Siemens Fixes SCADA Flaws

itwbennett writes "Siemens has fixed a pair of bugs in its S7-1200 controller, which is used to control machines on factory floors, power stations and chemical plants. The bugs were discovered earlier this year by NSS researcher Dillon Beresford, who planned to disclose the bugs at Black Hat in August. The US Department of Homeland Security said that Siemens' patches fix 'a portion' of the problems Beresford has discovered and that it 'continues to work with Siemens and Mr. Beresford on the other reported problems.'"

Cool

[SheeEttin]

Cool. Glad to see they fixed it in short order. I am anxiously awaiting the time when these fixes are put in place. I'll set my clock for... 7 years. That should be enough.

Re:

[jhoegl]

But... but thats when the 2024 bug scare will start.
No one wants to see robotic arms start killing humans because they think its 1924 and they should exist, thus making them go crazy.

Re:

[slashqwerty]

I am actually quite surprised. I fully expected Siemens to hand the guy some hush money so he would cancel his presentation. This could be the first time in years that the black hat conference has run without canceling a controversial presentation.

Re:

[datapharmer]

This isn't their first opportunity. They've had since May at the least: http://www.prweb.com/releases/2011/5/prweb8458069.htm [prweb.com]

Re:

[drinkypoo]

Cool. Glad to see they fixed it in short order

Do I detect a note of sarcasm? Say, wasn't this talk already delayed to give Siemens time to find their ass with both hands and a map?

Firewalls

[IntentionalStance]

SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Re:

[Anonymous Coward]

so...not an air gap, then.

Re:

[aix tom]

Good luck getting Windows to run on 2560k, which is the memory the biggest of those things have.

I also have seen Windows for x86, x86_64, Itanium and in the NT4 days for Alpha processors. Never for, say, 315T-2 DP processors.

The most likely attack vector here would not be a network to the device itself, it would be something that infects the windows (or still DOS in some cases) notebook that is carried around the plant and plugged in the serial port for software updates and maintenance.

Re:

[sjames]

The SCADA controllers are managed by software that runs on a Windows box. That box is connected to the SCADA network. Often, that box is also connected to the internet through a firewall. Better hope they don't poke too many holes in the firewall for the convenience of management, such as, allowing remote desktop.

Re:

[DarthBart]

That's not "completely separate domain". That's "same domain with some sandboxing".

There's still the chance of some prick tossing sand in from the other box.

Re:Firewalls

[thegarbz]

There's still the chance of some prick tossing sand in from the other box.

If there is then you haven't set it up properly. These aren't enterprise firewalls designed to allow maximum user friendlies while limiting a small set of nasties from entering from the outside. These are default deny all, and on a very select case by case basis allow one way data back out to certain machines on certain ports.

This is several layers deep in a corporate network, the firewall gear is not part of the standard package, the data historian or other products that rely on data from the process networks are not part of a standard package, so you'd need to penetrate in at least that far just to see what you're up against next. To get through something like this you would need to know details beforehand.

For any attack like this to be feasible you would need rather large amounts of inside information. If you're that close to the inside information chances are you're within touching distance of the control system itself, in which case nothing is usually safe

Re:

[IntentionalStance]

Correct

The default position will be that nothing and I mean nothing in the corporate domain will be able to open a TCP connection to anything in the SCADA domain.

and the guys in charge of this will take it all the way to senior management if you even look like you are thinking of breaking this rule.

and you'll have to sign some serious career limiting documents before the guys in suits will sanction this.

or at least that's how it's been at place I have worked where they have SCADA networks and my spe

Re:

[jroysdon]

That's correct. The executives with their neck on the line won't go for it because if it is a misstep NERC/FERC will be all over them with fines and audit spot checks forever.

The best solution is to not connect SCADA systems with IP to any external network, firewall or not. Serial-based RTUs are totally acceptable to pass data and isolate networks from IP and most of the problems there.

The next level of protection needed in SCADA is protocol specific command-by-comamnd firewalling (ICCP, DNP3, etc.) of ke

Re:

[thegarbz]

Serial is fine for many smaller projects such as control of a couple of turbines but breaks down quickly as the data points scale up. For a small partial-upgrading refinery you won't have the bandwidth to get the required data out of of the DCS into a historian and a protocol that can run over TCP becomes close to your only option, the most popular being OPC.

Re:

[Anonymous Coward]

In my experience vendors of SCADA management tools are never able to exactly tell me which firewall ports need to be open to enable their applications to work. Most firewalls will end up looking as Swiss cheese (enabling all communications from one IP address to another).

Good luck with your security ... It usually takes about 2 firewall hops to go from the internal Internet connected network to the SCADA network.

Most of those management servers are now web-based (or web services based), but are never tested

Re:

[DerPflanz]

When we install S7's (with our own SCADA/visualisation solution) we insist that we have VPN access from our offices, to ensure the SLA and reaction time guarantees.

So, yes separate networks, but certainly not completely off the internet. The separation of networks is mostly a performance and reliability measure (you don't want NETBIOS, ERP and webbrowsing trafic on the industrial LAN), not about security.

Re:

[RobinH]

SCADA networks are usually on a completely separate domain from the corporate network. It'll be behind two sets of firewalls controlled by anal retentive engineers

Thanks for making me snort my coffee. Two problems: a Siemens S7 PLC is a PLC, not a SCADA system. They are extremely different things. It's like confusing a toaster and a kitchen. Everyone seems to miss this. Problem two: while up until a few years ago, PLC's didn't have network connectivity, so they couldn't be connected to ethernet (they now are routinely), SCADA systems are almost all ethernet capable, and in my experience, they are rarely even put on a separate VLAN, much less behind a firewall.

It must of been difficult.

[iiiears]

Thousands of lines of code on likely more than one type of hardware. (Did they audit their compiler?) We are obliged to rely on technology from womb to tomb i hope they get better quality assurance in place.

"Some"

[symbolset]

The headline is missing the word "some" somewhere in it.

Re:

[iiiears]

Funny. It escaped me that some flaws are beneficial. This was leveraged to save lives. - Technology is surprises.

Re:

[symbolset]

Stop that. We like to pretend.

S7-1200 is a very low end plc, and only very new.

[Anonymous Coward]

The S7-1200 would never be used in a power station, it's too low end, and very new.
I wouldn't use it anything more that a packaging machine.
It's the model that is less than $1000 US.