
Research: Industrial Networks Are Vulnerable To Devastating Cyberattacks

Patrick O'Neill writes: New research into Industrial Ethernet Switches reveals a wide host of vulnerabilities that leave critical infrastructure facilities open to attackers. Many of the vulnerabilities reveal fundamental weaknesses: Widespread use of default passwords, hardcoded encryption keys, a lack of proper authentication for firmware updates, a lack of encrypted connections, and more. Combined with a lack of network monitoring, researchers say the situation showcases "a massive lack of security awareness in the industrial control systems community."
  • default, and hardcoded, and authentication, Oh My!
    • I'm pretty sure this exact report was created 10 years ago, and has been republished every year since.

      Is it just a way to steal more federal funding for these "studies"?

      The install base is screwed, and nobody wants to spend any money to improve the situation. Profits over everything else.

  • -- Iran nuclear program

  • Industrial network (Score:3, Interesting)

    by hunter44102 ( 890157 ) on Wednesday July 29, 2015 @08:46PM (#50210979)
    I work in a multiple plant system with geographic separation. Each plant operates independently. But it's the geniuses on top that believe we need to some day run all plants from one location. (They also want to be able to see all the plants from anywhere). So we can be very secure by keeping each industrial network separated and completely disconnected from each other and the outside world, OR we can make all plants vulnerable by interconnecting them and allowing big shots to see the plant operation from their phone.
    • Follow the money.. Who pays the bills? Do what they say...

      Seriously, keeping your factory's networks separate is a pretty simple firewall issue for someone competent to install and configure it. I'm not sure how this cell phone connection is going to work, but there ARE ways to make cell phones connect to you via VPNs that can be made to require usernames/passwords (not to mention specific devices) before you are allowed to connect. There are solutions out there to do what they ask, they just cost a li

      • So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

        They want easy, and cheap. That limits you slightly...

        • by pnutjam ( 523990 )
          I've configured this sort of system with pfsense, using old PCs or preferably an embedded system, like alix. Stay away from cheap stuff from the big vendors, it's junk. Stick with the Linux/BSD based stuff.
        • So my "follow the money" joke, really should be this. IF the people in charge are asking for it, find and suggest a solution that can do it safely. If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

          They want easy, and cheap. That limits you slightly...

          Understood, but the POINT of this little exercise is to educate the people asking about the true costs and risks they are assuming before you implement anything. Responsible bosses appreciate this kind of iterative process that allows them to choose their level of risk and cost, and if you are dealing with irresponsible bosses who will come back and blame you for failure at a later date, you are going to need the CYA documentation that shows THEY agreed to this and you already told them of the risk.

          If the

      • by khasim ( 1285 )

        IF the people in charge are asking for it, find and suggest a solution that can do it safely.

        I'm with you so far.

        If they are not willing to pay for your solution, find another, albeit less safe solution and present it with a list of assumed risks. Rinse and repeat until you have a solution they are willing to pay for with risks they are accepting, then do that.

        In my experience, any "solution" that you present will be understood to do everything that they wanted.

        Even if you say that they cannot have X at $Y

        • by nnull ( 1148259 )
          So then make a firewall. If anyone tells me that's too expensive, they have no idea what they're talking about. The costs are minuscule even on existing systems to do it. A scissor or boom lift, tell the maintenance guy what to do, and you'll be done in a day for even a half a million sqft building. I have it in my own plant, it was trivial to do.

          If you have a management that is fighting you for 2-4 thousand dollars of work at most, you have bigger problems to worry about.
        • If that's true, and many times it is, you are playing a losing hand to start with. You work for people who don't care about you or value what you say and do and it's a BAD place for you.

          Best thing to do if you work for people like this is start to plan your departure. Update your resume, get your online profiles updated and start looking at the employment ads. It might be a very good idea to start putting money away for the "rainy day" that's surely coming.

