Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Hackers Gain "Full Control" of Critical SCADA Systems

Comments Filter:
  • by Gravis Zero (934156) on Sunday January 12, 2014 @11:56AM (#45932107)

    do NOT connect SCADA systems to the internet.

  • by M0HCN (2981905) on Sunday January 12, 2014 @12:09PM (#45932183)

    At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....

    The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!

    Ahh the things you can do in reasonable time with a 100Gb/s of bandwidth, the rsulting slides at the closing event (which is where I ran across it) were very, very scary.

    SCADA on the internet is a really, really bad thing.

    73 M0HCN. :wq

  • by Anonymous Coward on Sunday January 12, 2014 @12:13PM (#45932201)

    It's not about sympathy, it's about the effective destruction of our entire infrastructure without dropping a single bomb. The first sign that China or Russia is at war with us will be all our utilities and factories going dark. This is everyone's concern.

  • by ebno-10db (1459097) on Sunday January 12, 2014 @01:06PM (#45932473)

    "Proper firewalling" is a pipe dream. ...Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance. And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

    I think some people used to "conventional" IT don't appreciate how unrealistic it is "properly configure" (in terms of security) every box on a SCADA network. A typical network consists of a plethora of different types of boxes, with different OS's (often just RTOS's, which are usually not that security conscious), and all sorts of configuration, testing and latency requirements that go beyond what's needed in normal IT. Think in terms of making sure that robot arm doesn't smash into anything after your latest security update. Also, these boxes aren't, and realistically can't be, monitored all the time by checking log files and so forth.

    A similar situation occurs in aircraft, including military aircraft. I assure people there aren't firewalls or other security provisions between various avionics boxes. The big concern is reliable, error free and low latency communications between boxes. It's bad news if an actuator/sensor for a flight control surface has trouble, or takes too long, to talk to the main fly-by-wire system. Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

    Want security? Don't connect to the Internet.

  • by cusco (717999) <brian.bixbyNO@SPAMgmail.com> on Sunday January 12, 2014 @11:08PM (#45935943)

    The SCADA systems that I have worked with were for electrical generation and distribution and water/sewer systems, and they absolutely were air gapped. Crossing that bridge with a cable was an automatic firing offense, and yes, they canned a manager who thought that no one would notice. That utility covered an entire very large and highly-populated county and tied into the larger national electrical grid. I'll guarantee that most of the SCADA systems nationwide are air gapped, as it's required by FERC and can generate hefty fines if they're not.

  • by Anonymous Coward on Monday January 13, 2014 @02:16PM (#45941741)

    My company helps critical infrastructure owners meet data sharing requirements with govt agencies. If you use certain industrial communication protocols that were established pre-internet you may be in luck. In particular, we have a unique connection that is one way, only allows the data you choose to share, and does not require any sharing of your network with the outside world or feds. To be precise, your network and the govt network come within feet of each other and our unique device creates a restricted "bridge" that only passes MB data over serial. Read only.

Cobol programmers are down in the dumps.

Working...