
Siemens SCADA Flaws To Be Disclosed At Black Hat

Posted by timothy
from the infra-infrastructure dept.
itwbennett writes "In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. Now NSS Labs CEO Rick Moy says Beresford is rescheduled to deliver his talk at Black Hat, which runs Aug. 2-3. Beresford has discovered six vulnerabilities in the S7 that 'allow an attacker to have complete control of the device,' Moy said. Devices like the S7 do things such as control how fast a turbine spins or open gates on dams."
  • Hmm... (Score:4, Funny)

    by fuzzyfuzzyfungus (1223518) on Tuesday June 07, 2011 @07:17AM (#36361012) Journal
    Does Mr. Beresford realize that, in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?

    Make sure that Lord Humongous owes you some favors before Blackhat rolls around, everyone!
    • by dintech (998802)

      pasty computer experts are relegated to the status of "slave"

      How is that different from now? Now get on with it, those pyramids aka 'code releases' aren't going to build themselves.

      psychotic warlords wearing football/BDSM themed armor

      You know, there was this one boss I was always suspicious about...

    • by couchslug (175151)

      "in the blasted wasteland that follows the fall of industrial civilization, pasty computer experts are relegated to the status of "slave" or "food source" by psychotic warlords wearing football/BDSM themed armor?"

      I, for one, find the idea vaguely arousing.

    • by PPH (736903)

      Sounds like a typical day at the office.

  • ... or open gates... (Score:4, Interesting)

    by c0lo (1497653) on Tuesday June 07, 2011 @07:17AM (#36361016)

    Devices like the S7 do things such as control how fast a turbine spins or open gates of doom.

    FTFY

    • by fuzzyfuzzyfungus (1223518) on Tuesday June 07, 2011 @07:21AM (#36361040) Journal
      The various fissures of Mt. Doom are SCADA controlled; but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.
      • In Mordor, Token Ring of Power controls You!
      • but the consequences of merely possessing one of the interface controllers needed to communicate on the.. er.. somewhat sinister legacy ring bus that Sauron uses are so horrific that security through obscurity has proven more than adequate.

        Is that Tolkien Ring?

  • I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?
    • I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?

      Well, if you start hearing mysterious voices, you know that before seeing a psychiatrist, you might first want to check your hearing aid.

      • No, they'll just reboot your brain by applying a type of external EMF, called electro-convulsive therapy. After a few reboots, you'll come to understand that the overlord's messages to you are for you and only you, if he wants someone else to know the message or even of his existence, he'll tell them.

    • by munozdj (1787326)
      I think you need another special kind of help
    • If you suddenly hear Never Gonna Give You Up playing in your head, you know they've been pwned.

    • by arth1 (260657)

      I have Siemens hearing aids... does that mean someone is going to hack my head through the aids' wireless (used mostly to communicate between the two)?

      What do you mean "is going to"? That you posted exactly what I wanted you to is proof that the hack already works.

  • by c0lo (1497653) on Tuesday June 07, 2011 @07:23AM (#36361054)

    NSS Labs expects Siemens to issue a patch in the next few weeks, well ahead of the August presentation. "They didn't give any firm timelines," he said. "They said unofficially that they were pretty confident that they'll be able to get their stuff out before then."

    Beresford wasn't impressed with that comment. [...]. "Now that they're trying to minimize the impact and do PR damage control, I feel that they're not servicing the public's interest," he said. "I'm not pleased with their response... They didn't provide enough information to the public."

    What if Siemens' confidence evaporates and, come August, some of these vulns are not yet patched? Will they allow the presentation?

    • by arth1 (260657)

      Allow? Why would or should they have a say?
      It's in the interest of We, the People, to learn this, so we can take the necessary precautions. It's far more dangerous if we have a false sense of security.
      Our potential future adversaries are bound to study these devices now, in order to find flaws. And they won't let us know. How many severe faults have they found already?

      Yes, reactionaries are going to say that it's in the interest of national security to keep this under a lid, but in reality, that's the m

      • by c0lo (1497653)

        Allow? Why would or should they have a say?

        I agree. However, there is a question missing from your list: why did they have a say?

        In May, NSS Labs Researcher Dillon Beresford pulled out of a Dallas hacking conference at the last minute when Siemens was unable to fix problems he'd found in the firmware of its S7 programmable logic controller. After consulting with Siemens and the U.S. Department of Homeland security, NSS decided that it was simply too dangerous to go public with its information before a patch could be fully developed.

        • Siemens didn't have a say. If you actually read the quotation, you'll note that NSS Labs decided the information was too dangerous to present. Siemens saying "We've not patched it yet! We'll be OMGPOWNIES if you tell everyone!" affected their decision, but it doesn't seem they were strong-armed by Siemens.

          If anything, I'd say it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact pe
          • by c0lo (1497653)

            Siemens didn't have a say. If you actually read the quotation, ...

            If you actually read my post, you'll note that I didn't say "will Siemens allow the presentation" but "will they allow the presentation". I was thinking of the same DHS.

          • it would be more likely the DHS muscled NSS out of the conference, if there was any of that kind of play involved. If not, then they did what any reasonable researcher, and in fact person, should do: assess the danger to society caused by withholding the information against the damage done by releasing it.

            This kind of information should always be released. The problem is that people in the DHS think the movie "War Games" is a documentary.

            The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember stuxnet, everyone seems to agree that it was the work

            • by dkf (304284)

              The real danger is not a random script kiddie connecting to the system to play games. Danger comes from people who have inside knowledge of the system, people who know things like network addresses, which machine does what. There's no way to be obscure here, because the enemy already knows what he needs to enter. Remember stuxnet, everyone seems to agree that it was the work of experts.

              The real problem is that security by obscurity does work, but only for a little while. As soon as someone inside blows the whistle, or someone outside just stumbles over the secret, the security from the obscurity is gone. Anything protected by just obscurity will appear to be nice and secure, but will not be secure at all, and the people who want it secured won't know the difference until it's too late. Real effective security is in depth. Obscurity can be used in the mix, but may only ever be a small

              • by cusco (717999)
                Doesn't need to be from someone inside, most of these types of devices, including access control panels, DVRs, PLCs, alarm panels, fire panels, and the like communicate on their own specific port. I can go into any large company, plug into a random network port in a random meeting room, scan the local subnets and figure out 1) what access control program they use, 2) what the address of the local ISC (intelligent system controller) is, 3) what the address of the local DVR/NVR is, 4) what the address of the
              • Security through obscurity, you say that like the backdoors weren't put there on purpose.

            • by The Moof (859402)
              Responsible full disclosure is a good thing. However, based on the "control how fast a turbine spins" part of the summary, this sounds like the type of software that needs to have rigorous testing and regulations enforced before pushing out to the public. Siemens was notified of the vulnerabilities on May 8th. 3 months might not be enough time to fix, test, and deploy the new firmware (not to mention the testing on the deployment side).

              I'm all for full disclosure, but this still seems too soon. Then a
              • by cusco (717999)
                Siemens PLCs also run a LOT of medical equipment, and the testing program for that stuff can stretch into (literally) years. What's a "reasonable amount of time" for a device that can control a baby incubator or MRI?
            • by jd (1658)

              Based on the Sony experience and the fact that the lab Manning was working on had passwords to secure accounts stuck on the monitors, War Games *WAS* a documentary...

          • Fsck society! What's it really done for us lately?
        • by nedlohs (1335013)

          Because the researcher in question agreed with them.

      • The question then becomes "Whose National Security?" as these controllers are deployed around the world.

      • Allow? Why would or should they have a say? It's in the interest of We, the People, to learn this, so we can take the necessary precautions.

        I'm all for Us having more information, but it's also in Our best interest to fix things before we disclose those types of vulnerabilities. Who exactly do you think is going to take the "necessary precautions"? The manufacturer is the best party to fix the problems, so why release the information into the open before then? Your logic doesn't make sense. If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?

        • by arth1 (260657)

          Who exactly do you think is going to take the "necessary precautions"?

          Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited.
          They won't, because there is no one demanding it from them. Disclosure would force their hands.

          If you went on vacation and your house was unlocked and I knew about it, wouldn't you appreciate it if I let you secure the doors before I tell the public?

          I would appreciate it if you told my neighbours and the police, which would make it a public record.
          I would definitely not appreciate it if I learned that you knew about it, and I had a burglar visit before I came home because you decided to not tell anyone until I could do something

          • Who exactly do you think is going to take the "necessary precautions"?

            Whoever is in charge of a dam with one of these faulty devices should take every step necessary to prevent it from being exploited. They won't, because there is no one demanding it from them. Disclosure would force their hands.

            The operators of equipment using the controllers can't do anything about it. Siemens has to fix the issues, and fixes like these take time. It's not as simple as applying an OS update. That seems to be something people aren't realizing.

            • by arth1 (260657)

              The operators of equipment using the controllers can't do anything about it

              They can, and they should. For example, they can limit the access to the devices, or the protocols that have problems, or disable parts that are vulnerable. And plan for what to do if they all fail.

              Knowing how and why they can fail would help, but Siemens and DHS don't want to tell. Siemens because they naturally want to hush it up, and DHS because they don't realise that they only succeed in keeping the info from those who need it - those with an interest in finding out WILL find out, and now have a res

              • So instead of waiting for a fix from Siemens before the exploit is revealed, owners should now reconfigure their access to the devices and waste money doing so when they could just wait? And who said no-one is taking precautions? You're assuming Siemens is trying to censor the exploits and not deliver a fix. You're also assuming those with an interest don't already know the exploit, and that merely knowing a vulnerability exists means they will figure it out faster than if it was made public.
      • I've been glancing at the S7-1200n easy book and you have to realize this thing has 1 or 2 MB of retentive memory, its basic idea of digital networking is RS485/RS232 serial lines, ethernet even seems to be an add-on. I'm not sure the concept of security can be applied to a device so simple, I would be surprised if the vectors of attack weren't almost exclusively through Windows computers used for running HMI programs. No matter what you do if your firewalls are letting machines talk promiscuously to oth

    • What if Siemens' confidence evaporates and, come August, some of these vulns are not yet patched? Will they allow the presentation?

      Who is they? If you mean the conference, well then they wouldn't exactly deserve the title "Black Hat", would they?

      • by c0lo (1497653)

        Who is they?

        DHS, who else?

        • by jd (1658)

          Certainly it is possible DHS could try and stop the talk. IIRC, US authorities acted against a Russian who broke Adobe Acrobat security and gave a talk at Defcon. Whilst, understandably, copyright laws are a higher priority than national security for the government, it is entirely possible that similar action might be threatened should it look likely the talk would go ahead prior to a fix being distributed. And even then, you never know.

          On the other hand, the talk can't be delayed forever. Not necessarily b

    • At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.

      It isn't as though white hats have anything like a monopoly on security/penetration expertise in this world, and the word is already out about what device the vulnerabilities are in, and(since they are working on a new patch) that it exists in the latest available patch level. Presumably, any blackhats who care about access to such devices are
      • by c0lo (1497653)

        At some point, unless Siemens has a very nasty legal trump card of some sort, they are going to have to adopt the "fuck it, better that the admins know." approach.

        Tell this to DHS! Do you expect a rational reaction? (even now, reading Wikileaks put one's security clearance prospects under question - no matter the whole world reads the Cablegate, DHS seems to need uninformed employees. Err... pardon... on a "need to know basis").

      • by Serpents (1831432)

        but the noobs will hopefully never make it past the gates, and the spammers are unlikely to have an economic incentive to compromise something that makes a lousy bot.

        I think the noobs are not going for such relatively sophisticated/uncommon systems like PLCs and would rather try to "read your e-mail" instead or get their hands on some sensitive data/information to show off.

    • Doing security patches on embedded systems takes a lot of time. The code could be running from ROM chips that must be physically replaced, and the code must be audited to ensure no bugs or new security issues - and you might not have a list of who has your device (they might not know either). When your code runs the flood gates on a major dam you must be very sure it works properly.
  • fearmongering? (Score:2, Informative)

    by Anonymous Coward

    I've worked with Siemens' S7 and SiMotion systems, and i've never seen a single company attach them to a large computer network inside their company.
    The only ways to reprogram S7 or SiMotion is by either connecting to an ethernet / profinet connection the machines are on, or by acquiring physical access and establishing a serial connection.

    • In any control system there's data that needs to be analyzed. Someone has to transfer telemetry from the control system to an engineer's workstation. Today this is normally done by an USB stick, if there's no direct network connection, and that's the weak point.

      I believe a secure network connection is better than the "sneakernet" approach. It's better to have a good firewall allowing only a limited set of ports than to let people plug things into the computers.

      Another good approach would be to transfer the

      • If one is feeling really serious, the so-called "data diode" devices can be used to ensure that the data to be analyzed goes out and nothing goes back in. Since they are sort of a niche market, and the problem of making anything remotely resembling a normal network protocol work unidirectionally is a bit tricky, such hardware is Not Cheap; but neither is having hackers all up in your centrifuges...
        • by c0lo (1497653)

          If one is feeling really serious, the so-called "data diode" devices can be used to ensure that the data to be analyzed goes out and nothing goes back in... such hardware is Not Cheap

          I have some WOM [wikipedia.org] with high FINO [wikipedia.org] rates, that I can provide quite cheap. Are they interested?

          • The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap. When you factor in the cost per hour of downtime (or the risk) of anything of significance (oil refineries, water/waste water, electrical power generation, etc.) it is nothing short of staggering. When you factor in startup time from interrupted process, it can hit stratospheric heights in no time.

            Seriously. The last facility where I was working at an interruption to process had a downtime cost of $5M/hour

            • by c0lo (1497653)

              The cost of ICS (Industrial Control Systems) and IA (Industrial Automation) equipment is never cheap.

              If you are a Plant Manager, buying 10 whatsits for $10K a piece isn't a rounding error in your operations budget if your MTBF was reduced by 1% as a result.

              Humor sense is in short supply these days.

              The whatsits you mention (and construct your case against cheapness) are: "Write Only Memory" (guaranteed security, nobody can read them) with a high "First In Never Out" rate (performance matched only by /dev/null).

              • I was referring more to EAL7 Interactive Link Data Diodes (IL-DD) as the "whatsits", but products meeting that Common Criteria spec are mind-farking expensive.

                Doesn't really matter, as Stuxnet showed, sneakernet is still effective as an injection vector. What really matters is having solid incident response, disaster recovery and business continuity plans.

        • by thegarbz (1787294)

          such hardware is Not Cheap;

          The cost of such devices often constitutes no more than a rounding error in the case where a SCADA system is critical enough to require online monitoring.

          Unfortunately logic is lost on some people. I remember arguing that ADSL was not the right technology for communicating with an RTU for a transfer pump once. The IT boys kept saying that ADSL is $80/month for a business line and SHDSL was $4000/month. They were completely oblivious to the fact that for every hour the pump doesn't run we lose $80000.

          Cost of

      • What about a physically one-way data connection? That is, it is enforced by hardware that information flows only one way? (Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).

        • by mangu (126918)

          The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.

          • by vlm (69642)

            The simplest way would be an RS-232 line with only the ground and transmit data wires connected. Unfortunately, no one seems to have something like this.

            Oh come on, wire cutters / diagonal cutters and some heat shrink tubing later... Or you can needle nose pliers to remove the, uh, male part of the connector.

            The expensive way is to buy a managed ethernet switch (not a dumb switch) and set up port mirroring or whatever (tm) (c) name they have for the protocol analyzer port feature where you only get to see not touch the traffic.

            The cheap way, is buy a slightly dumber switch, force the port to 10 megs, cut open the ethernet cable, and clip the pair going the

            • by mangu (126918)

              Yes, there are many ways to do it, but the problem is the software.

              I use one system where I work in which the operating procedures are implemented, no kidding, in Excel spreadsheets. Worse still, the console workstations don't have Excel installed. The engineers have to develop the procedures on their desktop computers and then copy the .xls files to the workstations. The two different parts of the system don't mix, each needs a parallel port dongle and both cannot be installed on the same computer.

              The only

            • by Nethead (1563)

              10 megs used separate pairs for each direction, more modern modulation methods or whatever use all the pairs both ways.

              Some nits picked:

              a) Original 10Mb/s was 10base5 or 10base2 which used a single coaxial cable, effectively "one pair". 10baseT uses two pairs.

              b) 100baseT (Fast Ethernet), like 10baseT, uses one pair in each direction. It's where you get into 1000baseT that really trick shit is going on with 5 different voltages over all four pairs.

              c) IP (TCP/ICMP/UDP) requires bidirectional flow for handsha
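The bidirectional-handshake problem Nethead raises in point c), and the one-way RS-232 and cut-pair ideas above it, come down to one constraint: whatever crosses a send-only link has to be self-validating, because the receiver can never ask for a retransmission. The Python below is an added example written for this page, not code from any poster, from Siemens or from any data-diode vendor; the frame layout, the tag names and the simulated drop and corruption are all constructed. It shows a sender that stamps each telemetry datagram with a sequence number and a CRC32, and a receiver that reports exactly which readings it did not get intact, so the historian records a gap instead of silently stale data.

```python
import struct
import zlib

# Frame layout (constructed for this example, not any vendor's format):
#   uint32 sequence number | uint32 payload length | payload | uint32 CRC32
HEADER = struct.Struct("!II")
TRAILER = struct.Struct("!I")


def encode_frame(seq, payload):
    """Build one self-describing datagram for the send-only side.

    The sender never hears back, so every frame carries what the receiver
    needs to validate it on its own: a sequence number to expose gaps and a
    CRC32 to expose corruption."""
    body = HEADER.pack(seq, len(payload)) + payload
    return body + TRAILER.pack(zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame):
    """Return (seq, payload), or None if the frame fails its integrity checks."""
    if len(frame) < HEADER.size + TRAILER.size:
        return None
    body, (crc,) = frame[:-TRAILER.size], TRAILER.unpack(frame[-TRAILER.size:])
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    if len(payload) != length:
        return None
    return seq, payload


class OneWayReceiver:
    """Consumes frames in arrival order and accounts for what never arrived.

    With no reverse channel there is no retransmission request; the best the
    receiver can do is record the gap so the historian knows the data is
    incomplete rather than silently stale."""

    def __init__(self):
        self.expected = 0     # next sequence number we hope to see
        self.records = []     # payloads that arrived intact, in order
        self.missing = []     # sequence numbers for which no intact frame arrived
        self.corrupt = 0      # frames rejected by the CRC/length check

    def feed(self, frame):
        decoded = decode_frame(frame)
        if decoded is None:
            self.corrupt += 1
            return
        seq, payload = decoded
        if seq > self.expected:
            self.missing.extend(range(self.expected, seq))
        self.expected = max(self.expected, seq + 1)
        self.records.append(payload.decode("ascii"))


def simulate(readings, drop=(), corrupt=()):
    """Push constructed telemetry through a lossy one-way link.

    `drop` and `corrupt` are the sequence numbers the link loses or damages."""
    rx = OneWayReceiver()
    for seq, reading in enumerate(readings):
        frame = encode_frame(seq, reading.encode("ascii"))
        if seq in drop:
            continue
        if seq in corrupt:
            frame = frame[:-1] + bytes([frame[-1] ^ 0x01])   # flip one CRC bit
        rx.feed(frame)
    return rx


if __name__ == "__main__":
    # Constructed sample telemetry: a turbine speed tag sampled once a second.
    sample = [f"turbine1.rpm={3000 + i}" for i in range(6)]
    rx = simulate(sample, drop={2}, corrupt={4})
    print("received:", rx.records)
    print("missing:", rx.missing, "corrupt frames:", rx.corrupt)
```

The same constraint applies one layer down: with the receive pair cut, the sending host can never hear an ARP reply, so the receiver's MAC address has to be configured as a static ARP entry before any datagram leaves the interface.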

        • (Yes, if you have access to the hardware, then you can circumvent this; but then, in that case you could simply install the malware yourself).

          Or hit the actual turbine with a $5 wrench.

  • PLC security? (Score:1, Interesting)

    by Anonymous Coward

    I work with PLCs (Programmable Logic Controllers like the article mentions) and to be honest it's news to me that they even HAVE security.

    Most PLCs will accept any data table read/write, any programming command and any firmware update without any authentication whatsoever. Also the SCADA system (the visualisation system which talks to the plant's PLCs) will typically run on Windows XP, usually without any service packs/patches, no antivirus, and often the Windows firewall disabled. "Security" on a SCADA is

  • Clearly, the real embarrassment here is that the DoD is using these vulnerabilities to kill Iranian centrifuges. I don't have a problem preventing Iran from having nukes, as I think they should not ever have them. However with the recent "cyber security" announcement that digital hacking can be considered an act of war, I wonder if we'd have come to the same conclusion if we were in missile range of Iran.

    Releasing these hacks could have unintended consequences. Imagine if some hacker group used them for the

  • by currently_awake (1248758) on Tuesday June 07, 2011 @08:47AM (#36361752)
    A fundamental principle of security: critical infrastructure (flood gates, nuclear power plants...) doesn't connect to the internet. Any design that violates this basic principle of security should be considered proof of criminal negligence. (I'm not a lawyer). You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault.
    • by Viol8 (599362)

      "You are not responsible for what happens when you release details of serious security vulnerabilities if you've told them about the problem and given a reasonable amount of time to repair the fault."

      I'm sorry, what? Seriously?

      So you release details of a vulnerability which you've discovered and it's "not your fault" if someone then uses it after you've decided on some arbitrary length of time the manufacturer needs to fix it?

      Okay, riiight.

      You my friend need to take off your rose coloured teen hacker

    • by Tweezer (83980)

      I hate to break it to you, but that horse left the barn years ago. The data from these systems is much too valuable and companies that would follow your advice would be at a large competitive disadvantage. That being said, these systems should still be protected with multiple layers of security. I work on SCADA systems and there are multiple security measures such as no default gateways and no less than three firewalls between the SCADA system and the Internet, but it is required that it be connected. F
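The Anonymous Coward's description above of PLCs that accept any read, write or firmware load without authentication, and Tweezer's "no default gateways and no less than three firewalls", point at the same compensating control: when the device itself cannot say no, the network around it must, and the operator needs a way to check that it still does. The Python below is an added example, not code from any poster, from Siemens or from a real plant; the address plan, host roles and port list are assumptions constructed for it (TCP/102 is the ISO-TSAP port S7 controllers use, everything else is invented). It takes connection records as a firewall or flow collector would log them and flags three things: a PLC-zone host exchanging traffic with an address outside the plant (meaning a route exists that should not), a client not on the allow list reaching into the zone, and a listed client using a port its role does not need.

```python
import ipaddress
from dataclasses import dataclass

# Zone model. Every address, host role and port below is an assumption made
# for this example; none of it describes a real plant or the article's systems.
PLANT_NETWORKS = [ipaddress.ip_network("10.10.0.0/16")]   # the plant's own address plan
PLC_ZONE = ipaddress.ip_network("10.10.2.0/24")           # controllers live here
# Clients permitted to open connections into the PLC zone, and on which ports.
# TCP/102 is the ISO-TSAP port S7 controllers use for programming and HMI
# traffic; the host addresses are invented.
ALLOWED_CLIENTS = {
    ipaddress.ip_address("10.10.1.5"): {102},    # engineering workstation
    ipaddress.ip_address("10.10.1.20"): {102},   # operator HMI
}


@dataclass(frozen=True)
class Flow:
    """One connection record as a flow collector or firewall log would give it."""
    src: str
    dst: str
    dport: int
    proto: str


def in_plant(addr):
    return any(addr in net for net in PLANT_NETWORKS)


def check_flow(flow):
    """Return the policy violations for one flow (empty tuple if it is clean)."""
    src, dst = ipaddress.ip_address(flow.src), ipaddress.ip_address(flow.dst)
    if src not in PLC_ZONE and dst not in PLC_ZONE:
        return ()                      # not control traffic; out of scope here
    reasons = []
    # Rule 1: the PLC zone never talks to anything outside the plant's own
    # address plan. A hit here means a route (e.g. a default gateway) exists
    # that the zone should not have.
    if not (in_plant(src) and in_plant(dst)):
        reasons.append("plc-zone-external")
    # Rule 2: connections into the zone come only from listed clients ...
    if dst in PLC_ZONE and src not in PLC_ZONE:
        if src not in ALLOWED_CLIENTS:
            reasons.append("unlisted-client")
        # Rule 3: ... and only on the ports that client's role needs.
        elif flow.dport not in ALLOWED_CLIENTS[src]:
            reasons.append("unexpected-port")
    return tuple(reasons)


def audit(flows):
    """Map each offending flow to its reasons; clean flows are omitted."""
    result = {}
    for flow in flows:
        reasons = check_flow(flow)
        if reasons:
            result[flow] = reasons
    return result


# Constructed sample flow records.
SAMPLE_FLOWS = [
    Flow("10.10.1.5", "10.10.2.10", 102, "tcp"),     # engineering -> PLC, expected
    Flow("10.10.1.20", "10.10.2.10", 102, "tcp"),    # HMI -> PLC, expected
    Flow("10.10.1.20", "10.10.2.10", 80, "tcp"),     # HMI using a port it does not need
    Flow("10.10.3.77", "10.10.2.10", 102, "tcp"),    # office desktop programming a PLC
    Flow("10.10.2.10", "198.51.100.9", 443, "tcp"),  # PLC reaching outside the plant
]

if __name__ == "__main__":
    for flow, reasons in audit(SAMPLE_FLOWS).items():
        print(f"{flow.src} -> {flow.dst}:{flow.dport}/{flow.proto}  {', '.join(reasons)}")
```

Run against a day of flow exports, an empty result is the evidence that the "island" the later comments describe still exists; the first "plc-zone-external" hit is the day it stopped being one.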

    • I think that Stuxnet permanently put to rest the idea that disconnecting your critical systems from the internet was sufficient to secure them. Sure, you need to do it, but you also need to (somehow) prevent your users from moving contaminated media into your secure systems.
    • by cusco (717999)
      doesn't connect to the internet

      This statement always annoys me, because people seem to be assuming that the only way into a network is through the web server or something. If I wanted into someone's network I'd plug into the guard shack at the gate, or a meeting room if I could get into the building. To attack a SCADA system all I would need to do is jump a fence into a substation. No one is watching those cameras, they're for forensics to go after copper thieves.

      Want to get into most supposedly '
      • I have worked in several of these types of facilities in my long and chequered history. Your scenarios are utter complete bullshit. If you really want access you need to find an unattended laptop in an unattended boardroom, switch off the alarm, sneak around and then wake up with sticky sheets. I call shenanigans on you.
        • by cusco (717999)
          I set up security systems for a living. The problem is always the wetware, and it's only getting worse as companies skimp on training.
  • by formation (2241238)
    Check to see if your Company name is available http://bit.ly/m2IHF4 [bit.ly]
  • These folks need to go open source.. for the safety of the world!
    In fact.. go one step further and have all governments of the world require all public infrastructure to only be run on open source systems. This is our only hope of staying ahead of terrorists. This same type of problem (and need) has also been seen in the problems with US electronic Voting Booths. The recent RSA seed + proprietary algorithm lead has proven that closed source = security risk. Wake up politicians!

    Tweeks

  • I am thinking of the Modicons and Allen Bradley PLCs around the world.

    On the PLC5 and the SLC-500, security (if set) was generally an afterthought and then normally used to keep factory floor folk out of the PLC. I know because I knew where to find the text-encoded password in the memory dump files.

    The ControlLogix was a similar open book - rarely if ever secured. Then again, you could get on the backplane via the ENBT adapter and then talk directly to any card in the system including the SERCOS cards an

    • Security in IA (Industrial Automation) land has traditionally been isolation ("We are an island. No data comms in or out.") and physical (To keep out those pesky tool using primates).

      It doesn't help that critical infrastructure (CI) is also forklift upgraded anywhere between 10-25 years, depending upon the environment. Infosec was not even on the radar back in the day.

      Things are changing for the better, but there is still a significant gap between the current state of affairs and where it should be. The big

      • by cusco (717999)
        Until very recently a former employer used to keep a pile of 386 laptops around because the control software for their half million dollar radio tower wouldn't run on any other CPU and the original manufacturer had been gobbled up. I see the pile is gone now so they must have upgraded in the last year or two.
  • Could Arduino be a "cheap" hardware upgrade from what we are currently using? Would Arduino be more secure? Subquestion... Are there software/firmware upgrades that could be used to fix these flaws? Yesterday?
