US-CERT Warns of Serious Hole In ActiveX Control From Iconics

Trailrunner7 writes "The US's Computer Emergency Response Team (CERT) issued a warning (PDF) to critical infrastructure firms on Wednesday about a serious security hole in products from Massachusetts firm Iconics that could leave critical systems vulnerable to remote attacks. US companies in the electricity, oil and gas, manufacturing and water treatment sectors have been warned about a flaw in an ActiveX control used in two products by Iconics. The software, Genesis32 and BizViz, are Human-Machine Interface (HMI) products that provide a graphical user interface to various types of industrial control systems. The software can control industrial systems used for a variety of purposes including manufacturing, building automation, oil and gas, water and waste water treatment, among other applications."

Controls are a different Beast...

[Rogue974]

I am a Controls Engineer and work with HMI interfaces everyday.

We keep seeing more and more things like this in the controls world. Every few months, we hear, this HMI or this controls software has these vulnerabilities and can be owned this way or that. Properly designed controls systems do not touch the internet or extend beyond the controls world.

Place I work at, we have completely separate hardware then IT. Our own switches, our own computers, etc. We keep everything separate specifically to guard against someone hacking into our system and taking it over. Someone can't sit across the world and hack into our system because it doesn't connect. They would have to penetrate our security perimeter first in order to gain access to our controls system. If they do that, then it doesn't really matter which HMI software we are using, we are owned anyway.

It does scare me when I think about some of the other plants and industries make connections to the intranet for reasons from their controls system and trust that their securities will hold.

WTF?Embedded RealTimeControlSystems, Determinism..

[aaronpeacock]

For the love of God, WHY THE HELL would you EVER EVER EVER EVER EVER EVER consider using ANY product even REMOTELY related to Windows for Industrial Control Systems?????? THIS is not some anti-microsoft rant mind you- its simply that Industrial Control Systems DO NOT USE consumer operating systems but rather HARD REAL TIME OPERATING SYSTEMS. If you do not know what the word "Deterministic" means in relation to Embedded Computing, you should go look it up first. There is a process known as Verification whereby every goddamn functional unit and every goddamn line of code is mathematically proven, is rigorously tested in some kind of Unit Testing Verification Harness software, and you simply would not slap some Windows or even normal Linux on an Industrial Control System. If you have an Industrial Control System using ACTIVEfuckingX you are probably dealing with a developer who is not actually an embedded systems developer, but rather a lazy idiot. Ciao

Re:Controls are a different Beast...

[anchovy_chekov]

You're a very lucky engineer. Back when I was involved in process control - happy days I'm trying to get back to with http://xpca.org/ [xpca.org] - so many engineering depts. were under budgetary and business-political pressure to merge their networks with the corporate network and hand over control of the their systems to the better-budgeted (and more politically savvy) IT departments.

It was madness! Can't control your machinery? Oh, maybe that's because everyone's streaming the Royal Wedding. Too bad.

I think I've told this story here before but the funniest experience was finding a set of cables hidden along an I-beam, asking about it and then getting grabbed by an engineer and told "Ssh! That's *our* network"

Seriously, the industry needs an overhaul. We need to get away from the whole OPC / DCOM / ActiveX craziness before some real disaster happens.

Re:Really?

[Platinumrat]

This is not a suprise to anyone who works in the SCADA industry. For example one leading firm the catch phrase used by the CEO used to be "from Factory Floor to the Boardroom". That phrase pretty much drove the thrust of all development. Nay-sayers were replaced by yes-men where necessary.

Re:WTF?Embedded RealTimeControlSystems, Determinis

[Locutus]

the last year Chief Systems Engineers were included in top level management meeting and relied on to direct the technical direction of products was around 1994. About that time, management was getting comfortable with Microsoft Windows and the semi technical ones or those managing technical staffs were getting gobs of literature all about how Microsoft Windows and Microsoft software could fly them to the moon and back before lunch was over. They were playing with Visual Basic and became expert programmers in their own minds. That is when management started dictating what tools would be used on products and when pressed would tell you that nobody gets fired for choosing Microsoft.

FYI, there was a UNIX based comm system up at LAX which got replaced by a Windows 9x box. When they found out the OS would repeatably crash after 49 days or something like that they solved the problem with a reboot _every_ 30 days. A new guy came onboard, thought hey, things are running fine so why reboot it. CRASH and for about 6 hours LAX has not ground to air nor air to ground communications. Many close calls but no crashes. But the 3fing idiots used a Windows box, Windows 9x even, for a mission critical system. I quit a military contract position when word came down from Command that all UNIX systems would be replaced with Windows. The way I see it, there are idiots making technical choices all around us and until Microsoft fades away, that's not going to change.

I miss the days when the Chief Systems Engineer ran the show and was usually the brightest person in the company and everyone knew it.

LoB

Re:Really?

[ediron2]

... and by 1997, I was using OLE, active-X and IE3 (or was it IE4) on Win NT servers and Win95/98 workstations to create a web interface for serial-attached laboratory equipment: GC's, scales, sensors, automated sample feeds, etc. That was just one component of a rather exhaustive collection of active-x-based webpages that handled a big corporation's little high-tech subsidiary's materials tracking, accounting, contract data, quality monitoring and god knows how many other things.

I was never a fan or an expert, but I thought active-X was entirely a pretty container designed around OLE functionality. It *was* guaranteed that monitoring and controlling these systems was possible from any browser that could reach the web server.

Ironically, users needed so many activex controls registered with their desktop OS that it was as un-WORA as web code could be. That would have kept any outsider from causing trouble. That, and a near-airgap of a corporate firewall mentality (forget web access... just 3% of users had external email access).

(Ah, the things we sometimes have to do for a paycheck)