Forgot your password?
typodupeerror
This discussion has been archived. No new comments can be posted.

Hackers Gain "Full Control" of Critical SCADA Systems

Comments Filter:
  • I suspect the Siemens and Sietec people are now on a wide-ranging entropy hunt, probably along with the German Federal Security Service (:-))

  • by danheskett (178529) <danheskett@NospAM.gmail.com> on Sunday January 12, 2014 @10:54AM (#45932101)

    I've seen these some of these systems and they are a total nightmare. Of course the worst are running Windows - totally unpatched, unmanaged, and out of control stock Windows desktop builds. The "best" of breed use Windows Embedded (or CE for older devices), but in general they are all still unpatched and unmanaged.

    Another problem is that manufacturers don't really provide for on going maintenance. And of course they go out of business.

    • Re: (Score:2, Interesting)

      by Anonymous Coward

      The best thousand+ ton machinery I've seen, were running haskell code on the latest linux kernel. So cool and up to date.

    • by Z00L00K (682162)

      In that case I wouldn't call it a zero day vulnerability, I would call it vulnerability due to incompetence.

      Hack the systems and make them go down permanently by a hard disk low level format or corresponding. That would raise the security awareness more than a slashdot article.

      Only case to have an unpatched server is when you are running it standalone with no possibility to install anything new on it without opening a padlock.

    • by I_have_a_life (1582721) on Sunday January 12, 2014 @01:29PM (#45932937)
      The problem isn't Windows (not sure if you are implying this or not). It's a convergence of factors which make patching systems a veritable nightmare in the process control systems.

      1. The people who run the plant are trying to squeeze the maximum amount of yield from their plant. Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour. Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price. You may argue that the greater good is more important than money but these guys aren't listening to that.

      2. These industries are rife with rules and regulations that further inflate the cost of patching systems. In the pharmaceutical industry the cost of applying a single patch may run well into the millions of dollars because every change has to be meticulously audited.

      3. IT is often outsourced to third parties in order to control costs. The downside of ceding control of your own infrastructure is that even something mundane like changing a firewall rule has a process which costs money and resources.

      4. There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it". No person involved in the industry wants to find problems. They want the plant to produce and they expect the hardware and software they buy to produce - untouched - for 20-30 years.

      I have seen crazy things at plant floors. Control systems still running on Windows NT, operators sharing credentials, copying files from one system to another using thumb drives because the network does not allow files-haring.
      • There is an old-school engineering mentality that is pervasive based on the old adage "if it ain't broke don't fix it".

        The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between. The DMZ can be locked down hard and updated carefully, and it doesn't need to ever hold systems that need careful certifying as it should never be in the control loop; just out of band monitoring.

        • Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.

          • by Jeremi (14640)

            Normally the SCADA systems **ARE** air-gapped from the corporate backbone, but until we start breeding better managers some idiot will occasionally pull a cable across that gap in order to produce a report or something.

            This suggests a product idea -- triangular (or otherwise oddly shaped) Ethernet jacks, for use in computers that are not supposed to ever connect to the Internet. All your SCADA machines would have these, and it would be very difficult for the idiot to connect a cable to them that also connects to a non-SCADA machine.

            (Until the inevitable RJ45-to-triangle adapter cable becomes widely available, anyway)

          • by thegarbz (1787294)

            No. Very few SCADA systems for plants that do anything other minor local control are "air-gapped".

            Most normal SCADA systems are part of a virtual network. And that's kind of the point. Small pumping stations, local control systems that none the less need to act as part of a larger system (think power grid) require some kind of network connection.

            Just because it's not the corporate backbone doesn't mean it's not the internet.

            • by cusco (717999) <<moc.liamg> <ta> <ybxib.nairb>> on Sunday January 12, 2014 @10:08PM (#45935943)

              The SCADA systems that I have worked with were for electrical generation and distribution and water/sewer systems, and they absolutely were air gapped. Crossing that bridge with a cable was an automatic firing offense, and yes, they canned a manager who thought that no one would notice. That utility covered an entire very large and highly-populated county and tied into the larger national electrical grid. I'll guarantee that most of the SCADA systems nationwide are air gapped, as it's required by FERC and can generate hefty fines if they're not.

