Feeds

back to article Stuxnet-style SCADA attack kept quiet after US gov tests

Security researchers decided to cancel a planned demonstration of security holes in industrial control systems from Siemens following requests from the German manufacturer and a security response team. Dillon Beresford, a security analyst at NSS Labs, and independent security researcher Brian Meixell were due to make a …

COMMENTS

This topic is closed for new posts.
FAIL

Security via obscurity

Works every time

1
1
Bronze badge
Coat

Dillon & Brian

If they can find flaws, so can the bad guys (Mr Rusty), especially now they know they are easy to find.

Connecting any PLC to an outside network has always been risky, they weren't built with security in mind.

Time for bed said Zebede - mine is the one with the ladder diagram in the duvet.

2
1

never directly...

I doubt it was connected directly, that would be madness. IF it came in via an external link then it would almost certainly have had to be via an MIS bridge or something.

I think the common thinking is that Stuxnet was propagated by using memory sticks plugged into the SCADA server.

2
0
Silver badge
Thumb Up

Neurotoxin in your research center? I's more likely than you think.

Sounds like reasonable behaviour all around for once.

If the bugs ain't fixed but are in the process of being so, wait a bit.

We don't want Sony-Sized Events with industrial hardware. No, we don't.

0
0
Terminator

industrial grade malware

"We will also present how to write industrial grade malware without having direct access to the target hardware"

Would this `industrial grade malware' work if the SCADA units were behind a VPN and each node running on different types of hardware & software?

0
0
Gold badge
Thumb Up

Delay the announcement.

But don't stop it.

The knowledge they have a *limit* on how long they can keep it quiet before they have to do something *might* encourage them to do something about it.

Thumbs up for the responsible behaviour, but don't let it go.

0
0
Silver badge
Unhappy

@ Monty Burns

Actually...

I know of at least one major printing press manufacturer who *does* put the systems directly on-line. I don't *think* they can actually control the presses remotely, but they certainly grab a lot of info about what they are doing - production speed, idle time, plate changes, shut-downs, and a lot more. In fact enough to be able to tell when roller sleeves etc. need replacing and predict mechanical failures.

The print industry is fiercely competitive so I would imagine this information could be quite useful to a competitor, ready to step in the instant a press goes down.

0
0
Gold badge

You must understand process control..

The world of process control doesn't quite work at the same speed as the PC world you're used to - kit can stay in place for a solid decade without ever be touched. This has implications for the speed with which deficiencies can be updated - fixes have to be checked very, very thoroughly..

I saw the first SCADA deficiencies about 8 years ago..

1
0
Bronze badge
Pint

"a solid decade"

and the rest. My favourite machine runs win NT under the hood. It works great (the operator sees a custom gui). It is not even connected using sneakernet, mainly as a security barrier. The manufacturer gave us a modem, and the machine has a networking port, but I am paranoid so never used it to connect directly.

0
0
Gold badge

Thank God..

.. that nobody has had the idea yet to use Windows on the ESD side. Imagine a BSOD when you really, really need to start a kill sequence. A frozen Emergency Shutdown is *scary*..

0
0
Anonymous Coward

What was proposed at Olkiluoto then?

What was proposed at the much delayed vastly overbudget Olkiluoto then? The controls supplier (Areva????) had proposed a combined safety shutdown and operational control system, despite the long standing European regulatory requirement for two independent systems. Not surprisingly the regulator took a dim view. Anyone know the current picture? Anyone know any examples outside modern nuclear where a single integrated control and safety/shutown system is acceptabe? References welcome (it certainly wasn't acceptable in the days of the Magnox refurb mid 1990s).

0
0
Anonymous Coward

"memory sticks plugged into the SCADA server"

"propagated by using memory sticks plugged into the SCADA server."

That is an obvious possibility for those who are unfamiliar with the way these things often work in practice, but unfortunately eliminating that possibility typically does not eliminate the risk of viruses crossing the airgap in this picture.

In many cases the PLCs and their supervisory systems are indeed on a plant network airgapped (or at least firewalled) from the IT LAN.

The PLCs will be programmed by a portable computer, historically referred to as a programming panel, which spends part of its time on the plant network doing programming stuff, and part of its time on the IT LAN doing other stuff (e.g. contacting the automation vendor for whatever reason).

In recent years a "programming panel" would tend to be a Window box of some flavor and therefore it is liable to get infested with a zero-day while it is on the IT LAN. The infested panel is then physically disconnected from the IT LAN and connected to the plant LAN, which it proceeds to knacker in the now-traditional way.

No USB sticks needed, just PHBs fixated on Window boxes.

www.langner.com has all the info you need about Stuxnet. Ignore most of what the Windows AV folks have had to say.

0
0
FAIL

Wopper

I guess none of the guys working for these equipment manufacturers ever saw war games. Put all your stuff on the web. What could happen? It makes it convenient for us. Microsoft keeps finding this out the hard way. They'd include all these features to make it easier for programmers to do cool stuff easily, and a**hats found it easy to screw up people's computers.

B

0
1
Alert

What air gap?

Many in the field have known for years that firewalls are often effectively transparent and airgaps are routinely crossed via many routes. Modern PLCs cannot be fully isolated, because new code must be downloaded by way of PLC programming software the must itself be maintained up-to-date (as I argued over at InformIT and in a new article in Cutter IT Journal).

All the way back in 2003, I designed a Stuxnet-style attack on the U.S. power infrastructure that became the plot driver for the Lior Samson thriller, Web Games (Gesher Press, 2010). I have long argued that bright and determined hackers could pull of a real, devastating attack--no nation-state or clandestine services needed. It's nice to finally be validated, but also a bit unsettling. How long before the attack scenario leaves the field of fiction (as in Web Games) and becomes dangerous reality?

1
0
This topic is closed for new posts.