          Maybe YOU can be that consultant they hire over

      • Problem is that the parent will be blamed for the security failure if it happens. At best he'll have to clean it up, at worst he'll be hung out to dry.
        • That's why you present your "solution" before implementation and that includes documentation of the provisos and risks they are taking.

          It may not save your job when the chips are down, but having a bit of hard documentation that you told them what the risks were and they choose not to spend the money to eliminate that risk is always a good thing. Besides, if they assume the risks, then fire the underling when a risk bites them, you really don't want to work for them anyway because it's just a matter of

    • Uptime, heartbeats, and operational error codes can be transferred one-way and offer very little for an attacker to use. And the executives probably don't care whether the condenser is running security patch .0034 or .0036. So I'm thinking the real problem isn't sending out plant data but an unwillingness to invest in security in general.
      • by Amouth ( 879122 )

        Keep in mind there is a major difference between monitoring and controlling. To control/run you have to be able to provide input into the system. It is this input access which opens the door.

  • by mattventura ( 1408229 ) on Wednesday July 29, 2015 @08:47PM (#50210981) Homepage
    Every time some industrial networking vulnerability gets posted, people ask: "why are these connected to the internet to begin with?", so I'll get it out of the way: Why are these connected to the internet again? If you do need some sort of external access to them, it should be through some sort of application-level gateway so that access can be carefully controlled.
    • So the pointy haired boss can check the stats he does not understand with his smart phone to show other pointy haired bosses.
      • See comment on application level gateway. I work at a plant where we have access remotely, but no, our control system is not connected to the internet. There's layers of VPN, firewalls, and even at the lowest level the final application is a single program served up via Citrix.

    • Comment removed based on user account deletion
      • my firewall can sync to NTP, and then the DC syncs to the firewall.
        • Comment removed based on user account deletion
      • Why? Just use a GPS disciplined NTP server locally.

    • by AHuxley ( 892839 )
      So one cheap engineer can watch diverse networks rather than a vast unionized on site workforce per shift, every shift.
      In the past low skilled staff would have to be in place, drive to or be on site 24/7.
      The cost savings add up for the brand but the quality of the network installed expected correct commands on a private network not a network open to the world.
      Years later all the limited networks open to the "net" per nation have been transversed and studied by a long list of people and other nations.
      The
  • I think this was even brought up in a hotels.com ad by Captain Obvious.
  • ... it's everything.

    Security will continue to be a low priority until we assign blame and litigate.

  • by PopeRatzo ( 965947 ) on Wednesday July 29, 2015 @09:04PM (#50211085) Journal

    Does it make anyone else uncomfortable that this story about industrial networks being vulnerable to cyberattacks follows immediately after a story about robotic surgeons?

    • Not really. If you look at the likelihood of being in surgery when the network goes down, or the surgeon gets hacked, it's pretty much negligible. What does disturb me is the fact that major hacks are frequently reported as are gross vulnerabilities yet nothing seems to get done. -- linquendum tondere
      • Not really. If you look at the likelihood of being in surgery when the network goes down, or the surgeon gets hacked, it's pretty much negligible.

        Not for that one unlucky guy... Someone will be there.

  • This is why Cloudflare got four of its routers wiped out during that last October DDoS. As soon as the network infrastructure was known and exploits located, it was the attack point. Security failure.

    And this is only going to get worse.

  • by Gravis Zero ( 934156 ) on Wednesday July 29, 2015 @09:39PM (#50211249)

    look, none of this is a problem as long as nobody asks about the worst case scenarios.

    • In a worst case scenario, this would make all politicians of all parties at least minimally competent and decent human beings (again, at least minimally), would solve the national debt and at least one major societal issue...

      (waiting)....

      (waiting).......

      (waiting)...........

      Oh well, it was worth a shot.