              • by thegarbz (1787294)

                Not all SCADA systems can sit and hum away without any external influence control or set-points. Not all SCADA systems can be set up in a way that a technician can easily travel out and download logs or trends.

                The SCADA systems I have worked with are absolutely connected to the "internet". I use inverted commas since it's not connected in a way that you can just fire up it's IP address and be all happy. VPNs, firewalls, and a connection to a specific machine in a specific network only. Why? It's a pumping s

        • by greenbird (859670)

          The problem with that is, by putting it on the internet, they've broken it (even if the breakage hasn't hit home yet). Nobody wants to admit that they've done that, but it's their own damn fault. A good start to fixing things would be to airgap the SCADA network from the internet, and if connecting is necessary at all, to use a good double firewall with hardened DMZ machine in between.

          You know, I've never understood this predisposition towards firewalls. Secure the system such that it only listens on a specific port for specific secured encrypted messages. No need for a fire wall. A firewall just adds more complexity and points of failure. It's much more efficient to secure the system's communications than to try to secure the various access points.

      • This is by no means unique to SCADA systems: I think most people here recognise the symptoms in many fields.

        The people who run the plant are trying to squeeze the maximum amount of yield from their plant.

        Very laudable. That's their job.

        Shutting down a SCADA system so that it can be patched and tested may literally cost them millions of dollars per hour.

        That cost should have been factored into the financials from Day 1. It's usually omitted by managers and accountants because with it, their projections wouldn't look as good.

        Furthermore, the cost of upgrading is not looked upon kindly unless it's going to help you create more of product X at a lower price.

        Bear in mind that the cost of not upgrading may be the end of the company.

        In Economics 1.0, business students get taught that the primary objective of the corporation is to make a profit. Most managers believe this. Wrong. The primary objective of the corporation is to assure continuance, even if that means a couple of years of losses from time to time.

        Failing to recognise this is usually among the early symptoms of eventual failure.

    • by cusco (717999)

      Most of the endpoint devices that I've seen use either Linux (old, unpatched versions) or something akin to Tron or DOS. Management clients are often Windows, and they're unpatched and unmanaged because they're not on the normal Corp network so IT doesn't have access to them. The actual SCADA management system is normally hosted on some flavor of Unix, at least in the power and water industries.

  • by Gravis Zero (934156) on Sunday January 12, 2014 @10:56AM (#45932107)

    do NOT connect SCADA systems to the internet.

    • The air gap is not the solution. Proper isolation, firewalling and virus/malware is.

      • by clovis (4684) on Sunday January 12, 2014 @11:23AM (#45932259)

        Proper isolation? If by proper isolation you mean an air gap, then OK, I agree.

        "Proper firewalling" is a pipe dream. If you have a firewall, then you have external access and a vulnerability right there.
        Whatever port you have open is an access point, and thus a vulnerability.
        Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance.
        And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

        "virus/malware"? I suppose you mean anti-virus/malware. There is no such thing a 100% effective anti-virus/malware software. They are not even close.
        Keep in mind that the anti-virus software in itself is a vulnerability.

        • by aaarrrgggh (9205)

          An air gap just limits the remote attack capability, and is fairly easy to defeat with local access. At every level you need to limit the attack surface.

        • Re: (Score:2, Insightful)

          by fisted (2295862)

          What use is an air-gapped machine? How do you communicate, how do you control it? Build your own physical network infrastructure (preferrably with blackjack and hookers)?

          • What use is an air-gapped machine? How do you communicate, how do you control it?

            As hard as it may be to remember these days, it is possible to communicate without the Internet (especially when that communication need only be local).

            • by fisted (2295862)

              As hard as it may be to remember these days, it is possible to communicate without the Internet

              We're talking about systems here, not intersocial communication.
               
              If you air-gap a machine, then you need to hire people to maintain the machine locally. This just does not scale.

              especially when that communication need only be local

              For instance?

          • by Ol Olsoc (1175323) on Sunday January 12, 2014 @01:08PM (#45932831)

            What use is an air-gapped machine? How do you communicate, how do you control it?

            So we ran these machines with no control or communication before the interwebz?

