Stuxnet Virus Now Biggest Threat To Industry
digitaldc writes "A malicious computer attack that appears to target Iran's nuclear plants can be modified to wreak havoc on industrial control systems around the world, and represents the most dire cyberthreat known to industry, government officials and experts said Wednesday. They warned that industries are becoming increasingly vulnerable to the so-called Stuxnet worm as they merge networks and computer systems to increase efficiency. The growing danger, said lawmakers, makes it imperative that Congress move on legislation that would expand government controls and set requirements to make systems safer."
We should thank Israel, or whoever (Score:5, Insightful)
This is a wake-up call to a new vulnerability. There are a helluva lot worse ways to have found out about it than this relatively innocuous version. It also exposes stupid weaknesses like the fact that all Siemens PLCs (programmable logic controllers) have a hard-coded password [wired.com] that was never meant to be changed, and that all the obscure proprietary software in the world on PLCs doesn't mean jack for security--because they all still have to take their orders from a machine running it software on regular old Windows.
We could have realized these vulnerabilities only after a bunch of stuff started exploding.
The solution (Score:5, Insightful)
Don't use Windows for important industrial systems.
Cut the hardlines (Score:4, Insightful)
There's no reason why these machines should be connected to the internet. Maybe some of the top-level communication computers to coordinate between plants, but certainly not the local-area computers/machines.
Funny how the answer is always more government (Score:2, Insightful)
Do you really want the idiots in D.C. telling you how your computer must work? Ask anyone doing IT related stuff under the DoD -- their own security policies cause more outages and problems than anything else. Those policies are from people who supposedly know what's what. Now put clueless politicians in charge.
You DON'T want this, no matter how much you like government control of your lives.
Legislation? (Score:5, Insightful)
Re:We should thank Israel, or whoever (Score:4, Insightful)
this is a wake up call to a new "cyber-vulnerability"! Oh noes! I said the word cyber! It's not a threat, it's a cyberthreat!
yes, this is the hype they want you to believe. Stuxnet is something to be concerned about, but adding the word cyber is just bullshit hype all around.
the rest is just calling into play Siemens' shitty programming ethics which are now going to bite them in the ass as businesses and government will probably shy away from business with them until this can be fixed.
Stupidity is the problem, training the solution. (Score:3, Insightful)
This isn't a 'vulnerability' (Score:3, Insightful)
Don't exaggerate the issue. The exploitation of PLCs by Stuxnet is akin to a device on your car's CAN bus issuing commands across the network. Does your car's radio require authentication? Newp. How about your speedometer? Newp.
What StuxNet *does* emphasize is why it's a very, VERY dumb idea to have a network with PLCs connected to an external network of any kind.
"OMFG, I can't believe my cancer test came up negative because some hax0r compromised it. What kind of suck software was RUNNING on that device?"
OOOOOOoorrrrrrr..
"OMFG, you idiots, WTF would you connect a device which is going to tell me if I'm *DYING* to the MTF internet?!?!"
Blowback (Score:3, Insightful)
Re:We should thank Israel, or whoever (Score:5, Insightful)
We also could have foreseen these vulnerabilities.
I used to work in industrial automation - in its pre-Windows era, and people did put effort into isolation, access control and validation.
After having made the bad decision to deploy on Windows, when years of evidence showed that it had a horrendous lack of access control, how did Siemens just continue on? What were they thinking?
Re:We should thank Israel, or whoever (Score:1, Insightful)
Just fucking stop that, okay?
lol the irony (Score:2, Insightful)
It's probably American dollars that paid for Stuxnet in the first place (by way of "Aid" to certain countries)
just deserts come to mind
Re:Legislation? (Score:3, Insightful)
Re:industrial control systems? (Score:3, Insightful)
Re:Legislation? (Score:5, Insightful)
No, it isn't. Humans in general and managers in particular are famously bad at correctly estimating the factors of low-probability/high-impact risks. Not always in the same direction - we vastly overestimate the risk of some stuff, and vastly underestimate others. But we're almost always off, and by several orders of magnitude.
And don't forget the human factor - the risk for the manager is not millions of dollars of company assets, that is an abstract figure at best. The risk to him is the loss of his job, which is lower in both value and likelihood than the event itself. However, spending money on security is a 100% loss of profit which will impact the bottom line, profit, quarterly report, etc. with a very high probability of negative impact on his bonus or raise.
Unfortunately, almost everything you learn about management or governance acts as if "the company" would make decisions, and not humans. And ignores that humans have a more personal context that also influences their decisions, and routinely overrides even those cases where the optimal decision can be clearly demonstrated.
Re:We should thank Israel, or whoever (Score:4, Insightful)
No, the problem is that even if your PLCs aren't networked--the laptop that reprograms them may be at some point (and can be infected with a virus). Even if you pull your whole infrastructure off the network, it doesn't ensure security if Jim the IT guy is using the Step 7 laptop to surf the web, or if any yahoo can stick his thumb drive into said laptop and give it a digital STD.