  • Since nearly everything connected to a network nowadays seems to have some manner of easy-to-exploit vulnerability due to lax security design, maybe it would be easier for the /. editors to publish articles on devices and systems that are secure instead of those that are not.
    • by plover ( 150551 )

      There is this piece of Cat 5 that isn't remotely hackable. Unless it's tapped, or if someone puts an inductor on it, or if they use TDR to estimate the length of the wire to figure out the distance between routers and discover where the Intrusion and Detection Systems are located.

    • by AHuxley ( 892839 )
      A fence, trusted staff on site, limited internal networks that are not connected to the outside world works well and are not that expensive.
      But that won't get a cyber security contract long term to "fix" the system after every expensive logged intrusion.
      The new networks have one good plus, wealth creation for the support, upgrade aspect.
  • by Anonymous Coward

    "Backdoors also exist in the form of hidden accounts originally created for maintenance that can provide cover for attackers. In particularly insecure facilities, antiquated and unencrypted connections to the Internet that allow engineers remote access to their networks act as pathways an attacker anywhere in the world can take toward the network in her crosshairs."

    Air gaps as much as you can, air gaps between your control networks, and your mail/office/facebook network. Don't trust vendor kit, it's riddled w

  • When networking of smart devices was still on a relatively small scale, a cyberattack wouldn't have done much harm, but afterwards, manufacturers, and more importantly, their customers, might have wised up. Stuxnet was a warning, and I think it has to some extent been heeded, but already by then the existing infrastructure was so vast that a major overhaul would have required a commitment and leadership that isn't there.

    • by nnull ( 1148259 )
      That's because a lot of these places don't hire anyone competent anymore to fix or repair this stuff. You have plants with a maintenance staff that doesn't know a thing other than knowing how to tighten a bolt but the management expect miracles from them. I don't see any plants that will hire seasoned engineers for such cases anymore. There's no more engineering teams at these plants. Owners want the cheapest nowadays and if they can find the word "Maintenance" and "Minimum wage", they're hired expecting hi
  • by Anonymous Coward

    I work in a small manufacturing company, all it would take is one malicious person to get on the network, send some specially crafted EIP packets to some of our PLCs and production is fucked. I keep saying we need to segment and isolate the industrial network from our poorly managed corporate network, but it gets ignored because "3000 is a lot of money to spend on some computer stuff."

    • I hope you saved those e-mail chains so when management comes looking for someone to hang you can prove they need to be the ones wearing the noose.
    • by pnutjam ( 523990 )
      Some of those systems will crash if you do something like plug a tone generator in to locate a wire.
    • by nnull ( 1148259 )
      Like I said earlier before. If you have management that can't spend a few thousand dollars to separate the network, you got bigger problems to worry about. I'm surprised more malicious stuff doesn't happen at these places. Or it probably does we just don't hear about it. It's so trivial to cause huge destruction and mayhem with these machines.
  • Comment removed based on user account deletion
  • It's not a case of lack of awareness, it's a case of mostly not giving a shit. We don't use most of the encryption features or hardening available between control systems on our site either because quite frankly we don't expect to and we don't need to. Actually I was quite critical at the last Schneider conference where they were talking about the encryption they are adding allowing you to connect multiple SCADA systems together directly via the internet. My comment to the presenter was "Why should I care a

  • "New research into Industrial Ethernet Switches .. showcases "a massive lack of security awareness in the industrial control systems community."

    New research - new research ? - this has been known about for at least a decade ref [huffingtonpost.com]. and the solution is, don't connect your switches directly to the Internet, connect them through VPN [techterms.com]s running on embedded hardware.
  • Are Industrial Networks also Vulnerable To non-devastating Cyberattacks?

  • This has been true for at least 20 years.

    The industrial controls industry is the most backward corner of the tech world, inhabited by an old guard that mostly doesn't even understand networking, let alone security. The newer recruits generally come from an EE background, so they also generally have no knowledge of how to secure critical infrastructure. Most started in the era where inter-device/machine communication was via serial and all these systems were simple air-gapped (not for security, but because t

  • between negligent complacency and paranoid hysterics. Especially where terrorism of any kind is involved.