            If you want to run these things on the internet, they will be hacked.

            • by reboot246 (623534)
              You speak the truth. I know a natural gas company right now that is installing a SCADA system. Why do they think they need it? I don't know, but I can tell you that they are a small system and don't need such a system. They operated for decades just fine without it. I think sometimes shiny new technology blinds managers to reality.
            • Right, just like we ran computers before the internet existed. Why don't you just unplug yours and I'll mail you DVDs?

        • by ebno-10db (1459097) on Sunday January 12, 2014 @12:06PM (#45932473)

          "Proper firewalling" is a pipe dream. ...Keep in mind that many of these systems have hidden backdoors or default admin accounts for maintenance. And the reply "it's OK if it's properly configured" would be true if every system had network admin that was 100% competent. Do you wish to make that claim?

          I think some people used to "conventional" IT don't appreciate how unrealistic it is "properly configure" (in terms of security) every box on a SCADA network. A typical network consists of a plethora of different types of boxes, with different OS's (often just RTOS's, which are usually not that security conscious), and all sorts of configuration, testing and latency requirements that go beyond what's needed in normal IT. Think in terms of making sure that robot arm doesn't smash into anything after your latest security update. Also, these boxes aren't, and realistically can't be, monitored all the time by checking log files and so forth.

          A similar situation occurs in aircraft, including military aircraft. I assure people there aren't firewalls or other security provisions between various avionics boxes. The big concern is reliable, error free and low latency communications between boxes. It's bad news if an actuator/sensor for a flight control surface has trouble, or takes too long, to talk to the main fly-by-wire system. Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

          Want security? Don't connect to the Internet.

          • by DarkOx (621550)

            Security is about "don't let it through unless you're sure", which obviously conflicts with the more important goals.

            No security is about, availability, integrity, and authorization. If the system needs low latency communications that is an availability concern; its absolutely part of the security practitioners job to make sure those availability and integrity goals are met. They are not competing goals they are complementary goals.

            Security experts who don't understand that are not in fact experts. People who think security just gets in the way also need to shut up and listen.

      • The air gap is not the solution. Proper isolation, firewalling and virus/malware is.

        No. Firewalling, virus protection, malware detection... all these techniques can be flawed, either by design, because of oversight...
        It is acceptable for most system (because these issues get fixed after a while), but for a SCADA system you don't want a zero-day to be exploitable *at all*. Your system can have a ton of backdoor/vulnerabilities/exploits, if it can't be reached by any other mean than physical access they are not an issue.

        • by whoever57 (658626)

          if it can't be reached by any other mean than physical access they are not an issue.

          Tell that to the people running centrifuges in Iran. Their machines were air-gapped, but they still fell victim to Stuxnet.

      • by greenbird (859670)

        Proper isolation, firewalling and virus/malware is.

        No it isn't. That is a recipe for failure. Simplify and secure the system. Reduce the points of failure to the minimum and make sure the few that are required are secured. Adding more complexity and more points of failure just increase the probability of failure.

    • And do not allow USB-sticks or other media to be inserted into these systems.

      • by Jeremi (14640)

        And do not allow USB-sticks or other media to be inserted into these systems.

        That's going to make installing bug-fixes interesting... perhaps they send a new computer from the factory and swap out the existing one?

    • by Ol Olsoc (1175323)

      do NOT connect SCADA systems to the internet.

      Not bloody likely. We're expanding, with lot's of home surveillance systems, ans coming soon, the "internetted" automobile.

      The great thing is that nothing can go wrong with this sort of stuff.....

    • by satuon (1822492)

      Can't they put a computer before them, that requires SSL/TSL connections, and authenticates any socket before forwarding it to the SCADA computer? A proxy, so to speak.

    • by istartedi (132515)

      do NOT connect SCADA systems to the internet.

      Do have employees running around in trucks to check things, or actively monitoring larger systems that need constant attention. Do charge customers more money to support those extra employees. Do make decisions based on daily dumps from mag tapes somebody drove over to the central office. Note, I'm not saying that's a bad idea. I'm just pointing out the trade. I bet a lot of things were done like that up into the 1980s. I have personally driven mag tapes

      • I get your point, but none of that requires the SCADA system to be connected to the Internet. It does require a dedicated network for SCADA completely separate from your LAN/WAN but you can do all of that with technology and not touch the Internet.

