
Researcher Claims Siemens Lied About Security Bugs

chicksdaddy writes "A month after an unknown gray hat hacker calling himself 'pr0f' used a three-character password to hack his way onto Siemens software used to manage water treatment equipment in South Houston, Texas, a security researcher working for Google is accusing the company of trying to cover up the existence of other, more serious vulnerabilities in its products. Billy Rios has disclosed a range of vulnerabilities in Siemens SIMATIC software on his blog. The holes could allow a remote attacker to gain access to the Simatic user interface without a user name and password. Rios claims that he has disclosed the hole to Siemens and that the company has acknowledged the problem, only to deny its existence when a reporter asked for more information about the vulnerability."
  • by Em Adespoton ( 792954 ) <slashdotonly.1.adespoton@spamgourmet.com> on Wednesday December 21, 2011 @08:27PM (#38455152) Homepage Journal

    That was a different water-treatment event; in fact, it's the one that prompted pr0f to pull his attack, because nobody was taking the security holes seriously: http://nakedsecurity.sophos.com/2011/11/22/interview-with-scada-hacker-pr0f-about-the-state-of-infrastructure-security/ [sophos.com]

  • by Twylite ( 234238 ) <twylite&crypt,co,za> on Thursday December 22, 2011 @06:45AM (#38457782) Homepage

    You are ignoring the essential role of HMI in SCADA systems. A SCADA can acquire data and coordinate components without a UI, but operators cannot monitor a plant or take corrective action without an HMI.

    The HMI is graphical and allows the operator to override normal operation in order to respond to abnormal situations. It needs all the input and output devices a normal workstation requires.

    You are also ignoring the issue of data storage by SCADA systems, and the generation of reports on that data which are used by various business departments in real-time. A Manufacturing Execution System may provide real-time reports for sales staff so that they can give customers accurate estimates of completion/delivery dates. Orders are added to a queue and will be automatically executed by the SCADA. Stores will receive low-stock notices for just-in-time ordering. Line stops exceeding 2 hours will result in automatic escalation to the COO.

    This level of automation brings huge business benefits. The business is more responsive to customer needs, and there are fewer manual steps involved in completing an order (leading to fewer mistakes, less waste, fewer unsatisfied customers). The downside is that the business network is directly connected to the MES and the SCADA in a manner that allows at least some commands to be issued (as opposed to having read-only access to a database). An air-wall is not possible.

    So now you have PCs on the business network able to interact with a MES which is necessarily able to access the network with the SCADA and HMI. And there's a 100% chance that the business PCs have e-mail access, which means that somewhere there is a physical cable to the outside world.

    "They could have developed their own operating system"

    Yeah, because they have extensive expertise in OS development and oodles of cash to throw at the problem, and as we well know the available commercial and free embedded OSes never have bugs.

    The problem is that the environment is not conducive to upgrades/patches and is hard to isolate logically. The economic reality is that for any given SCADA environment the risk* inherent in regular upgrades is larger than the risk of a malicious attack (for now).

    * = (likelihood of event) x (cost of event), where cost includes recovery plus the direct and opportunity costs of downtime.
