

  6. It's ok we have a no homers rule at our plant by Joe_Dragon · · Score: 1

    It's ok we have a no homers rule at our plant

  7. Russian hackers... by Anonymous Coward · · Score: 0

    ... aren't the only hackers in the world.

    Fix it by all means - but not every security risk should be used as a "Two Minutes of Hate" sort of drill.

  8. Is this ... by PPH · · Score: 2

    ... vulnerability present in the Linux version? Or only Windows?

    --
    Have gnu, will travel.
    1. Re:Is this ... by Anonymous Coward · · Score: 1

      "InduSoft Web Studio (or IWS, for short) is a powerful, integrated tool that exploits key features of Microsoft operating systems and enables you to build full-featured SCADA (Supervisory Control and Data Acquisition) or HMI (Human-Machine Interface) programs for your industrial automation business."

      "InTouch Machine Edition is a natural extension of the current Wonderware HMI portfolio and the perfect complement for customers who already own Wonderware System Platform... Wonderware System Platform runs on most versions of Windows 7 or later, supports Windows Server 2012 or later, Microsoft SQL Server 2008 or later and Microsoft .Net Framework 4.5.1 or later."

    2. Re:Is this ... by Anonymous Coward · · Score: 0

      The industrial world is for the most part Windows based. I've seen a couple things run on OpenVMS.... like to this day.

    3. Re:Is this ... by PPH · · Score: 1

      Sorry. I forgot the <sarcasm></sarcasm> tags.

      --
      Have gnu, will travel.
    4. Re:Is this ... by Anonymous Coward · · Score: 0

      Only Windows as far as I can tell. But the OS isn't to blame - the vulnerability comes from the application software.

  9. BILLIONS in deferred maintenance far more dangerou by Anonymous Coward · · Score: 0

    But Kanye needed a tax cut yo! Shithole cuntry is falling apart, BIGLY.

  10. Slash-bots. by SlashGodet · · Score: 1

    Slashdot on Facebook uses an automated 'bot in its messenger system. Who points the finger at the finger pointer?

  11. Not as scary as it sounds by nomadicGeek · · Score: 1

    I figured that I would chime in here, since I've worked on these types of systems, and in this type of environment for nearly 30 years.

    It is common to see these types of alerts for all kinds of HMI software, PLCs, and DCSs. They all have security vulnerabilities discovered, just like any software-based systems do. In the electric utility environment in the US, these systems fall under NERC CIP regulations. There will be someone at the utility tasked with keeping track of these alerts and making sure that systems are patched. For really old systems, they will be planning upgrades.

    These Industrial Controls Systems (ICS) will be firewalled from the business networks, which will again be firewalled from the Internet. It is common to have a data historian pushing data out of the secured ICS network onto a system on the business networks. This allows managers, engineers, and anyone else who needs the data for analysis and reporting to do so without having to be inside the plant. These days it is common to have a mechanical engineer working on something from across the country through these historian systems.

    The firewalled connection pushing the data out of the network may just be a connection between two servers over a particular TCP port that must be initiated from inside the ICS network as an example of the simplest, and probably the most common example. It is more common these days for the data to be pushed to a DMZ server, which then passes it to the business system, making it even more secure. It is also common to use a data diode, where there is only a fiber optic transmitter on the inside and a receiver on the outside, so you can't even physically pass a signal into the ICS network.

    I'm not an expert in these particular Schneider systems, but the alert seems to be for HMI software used in the control room to operate the equipment. These systems would be on the firewalled ICS network and not exposed to the business network, so it is unlikely that someone would be able to access them from the company's business network, much less the Internet.

    Security of these ICS networks is taken pretty seriously, and the visibility and attention to security have increased greatly in the last ten years. It certainly isn't as far along as it could be, but the ominous picture of cooling towers, which most people equate to nuclear plants, although they are common in large coal units as well, makes this look much worse than it probably is. I can assure you that there are none of these Schneider systems connected to the Internet controlling a nuclear reactor anywhere.

    I'm not trying to paint a rosy picture here, merely suggesting that in all probability there will be some engineers patching some firewalled HMI systems in the coming weeks, while they continue to beef up the security at their plants, and not a nuclear meltdown as some script kiddie exploits this hole in a nuclear control system sitting on the Internet with this hole in it.
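One way to check the invariant nomadicGeek describes (connections crossing the ICS boundary are only ever initiated from the inside historian outward, to a single DMZ relay port) against connection-tracking records, as an added example that is not from the thread or any vendor. The addresses, the port and the record format are hypothetical, and the sample records are constructed.

```python
"""Flow audit for the outbound-only historian link described in the post.

Added example, not from the thread or any vendor. A historian inside the ICS
network initiates a TCP connection to a DMZ relay on one fixed port, and nothing
is ever initiated into the ICS network. Addresses, port and record format are
hypothetical; the sample records are constructed.
"""
import re
from collections import namedtuple
from ipaddress import ip_address, ip_network

ICS_NET = ip_network("10.10.0.0/16")      # hypothetical ICS address plan
HISTORIAN = ip_address("10.10.1.20")      # hypothetical historian server
DMZ_RELAY = ip_address("172.16.5.10")     # hypothetical DMZ relay server
RELAY_PORT = 5000                         # placeholder for the one allowed TCP port

# Constructed record format: "<time> <proto> <src>:<sport> -> <dst>:<dport> <state>"
# where <state> is NEW for a connection attempt and EST for established traffic.
RECORD_RE = re.compile(
    r"^(\S+) (tcp|udp) (\d+\.\d+\.\d+\.\d+):(\d+) -> (\d+\.\d+\.\d+\.\d+):(\d+) (NEW|EST)$"
)
Flow = namedtuple("Flow", "proto src sport dst dport state")

def parse_flow(line: str) -> Flow:
    m = RECORD_RE.match(line.strip())
    if not m:
        raise ValueError(f"unparseable flow record: {line!r}")
    _, proto, src, sport, dst, dport, state = m.groups()
    return Flow(proto, src, int(sport), dst, int(dport), state)

def classify(flow: Flow) -> str:
    """Verdict for one connection attempt seen at the ICS boundary."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    if dst in ICS_NET:
        # The invariant the architecture rests on: no inbound initiation,
        # whatever the source, protocol or port.
        return "deny: initiated into ICS network"
    if src in ICS_NET:
        if (flow.proto == "tcp" and src == HISTORIAN
                and dst == DMZ_RELAY and flow.dport == RELAY_PORT):
            return "allow: historian push to DMZ relay"
        return "deny: unexpected egress from ICS network"
    return "ignore: does not cross ICS boundary"

def audit(lines) -> dict:
    """Tally verdicts over NEW records; established traffic is not an initiation."""
    counts: dict = {}
    for line in lines:
        flow = parse_flow(line)
        if flow.state == "NEW":
            verdict = classify(flow)
            counts[verdict] = counts.get(verdict, 0) + 1
    return counts

SAMPLE_LOG = [  # constructed records, not from any real site
    "2018-04-25T10:00:01Z tcp 10.10.1.20:49152 -> 172.16.5.10:5000 NEW",
    "2018-04-25T10:00:01Z tcp 172.16.5.10:5000 -> 10.10.1.20:49152 EST",
    "2018-04-25T10:00:07Z tcp 172.16.5.44:51000 -> 10.10.1.20:445 NEW",
    "2018-04-25T10:00:09Z tcp 10.10.3.7:40000 -> 172.16.5.10:443 NEW",
    "2018-04-25T10:00:12Z udp 10.10.1.20:40001 -> 172.16.5.10:5000 NEW",
    "2018-04-25T10:00:15Z tcp 172.16.5.10:60000 -> 192.0.2.9:443 NEW",
]

if __name__ == "__main__":
    for verdict, n in sorted(audit(SAMPLE_LOG).items()):
        print(f"{n:3d}  {verdict}")
```

Any record in the first "deny" bucket is a violation of the outbound-only design and, under the architecture described, should not be possible at all unless the firewall or diode has been changed.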

    1. Re:Not as scary as it sounds by Anonymous Coward · · Score: 1

      InTouch Machine Edition is for remote HMIs for field operators. Likely an OPC connection.

      OPC is the biggest shit show that exists on industrial systems, and I'm sure you have run into this issue over your years...

      To transfer data between computers, both computers use DCOM and must have the same local account WITH THE SAME PASSWORD.

      It's a joke. It's DCOM.

  12. do not connect safety systems to external networks by Anonymous Coward · · Score: 0

    do not connect safety systems to external networks.

    do not connect safety systems to external networks.

    do not connect safety systems to external networks.

  13. Is "a software" a thing? by Anonymous Coward · · Score: 0

    Every time I see "a software" it irks me. Seems ignorant to say things like "I have three softwares!". It's not enumerable.

    Software is like knowledge - you don't talk of having "three knowledges", for example. It encompasses all you know, just as "software" encompasses all the programs on your machine. It can be qualified: "operating system software", like "software development knowledge", but not counted.

  14. Critical Security Flaw in industrial software .. by najajomo · · Score: 1

    Have they ever considered not connecting their industrial plant directly to the Internet?

  15. Anonymous for a reason. by Anonymous Coward · · Score: 0

    I am an industrial engineer, and I have significant international experience consulting on - you guessed it - physical and cybersecurity for power plants and other critical infrastructure.

    The amount of fucks that most of the owners and financiers give is basically zero. Unless there is a regulation (with teeth) that prohibits or requires something, they won't spend one centavo. While some plant managers or equivalent might be stupid or ignorant, the people with real power and oversight almost always know that having a SCADA system that will only run on a narrow patch range of an antique operating system hooked up directly to the Internet is a terrible idea. The problem is, when high power consultants come in and tell them what it's actually going to cost to modernize, they shit their pants.

    Technological debt is real debt.