US-CERT Warns of Serious Hole In ActiveX Control From Iconics
Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software packages, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, and water and wastewater treatment, among other applications."
Controls are a different Beast... (Score:4, Interesting)
I am a Controls Engineer and work with HMI interfaces every day.
We keep seeing more and more things like this in the controls world. Every few months, we hear that this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.
At the place I work, we have completely separate hardware from IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using; we are owned anyway.
It does scare me when I think about how some of the other plants and industries make connections to the intranet from their controls systems for various reasons and trust that their security will hold.
WTF?Embedded RealTimeControlSystems, Determinism.. (Score:2, Interesting)
Re:Controls are a different Beast... (Score:4, Interesting)
It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.
I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"
Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.
Re:Really? (Score:4, Interesting)
Re:WTF?Embedded RealTimeControlSystems, Determinis (Score:4, Interesting)
FYI, there was a UNIX-based comm system up at LAX which got replaced by a Windows 9x box. When they found out the OS would repeatedly crash after 49 days or something like that, they solved the problem with a reboot _every_ 30 days. A new guy came onboard, thought hey, things are running fine, so why reboot it. CRASH, and for about 6 hours LAX had neither ground-to-air nor air-to-ground communications. Many close calls but no crashes. But the 3fing idiots used a Windows box, Windows 9x even, for a mission critical system. I quit a military contract position when word came down from Command that all UNIX systems would be replaced with Windows. The way I see it, there are idiots making technical choices all around us and until Microsoft fades away, that's not going to change.
I miss the days when the Chief Systems Engineer ran the show and was usually the brightest person in the company and everyone knew it.
LoB
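The "49 days" in the comment above is the wrap period of a 32-bit millisecond uptime counter: 2^32 ms is about 49.7 days, which is the classic reason a system misbehaves only after that much uptime and is "fixed" by a scheduled reboot. The comment does not say what the LAX box's actual fault was, so reading it as this kind of bug is an assumption. The C program below is an added example, not code from the thread or from any product named in it; it models such a counter with constructed tick values and shows the two ways a deadline check goes wrong across the wrap, next to the unsigned-subtraction form that survives it.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Added example (not from the thread): models a 32-bit millisecond uptime
 * counter, the kind that wraps to zero after 2^32 ms, to show how a timing
 * check can fail only after ~49.7 days of uptime. Whether the LAX box in the
 * comment failed this way is an assumption; the arithmetic itself is not. */

#define MS_PER_DAY (24.0 * 60.0 * 60.0 * 1000.0)

/* Days of uptime before a 32-bit millisecond counter wraps: 2^32 / 86400000. */
double wrap_period_days(void)
{
    return 4294967296.0 / MS_PER_DAY;   /* about 49.71 days */
}

/* The counter as the hardware presents it: unsigned, wrapping modulo 2^32. */
uint32_t tick_after(uint32_t start, uint32_t elapsed_ms)
{
    return (uint32_t)(start + elapsed_ms);   /* unsigned add wraps by definition */
}

/* Bug pattern: compute an absolute deadline when arming, then compare the raw
 * counter against it. Right for 49 days, wrong across the wrap. */
uint32_t arm_deadline_naive(uint32_t armed_at, uint32_t interval_ms)
{
    return (uint32_t)(armed_at + interval_ms);
}
bool deadline_reached_naive(uint32_t now, uint32_t deadline)
{
    return now >= deadline;
}

/* Correct form: keep the arm time and measure elapsed time with unsigned
 * subtraction, which C defines modulo 2^32. This gives the right interval
 * across a wrap as long as the interval is under 2^31 ms (~24.8 days). */
bool elapsed_at_least(uint32_t armed_at, uint32_t now, uint32_t interval_ms)
{
    return (uint32_t)(now - armed_at) >= interval_ms;
}

/* Constructed scenario: a watchdog armed for 60 s shortly before the wrap. */
#define WATCHDOG_MS 60000u

/* Armed 100 s before the wrap and checked 110 s later: the counter has wrapped,
 * the naive deadline has not, so the naive check never fires. Returns 1 if the
 * check fired, 0 if it missed. */
int naive_fires_after_wrap(void)
{
    uint32_t armed_at = UINT32_MAX - 100000u;
    uint32_t deadline = arm_deadline_naive(armed_at, WATCHDOG_MS);
    uint32_t now      = tick_after(armed_at, 110000u);   /* wrapped to 9999 */
    return deadline_reached_naive(now, deadline);
}
int correct_fires_after_wrap(void)
{
    uint32_t armed_at = UINT32_MAX - 100000u;
    uint32_t now      = tick_after(armed_at, 110000u);
    return elapsed_at_least(armed_at, now, WATCHDOG_MS);
}

/* Armed 30 s before the wrap and checked only 10 s later: the deadline itself
 * wrapped to a small number, so the naive check fires 50 s early. */
int naive_fires_early(void)
{
    uint32_t armed_at = UINT32_MAX - 30000u;
    uint32_t deadline = arm_deadline_naive(armed_at, WATCHDOG_MS);
    uint32_t now      = tick_after(armed_at, 10000u);    /* not wrapped yet */
    return deadline_reached_naive(now, deadline);
}
int correct_fires_early(void)
{
    uint32_t armed_at = UINT32_MAX - 30000u;
    uint32_t now      = tick_after(armed_at, 10000u);
    return elapsed_at_least(armed_at, now, WATCHDOG_MS);
}

int main(void)
{
    printf("32-bit ms counter wraps after %.2f days\n", wrap_period_days());
    printf("after wrap:  naive fired=%d  correct fired=%d (want 1)\n",
           naive_fires_after_wrap(), correct_fires_after_wrap());
    printf("before wrap: naive fired=%d  correct fired=%d (want 0)\n",
           naive_fires_early(), correct_fires_early());
    return 0;
}
```

The defensive point is the same whether the counter lives in an OS, a PLC firmware or an HMI: store the time an interval was armed, never an absolute deadline, and compute elapsed time with unsigned modular subtraction. A 30-day reboot schedule only hides the arithmetic error, and, as the comment shows, it fails the first time someone decides the reboot is unnecessary.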
Re:Really? (Score:4, Interesting)
... and by 1997, I was using OLE, ActiveX and IE3 (or was it IE4) on Win NT servers and Win95/98 workstations to create a web interface for serial-attached laboratory equipment: GCs, scales, sensors, automated sample feeds, etc. That was just one component of a rather exhaustive collection of ActiveX-based webpages that handled a big corporation's little high-tech subsidiary's materials tracking, accounting, contract data, quality monitoring and god knows how many other things.
I was never a fan or an expert, but I thought ActiveX was entirely a pretty container designed around OLE functionality. It *was* guaranteed that monitoring and controlling these systems was possible from any browser that could reach the web server.
Ironically, users needed so many ActiveX controls registered with their desktop OS that it was as un-WORA as web code could be. That would have kept any outsider from causing trouble. That, and a near-airgap of a corporate firewall mentality (forget web access... just 3% of users had external email access).
(Ah, the things we sometimes have to do for a paycheck)