New Siemens SCADA Vulnerabilities Kept Secret, Says Schneier 119
From the article: "SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world. Here, the fears multiply. It's not bad guys deleting your files, or getting your personal information and taking out credit cards in your name; it's bad guys spewing chemicals into the atmosphere and dumping raw sewage into waterways. It's Stuxnet: centrifuges spinning out of control and destroying themselves. Never mind how realistic the threat is, it's scarier."
What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret, at least in part due to pressure from the Department of Homeland Security.
Read it before (Score:1)
Re: (Score:3)
Uh oh, this comment looks exactly like this comment. [slashdot.org]
Re: (Score:2)
That was fun! Can we do it again? [slashdot.org]
Re: (Score:3)
Sure! "It's just a jump to the left, and then a step to the riiight..."
Re: (Score:1)
I find the idea (Score:1)
Re: (Score:3)
I'm not so worried about what terrorists might do in a cyber attack, I'm worried about the trolls.
Re: (Score:2)
Yeah, well how would you like incubators for human babies to start spinning out of control and destroying themselves?
Do incubators spin?
Re: (Score:2)
Re: (Score:3, Funny)
Re: (Score:2)
Spinning Incubator Babies would be a really excellent name for a rock band.
Spin, Baby, Spin!
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
We're incubating troll babies?
WAH?
Re: (Score:2)
Yeah, well how would you like incubators for human babies to start spinning out of control and destroying themselves?
Not really an issue here on earth, maybe on a space station it would be a consideration. Or were you thinking of Fetus Harvesters [wikia.com]?
Re: (Score:1)
You all keep on pissing and moaning about Iranian nukes, while part of the new Saudi arms deal is to protect future Saudi nuclear ambitions, which, by the way, also involves Pakistan [google.com] (had to use google cache to get the whole article)
And what did this clown [foreignpolicy.com] ever do to deserve all those medals?
Hyperbole. "Out of control... destroying" (Score:1)
"spinning out of control and destroying themselves"
The image the author creates is of a machine spinning at such velocity it explodes in a shower of fragments. While that makes for great copy, it's hardly what happened. In reality, Stuxnet caused the affected centrifuges to alter their rotational speed by only a few percent, which resulted in lower material rendering in the cascading purification process. This result has several advantages to a "self-destructing" centrifuge. 1) a destroyed centrifuge is an obvious problem which would trigger immediate inves
If it did cause an accident... (Score:4, Insightful)
Seems like Israel and the US are playing a dangerous game here. Say that Stuxnet caused an accident that released radioactive material into the environment...
Re: (Score:3)
Re: (Score:2)
I think he meant in terms of danger to people's lives, not blowback.
Re: (Score:2)
Government officials care only about their own lives and those of their friends and family. That's why we can have wars. Note that the draft exemptions are generally met by the family of anyone who is involved in mandating a draft.
Re: (Score:3, Interesting)
The Japanese nuclear plant in Fukushima ran on Siemens computers that the Stuxnet worm was programmed to infect; in fact the virus was found in Fukushima systems last year.
Makes you wonder why the cooling system wasn't functioning. Maybe the tsunami caused failures which Stuxnet made the reactors unable to handle.
Failures at four other plants in Japan, German and South African reactors shut down.
Using Siemens systems as well?
Re: (Score:3)
Re: (Score:3)
From what I understand, stuxnet was targeting enrichment facilities, which is very different from what Fukushima is.
Re:If it did cause an accident... (Score:5, Informative)
Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Siemens. Anywhere you've got one of those SCADA systems, you've got a possibility of Stuxnet. It's just that Iran was using them for their process control systems for the enrichment plant.
Re:If it did cause an accident... (Score:4, Interesting)
Stuxnet targets a Siemens centrifuge controller that's programmed by an (air-gapped) Windows machine. Unfortunately this same basic pattern repeats itself all over the place.
For any given SCADA system --- regardless of manufacturer --- you're extremely likely to see it connected to a modern PC, typically a windows machine. Even if the Windows machine is just running a terminal program, it's connected.
What Stuxnet showed us is that these Windows boxes are a critical vulnerability, even if they're just an ingredient in the programming chain, even if the box is separated by an air gap. I'm sure Israel/US would have found a way to those centrifuge controllers, but without the Windows infection vector it would have been a whole hell of a lot more difficult.
Re: (Score:2)
Re: (Score:2)
But in all seriousness, the question I would ask is: how many known USB drive infection and privilege escalation vulnerabilities can you download for a 1-year-unpatched* Mac right now? How many can you download for the same Windows machine? In each category, how many have already been weaponized? How many of these can be tied together with widespread malware vectors that will get them near the machine to be infected?
Of course many of the same vulne
Re: (Score:2)
Re:If it did cause an accident... (Score:4, Informative)
Stuxnet doesn't "target" anything other than Windows SCADA systems (which should cause concern when you see those three words together...), notably those from Siemens.
You might want to do a little more research on the matter.
Stuxnet's code has been picked apart: the trojan was designed to infect SCADA systems, but only to attack very specific hardware configurations.
Stuxnet's payload was designed to (1) spin the uranium centrifuges used by Iran at certain known-to-be-destructive RPMs,
(2) lie to the monitoring software which was supposed to prevent out of bounds conditions and set off alarms if they occur,
and (3) should 1 & 2 not ruin the centrifuges, Stuxnet would go dormant and reawaken to try (1) and (2) again.
Stuxnet is completely harmless unless you happen to attach the exact same hardware the Iranians had plugged into their SCADA controllers.
Just to be very clear: Stuxnet's payload was specifically crafted to attack the known configuration of Iran's uranium centrifuging program
Re: (Score:1)
Re: (Score:2)
Most of the oil rigs in the North Sea and the land plants supporting them are programmed using windows XP machines.
Some of the rigs also have HMI systems (800xA by ABB) that run on win2003 servers.
There really are no modern control systems that do not have a Windows component, not if they have the feature-set required by most customers.
It isn't remotely perfect, but the options to avoid it are extremely limited.
Re: (Score:1)
negligible amounts, if any. the real reason why it would end up in atmo would have been the faults of the engineers working at the plant. if you don't know how to build control systems, you shouldn't be building a nuke in the first place.
anyhow, scada networks, because of how practically all of them are designed, should be separated from untrusted networks anyways, and preferably all control going through some bridge that wouldn't pass "wrong" things - better yet, all control should pass through a human - but this
Re: (Score:1)
If there was an accident surely all the danger would be in Iran. Why would Israel and the US be playing a dangerous game?
Re: (Score:1)
On the other hand... (Score:2)
... I can see not publicizing vulnerabilities. We don't, for instance, want our military publicly posting our vulnerabilities. Because, they sure as anything aren't going to ask for public patches. Public disclosure only really works if someone in the public can help. On the other hand, if you are running legacy systems in any number of unknown locations, you can't apply the patches anyways.
We always talk about how bad obfuscation is as a security vector. However, it is a vector. Knowledge of a thing
Re: (Score:2)
Jus in Bello.
In the event that a cyber attack did cause collateral damage (unlikely, in this case, but maybe not for future ones), whomever is pressing the launch button better be in uniform.
Why? Military operations against actual targets are legitimate acts of military aggression. The Laws of Armed Conflict (LOAC) are the legal basis for determining whether an act is legitimate act or a war crime.
This is why we don't prosecute fighter pilots for targeting a bus with a JDAM, that is known to be carrying Al
Re: (Score:2)
Civilian casualties are regrettable, but kinetic operations are not going to be shelved on that basis alone.
Wow, that's cold.
It's easy for you to say that when it's not your wife and children on that bus. If they were, you might have a different view on whether or not merely being a uniformed cog in an industrial death machine should allow "regrettable" murders to be shrugged off as if they were heavy rainfall.
Funny thing is, I thought I was taught in high school that the "can't prosecute me, I was just following orders, sir" defence was smashed apart at Nuremberg. Apparently that wasn't the case?
Sometimes a SCADA hack is a good thing (Score:3, Funny)
How do you think Reese's initially got chocolate in their peanut butter?
NO!!!!! (Score:3)
Re: (Score:2)
Call me naive or something, but... (Score:3)
...simply good old network security with hardened OSes (Linux, BSD, OS X), with all other services seriously turned off, and firewalls and proxies with filtering won't do the trick?
Who is running industrial systems with direct contact with Internet anyway?
Re: (Score:1)
...simply good old network security with hardened OSes (Linux, BSD, OS X), with all other services seriously turned off, and firewalls and proxies with filtering won't do the trick?
Who is running industrial systems with direct contact with Internet anyway?
Stuxnet infected the Iranian nuclear plant through USB.
Re: (Score:2)
And the excuse for sticking in USB drives without a security protocol (can't execute stuff from USB drives) is...? Still similarly stupid to connecting boxes to the Internet.
Re:Call me naive or something, but... (Score:5, Insightful)
I'm not sure it would have done much good. The general consensus of opinion is that this was a case of a determined attacker with a lot of resources, not some nutter on the Internet with a copy of the latest Virus Generator Toolkit (TM).
How much weight we should give that opinion is something I'm not going to discuss.
In any case, you think a determined attacker is going to be put off by a small thing like that? Hell, if it boils down to it you either organise double agents to apply for jobs at the target site or you target someone who already works there with a brown envelope full of unmarked, non-sequential notes. The latter is high risk, but find the right person, someone who's in debt up to their eyeballs and has been keeping it from their family for some time perhaps, and away you go.
Re: (Score:2)
Re: (Score:3)
Many systems are remotely accessible, just not over the internet, and no one thought that heavy security would be needed. Even though those networks were getting compromised back in the 60's.
Just pulling the cable when remote access isn't needed is a highly effective, and often neglected, security practice.
Re: (Score:2)
no one thought that heavy security would be needed
Who is this imaginary "no one", that never thinks anything could go wrong? I and all my friends who grew up watching "War Games" are always thinking about how things could go wrong.
It always seemed to me that what "no one" is thinking is not that bad things can happen, but "I'll put in just enough security so that the failure won't happen until after I retire."
Re: (Score:2)
Why would you need heavy security for something that is air-gapped? If the Bad Guys (TM) get physical access you've lost anyway! We didn't even require passwords for access, because the keyboard was locked in the control cabinet. The only time it was networked was when someone hooked up a modem so it could be remotely debugged or upgraded. After which the modem was disconnected.
Re: (Score:3)
Just pulling the cable when remote access isn't needed is a highly effective, and often neglected, security practice.
I tried that, but my screen went black.
UR doin it rong! (Score:2)
Pull the other cable.
Not that one! You'll go blind!
Re: (Score:1)
Re: (Score:1)
I'd imagine it would be because the company that makes the machines that you're controlling only make drivers and control software for their own special computer systems that you have to buy from them. The advantage there is that if any part of the system goes wrong, from computer to end product, you have a single point of contact to get support from.
I think the mistake that many people on /. make is thinking that everyone is a 'computer guy', where in reality the people running these computers just know h
Re: (Score:1)
Re: (Score:2)
Who is running industrial systems with direct contact with Internet anyway?
Here's a thought, why does it matter? So far there has been only one demonstrated attack on a SCADA system, and that attack didn't use the internet as its vector.
SCADA systems benefit greatly from being connected to the world, but not directly. There should be many tiers of security both virtual and physical. It is the physical security here that was lacking. The best airgap in the network doesn't help you if one of your underlings plugs an infected USB stick into a machine on the process control network.
Secure the perimeter (Score:1)
I would leave an exposed SCADA interface in the open; after Stuxnet it should be clear that securing SCADA interfaces should be done on a higher level, by putting it in a different VPN etc.
Whether the vulnerabilities are public or not doesn't change the fact that a given setup is secure or insecure by design...
Re: (Score:3)
Now imagine the scenario where you have windows machines on the same network as your SCADA devices because the tools you've bought or built work this way. Someone attaches an unauthorized device to your network and fail, fail.
Now, I think we can probably agree that you can and should take steps to prevent something like that from happening, but there is the issue of getting from point A, where your network is insecure, to point B, which requires at least buying or developing a whole bunch of new software. T
Re: (Score:2)
Now imagine the scenario where you have windows machines on the same network as your SCADA devices because the tools you've bought or built work this way. Someone attaches an unauthorized device to your network and fail, fail.
Aren't those development tools rather than run-time tools? If so, isolate your system and get serious about how you allow stuff to be moved over to it.
Re:Secure the perimeter (Score:5, Informative)
Not really. The process control is done on real-time controllers, but visualization is usually on windows machines. Data historians, configuration databases, OPC servers, etc are often Windows servers. Add to that that hotfixes and service packs have to be vendor approved before putting them on the live system. This means that those systems often run whatever was approved at the time of installation, which can be years out of date.
Many SCADA and DCS systems are also horribly insecure, have default or hard coded administrative passwords, etc. What doesn't help is that they are often managed by people who are good at the actual process stuff, but not necessarily at security or system administration.
Show that things are a-ok on the comfy VB forms (Score:2)
Duh? (Score:2)
What worries Bruce Schneier most is that industry leader Siemens is keeping its SCADA vulnerabilities secret
If you want to prevent the bad guys from exploiting a vulnerability, then don't... um... tell them about the vulnerability? But do tell the affected parties about it.
Re: (Score:1)
Yeah, security by obscurity. That works great. Keeps the world safe.
Re:Duh? (Score:5, Insightful)
or fix it, that works really well too.
Re:Duh? (Score:5, Insightful)
That is exactly what will not happen.
The ones who should tell their Customers about the problem is Siemens. But they will play the problem down because it might affect the sales of the next batch of stuff.
The evil hacker will just buy a bunch of systems, analyze it and find the vulnerabilities. This is completely independent of the disclosure. Stuxnet was developed before this disclosure and I think the vulnerabilities used by Stuxnet are still there.
This is why security by obscurity does not work in the real world.
Re: (Score:2)
Most definitely. Comments about someone not being able to afford to buy the devices not withstanding, it is very much what someone would do if they were to attack a system or come up with a new Stux
Re: (Score:2)
Re: (Score:2)
That is exactly what will not happen.
The ones who should tell their Customers about the problem is Siemens. But they will play the problem down because it might affect the sales of the next batch of stuff.
Speaking of the real world, this is something that doesn't happen with a typical control systems vendor. Your typical vendor releases pages of errata. Your typical vendor knows what you have purchased, and your typical vendor typically comes running in with a fix, be it hardware or software, or a temporary workaround while they are coming up with the fix.
This has happened to us on many occasions. In one instance, a certain series of commands issued on the display graphic would cause an alarm manager to stop responding.
Re: (Score:2)
If you want to prevent the bad guys from exploiting a vulnerability, then don't... um... tell them about the vulnerability? But do tell the affected parties about it.
I think nuclear power plants and the like warrant something a bit more than security through obscurity...
Re: (Score:2)
Re: (Score:2)
That's specifically not what they're doing...telling the affected people about it. They're keeping that information to themselves- because it might reveal the exploits in question. As for not disclosing because the bad-guys might figure it out...heh...keep fooling yourselves folks. The bad-guys almost always KNOW about them- it's why they call 'em "0-dayz".
DHS probably wants the security holes (Score:4, Insightful)
Actually it's probably the CIA, NSA and other TLAs that truly want the security holes. They're just using the DHS as the mouthpiece to convince the companies to keep quiet and not plug the holes. After all, without those holes, Stuxnet (and likely other worms/viruses/trojans) wouldn't be as effective as they apparently have been.
Re:DHS probably wants the security holes (Score:5, Insightful)
If all SCADA systems become deeply vulnerable, who loses more? Industrial or post-industrial societies with high levels of complexity that could be on the edge of collapse with a few days of supply chain disruption, or the dusty low-GDP countries of the world where disenfranchised hackers, cheap laptops(and/or exploits provided by friendly powers using them as proxies) are still easily available?
Re: (Score:2)
So what the TLAs want isn't always their intended purpose.
Re: (Score:2)
If the CIA etc really wanted to infect these things, why wouldn't they just infect the machines at the factory then use a front company to sell them to Iran or whoever on the cheap.
I remember seeing a JAG episode once where the spooks deliberately allowed some bad guys to steal an F-14 and extract its control software (knowing that the software was to be given to Iran for an upgrade of its F-14s and knowing that the software was deliberately defective) and I see no reason it couldn't happen in the real world.
Re: (Score:2)
Didn't the CIA do something like this to the USSR concerning oil pipeline control software?
Responsible Disclosure (Score:3)
Last I checked, 'responsible disclosure' meant giving the company time to fix the vulnerabilities before you released the info to the public.
Am I missing the part where we've gone beyond that point?
Re: (Score:1)
So the companies stalled and never fixed the vulnerabilities, tried to sue the researchers, etc.
Responsible disclosure came to mean giving the company a set amount of time to fix the vulnerabilities before you released the info to the public.
So the companies kept threatening researchers, called the grace period "extortion" and such, stalled for more time to "test", and didn't fix the
Perfect example (Score:1)
Sounds like exactly the sort of thing Wikileaks exists for.
Lifetime of a bug/hole (Score:2)
A hole's or bug's lifetime is forever. If you find a bug or a hole, and you choose to ignore it, it will not go away. It will be there waiting for its moment to ruin your morning. Maybe bugs/holes are not as important as people dedicated to the racketeer industry think. So if you can't fix them in the morning, you can fix them after tea, as long as you fix them today.
Open Secret (Score:5, Informative)
I did my master's thesis on SCADA security. tl;dr: there isn't any. We're talking about an industry that uses unencrypted radio links in their control systems....
Re: (Score:1)
Re: (Score:2)
Re: (Score:3)
Heh... They're "thinking" about using crypto on things like the radio links. They're "concerned" about things like "latency" (Here's a hint, if you're worried about injecting 1-2 characters' worth of transmission time delay at 9600 baud, you're doing it wrong.) so the industry's been reticent at trying to at least lock down some aspects of the remote links. Biggest problem is the downtime of some systems in addition to the overall expense of things while they retrofit to higher data rates, end-to-end
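To put a number on the latency argument above, here is an added example (not code from the thread or from any SCADA vendor) that authenticates a telemetry frame with a sequence counter and a truncated HMAC, rejects tampered and replayed frames, and computes the extra on-air time the overhead costs at 9600 baud; the frame layout, key, tag length and 10-bits-per-character framing are assumptions.

```python
import hmac
import hashlib
import struct

# Assumed link parameters (constructed for this example, not from the thread).
BAUD = 9600
BITS_PER_CHAR = 10   # 8 data bits + start + stop bit, no parity
SEQ_LEN = 4          # 32-bit monotonically increasing counter, big-endian
TAG_LEN = 8          # HMAC-SHA256 truncated to 8 bytes


def char_time_ms(baud=BAUD, bits=BITS_PER_CHAR):
    """On-air time for one character, in milliseconds (~1.04 ms at 9600 baud)."""
    return 1000.0 * bits / baud


def added_latency_ms(overhead_bytes, baud=BAUD):
    """Extra transmission delay caused by overhead_bytes of authentication framing."""
    return overhead_bytes * char_time_ms(baud)


def build_frame(key, seq, payload):
    """Frame = seq || payload || tag, where tag = HMAC(key, seq || payload)[:TAG_LEN]."""
    header = struct.pack(">I", seq)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
    return header + payload + tag


class Receiver:
    """Verifies the tag first, then enforces a strictly increasing counter."""

    def __init__(self, key):
        self.key = key
        self.last_seq = -1  # nothing accepted yet, so seq 0 is valid

    def accept(self, frame):
        """Return (payload, 'ok') or (None, reason) for short/tampered/replayed frames."""
        if len(frame) < SEQ_LEN + TAG_LEN:
            return None, "short"
        header = frame[:SEQ_LEN]
        payload = frame[SEQ_LEN:-TAG_LEN]
        tag = frame[-TAG_LEN:]
        expected = hmac.new(self.key, header + payload, hashlib.sha256).digest()[:TAG_LEN]
        # Constant-time comparison; an attacker who can flip bits on the air must not
        # learn anything from how long verification takes.
        if not hmac.compare_digest(tag, expected):
            return None, "bad_tag"
        seq = struct.unpack(">I", header)[0]
        if seq <= self.last_seq:
            return None, "replay"
        self.last_seq = seq
        return payload, "ok"


if __name__ == "__main__":
    key = b"constructed-demo-key"          # placeholder, not a real deployment key
    rx = Receiver(key)
    frame = build_frame(key, 1, b"SET VALVE 7 OPEN")  # constructed command
    print(rx.accept(frame))                 # (b'SET VALVE 7 OPEN', 'ok')
    print(rx.accept(frame))                 # (None, 'replay')
    tampered = bytearray(frame)
    tampered[6] ^= 0x01                     # flip a payload bit on the air
    print(Receiver(key).accept(bytes(tampered)))  # (None, 'bad_tag')
    print("overhead latency: %.1f ms" % added_latency_ms(SEQ_LEN + TAG_LEN))
```

Twelve bytes of counter plus tag cost about 12.5 ms of air time at 9600 baud, which is the scale of delay the poster is dismissing as a non-issue for control-loop timing.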
Re: (Score:1)
Wait a second. Unencrypted *radio* links? Seriously? I sure hope it's for controlling the ice cream and chocolate factories of the world and not something important.
Re: (Score:1)
Master's Thesis on SCADA Sec? Really? Published anywhere?
SCADA security isn't. I'm sorry but it's true. And the entire "security industry" is talking just like all the slashtards commenting.
Doing security right in this environment is non-trivial. The SCADA/ICS vendor community isn't providing it because SCADA/ICS customers aren't asking for it. The downside of course is that the SCADA/ICS customer is NOT the individual who is going to suffer when the screwups happen. The SCADA/ICS vendors and customers hav
Re: (Score:2)
Master's Thesis on SCADA Sec? Really?
Yes, the cite would be something like
Published anywhere?
Astonishingly, yes, at least if you count ProQuest [umi.com]. Not that I'd bother reading it (or at least anything but the background material) if I were you--it was basically about hooking up a SCADA emulator to Snort and an alert correlator to make a testbed you could deploy potential attacks against to see if your filter configuration worked. I have no idea if
Re: (Score:2)
Long ago, I worked as an IT admin for a grocery company that owned its own bakery, ice cream, drink, etc plant. The "industrial control systems" I saw in use were the worst engineered pieces of junk I've ever encountered. I am talking unpatched Windows 95 systems running a crappy VB 4 UI, that talked to a poorly written VxD to control the ice cream mixer, which was a massive piece of equipment that could easily kill someone standing too close to it.
I just got one of those TI $4 embedded development kits an
Re: (Score:2)
There's no practical way to defend the embedded system from the device which programs it. So while it's true that the tools used to program embedded systems are often primitive, it has little to do with attacking them.
IIRC, th
Re: (Score:2)
As the person on site somewhat responsible for managing encryption keys for wireless telemetry and wireless process control systems on my site I call bullshit. Either that or you did your thesis in the 80s oldtimer.
computer systems that control the real world? (Score:2)
"SCADA systems -- computer systems that control industrial processes -- are one of the ways a computer hack can directly affect the real world".
Only if you connect the SCADA systems directly to the Internet and run them on top of Windows [wired.com]. Instead of running them behind a secure VPN connection running on embedded hardware.
Re: (Score:2)
The problem with such systems is that they can be 'infected' through the programming platform. In the case of Stuxnet [wikipedia.org] it was the PCs used to program the PLCs that were infected. And one of the vectors of infection was the use of infected USB flash drives on these (Windows) systems. Programming PLCs is often done through a direct cable connection, so while keeping industrial control systems off 'The Internet' may be a good idea, it isn't sufficient to prevent such an attack.
Re: (Score:2)
These types of attacks should happen regardless of the OS.
These are specifically targeted attacks; they mainly take advantage of human trust.
And yes, the SCADA systems need to be isolated, and then need to only allow access from specific machines.
OTOH, that level of security is expensive, and for some reason everyone thinks infrastructure programs don't cost money, and all money the government gets is 'waste'.
They should keep them secret (Score:2)
there should also be strict government oversight to ensure the vulnerabilities are being fixed.
Re: (Score:2)
there should also be strict government oversight to ensure the vulnerabilities are being fixed.
... And that the fixes don't make it to other governments. See: VUPEN's alleged Chrome exploit.
VUPEN released a video of the exploit in action to demonstrate a drive-by download attack that successfully launches the calculator app without any user action.
VUPEN, which sells vulnerability and exploit information to business and government customers, does not plan to provide technical details of the attack to anyone, including Google.
Guess it depends on who you think the "bad guys" are. I say, show the world and let the good 'n malicious duke it out -- hint: Bug fixes are often easier to code than full exploits.
Call Jack Bauer (Score:1)
More information about the reported weaknesses (Score:1)
Re: (Score:2)
Seeing as you're the only one commenting on this, and I can't see it either, it's probably YOU that's infected, or you clicked something you didn't mean to.
Hell, there aren't even any banner ads on that page at all.