  • by msobkow (48369) on Sunday January 12, 2014 @10:58AM (#45932121) Homepage Journal

    These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.

    • by Anonymous Coward on Sunday January 12, 2014 @11:13AM (#45932201)

      It's not about sympathy, it's about the effective destruction of our entire infrastructure without dropping a single bomb. The first sign that China or Russia is at war with us will be all our utilities and factories going dark. This is everyone's concern.

      • by gmuslera (3436)

        If you use jelly as the basement of your house is your fault that the house is unstable. Putting and approving to put critical infrastructure directly accesible on the open internet, that can have present or future vulnerabilities is bordering criminal behaviour. That people should be the first on the line to be jailed, and now, not when something bad happens.

        And remember, the ones that started with big scale "war" has been the US. Don't start a war of breaking glasses if your entire house is made of (spec

        • by sumdumass (711423)

          Putting and approving to put critical infrastructure directly accesible on the open internet, that can have present or future vulnerabilities is bordering criminal behaviour.

          Lets stop being overly dramatic and think about reality. When a lot of these systems were placed in the open, the entire thought of exploiting them was pretty much non existent. It's like the early Microsoft security models that completely missed the communications implications of the internet and the reason why after windows 98, they s

          • by gmuslera (3436)

            Since the 90's ive seen constantly scanned every internet connection for open ports, vulnerabilities, and common software with flaws. And when something had a known (may not by you, but by the exploiter) vulnerability, and was interesting enough (profit, fun, proof of concept, following political agenda or whatever) it was exploited. It is not the 90's anymore, the whole internet can be scanned in 45 minutes [zmap.io] (and exists scans ready to use [scans.io] if you don't want to spend any time), if something can be used, it wi

            • by sumdumass (711423)

              Interesting you mention a kid causing chaos. Ever hear of a molly guard and how it got it's name?

              Negligence is not criminal though. That was the point of my comment. Negligence that happened in the past without advanced knowledge of the future cannot be criminal. It can be short sighted, stupid, clumsy and a number of other things, but not criminal. Many of these exposed systems were developed before the 90's and switched to using the internet during the 90's to save costs. Many of these systems were put in

          • by lennier (44736)

            When a lot of these systems were placed in the open, the entire thought of exploiting them was pretty much non existent.

            Only "non-existent" to people who weren't thinking and weren't paying attention to the literature. There had been a LOT of academic warnings back to the 1970s about the potential security problems of interconnected networks. Heck, the entire genre of cyberpunk science fiction in the 1980s - Neuromancer was 1984 - didn't come out of thin are but was based around the then-current academic discussions of the security problems of the early Internet. The first IBM PC virus [wikipedia.org] was 1986, the Morris Worm [wikipedia.org] was 1988, pre

    • by Billly Gates (198444) on Sunday January 12, 2014 @11:30AM (#45932277) Journal

      These issues have been flagged for roughly a decade. I have ZERO SYMPATHY for anyone who gets taken over.

      MSOBKOW this is your boss.

      What do you mean it is a security risk to put this on the internet? Everyone else has no problem doing this and I never heard of anyone being hacked. Like a billion dollar company would ever design such a thing when an internet connection is required to stay activated. Are you telling me that firewall you said we needed doesn't make is impenetrable?! Why can't you secure it? Do I need to hire someone who will?

      • by tlambert (566799)

        Why can't you secure it? Do I need to hire someone who will?

        Yes. Yes you do. And when they fail, you should know that my contract rate for you, with the negative discount, is $500/hour, in hour increments.

  • by M0HCN (2981905) on Sunday January 12, 2014 @11:09AM (#45932183)

    At 30C3 someone ran a portscan on the VNC port of the entire IPv4 internet, with 'interesting' results, highlights of which included a swimming pool chemical dosing control system, various power generation and control systems, building environmental control systems, air handlers, all sorts of wild and whacky things, some of them lacking in even the rudiments of passwords never mind proper crypto....

