The Stuxnet worm repeatedly attacked five industrial plants inside Iran over a 10-month period, according to new data collected by researchers from antivirus firm Symantec. Three of the undisclosed organizations were targeted once, one was hit twice and one was targeted three times, members of Symantec's Security Response Team …
Israeli Mil Grade ICE Breaker
This stuff could have come straight from Burning Chrome (except there it was Russian).
Maybe The Finn will sell you a copy.
If there was any ICE to break in the first place
SCADA and security. Come on, that is the oxymoron of all oxymorons. Every SCADA system given to the Internet hacking community at large so far has been found to contain multiple buffer overruns, lack of input sanitisation and lack secure coding practices in general.
Siemens is no exemption here. Not like there was any ICE (in Gibson's sense of the word) to break here.
"This stuff could have come straight from Burning Chrome (except there it was Russian).
Maybe The Finn will sell you a copy."
Quite true. And we all remember how well that turned out.
NYT link doesn't work...
All I get is a login page...
Its the legacy
I was surprised to discover just how much industrial code runs on Windows. Up till now its been just a bit of a nuisance, quaint, but by the rule of "if it works don't screw with it" you just put up with it. Management doesn't like to change things either; its not just the cost but the risk that the plant may be down for an extended period. Now they know that the stuff running their plants is terminally unstable and insecure there might be some momentum to get rid of it. The reflex might be to replace Win2K and XP boxes with Win7 but since there's no guarantee that there's no back door into the systems its better to replace it with code that you can control.
That's not good news for Microsoft -- or Siemens, or any one of the 101 outfits who can't be bothered hardening their code "because we've always done it this way".
You might be surprised..
..at how much still runs under DOS. Okay so probably not the high-tech stuff but there's still a fair few DOS-based CAM systems around.
Re: It's the legacy
"Now they know that the stuff running their plants is terminally unstable and insecure there might be some momentum to get rid of it."
Given the choice between commissioning new software (and probably bespoke software at that) for hardware that no-one can source anymore, or gluing up the USB ports to stop tossers poking infected memory sticks into the PC, which do you think management will jump for?
I yield to your unbounded optimism sir.
Meanwhile I'll be stocking up options for AV software because PT Barnum not only said "never give a sucker an even break" he also said "never bet against stupidity."
Win2k? I wish.
Heck we still use Win95/PCDOS kit for consoles. Patching like mad might work for general IT stuff but its not uncommon for SCADA stuff to break when patched. Also, serious revision changes generally result in having to reprove that stuff still works. That can take months to prove for complex configurations. AV is nice but it's not uncommon for it to cause havoc on SCADA servers, RSSQL, WonderWare, and RSView come to mind. When you get down to it SCADA/control stuff was rarely ment to be used outside of a closed system.
Might be flame bait but there is honestly nothing wrong with windows on critical servers. Most of the problems are from shoddy application code. Useally get a couple or three months out of our W2K servers until memory leaks from them get too big.
not flame bait at al
Production servers should be secure - and with limited/no access to any WAN.
But the accountant won't spend the money.
So they should have people on plant who know what they're doing - no chance - too expensive; why get an process/control engineer for £50K tops when you can fudge it with a Production manager and some IT types and the shift leaders ?
Of course when the plant's down - different story - except they still won't spend money on the Process control/automation stuff - oh a fortune on SAP - mega fortune on sales; stupid money on all sorts of optional extras - but invest in the stuff that actually MAKES the money ? That's 'just' engineering; they don't/won't understand it and keep paying for it in all the wrong ways - and the stupidity of running process on windows is because COTS is cheap and MSCE's are good value - the fact they patch a production server and break it - time after time - escapes them.
Bespoke Operator station - 1970 - ish 40K - STILL RUNNING total cost of ownership - about 2K per annum. Something WIndows can't even dream of (either running for 40 years or being so damned cheap)
We still use some DOS based software to control our antennas, written originally 20 years ago. Why change when it works?
