A security researcher who voluntarily canceled a talk about critical holes in Siemens' industrial control systems has criticized the German company for downplaying the severity of his findings. “The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email …
Phew ! Thought they'd bought the Reg for a while there !
The problem isn't SCADA.
The problem is idiots connecting SCADA systems to networks that the rest of the planet has read and write access to ...
Security starts at home.
r u sure?
stuxnet etc can propagate quite happily without an active outside network connection. Sneakernet?
A much bigger problem is windows-obsessed PHBs.
Re-read mine. If your SCADA system is accessible via sneakernet, it's probably pretty much world read/writeable. How the fuck do you think stuxnet spreads, anyway? Magic?
The world's Redmond/Cupertino obsession is just a symptom of the bigger picture ...
How would you propose to operate a SCADA system without a network?
(The transfer of magic electrons notwithstanding).
Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network.
The root cause here is the long term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target it. As such even the simplest of security restrictions were ignored for most of the industry's history. I work in this industry and any "focus" on security is about 5-10 years behind the curve.
Siemens may be unfairly catching the brunt of the publicity (they are by no means the only OEM with security issues), but their special conditions argument is marketing BS.
"Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. "
You appear to equate the internet as the *only* Wide Area Network in existence, and therefore the network *all* SCADA control systems *have* to connect to.
If so you're *very* mistaken. SCADA systems have been around since at *least* the 1930s. For most of that time they operated either through leased lines running supplier provided protocols or the telephone system, again running typically proprietary protocols.
It is only *fairly* recently that the mantra lower costs -> standard protocols -> eliminate *private* networks -> transmit/receive *everything* over the internet has spread like a fungus through utility and other networks. While keeping SCADA data on a *physically* separate network (retaining TCP/IP for cost) would not stop *all* of this it would make a hell of a difference.
"I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network"
True, *unless* you disable all exchangeable media and start taking issuing software and data upgrades *seriously*.
"The root cause here is the long term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target it. "
That attitude has certainly not helped. Stuxnet *should* have been the wake up call to *all* SCADA suppliers.
Here's your problem...
Quit running Microsoft software for plant automation.
Great plan... Yes, blame Microsoft for the problem of a lack of interest in basic security practices in the systems integration industry. Any OS can be targeted - especially if the implementer isn't even remotely concerned about basic security procedures.
Rigging the rules
Was not Siemens, a decade or so ago, accused of strong-arming the framing of EU specifications for data transmission protocols in industrial control systems? This was said to have put several of their competitors, whose systems consequently became 'non-compliant', at something of a disadvantage.
The trade magazine 'Control and Instrumentation', as I recall, covered this issue in some depth. Do any other readers remember more detail?
Siemens *might* have a point
But only might.
Depends if he only had the regular installation manuals, or stuff only service engineers have access to.
Depends if he had to crack the case and make hardware changes to accept the hack (not to discover how to do it in the first place).
Which raises an interesting question.
Did they have *details* of what he'd done *before* they asked him to remove his presentation?
If so (and it's *not* serious) why did they ask him to remove it?
If they only had an outline and asked him to *still* postpone it that would suggest they view *all* security breaches (initially at least) as a CMA PR nothing-to-worry-about exercise.
Any supplier whose 1st (in fact *only*) line of defense against this is "Whatever you do don't make your SCADA system publicly accessible" is *asking* to be pwnd.
> the bugs “were discovered while working under special laboratory conditions with unlimited access to protocols and controllers.”
So Siemens are complaining that he discovered the flaws because he had access to a controller? That he bought? Did I miss something? Who cares how he discovered them, it's how they are exploitable that is the issue. If you need to be under lab conditions to exploit then fair do's, however it seems not to be the case.
Next - Nokia sue consumer who discovered his latest phone was crap when he had unlimited access to it (i.e. he took it home from the shop where he bought it)
You might not want to play the Sony security card as it tends to keep you in the headlines for all the wrong reasons. Watch next: like Sony, instead of fixing their security they will sic their lawyers on the security research community. If it burns when you pee, don't tell anyone and it will go away.
«My personal apartment on the wrong side of town
where I can hear gunshots at night hardly defines a special laboratory.» Mr Beresford seems to live in the Austin, Texas area ; given the situation he describes, one wonders if he might not want to consider removing to a calmer area....
Couldn't happen to a nicer bunch of people.
I've had the misfortune of programming Siemens PLCs. Definitely the worst of a bad bunch :(
Oh, and what's all this talk about securing networks, there is kit out there that is still running on 'raw' RS232!
"Any OS can be targeted"
That's easy to say, and easy for the certified Microsoft dependent and the PHB to believe, but the reality is that with something more sensible than Window boxes in the SCADA picture, propagating Stuxnet around the world would have been a great deal more difficult.
Something Stuxnet-like may not have been completely impossible on a more robust OS than Windows, especially given some of Siemens' particularly flawed practices (default passwords?) but as the saying goes, "every little helps". Getting Windows out of the picture would have been more than a little helpful.
For full details of how Stuxnet propagated and interacted with the Siemens software, have a look at www.langner.com. The PC AV companies (Symantec included) don't have much of a clue about Siemens, even if they are good at PR.