    The best one looked to me like a medium voltage distribution cabinet where the setpoints on the overload trips looked like they could be reconfigured from the internet!

    Ahh the things you can do in reasonable time with a 100Gb/s of bandwidth, the rsulting slides at the closing event (which is where I ran across it) were very, very scary.

    SCADA on the internet is a really, really bad thing.

    73 M0HCN. :wq

    • by gmuslera (3436)
      You can scan the entire internet in less than an hour by now. And there are databases [scans.io] of open ports on all of it already if you want to save that hour. If is critical, should not be even visible on internet.
    • by satuon (1822492)

      What's interesting is, why are news of anyone actually exploiting those vulnerabilities so rare? It seems even though the vulnerabilities are there, nobody is exploiting them.

    • Some ot them are not real. I sometimes start a virtual machine with Vnc wide open on 5800 and use a DOD emblem for wallpaper.

      I've found hackers trying ports 5802 and when I tracert them I get a weird 2900ms delay leaving the last US hop at San Diego headed to the Orient.

  • by Gim Tom (716904) on Sunday January 12, 2014 @11:18AM (#45932227)
    SCADA systems are bad enough, but the push to "THE INTERNET OF EVERYTHING" should make it far more interesting for everyone.

    I remember, far back in the late 1960s, when a popular DJ on a local radio station joked for everyone on a particular Interstate leading into the city to "CHANGE LANES". I was on that road and an amazing number of people did. With TIOE the cars can just do the lane change without having to tell the drivers to do it! Of course most of the drivers did make sure that the lane they were moving to had room for them. I doubt that will be the case next time.
    • Re: (Score:3, Interesting)

      by maxwell demon (590494)

      Indeed, thinking of the smart grid, you could probably get the grid down by issuing a command to sufficiently many household appliances to switch on at the very same time. Those will be even less protected than the power stations, because "who would want to attack my dishwasher?"

      • by Gim Tom (716904)
        Good point. The soft undefended target is the ripe target.

        Another Tao of math: For Electrical Engineers imaginary numbers are real.
      • by Ol Olsoc (1175323)

        Indeed, thinking of the smart grid, you could probably get the grid down by issuing a command to sufficiently many household appliances to switch on at the very same time. Those will be even less protected than the power stations, because "who would want to attack my dishwasher?"

        New Jersey's Governor will be able to more tightly focus his retribution efforts. Instead of old school shutting down lanes of traffic, he'll be able to turn off the electricity to every registered Democrat.

  • are those systems connected to the Internet?

    Plain stupidity or folks managing those don't know what this Internet stuff is?
    • Re: (Score:3, Insightful)

      by M0HCN (2981905)

      Because actually it is really very operationally useful, and USEFUL in normal use trumps security EVERY SINGLE TIME.

      Consider someting simple like a public building heating control system, this is probably a modest PLC from the usual suspects, now if I am the poor sap in charge of the building systems (Nightmare, been there, done that), and the thing alarms at say 2100 on my day off, I have a choice:
      I can go in and clear the (often but not always) unimportant problem, takes me an hour to get there and I was

      • Point taken, but I think the appropriate security/convenience tradeoff needs to be assessed for different situations. Messing up a building's HVAC is going to wreak a lot less havoc that messing up water, power or sewage systems.

        I also have a question. How is connection between PLC's to the Internet handled for such things? Is the PLC directly connected (probably a very bad idea) or is it through a computer that can be used as a firewall?

        • by M0HCN (2981905)

          Security/convinience tradeoff? You try explaining that to a building contractor sometime!

          As to the interfacing, it depends, sometimes it is a direct link to the plc, sometimes the plc talks CAN or RS485 or such to a windows xp box which runs a web gateway... I personally think the first option is likely more secure, especially when the machine in the corner of the plant room is found by the local security guard to be a good place to browse porn sites and download videos on the night shift (It happened, and

        • by Ol Olsoc (1175323)

          Point taken, but I think the appropriate security/convenience tradeoff needs to be assessed for different situations. Messing up a building's HVAC is going to wreak a lot less havoc that messing up water, power or sewage systems

          True. ALthough there might be some business reasons to do so. Imagine making your competitor's HVAC systems go down during important meetings, or in the dead of winter before a big deadline. ANd considering that we live in a country where American on American attacks are political gold: http://www.latimes.com/nation/la-na-christie-bully-20140111,0,3128420.story#axzz2qD3vqu1x [latimes.com]

          No, I think this is an untapped market of Screwing With Your Competition.