However, we now run it using dosemu on 32-bit Linux, as you can configure it to have direct hardware access so the legacy stuff works (a security and multi-user no-no usually, but this is a special case). Only thing that I don't think is currently emulated well (if at all) is DMA access, but we did not need that.
We even got the dosemu project to accept our patch so dosemu can be configured to keep the NTP-disciplined time of the host, a huge advantage over the old system!
This gives us the advantage of keeping the tried and trusted control software, but with a modern OS with secure remote access via ssh, decent networking, journalling and/or RAID file system, accurate time keeping, etc.
"replace Win2K and XP boxes with Win7"
Except in a lot of cases they can't. Why? Because older systems may only have drivers for w2k, and maybe not signed ones at all, so they won't work under win7. Most likely a whole lot of other niggly differences will mean it just won't work without getting new software for the control system.
And maybe you can't, then what? The original supplier might be out of business (or assimilated in to another and skills lots) or just not supporting your old hardware any more.
So new hardware then? Ah yes, but maybe it is not exactly the same, so now you have to change all of your associated software and hardware to account for the differences, then fully test and debug it before making it live, etc. You do still have the folk who installed and understand your old system fully I hope?
So there you have it, the real cost of a propriety system - they decide when you get stuffed for support. For example, w2k will never be fixed for the thumbnail previewing bug, or dozens of other ones identified recently that hark back to old Windows code. Soon the same fate will befall XP.
Considering a lot of industrial systems are expected to last 10-20 years, it is a joke to use software with typically 10 years or less support and no come-back.
At least with Linux you have the opportunity to fix it yourself, maybe hard to do in cases, but it is possible and no one will wave an EULA telling you you can't do it.
Remember that US Navy destroyer a couple of years ago
that was sitting dead in the water due to MS SQL errors in their main onboard computer system.
Mission critical systems require software that is specifically designed for that.
MS software is just Mickey Mouse.
Ease up there bub!
MS is not Mickey Mouse, it's just designed to be very generic, that's the problem. Software to control mission critical kit should not be knocked up in VB6/.Net for a generic O/S. The O/S used should be build specifically for the task at hand.
That's not even MS fault, they simply produce an adaptable O/S. The problem starts when some "Philbert" decides that it's good enough so they slap on a bit of software that can run a nuclear launch mechanism, 'cos it only took 6 weeks to code in .Net.
I don't like MS stuff that much, being a Linux/Solaris man, but I still respect it's ability to do stuff it was intended to do, be a good all round desktop O/S.
I prefer to string up both MS and the idiot mis-using the software.
The MS software isn't simply failing because it is very generic. MS has made piss-poor security choices even given its generic purpose. Active X being a biggie that comes to mind, especially when it is supported by the browser with no intervening user control.
That being said, the idiot needs to be shot too, because the above hasn't been news since oh, about 1989.
"MS software is just Mickey Mouse"?
Are you sure you went to the right Disneyland?
MS Software is not mission critical
..because it doesn't need to be. What it needs to be is 'good enough for most people' which it clearly is. That's why Windows is so much more prevalent than Linux. Sure things like OEM deals have helped but OEMs do that because they know Windows is a safe bet. Everyone knows how to operate a Windows computer.
Rant and wail all you like. Linux might be technically superior but if you judge an OS on the number of man/machine hours of work it assists then Windows wipes the floor with all the others. From a pragmatic point of view that makes it better.
You Should View It In a Positive Way
..expect quite a few open-source security apps from persian programmers in a short timeframe.
Mr Vlad already decreed Linux. NSA doing SE Linux. FRA, SA and LSE going Linux. Tokio SE already Linux. German diplomatic crypto Linux-based. USN Cyber Defence Ops (Identity mgmt) Linux-based. German flight control Linux-based. Core DISA system Linux-based.
So many bad guys all hardening Linux - there must be a "meaningful" outcome :-)
Less burning chrome and rather more John Brunner's The Shockwave Rider.
A product of "Electric Skillet."*
*Hopefully without their ethically very suspect recruitment policy.