The Internet is not the only WAN (Score:3, Insightful)
Seriously, who TF came to the idea that all WANs are to be extinguished and only the Internet can be used for site-to-site networks? Maybe I'm showing my age, but I don't care: when I was working in IT (before returning to academia), private WANs were the norm, and nobody even dreamt of connecting any part of a company network, no matter how unimportant, to the Internet. Somehow, common sense wasn't snuffed entirely. Oh, and we did have e-mail, shockingly enough, which was nicely routed to the Internet (if the e-mail address was an Internet e-mail address).
Re:Funny how the answer is always more government (Score:4, Insightful)
When was the last time the government solved the problem that it told you it was trying to solve?
Re:We should thank Israel, or whoever (Score:3, Insightful)
Every time someone suggests a Windows based system in _any_ critical situation plenty of people come out shouting how it will undoubtedly lead to the end of the world. Hindsight doesn't even come into it - the possibility of these scenarios was predicted, brought to people's attention and dismissed.
'Captain Hindsight' parodies people who appear out of the woodwork to say what is now blindingly obvious, not people who had the foresight to predict these problems but were ignored.
Re:industrial control systems? (Score:3, Insightful)
For the love of god! You cannot create another Chernobyl, it had ZERO core containment. US reactors have 12 feet thick concrete surrounding the core! It *may* melt down, but then it's entombed in tons of concrete, so there isn't much to worry about! Equating a meltdown to Chernobyl is naive.
As an AC this post will never see the light of day, but I really wish people would stop being so afraid of nuclear power, it's really our only hope to get off fossil fuels any time soon.
Re:We should thank Israel, or whoever (Score:4, Insightful)
Yep, you and the GGP post are correct, this was a foresight issue. I too was in a position where I was asked to replace reliable, effective, and secure Unix control systems with Windows based systems.
It was a ridiculous play for the new eye-candy, and "usability" (why do you need general application usability on machines that should be running only ONE program?). Just the fact that there were now Windows machines on the production floor led to enormous headaches. All kinds of access controls and system policies and restrictions and processes needed to be put in place to keep these machines functioning even reasonably well, where the Unix boxes (and X-terminals) they replaced were ROCK SOLID.
Now the industry will pay for using the quick and easy and VULNERABLE hardware to run their process control systems.
Re:We should thank Israel, or whoever (Score:3, Insightful)
Everything, everything, is a reason for "new government controls" these days. If the TSA groping 3-year-old girls isn't a wakeup call to the gradual march of fascism we seem to embrace, I don't know what is.
"Threat"? I don't care. "Cyber-threat"? I don't care. I don't care what the threat is any more. I have more than enough government, and I want less! The biggest threat by far is our government, and it's time to de-fund the whole stinking mess.
Re:We should thank Israel, or whoever (Score:4, Insightful)
Wake up call? new?
Lots of IT pros have been screaming for a DECADE that only complete fucking morons put a SCADA system on anything that is connected to an external network. Let me repeat that. ONLY A COMPLETE MORON will hook up a SCADA system to a PC that bridges the internet and the secured network, OR puts the whole damn thing on an unsecured network.
Guess what, complete morons are the managers of these places, these complete morons do not want to buy extra PCs so they have the employees check their email ON THE SCADA computers. OR they do something stupid and not lock them down and allow the users to install and run software on them.
This is not a new problem. Those of us in IT have known about it and have been yelling at the idiots in charge for a long time now. It's just this is the first real "BITE THEM IN THE ASS" that has happened and got a lot of publicity.
Re:The solution (Score:3, Insightful)
Re:The solution (Score:3, Insightful)
Why?
I solved this a decade ago when I was into SCADA programming. Entire SCADA system is isolated, NO connection to outside network, no apps other than the control software.
Need to have data go to the administrator for stupid reports? Easy solution.
RS232. RS232 TX and Gnd only hooked to the SCADA system and set to output all stats on a streaming basis. Supervisor's PC hooked to that RS232 to monitor all he likes. Infect his PC with a nasty kill-you-all virus and it CAN NOT infect the SCADA system unless it can run an RX wire and solder it onto the connector.
RS232 at 115bps was fast enough for a water filtration plant that had only 11,000 sensors and control-points to be real time on the supervisor's monitor.
Re:We should thank Israel, or whoever (Score:3, Insightful)
No, some retarded fringe protest is the opposite of what we need. What we do need is people to wake up to the gradual increase in totalitarianism, and stop being OK with it. We still have a functioning democracy, and any and every intrusive government agency can be destroyed entirely with a stroke of a pen. Every single world event is an excuse to make our government stronger and more intrusive if we let it be so, but we can just as easily decide that enough is too much, and put an end to it.
Re:We should thank Israel, or whoever (Score:3, Insightful)
All of the above. Less government funding. Less government taxing (except we can't in practice, but it's still desirable). Fewer government employees, especially at the federal level. But all of that is secondary: less government intrusiveness in my daily life is the main thing.
Here's a clue: roads and NASA and pretty much everything else that the federal government does that's actually productive is down to less than 20% of the budget. The vast majority of the budget consists of money taken from less-politically-favored individuals, and handed directly to more-politically-favored individuals.
But even that's just money. The money part is only interesting because we're out of it, and can't borrow any more. The real problem is the continuous growth of the government having a say-so in every action in my daily life. We have a name for this: totalitarianism. And we seem to grow more accepting of it every day, allowing both political parties to continue to encroach on daily life.