  • by markhahn (122033) on Sunday January 12, 2014 @11:40AM (#45932337)

    These systems are the moral equivalent of leaving your door not just unlocked but ajar. It doesn't change the morality of anyone trespassing to steal or destroy, but it does make the owner much more culpable. We do not face a threat to our cyber-infrastructure, but rather have irresponsibly left the infrastructure unprotected, and should not be surprised that people of varying motives might take advantage.

    We do not need a cyber-infrastructure police force, unless they're actually tiger teams who publicly shame the idiots who leave their systems unprotected...

  • by RotateLeftByte (797477) on Sunday January 12, 2014 @11:46AM (#45932351)

    could someone a lot wiser than me please explain why we need to connect everything and anything to the internet?
    I expect the hackers are rubbing their hands with glee at the prospect of being able to hack all sorts of things. Imagine all the havoc they could cause by making all the freezers in a country suddenly defrost?

    Frankly, I think this drive to connect everything is totally misguided.

     

    • by LoRdTAW (99712)

      Cost.

      Why pay a person to stay on site or make periodic visits to maintain equipment or change settings when a few people can do it remotely? It does sound convenient but it opens a whole can of worms as any one anywhere on earth can potentially wreak havoc on your low cost maintenance systems.

      • That's not the whole answer. First, there were remotely monitored and controlled systems before the Internet (though I'm not sure how the various links were implemented). Second, I suspect that the convenience, or perceived convenience, may be as important as cost. Lastly, anything you can't connect to the Internet seems outdated (whether or not the connection is a good idea).

      • by Lumpy (12016)

        Not Cost.

        Profit.

        Please do not confuse the two as Profit has a higher driving force than Cost does.

      • Have you never heard of Firewalls and VPN's?
        As part of my job I login to sites all over the world via VPN (actually two VPN's). None of the systems I connect to are visible on the internet. Good job too.
        Putting all sorts of devices directly on the Internet as all those IPV6 advocates are so fond of reminding us that there is plenty of address space to do it is just stupid and will eventually cost a lot of lives. Perhaps it will take a major catastrophy to wake people up to the dangers of doing this.

        Having b

        • by DarkOx (621550)

          Tell me, do you split tunnel? if not do you always check the routing table before and after you connect to those VPNs? Because despite what you think those machine might very well be visible on the internet. Just takes the right malware running on your laptop.

          Fundamentally you are mixing a high security domain ( the SCADA network ) with you machine which has been in a low security domain and is in a questionable security state. Even if we want to believe the VPN isolation it self is always perfect and no

    • by fisted (2295862)

      Thats typically because fully air-gapped machines are terribly useful, unless they inherently do not need to communicate for the task they are doing. for example .... uh.

      • by fisted (2295862)

        eh and that should ofc read 'terribly useless'

      • unless they inherently do not need to communicate for the task

        Unless they inherently do not need to communicate beyond the local network.

        for example .... uh

        Most SCADA systems. There are more things in heaven and earth, Horatio, than are dreamt of in your philosophy.

        • by Lumpy (12016) on Sunday January 12, 2014 @12:56PM (#45932761) Homepage

          It is trivial to make a "one way, unhackable" ethernet connection to export data to a unsafe network device.

          you have a machine on the SCADA network with TWO network cards. One connects to another PC on the insecure network via an ethernet cable with ONLY the TX wires connected. no RX lines. set both to a static IP and then UDP broadcast your information from the secure PC to the insecure one.

          There is no hacker or security expert on this planet that can hack that connection and gain access to the SCADA system. Unless they found a way around physics or can teleport things with their mind.

          http://www.stearns.org/doc/one-way-ethernet-cable.html [stearns.org]

          The problem is most places refuse to hire educated IT staff with experience in security. They want low cost MCSE holders that can barely do their job at the lowest cost possible.

