US Warns of Problems In Chinese SCADA Software
alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."
Re: (Score:3, Insightful)
No need to unfairly single out the Chinese. I feel confident to extend that out to pretty much any nation. Wasn't our bestest friend (sarcasm) Israel found to have the biggest [rense.com] espionage [rense.com] ring yet uncovered right here in the US of A?
Re:I've said it before and I'll say it again (Score:5, Informative)
I didn't realize the source was sh*tty (I still have no idea who or what Rense is); it happened to be the first 2 or so hits on Google. However, it is established that Israel spies on the US just as much, if not more, than anyone. If different sources make you feel better:
http://en.wikipedia.org/wiki/Lawrence_Franklin_espionage_scandal [wikipedia.org] http://www.alternet.org/world/130891/breaking_the_taboo_on_israel's_spying_efforts_on_the_united_states/ [alternet.org]
http://www.msnbc.msn.com/id/24256527/ns/us_news-security/t/american-charged-giving-secrets-israel/ [msn.com]
You could list *any* country here. No need to get your vaginas up in arms because someone said something bad about Israel. The point was China is just the next in a long line of countries spying. Now, it might be much worse given how much they make for the US.
Re: (Score:1)
You can't trust the Internet, so keep your control systems the fuck OFF the Internet, as in "air gap".
Do not run Windows on control systems.
The boss needs to rule users, give orders, and enforce obedience. If you don't want people to mess up (anything) lock it down and lock them down. Discipline doesn't have to be unpleasant, but it is reasonable to expect obedience and punish disobedience.
Re: (Score:2)
Other OS have vulns, but using an OS that the drones aren't tempted to touch is preferable, as well as one they DO NOT HAVE AT HOME.
The average person is tech-ignorant, that will never change and has never been different. Throw many barriers to entry to discourage them and keep them in their place.
Re: (Score:2)
You just may have given me the argument for management that I need to get away from endlessly trying to "lockdown" Windows.
Re: (Score:1)
what the fuck does trust have to do with shitty code?
"Sunway issued patches for the vulnerabilities on May 20 and thanked Beresford for his research in an advisory. ICS-CERT said there are no known exploits for the vulnerabilities, but computer security experts generally recommend patching software as soon as possible."
Re: (Score:2)
You can't trust an anonymous coward.
Anyone surprised? (Score:5, Informative)
I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.
Re:Anyone surprised? (Score:5, Insightful)
I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.
I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few). Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets even by hand.
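As an added example, not from this thread or from any PLC vendor, here is a small Python monitor for the Modbus/TCP framing the post describes: it decodes the MBAP header, rejects malformed frames, and flags state-changing function codes that arrive from hosts outside an allowlist, which is the kind of check a defender can run at the boundary in front of a controller that itself accepts packets from any source. The allowlisted IP, the function-code table and the sample frames are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state (standard codes; the
# set chosen here is this example's own, not from the thread).
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}

# Constructed allowlist: only the engineering workstation may issue writes.
ALLOWED_WRITERS = {"10.0.5.10"}

@dataclass
class ModbusFrame:
    transaction_id: int
    protocol_id: int
    length: int
    unit_id: int
    function: int
    data: bytes

def parse_mbap(raw: bytes) -> ModbusFrame:
    """Decode the 7-byte MBAP header plus PDU; raise ValueError if malformed."""
    if len(raw) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus (expected 0)")
    # The length field counts unit id + PDU, i.e. everything after byte 6.
    if length != len(raw) - 6:
        raise ValueError(f"length field {length} does not match frame size")
    return ModbusFrame(tid, pid, length, uid, raw[7], raw[8:])

def assess(src_ip: str, raw: bytes) -> str:
    """Return an alert string for one frame, or 'ok' if it needs no attention."""
    try:
        frame = parse_mbap(raw)
    except ValueError as err:
        return f"ALERT malformed frame from {src_ip}: {err}"
    name = WRITE_FUNCTIONS.get(frame.function)
    if name and src_ip not in ALLOWED_WRITERS:
        return (f"ALERT {name} (FC {frame.function}) to unit {frame.unit_id} "
                f"from unauthorized {src_ip}")
    return "ok"

# Constructed sample traffic: (source IP, raw Modbus/TCP frame).
SAMPLE_TRAFFIC = [
    ("10.0.5.10", bytes.fromhex("00010000000601030000000a")),   # read 10 regs
    ("192.0.2.77", bytes.fromhex("0002000000060106001000ff")),  # FC6 write
    ("192.0.2.77", bytes.fromhex("00030001000601030000000a")),  # bad proto id
    ("198.51.100.5", bytes.fromhex("0005000000090110000000010200" "2a")),  # FC16
]

def scan(traffic):
    """Run assess() over captured frames and return only the alerts."""
    return [a for a in (assess(ip, raw) for ip, raw in traffic) if a != "ok"]

if __name__ == "__main__":
    for line in scan(SAMPLE_TRAFFIC):
        print(line)
```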
Re: (Score:2, Insightful)
The solution is simple. Just because they are Ethernet & TCP/IP now does not mean they need to be connected to the public Internet.
DISCONNECT THE DAMN THINGS FROM THE INTERNET!
If you need remote communication from other sites, use WAN links and VPN. Don't use the $20 on-sale special DSL/Cable Internet package of the week. How fucking hard is this?
Re:Not really the issue. (Score:1)
Stuxnet did not need Internet connections to infect centrifuge controllers. The infection vector is humans with thumb drives or other means of sharing warez with access to 'secure' networks.
Re: (Score:2)
and let's assume this makes the Chinese clones immune.
Why would the US warn about Chinese products at all?
Re: (Score:2, Insightful)
Yeah. I mean, Siemens is a German company, and we would never expect that from the Germans. It's not like they ever started a war, China on the other hand...
Idiots (Score:5, Insightful)
Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.
Re: (Score:3)
Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.
I think that would qualify as both cruel AND unusual punishment.
Re:Idiots (Score:4, Informative)
Yeah buy it from an American company...that outsourced the programming to China or India.
Re: (Score:3)
While I understand your snide comments, there still remains an issue of oversight. There are a great many things made in China. iPhones for instance. However, I trust the quality of an iPhone exponentially more than those Chinese iPhone knockoffs. When you outsource to China there is still a modicum of control which can be just enough to make a difference.
The same applies to industrial equipment from China. I would greatly prefer buying a valve from a western manufacturer who outsources production to China an
Re: (Score:2)
Yeah buy it from an American company...that outsourced the programming to China or India.
Look what Israeli programming did to Fukushima.
Re: (Score:2)
I agree, where "Idiots" is defined as all the congresscritters, C*Os, and thinktank wonks who thought our current trade policy would be such a great idea.
Chinese Trust = Oxymoron (Score:2)
I won't buy things that contain their software & anyone who does, knows what they may get.
Re: (Score:2)
This isn't a "Chinese software sucks" problem, it's a "proprietary software sucks" problem.
Which coreboot-compatible motherboard are you using? What video card are you using? Do you have a RAID controller?
Newsflash: Vulnerabilities on software (Score:3, Insightful)
Is this news? Whatever software you are using has vulnerabilities.
So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.
Re:Newsflash: Vulnerabilities on software (Score:4, Insightful)
The entire slashdot piece is formulated as an us-vs-them issue. There are thousands of vulnerabilities discovered all the time in all kinds of software, and the submitter just happened to pick one in software sold by a Chinese company and that was discovered by US-based researchers, insinuating that there is something wrong with the Chinese. The nationalities are a red herring. They could have titled the story "Security team warns of problems with SCADA software" but that wouldn't lead to a jingoistic us-vs-them discussion.
Re: (Score:2)
Note that summary: a warning issued by US Industrial Control Systems Cyber Emergency Response Team.
Not that an organization of US-based industrial control software vendors would have any sort of dishonest or self-serving motivations to point fingers at Chinese software. Just sayin'
Re: (Score:3, Insightful)
Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.
Re: (Score:1)
SCADA systems are under scrutiny currently, but there are a lot of PLC controllers with embedded Ethernet ports that use rudimentary or outright flawed IP stacks. Examples of protocols used are Siemens S7, Modbus, GE Fanuc SRTP, FTP, HTTP, Global Ethernet Data (GE Fanuc, I believe) and many more. I know some problems with them, but these really need to be ripped apart by experts and the manufacturers goaded into fixing them. Anon for now.
And the OS? (Score:3)
Several years ago a bean counter decided we could save money so it was recompiled from the trusted Unix platform to Windows.
Not a huge problem, as in the day it wasn't exposed to the Internet, but today it is, and now it's not just infected USB drives that cause trouble.
Sharing (Score:1)
Just more fear propaganda (Score:1)
When I see these kind of articles coming out every other day, I can't help but think that this has more to do with security agencies pushing fear in the media to justify their existence. I'm tired of reading about how China is trying to take us down. We spend and spend with money we don't have. We borrow more from China and then buy the cheapest products from Walmart not even really thinking about the slave labor that produced those products. Are they complaining about working their ass off for almost
too much dependence on the internet (Score:1)
Re: (Score:2)
I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.
Yeah, doesn't the term "Sunway's ForceControl 6.1 WebServer" (one of the infected items in TFA) send a little electric tingle down your spine?
Re: (Score:2)
One good reason to connect an industrial control network to a network outside the immediate premise would be that it is a remote site that doesn't merit a human being nearby to mind it or is only economically viable if it doesn't require humans nearby. Thus it makes economic sense to network it, but a private network is too expensive, so it goes on the internet (probably with VPN only access).
Private networks are expensive, getting a satellite/whatever internet connection isn't.
Then you are only as secure a
This may be a stupid question... (Score:3)
This may be a stupid question...
What kind of moron connects their factory-internal manufacturing systems to the Internet?
-- Terry
Re: (Score:3)
"DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location." [wikipedia.org]
The term "SCADA" is specifically used for industrial processes that have to be connected by long-distance networking.
Re: (Score:2)
This doesn't necessarily mean it has to be unsafe. A reasonable implementation is to control SCADA over VPN over TCP/IP. Insert a hardware firewall that is completely autistic to everything except for allowing VPN traffic between actual internet and machine running SCADA.
While it won't be bulletproof, it will certainly limit ability to threaten machines running SCADA with malicious packets and such from internet. There are obviously ways to attack VPN, machine that's connected to other side of VPN and perha
Re: (Score:2)
Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.
Re: (Score:2)
Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.
But. Site-to-site leased lines can be very expensive. And money talks. Give a PHB the choice between saving hard cash and the soft, squishy concept of hacking ("Oh, we have security systems in place, yessir"), which will they pick 9 times out of 10?
Re: (Score:2)
I know what you are trying to say, but for the very low bandwidth needs of these systems leased lines are plenty reasonable.
Re: (Score:2)
It's worth noting that such SCADA applications are usually remote control of a production site. This is usually because of outsourcing of these functions to the lowest bidder.
As a result, even a little extra spending on security would be under huge scrutiny from "is this really important? We could lose the contract if our costs go up" aspect.
Re: (Score:2)
Does anyone know of any cases where anyone has been hacked or their data compromised because they're using one of those fake leased lines where you're actually sharing a ring? And if not, isn't that good enough for this purpose? Genuine end to end leased lines are there to bypass problems with communications systems. Of course, they're just as vulnerable to backhoes as anything else...
Re: (Score:2)
Okay, so run your own lines. You will then have:
1. Greater control
2. Greater security
3. Greater uptime (not competing with other users for limited bandwidth)
Oh, but that's right, it might cost a little more to set up a low-bandwidth network. I guess I should be thinking like a manager.
Re: (Score:2)
visiting sites can cost $$$ and be very time consuming...
Re: (Score:2)
This may be a stupid question...
What kind of moron connects their factory-internal manufacturing systems to the Internet?
-- Terry
Those who run uranium enrichment machines. That's who.
Re:This may be a stupid question... (Score:4, Interesting)
You'd be surprised, but I bet many, maybe most, US manufacturers have their shop floor networks connected to their other networks for one reason or another. Do they firewall the crap out of them? Well, probably, but that is no air gap.
In my experience this is how it's usually evolved on the networks I've seen:
1. Shop floors started off with some proprietary network, not connected to anything else
2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
3. Management eventually decides that simplifying and increasing statistics gathering and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen".
4. IT installs a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well at the time.
5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and, lacking any documentation, assume it's IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
6. The consultants get the shop floor running again but they never really circle back and tell IT what the issue was, perhaps it was unrelated, who knows.
7. You might think IT will sniff packets for a while and see what actually could be tightened back down, but they won't because they have other problems and have spent a week being interrupted by the consultants already; management wants to see those other projects getting done. All the procedures don't get updated either. The security measures, while still in place, are mostly ineffective.
Re: (Score:2)
I've been in dozens of plants. The answer is... all of them, except the ones where they don't even have the know-how to setup a wireless router at home. Every single decent-sized plant I've visited has most of their industrial automation equipment connected to their computer network. Now, some are more sophisticated than others. Some separate plant-floor from office networks with VLANs. Some actually have physically separate networks, though almost every time I've suggested that, the IT guys demand eve
Re: (Score:2)
No one directly. But most SCADA systems somehow have a physical link that gets them all the way to the internet. The place where I work has a one way push to another network which is separated by a strict firewall from our corporate network, which is separated by a weak firewall from the internet. It is in theory possible for an attacker to work their way down, but the critical piece is that this is plainly not needed.
These vulnerabilities on SCADA systems nearly always work from the PC that is connected to
Re: (Score:2)
Given that China is hellbent on kicking the ass of every nation..
He says on a US-centric site. Oh, Irony, thou hast been outdone!
What goes around (Stuxnet), comes around (SCADA) (Score:2)
We need to move beyond irony in our global defense community: http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html [pdfernhout.net]
"There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based
I guess it all depends on definitions (Score:2)
We call it a bug...China calls it a feature.
I worked on SCADA systems back in '97-'98 (Score:3)
Every line of code that we wrote was signed off by an individual chartered engineer. And that means that we printed off the entire source, and a Very Serious Chap sat down and Very Seriously Reviewed it, and if he approved it, he wrote his initials against it. Against every single individual line, using his hand, and a pen. A red pen. And if one line, one single line, didn't have that Very Serious Chap's initials against it, then the software didn't ship. No way, no how.
And once it shipped, that Very Serious Chap would Very Seriously take full responsibility for it, and for the consequences of using it, in the most literal and legal sense.
And now, to save a penny in the dollar, SCADA systems are sourced from the Whang Dong Control Systems, Light Industrial Tools and Edible Cuttlefish Products Conglomerate, of Zing Ping Province, China. WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
Ain't it marvellous living in the Future?
Re: (Score:2)
I've been contracting on Industrial Control systems for over 10 years. I've never ever seen what you're talking about. However, there are certain *industries* that I haven't worked in where that might be the case. However, I have worked on a machine in the pharma industry, but even though they had much more stringent testing procedures, they still (a) didn't review every line of code and (b) hadn't caught a very serious bug that I found in the code when I was making some changes. In fact, I'm a P.Eng. (
Re: (Score:2)
Actually you'll find the code physically running on the controllers still does and likely always will be signed VSC next to each line. The attacks on the systems often come from the lines that were never needed to be signed in the first place, namely the interface lines. Back in the day this meant something like serial modbus, these days it's serial modbus nastily hacked into a TCP/IP wrapper with no implied security just as there was no implied security back in the day either, or even better OPC, or some p
and they're doing WHAT with this stuff? (Score:2)
they're connecting it to the electronic Wild Wild West, the Internet.
critical systems should N E V E R be connected to an open network.
ever.
that's rule one.
why aren't the guys making these connections going to jail?