
Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours

Posted by samzenpus
from the target-rich-environment dept.
Trailrunner7 writes "It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric. And now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours' work."

  • by PlusFiveTroll (754249) on Monday November 26, 2012 @06:19PM (#42099111) Homepage

    When the light turns on, the roaches scurry. SCADA has been ignored by infosec up till now. Many of these systems are old, or are new systems not designed any different than they were in the 80's or 90's. It's not hard to find low hanging fruit when you're the first person picking it. Give 'the system' a few years and it won't be any different than Linux and Windows bug hunting now.... once you convince everyone to upgrade, that is.

  • by erroneus (253617) on Monday November 26, 2012 @06:33PM (#42099313) Homepage

    The industry uses what they use because that's what they use. Their standards are built on their expectations which are built on their experience. Long ago, computers were machines you didn't turn off. They were reliable and steady. People wrote software which adhered to that mindset. But then the PC industry came and every hobbyist became a programmer. That's when all hell broke loose. But that was fine because these were small systems and you just reboot and keep on with whatever you were doing. You were just one person. What did it matter? But the next thing you know "enterprise applications" are being built on a platform intended for single users... bringing with it a whole crapload of lax and shoddy standards.

    Now you know how we got where we are today.

    How do we get out? Linux is built under the same old school principles of reliability and stability so it tends to be able to run a lot longer than WinTel. But even that's showing signs of relaxing. And Apple? It had a reputation for not having problems... that was until people started to use it.

    So how do we get out? Obvious answer is to go back to what worked. But that's EXPENSIVE. No more "off the shelf solutions" with implied (though EULA denied) guarantees. No more OSes built from single-user, patched and hacked systems. AS/400 for mature systems and service standards come to mind. IT got cheaper with PCs and WinTel. But they also became 10,000 times more risky. People who spend money are constantly lied to by various parties and don't listen to their own IT people about what they should do.

    It's time to go back. It's time to go back.

  • Re:segmentation (Score:4, Interesting)

    by vlm (69642) on Monday November 26, 2012 @06:37PM (#42099363)

    False dilemma. One excellent security practice not being the sole practice necessary doesn't mean it's not an excellent security practice.

    I've never worked at a place without airgapped or at least tightly firewalled "IT" and "production"/"engineering" networks. I'm sure there exist places where the receptionist can install a toolbar or weatherbug on her windows PC and literally blow up the plant, but I've never personally seen or worked at one.

  • by vlm (69642) on Monday November 26, 2012 @06:52PM (#42099545)

    Give 'the system' a few year

    I've been hearing anti-scada fud for about two decades and it never gets any better.

    I suppose as agitprop the early 1980s movie "wargames" is pretty good anti-scada. Or claims that Kevin Mitnick can whistle into a telephone thus launching nuclear missiles. There was a cheesy hollywood horror/action movie in the late 80s or 90s that could basically be subtitled "misterhouse grows into a skyscraper and has a tantrum killing everyone inside". I distinctly remember a 6-million dollar man or 6-million dollar woman (a late 1970s pseudo-scifi tv show) which had a nuclear power plant scada attack, with a friendly computer that donated a 7400 series TTL logic chip to repair the magic prosthesis that was LOL funny at the time. There is also at least one anti-scada james bond movie, probably 80s era but I can't remember the details. Oh and there was a cheesy 80s "hacking" TV kids show perhaps the "whiz kids" or something that also had an anti-scada plotline.

    There's about 50 zillion star trek episodes and movies which basically show a scada attack on a warship. Most notably when Kirk drops Khan's shields remotely and pretty much blows his ship up in ST2. But there's about 49 other examples.

    This would be a fun /. article... everybody troll the depths of your memory to build a timeline of anti-scada FUD.

  • So I saw the video (Score:4, Interesting)

    by OzPeter (195038) on Monday November 26, 2012 @06:57PM (#42099585)

    I tracked the video down to ReVuln - SCADA 0-day vulnerabilities [vimeo.com]

    Now can someone tell me what I saw? All I can see is video of some commands being typed into a command window in an older version of Windows, and lots of graphics (and funky music) saying exploit this and exploit that. How do I know that what they are claiming is what is shown on that video?

    Note that I am not doubting that SCADA systems are not secure, they've been my bread and butter for a long long time. I just want cold hard facts, not a presentation that looks like it is a sales pitch aimed at scaring SCADA manufacturers.
