A group collaborating with the US Computer Emergency Readiness Team is warning oil refineries, power plants, and other industrial facilities of a bug in a popular piece of software that could allow attackers to take control of their computer systems. The vulnerability in the Genesis32 and BizViz products made by Massachusetts- …
ActiveX? Dumb idea!
Come on boys, you don't have to run Outlook on those industrial control systems so why bother with Windows ? Just because you never saw anything but a Windows PC in your life doesn't mean you shouldn't ask for some advice from someone who knows a few thing about computing.
Oh christ almighty, why?
Scada systems have a much slower turnaround and update rate that general computer systems.
There are still systems in use that were designed in the 70's, someone i know who fixed minicomputer systems before he retired a year or two ago, said that they were still fixing PDP8's, mostly on production lines.
Its not surprising that ActiveX is still being used. It was probably written it that small window of about a year and a half when most people thaught it was a good idea. The people who design and maintain industrial machenery tend to adopt the attitude "If it aint broke, dont fix it".
Define "Ain't broke"
Yes, I was half-joking. I can easily imagine the circumstances in which they were written.
However after Stuxnet I would hope these companies would be making security a hell of a lot tighter and things like using ActiveX would count as "Broke so bloody well fix it"
SCADA connected to the open Internet?
Why not just plug a POTS-connected V.90 modem into a serial port with an open tty, and pray that nobody's wardialing anymore? Would be cheaper, easier and less hassle than getting TCP/IP working ... and you could save bandwidth & CPU cycles ignoring GUI stuff, just dealing with the actual ASCII data that SCADA systems provide/use ... Not that I know anything, of course.
"ActiveX? Oh christ almighty, why?"
Pop over to the Iconics website and you'll see why, in particular the page that says how close they are to Microsoft; support for everything from PocketPC to Windows 7. Even Vista, ffs.
It is indeed madness, but then how would a modern PHB know any better, when surrounded by certified Microsoft-dependent ignoramuses of various kinds.
And did you not read the linked articles, both of which say that a fix has been issued and has been shown to work.
So long as the word "ActiveX" remains in any sentence that includes
the word "SCADA" and which is not specifically stating there are no such controls in the SCADA system, it doesn't matter how many patches have been issued, it still isn't fixed. It is only fixed for the most recently publicly exposed vulnerability.
Not to worry.
After all everyone loves Americans (they just want to be loved after all) and besides any one who *might* be a bit upset at the country couldn't *possibly* figure out a way to use this information in some sort of petty, mean spirited attack against some kind of *imagined* attack on them.
We used to have to
Get a separate phone extension, assigned to the master PLC or PC SCADA controller with a bog-standard modem connection for dial-in purpose. However the actual extension line hung from the ceiling and terminated in a loop and an RJ-13 that was left unplugged. To plug it into the modem required two telephone calls to Security: one from the vendor and one from the engineer responsible for the system. When the work was done, the two phone call routine was repeated and modem unplugged. Kept wardrivers out.