Become a fan of Slashdot on Facebook

 


Forgot your password?
Close
typodupeerror
×
Security

New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier 119

Posted by Roblimo from the watch-those-centrifuges-spin-out-of-control dept.
From the article: SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier." What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret, at least in part due to pressure from the Department of Homeland Security .
This discussion has been archived. No new comments can be posted.

New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier More

New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier

Comments Filter:

  • Re:Secure the perimeter (Score:5, Informative)

    by Interfacer ( 560564 ) on Tuesday May 24, 2011 @10:10AM (#36227498)

    Not really. The process control is done on real-time controllers, but visualization is usually on windows machines. Data historians, configuration databases, OPC servers, etc are often Windows servers. Add to that that hotfixes and service packs have to be vendor approved before putting them on the live system. This means that those systems often run whatever was approved at the time of installation, which can be years out of date.

    Many SCADA and DCS systems are also horribly insecure, have default or hard coded administrative passwords, etc. What doesn't help is that they are often managed by people who are good at the actual process stuff, but not necessarily at security or system administration.

  • Open Secret (Score:5, Informative)

    by adavies42 ( 746183 ) on Tuesday May 24, 2011 @10:11AM (#36227526)

    I did my master's thesis on SCADA security. tl;dr: there isn't any. We're talking about an industry that uses unencrypted radio links in their control systems....

  • Re:If it did cause an accident... (Score:5, Informative)

    by Svartalf ( 2997 ) on Tuesday May 24, 2011 @10:39AM (#36227854) Homepage

    Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Seimens. Anywhere you've got one of those SCADA systems, you've got a possibility of Stuxnet. It's just that Iran was using them for their process control systems for the enrichment plant.

  • Re:If it did cause an accident... (Score:4, Informative)

    by TubeSteak ( 669689 ) on Tuesday May 24, 2011 @12:50PM (#36229540) Journal

    Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Seimens.

    You might want to do a little more research on the matter.
    Stuxnet's code has been picked apart: the trojan was designed to infect SCADA systems, but only to attack very specific hardware configurations.

    Stuxnet's payload was designed to (1) spin the uranium centrifuges used by Iran at certain known-to-be-destructive RPMs,
    (2) lie to the monitoring software which was supposed to prevent out of bounds conditions and set off alarms if they occur,
    and (3) should 1 & 2 not ruin the centrifuges, Stuxnet would go dormant and reawaken to try (1) and (2) again.

    Stuxnet is completely harmless unless you happen to attach the exact same hardware the Iranians had plugged into their SCADA controllers.
    Just to be very clear: Stuxnet's payload was specifically crafted to attack the known configuration of Iran's uranium centrifuging program

Slashdot Top Deals

He has not acquired a fortune; the fortune has acquired him. -- Bion

Close