Italian Hacker Publishes 0day SCADA Hacks 106
mask.of.sanity writes "An Italian security researcher, Luigi Auriemma, has disclosed a laundry list of unpatched vulnerabilities and detailed proof-of-concept exploits that allow hackers to completely compromise major industrial control systems. The attacks work against six SCADA systems, including one manufactured by U.S. giant Rockwell Automation. The researcher published step-by-step exploits that allowed attackers to execute full remote compromises and denial of service attacks. Auriemma appeared unrepentant for the disclosures in a post on his website."
Common Thread (Score:1, Interesting)
Windows is the COmmon thread to all the threats. STUX was a windows exploit. When can folks get it through their head that Windows belongs on the bosses desk running excell and project and NOT on the factory floor running production.
Re:Its not that hard! (Score:4, Interesting)
2003 SP1? HA! I've seen stuff running on Win98, because the electric engineers in charge are out of their league when it comes to computers, and win98 "just works"
I took some PLC introduction course in 2006 or 2007 and the guy was bitching about linux, because linux doesn't have support. And he liked linux because it's stable, but manufacturers only support Windows, and the only way to be SURE that your software is going to work AND last for many years, is to use a not-so-new computer. I'm glad that guy only does small things like cooling control and wood drying facilities.
But at least he got one thing right: All the control LOGIC has to be in the PLCs. The SCADA is for a nice GUI and logging ONLY. You should add enough buttons, switches and lights to make the system fully usable even if all the SCADA computers are down. And that doesn't mean "manual override", which is something else you should have too.
I doubt there are applications where a SCADA system should be making decisions.