Security researchers decided to cancel a planned demonstration of security holes in industrial control systems from Siemens following requests from the German manufacturer and a security response team. Dillon Beresford, a security analyst at NSS Labs, and independent security researcher Brian Meixell were due to make a …
Security via obscurity
Works every time
Dillon & Brian
If they can find flaws, so can the bad guys (Mr Rusty), especially now they know they are easy to find.
Connecting any PLC to an outside network has always been risky, they weren't built with security in mind.
Time for bed said Zebede - mine is the one with the ladder diagram in the duvet.
I doubt it was connected directly, that would be madness. IF it came in via an external link then it would almost certainly have had to be via an MIS bridge or something.
I think the common thinking is that Stuxnet was propagated by using memory sticks plugged into the SCADA server.
Neurotoxin in your research center? I's more likely than you think.
Sounds like reasonable behaviour all around for once.
If the bugs ain't fixed but are in the process of being so, wait a bit.
We don't want Sony-Sized Events with industrial hardware. No, we don't.
industrial grade malware
"We will also present how to write industrial grade malware without having direct access to the target hardware"
Would this `industrial grade malware' work if the SCADA units were behind a VPN and each node running on different types of hardware & software?
Delay the announcement.
But don't stop it.
The knowledge they have a *limit* on how long they can keep it quiet before they have to do something *might* encourage them to do something about it.
Thumbs up for the responsible behaviour, but don't let it go.
@ Monty Burns
I know of at least one major printing press manufacturer who *does* put the systems directly on-line. I don't *think* they can actually control the presses remotely, but they certainly grab a lot of info about what they are doing - production speed, idle time, plate changes, shut-downs, and a lot more. In fact enough to be able to tell when roller sleeves etc. need replacing and predict mechanical failures.
The print industry is fiercely competitive so I would imagine this information could be quite useful to a competitor, ready to step in the instant a press goes down.
You must understand process control..
The world of process control doesn't quite work at the same speed as the PC world you're used to - kit can stay in place for a solid decade without ever be touched. This has implications for the speed with which deficiencies can be updated - fixes have to be checked very, very thoroughly..
I saw the first SCADA deficiencies about 8 years ago..
"a solid decade"
and the rest. My favourite machine runs win NT under the hood. It works great (the operator sees a custom gui). It is not even connected using sneakernet, mainly as a security barrier. The manufacturer gave us a modem, and the machine has a networking port, but I am paranoid so never used it to connect directly.
.. that nobody has had the idea yet to use Windows on the ESD side. Imagine a BSOD when you really, really need to start a kill sequence. A frozen Emergency Shutdown is *scary*..
What was proposed at Olkiluoto then?
What was proposed at the much delayed vastly overbudget Olkiluoto then? The controls supplier (Areva????) had proposed a combined safety shutdown and operational control system, despite the long standing European regulatory requirement for two independent systems. Not surprisingly the regulator took a dim view. Anyone know the current picture? Anyone know any examples outside modern nuclear where a single integrated control and safety/shutown system is acceptabe? References welcome (it certainly wasn't acceptable in the days of the Magnox refurb mid 1990s).
"memory sticks plugged into the SCADA server"
"propagated by using memory sticks plugged into the SCADA server."
That is an obvious possibility for those who are unfamiliar with the way these things often work in practice, but unfortunately eliminating that possibility typically does not eliminate the risk of viruses crossing the airgap in this picture.
In many cases the PLCs and their supervisory systems are indeed on a plant network airgapped (or at least firewalled) from the IT LAN.
The PLCs will be programmed by a portable computer, historically referred to as a programming panel, which spends part of its time on the plant network doing programming stuff, and part of its time on the IT LAN doing other stuff (e.g. contacting the automation vendor for whatever reason).
In recent years a "programming panel" would tend to be a Window box of some flavor and therefore it is liable to get infested with a zero-day while it is on the IT LAN. The infested panel is then physically disconnected from the IT LAN and connected to the plant LAN, which it proceeds to knacker in the now-traditional way.
No USB sticks needed, just PHBs fixated on Window boxes.
www.langner.com has all the info you need about Stuxnet. Ignore most of what the Windows AV folks have had to say.
I guess none of the guys working for these equipment manufacturers ever saw war games. Put all your stuff on the web. What could happen? It makes it convenient for us. Microsoft keeps finding this out the hard way. They'd include all these features to make it easier for programmers to do cool stuff easily, and a**hats found it easy to screw up people's computers.
What air gap?
Many in the field have known for years that firewalls are often effectively transparent and airgaps are routinely crossed via many routes. Modern PLCs cannot be fully isolated, because new code must be downloaded by way of PLC programming software the must itself be maintained up-to-date (as I argued over at InformIT and in a new article in Cutter IT Journal).
All the way back in 2003, I designed a Stuxnet-style attack on the U.S. power infrastructure that became the plot driver for the Lior Samson thriller, Web Games (Gesher Press, 2010). I have long argued that bright and determined hackers could pull of a real, devastating attack--no nation-state or clandestine services needed. It's nice to finally be validated, but also a bit unsettling. How long before the attack scenario leaves the field of fiction (as in Web Games) and becomes dangerous reality?