
US Warns of Problems In Chinese SCADA Software

Posted by Soulskill
from the not-for-use-in-nuclear-reactors-at-home dept.
alphadogg writes "Two vulnerabilities found in industrial control system software made in China but used worldwide could be remotely exploited by attackers, according to a warning issued on Thursday (PDF) by the US Industrial Control Systems Cyber Emergency Response Team. The vulnerabilities were found in two products from Sunway ForceControl Technology, a Beijing-based company that develops SCADA software for a wide variety of industries, including defense, petrochemical, energy, water and manufacturing. Sunway's products are mostly used in China but also in Europe, the Americas, Asia and Africa, according to the agency's advisory. SCADA software has come under increasing attention from security researchers, as the software has often not undergone rigorous security audits despite its use to manage critical infrastructure or manufacturing processes. SCADA systems are increasingly connected to the Internet, which has opened up the possibility of hackers remotely breaking into the systems. Last year, researchers discovered a highly sophisticated worm called Stuxnet that was later found to target Siemens' WinCC industrial control software."
  • Anyone surprised? (Score:5, Informative)

    by Opportunist (166417) on Saturday June 18, 2011 @02:40PM (#36486366)

    I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

    • by barik (160226) on Saturday June 18, 2011 @03:43PM (#36486622) Homepage

      I mean, there's a security flaw in the Siemens S7. Now let's all take a wild guess what the Chinese copied.

      I'd say that there are flaws in just about every major PLC (Allen-Bradley, Modicon, GE, and so on, to name a few). Most are just legacy serial protocols that have been wrapped in Ethernet, so these controllers accept arbitrary packets from any source. With protocols like MODBUS, it is fairly easy to construct such packets by hand even.

      • Re: (Score:2, Insightful)

        by bell.colin (1720616)

        The solution is simple: just because they are Ethernet & TCP/IP now does not mean they need to be connected to the public Internet.

        DISCONNECT THE DAMN THINGS FROM THE INTERNET!

        If you need remote communication from other sites, use WAN links and VPN. Don't use the $20 on-sale special DSL/Cable Internet package of the week. How fucking hard is this?

        • by Anonymous Coward

          Stuxnet did not need internet connections to infect centrifuge controllers. The infection vector is humans with thumbdrives or other means of sharing warez with access to 'secure' networks.

        • by RobinH (124750)
          Sigh. This is wrong. Yes, they should be kept on separate VLANs, etc., but at some point someone always needs to get software updates or engineering changes on to the machines, which means you're connecting *some* kind of laptop, thumbdrive, or whatever, from an outside source that has likely been connected to a network that has a connection to the public internet. If you keep the control system isolated, then keeping operating system and anti-virus software up-to-date is just that much harder, which mea
    • by kubitus (927806)
      Now let's assume they looked at the design and improved it, e.g. removed some vulnerabilities,

      and let's assume this makes the Chinese clones immune.

      Why would the US warn about Chinese products at all?

  • Idiots (Score:5, Insightful)

    by sycodon (149926) on Saturday June 18, 2011 @02:43PM (#36486378)

    Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

    • by NFN_NLN (633283)

      Whoever bought Chinese software to control industrial plants should be fired and made to work in a Microsoft call center.

      I think that would qualify as both cruel AND unusual punishment.

    • Re:Idiots (Score:4, Informative)

      by GameboyRMH (1153867) on Saturday June 18, 2011 @02:56PM (#36486436) Journal

      Yeah buy it from an American company...that outsourced the programming to China or India.

      • by thegarbz (1787294)

        While I understand your snide comments, there still remains an issue of oversight. There are a great many things made in China. iPhones for instance. However I trust the quality of an iPhone exponentially more than those Chinese iPhone knockoffs. When you outsource to China there is still a modicum of control which can be just enough to make a difference.

        The same applies to industrial equipment from China. I would greatly prefer buying a valve from a western manufacturer who outsources production to China an

      • by slick7 (1703596)

        Yeah buy it from an American company...that outsourced the programming to China or India.

        Look what Israeli programming did to Fukushima.

    • by istartedi (132515)

      I agree, where "Idiots" is defined as all the congresscritters, C*Os, and thinktank wonks who thought our current trade policy would be such a great idea.

  • I won't buy things that contain their software & anyone who does, knows what they may get.

  • by guanxi (216397) on Saturday June 18, 2011 @02:55PM (#36486434)

    Is this news? Whatever software you are using has vulnerabilities.

    So what if the software came from China? Do you think software from San Jose is any better? I don't see any evidence of some communist party conspiracy here.

    • Re: (Score:3, Insightful)

      Indeed, I don't think there would be a headline if the software was from, say, Finland. Finding evidence it was put there deliberately, that's a different story.

    • by Anonymous Coward

      SCADA systems are under scrutiny currently, but there are a lot of PLC controllers with embedded Ethernet ports that use rudimentary or outright flawed IP stacks. Examples of protocols used are Siemens S7, Modbus, GE Fanuc SRTP, FTP, HTTP, Global Ethernet Data (GE Fanuc, I believe) and many more. I know some problems with them, but these really need to be ripped apart by experts and the manufacturers goaded into fixing them. Anon for now.

  • by Teun (17872) on Saturday June 18, 2011 @02:58PM (#36486440) Homepage
    I work with a SCADA compatible system, my greatest worry is the OS.

    Several years ago a bean counter decided we could save money so it was recompiled from the trusted Unix platform to Windows.

    Not a huge problem, as in the day it wasn't exposed to the Internet, but today it is, and now it's not just infected USB drives that cause trouble.

  • If I operated linear networks like, say, Caltrans, the California Water Project, any number of river gauges or the California Independent System Operator (electric power broker), I'd probably see this as 'relevant to my interests'.
  • by Anonymous Coward

    When I see these kinds of articles coming out every other day, I can't help but think that this has more to do with security agencies pushing fear in the media to justify their existence. I'm tired of reading about how China is trying to take us down. We spend and spend with money we don't have. We borrow more from China and then buy the cheapest products from Walmart, not even really thinking about the slave labor that produced those products. Are they complaining about working their ass off for almost

    • "We borrow more from China." The US does not borrow money from China; China purchases US securities and bonds because it is a safe and stable investment. They currently hold only about 6% of all outstanding securities. If China was somehow trying to destabilize the US, they would lose all of the money they have invested.
  • I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.
    • I can't think of any reason to have an industrial controls network directly connected to the internet. Maybe there are valid reasons; I'd love to hear them. This is not necessarily a failure of SCADA, but a failure by the engineers to properly consider security.

      Yeah, doesn't the term "Sunway's ForceControl 6.1 WebServer" (one of the infected items in TFA) send a little electric tingle down your spine?

    • by jeffstar (134407)

      One good reason to connect an industrial control network to a network outside the immediate premises would be that it is a remote site that doesn't merit a human being nearby to mind it, or is only economically viable if it doesn't require humans nearby. Thus it makes economic sense to network it, but a private network is too expensive, so it goes on the Internet (probably with VPN-only access).

      Private networks are expensive, getting a satellite/whatever internet connection isn't.

      Then you are only as secure a

  • by tlambert (566799) on Saturday June 18, 2011 @03:23PM (#36486544)

    This may be a stupid question...

    What kind of moron connects their factory-internal manufacturing systems to the Internet?

    -- Terry

    • by interiot (50685)

      "DCS is commonly used to handle operations on a single locale, while SCADA is preferred for applications that are spread over a wide geographic location." [wikipedia.org]

      The term "SCADA" is specifically used for industrial processes that have to be connected by long-distance networking.

      • by Silverhammer (13644) on Saturday June 18, 2011 @03:41PM (#36486618)
        Not necessarily. SCADA is "Supervisory Control And Data Acquisition", which simply means collecting process data for presentation and analysis. Yes, many packages (disclosure: including the one I work on) allow SCADA functions to be performed over TCP/IP networks, but it is not a fundamental part of SCADA. Everything can be done on a single workstation, if that's how you're set up.
        • by Luckyo (1726890)

          This doesn't necessarily mean it has to be unsafe. A reasonable implementation is to control SCADA over VPN over TCP/IP. Insert a hardware firewall that is completely autistic to everything except for allowing VPN traffic between actual internet and machine running SCADA.

          While it won't be bulletproof, it will certainly limit ability to threaten machines running SCADA with malicious packets and such from internet. There are obviously ways to attack VPN, machine that's connected to other side of VPN and perha

          • by h4rr4r (612664)

            Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.

            • Or maybe spend a couple bucks and keep it all on leased lines. That way you control all the endpoints. It is not like site to site leased lines are anything new.

              But. Site-to-site leased lines can be very expensive. And money talks. Give a PHB the choice between saving hard cash and the soft, squishy concept of hacking ("Oh, we have security systems in place, yessir"), which will they pick 9 times out of 10?

              • Oh, and leased lines are still vulnerable. Not as easily as something directly on the Internet, but you still have to secure them and keep thinking about them. Then the argument of leased line vs. Internet gets even fuzzier. And the PHB is nodding off ....
              • by h4rr4r (612664)

                I know what you are trying to say, but for the very low bandwidth needs of these systems leased lines are plenty reasonable.

                • by Luckyo (1726890)

                  It's worth noting that such SCADA applications are usually remote control of a production site. This is usually because of outsourcing of these functions to the lowest bidder.

                  As a result, even a little extra spending on security would be under huge scrutiny from "is this really important? We could lose the contract if our costs go up" aspect.

              • by drinkypoo (153816)

                Does anyone know of any cases where anyone has been hacked or their data compromised because they're using one of those fake leased lines where you're actually sharing a ring? And if not, isn't that good enough for this purpose? Genuine end to end leased lines are there to bypass problems with communications systems. Of course, they're just as vulnerable to backhoes as anything else...

      • Okay, so run your own lines. You will then have:

        1. Greater control
        2. Greater security
        3. Greater uptime (not competing with other users for limited bandwidth)

        Oh, but that's right, it might cost a little more to set up a low-bandwidth network. I guess I should be thinking like a manager.

    • by Laser Lou (230648)

      This may be a stupid question...

      What kind of moron connects their factory-internal manufacturing systems to the Internet?

      -- Terry

      Those who run uranium enrichment machines. That's who.

      • by RobinH (124750)
        If you're talking about Stuxnet, it was designed to transmit over USB drives. Plus, even though the machines don't necessarily have ethernet ports, you usually program them from an IDE on a laptop communicating over a serial or other proprietary network, and that laptop moves from machine to machine, and even from plant to plant if you're hiring contractors.
    • by DarkOx (621550) on Saturday June 18, 2011 @06:32PM (#36487282) Journal

      You'd be surprised, but I bet many, maybe most, US manufacturers have their shop floor networks connected to their other networks for one reason or another. Do they firewall the crap out of them? Well, probably, but that is no air gap.

      In my experience this is how it's usually evolved on the networks I've seen:

      1. Shop floors started off with some proprietary network, not connected to anything else
      2. Equipment got upgraded and replaced with cheaper ethernet or token over ethernet solutions
      3. Management eventually decides that simplifying and increasing statistics gathering and reporting is worth the risk of connecting the shop floor networks to the rest of the corporate networks, even though IT warned them of the potential risks. They tell IT "Just don't let that happen".
      4. IT installs a good firewall with strong rules, and establishes solid procedures around what, how, when, and who connects anything to the shop floor. This works well for a time.
      5. The vendor, who has never properly documented the communications requirements of their software, sends some techs out to do an upgrade or change or something. Said techs run into problems and, lacking any documentation, assume it's IT's security measures causing them. Management is upset because the line has stopped and they are paying these consultants by the hour on top of that. They demand IT relax the rules.
      6. The consultants get the shop floor running again, but they never really circle back and tell IT what the issue was. Perhaps it was unrelated, who knows.
      7. You might think IT will sniff packets for a while and see what actually could be tightened back down, but they won't, because they have other problems and have spent a week being interrupted by the consultants already; management wants to see those other projects getting done. The procedures don't get updated either. The security measures, while still in place, are mostly ineffective.

    • by RobinH (124750)

      I've been in dozens of plants. The answer is... all of them, except the ones where they don't even have the know-how to setup a wireless router at home. Every single decent-sized plant I've visited has most of their industrial automation equipment connected to their computer network. Now, some are more sophisticated than others. Some separate plant-floor from office networks with VLANs. Some actually have physically separate networks, though almost every time I've suggested that, the IT guys demand eve

    • by jjp9999 (2180664)
      Yeah, they didn't used to. I spoke with someone on this a bit back - it ties, of course, into metrics and them trying to market themselves.
    • by thegarbz (1787294)

      No one directly. But most SCADA systems somehow have a physical link that gets them all the way to the internet. The place where I work has a one way push to another network which is separated by a strict firewall from our corporate network, which is separated by a weak firewall from the internet. It is in theory possible for an attacker to work their way down, but the critical piece is that this is plainly not needed.

      These vulnerabilities on SCADA systems nearly always work from the PC that is connected to

  • We need to move beyond irony in our global defense community: http://www.pdfernhout.net/recognizing-irony-is-a-key-to-transcending-militarism.html [pdfernhout.net]
    "There is a fundamental mismatch between 21st century reality and 20th century security thinking. Those "security" agencies are using those tools of abundance, cooperation, and sharing mainly from a mindset of scarcity, competition, and secrecy. Given the power of 21st century technology as an amplifier (including as weapons of mass destruction), a scarcity-based

  • We call it a bug...China calls it a feature.

  • by Rogerborg (306625) on Saturday June 18, 2011 @08:29PM (#36487854) Homepage

    Every line of code that we wrote was signed off by an individual chartered engineer. And that means that we printed off the entire source, and a Very Serious Chap sat down and Very Seriously Reviewed it, and if he approved it, he wrote his initials against it. Against every single individual line, using his hand, and a pen. A red pen. And if one line, one single line, didn't have that Very Serious Chap's initials against it, then the software didn't ship. No way, no how.

    And once it shipped, that Very Serious Chap would Very Seriously take full responsibility for it, and for the consequences of using it, in the most literal and legal sense.

    And now, to save a penny in the dollar, SCADA systems are sourced from the Whang Dong Control Systems, Light Industrial Tools and Edible Cuttlefish Products Conglomerate, of Zing Ping Province, China. WITHOUT ANY WARRANTY; WITHOUT EVEN THE IMPLIED WARRANTY OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

    Ain't it marvellous living in the Future?

    • Hopefully, the horrendous quality of all this lowest-bidder outsourced crapware (both hard- and soft-) will leave a market for people to bring manufacturing, and thus jobs, back to first-world nations, and (in my own selfish mind) the US in particular. I don't know about the average consumer, but I'd gladly pay more for a better, more durable product.
    • by RobinH (124750)

      I've been contracting on Industrial Control systems for over 10 years. I've never ever seen what you're talking about. However, there are certain *industries* that I haven't worked in where that might be the case. However, I have worked on a machine in the pharma industry, but even though they had much more stringent testing procedures, they still (a) didn't review every line of code and (b) hadn't caught a very serious bug that I found in the code when I was making some changes. In fact, I'm a P.Eng. (

    • Do not despair. I am sometimes that "Very Serious Chap". I write and review code for a certain type of control system (allow me to be a little vague on what sort). People's lives and safety depend on the correct functioning of these systems. The code is exactly as you described, and when I have reviewed it and put a yellow highlighter through every line (this is the future, after all) I sign my name to it, stamp it with my magic Professional Engineer stamp and take personal and professional responsibility fo
    • by thegarbz (1787294)

      Actually you'll find the code physically running on the controllers still does and likely always will be signed VSC next to each line. The attacks on the systems often come from the lines that were never needed to be signed in the first place, namely the interface lines. Back in the day this meant something like serial modbus, these days it's serial modbus nastily hacked into a TCP/IP wrapper with no implied security just as there was no implied security back in the day either, or even better OPC, or some p
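
      Two posts in this thread make the same protocol point from different angles: barik's, that a Modbus packet can be built by hand and the controller will accept it from any source, and thegarbz's, that serial Modbus wrapped in TCP/IP carries no security at all. The following Python is an added example written for this page, not code from either poster or from any vendor. The MBAP header layout and function codes follow the public Modbus/TCP specification; the IP addresses, the engineering-host allowlist and the sample traffic are constructed for illustration and assume nothing about any real site.

```python
import struct

# Modbus function codes from the public Modbus application protocol spec.
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_REGISTER = 0x06
# Write-class functions: coil/register writes that change process state.
WRITE_FUNCTIONS = {0x05, 0x06, 0x0F, 0x10}

# Hosts permitted to issue writes. Constructed for this example; a real
# deployment would take this from the firewall or monitoring policy.
ENGINEERING_HOSTS = {"10.10.5.20"}


def build_write_single_register(transaction_id, unit_id, address, value):
    """Hand-build a Modbus/TCP ADU for function 0x06 (Write Single Register).

    MBAP header: transaction id (2 bytes), protocol id (2, always 0),
    length (2, covers unit id + PDU), unit id (1). PDU: function (1),
    register address (2), value (2). Note what is absent: no session,
    no authentication, no integrity field. Any host that can reach
    TCP port 502 can send this and the controller will act on it.
    """
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_REGISTER, address, value)
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_adu(adu):
    """Parse a Modbus/TCP ADU into a dict. Raises ValueError if malformed."""
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    tid, pid, length, unit = struct.unpack(">HHHB", adu[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(adu) - 6:
        raise ValueError("MBAP length does not match frame size")
    info = {"tid": tid, "unit": unit, "function": adu[7]}
    if info["function"] == FC_WRITE_SINGLE_REGISTER and len(adu) == 12:
        info["address"], info["value"] = struct.unpack(">HH", adu[8:12])
    return info


def classify(src_ip, adu):
    """Policy check a firewall or IDS in front of the PLC could apply.

    Returns 'allow', 'deny-write' (a write from a host not on the
    engineering allowlist) or 'malformed'. Reads are allowed from any
    host here; a real policy would restrict those as well.
    """
    try:
        req = parse_adu(adu)
    except ValueError:
        return "malformed"
    if req["function"] in WRITE_FUNCTIONS and src_ip not in ENGINEERING_HOSTS:
        return "deny-write"
    return "allow"


# Constructed sample traffic as (source IP, ADU bytes).
SAMPLE_TRAFFIC = [
    # Engineering workstation writes 0x1234 to holding register 16: allowed.
    ("10.10.5.20", build_write_single_register(1, 1, 0x0010, 0x1234)),
    # Same write from an Internet address: the PLC would accept it; we don't.
    ("203.0.113.7", build_write_single_register(2, 1, 0x0010, 0x0000)),
    # Read Holding Registers (tid 3, unit 1, fc 0x03, address 16, count 1).
    ("10.10.5.99", bytes.fromhex("000300000006010300100001")),
    # Truncated junk: fails the length check.
    ("203.0.113.7", bytes.fromhex("00010000")),
]


def audit(traffic=SAMPLE_TRAFFIC):
    """Run the policy over a traffic list; returns [(src_ip, verdict), ...]."""
    return [(src_ip, classify(src_ip, adu)) for src_ip, adu in traffic]


if __name__ == "__main__":
    print(build_write_single_register(1, 1, 0x0010, 0x1234).hex())
    for src_ip, verdict in audit():
        print(src_ip, verdict)
```

      The only thing separating the allowed write from the denied one is the source address; the frames themselves are byte-for-byte identical apart from the transaction id and value. That is the whole argument of the VPN, firewall and leased-line replies above: the protocol will never distinguish an engineer from an attacker, so something in front of the controller has to.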

    • they're connecting it to the electronic Wild Wild West, the Internet.

      critical systems should N E V E R be connected to an open network.

      ever.

      that's rule one.

      why aren't the guys making these connections going to jail?