          If updates to SCADA software are needed, "most are not in reality" you use write once media such as a DVD or BluRay created on a machine that has nothing to do with the SCADA system and based on an OS that is drastically different to further reduce the chances of homogenous OS infection vectors. If it's important, then the files are inspected byte by byte on a security computer designed to look for infections and injection. then after full and careful inspection you apply the updates.

          THIS is how you run a critical system SCADA network. and 99% of them out there are not ran this way as the people in charge of it have zero education in security let alone networking and IT.

          • by fisted (2295862)

            Administration of said machine is a staff-intensive mess then.

            • Administration of said machine is a staff-intensive mess then.

              I bet Iran wishes they'd taken that approach with their enrichment centrifuges :)

              I'm old enough to remember when nobody used the Internet for remote administration. While less convenient, and slightly more expensive, it's not that big of a deal for SCADA. You have to remember that most of the boxes in a SCADA system are not like say, web servers, which are computers talking to other computers and doing only computerish stuff. SCADA controls actual physical equipment, that can't be be remotely monitored or m

    • by PPH (736903)

      I'm already creeped out by how much a Nest Thermostat [engadget.com] looks like HAL 9000.

  • people and companies with big salaries and/or contracts still putting critical systems on the open internet. And that will keep their salaries, contracts and continuing to do so even after this is exploited.
    • by Lumpy (12016)

      It's because they hire management that are dumb as boxes of rocks or a small salad bar. Educated managers are not wanted, only ones that can schmooze.

  • DUH. (Score:5, Insightful)

    by Lumpy (12016) on Sunday January 12, 2014 @12:45PM (#45932695) Homepage

    Almost ALL of us that have had to deal with SCADA knew this was possible. Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.

    SCADA systems need to be airgapped completely from any network other than their own. Boo Hoo to the company that needs to buy a second set of computers for the employees to get email on. the SCADA computers are to be used ONLY for SCADA systems.

    100% of the security failures lie at the feet of the managers of these facilities. Until we start beating them with sacks of doorknobs nothing will change. and yes, the SCADA infection via usb drives are the fault of management. allowing the use of USB or any other device that has not been secured and low level formatted before use on a known clean machine is the fault of management.

    All USB ports should be disconnected or physically inaccessible via lock and key to users.

    • Most of the time because incredibly stupid managers DEMAND the systems be accessible from the internet.

      How does this not drive their insurance premiums through the roof? It should, and it's not, so something is broken in the process.

      Do they have government protection from liability?

      • by cusco (717999)

        Do you think there is anyone in the entire insurance industry that has a clue? Having done physical security for a number of insurance company clients, as fare as I can tell the insurance industry is where IT talents go to die.

    • Why can't they do it the way that satellites do - all control operations are sent encrypted.

      • by dkf (304284)

        Why can't they do it the way that satellites do - all control operations are sent encrypted.

        Because the SCADA vendor probably had encryption as an option that you had to pay extra for, and management wanted to chisel another few bucks off the setup costs.

      • by Jeremi (14640)

        Why can't they do it the way that satellites do - all control operations are sent encrypted.

        Or put in a data diode -- insecure machines (including the entire Internet if that's what you want) can monitor the system, but only a secure/air-gapped machine can send data to the SCADA system.

  • Maybe these systems dont actually need all the bells and whistles of networking to communicate their state. Maybe an output-only serial communications solution would be perfect for some of these systems. They can alert when they have a problem without exposing a bi-directional communications channel through tcpip. In fact, you could even cut the pins on the serial and guarantee that nothing comes in. Its the ultimate one-way firewall.
    Im not saying that all of the systems can run this way, but I be

  • Let get the media to over react. That will be fun, more government rules, more government oversight. I know we have multiple "SCADA" systems on my site, except most of them aren't control, they are monitoring. (Oh my! the B4-12 SquareD power meter is reading too low!! That groups power bill will be to low next month.) The other LAN connected SCADA systems on site, that I know of, would fail safe. The worst you could do is cause some experiments to fail. Part of the power of PLCs these days is having them on
  • what moron would hook these things straight to an internet connection? in the private sector, stuff like this would get you fired on the spot.

1 Mole = 007 Secret Agents

Working...