Another systematic SCADA vuln

If it’s Monday, it must be time for a new SCADA vulnerability: this time, arising through the combination of a popular development environment and bad developer habits. Described in full by Digital Bond researcher Reid Wightman here, as many as 261 manufacturers and heaven-knows-how-many deployed systems may have created …

COMMENTS

This topic is closed for new posts.
  1. Destroy All Monsters Silver badge

    German style?

    Bad developer habits, you say?

    Incidentally, I have just installed a UPS made by a well-known German manufacturer. There is nothing to say against the hardware, which is built in the staid tradition of Tiger Tanks. However, the software (evidently from a 3rd party) comes with: JRE 6, has its own mind on where it puts its files on a Unix system (looks like cancer imported by developers used to Windows) and demands to run as root to access the serial line to control the UPS (why!!). A rooty webserver and tcpserver are also started. Oh my.

    1. Remy Redert

      Re: German style?

      These would be the same Tiger tanks that regularly not just broke down during movement, but whose transmission was actually prone to exploding and setting the inside of the tank on fire?

      As good as German engineering can get, I'm not sure I'd use any of their late war tanks for examples.

  2. Anonymous Coward

    Industrial automation kit less secure than $20 domestic/SOHO routers?

    It's not good really is it.

  3. Steve Knox

    And Bad Networking Habits

    ...meaning that any system visible to the Internet is vulnerable to attack.

    Which should be none. There is absolutely no reason in this day and age not to have SCADA systems behind a proper firewall with access limited solely to authorized remote sites or VPN clients.

    1. Anonymous Coward

      Re: And Bad Networking Habits

      Which should be none

      Correct. I was working on SCADA security almost a decade ago, and part of the reason Symantec started to bring out virus scanning firewalls was exactly to protect such platforms that needed to be reachable, but for reasons of accreditation could not be upgraded/patched (that has changed now, thank God).

      However, a firewall doesn't protect you from a local tech jacking in an infected laptop (a very common attack vector in those environments).

    2. Charles Manning

      Absolutely correct

      Only a complete moron makes these publicly accessible, and his dimwitted cousin would put the SCADA on the same network as the corporate network.

      Keep all your SCADA on its own VPN etc so that it is logically isolated. There is absolutely no need for Bob in accounts to be able to access SCADA.

      1. Anonymous Coward

        Re: Absolutely correct

        Actually, Bob in accounts may need the total production figures for various production lines. And probably on an hourly basis to ensure raw materials are ordered in time but not too much, so that it is stockpiled. A finely tuned system like that can save a company quite a wad of cash.

        As for security, unfortunately, all a SCADA developer can do is advise the customer.

        Some may listen, and I've been in many a security meeting with very clued up customers and covered threats from every angle.

        But some customers don't. If you push too far, it's the last system you will ever supply them with and they still won't tighten up security. But they can be a nice little earner when you get called to clean up the mess.

    3. Vic

      Re: And Bad Networking Habits

      > Which should be none.

      Yes.

      But at the same time, the number of applications running as root and exposing a command line on the network interface should also be none[1]. As we can see here, "should be none" is insufficient :-(

      I despair of the number of applications that want to be installed setuid or with 777 permissions everywhere; it is almost never the right solution. But far too much code is developed by lazy coders[2] who can't be bothered to think through the security issues...

      Vic.

      [1] sshd is an exception, of course, but it needs to be set up with a good deal of consideration...

      [2] And I use the term quite wrongly.

  4. Mike 140

    More than that. Why connect them to the net in the first place?

    1. Chris Miller

      That's a counsel of perfection, Mike, but it may not be practical. If the component you're protecting is sufficiently* valuable, then an air gap** may be necessary. But if you're supporting a network of transformers (say) you might want the ability for engineers to control them remotely rather than driving 100 miles to throw a switch. And building your own comms network rather than using the Internet may be just too expensive. As Steve says - if you have a robust firewall with a single open port with an ACL behind it, that may reduce your risk to an acceptable level.

      * I'd assess sufficiency in terms of whether an attacker might be able to justify targeting a specific attack just for that component. So a power station might well fall into that category, whereas a single transformer probably wouldn't.

      ** Of course, even an air gap may not suffice if one of your engineers brings in an infected USB stick - ask the Iranians.

      1. Ryan 7

        Surely you could modulate a command line

        over the voice channel of a GSM connection. Set the device to only accept calls from HQ.

        1. jake Silver badge

          Re: Surely you could modulate a command line

          Simple answer: If you absolutely have to have remote access, use a dial-back modem.

          Call the far end, enter the proper password when prompted, line goes dead, far end calls back to a pre-set telephone number (the one matching the password you entered) and asks for another password, enter second password & you're connected. Use multiple password pairs if you have to connect from multiple connections.

          Most of this SCADA shit is controlled by simple text strings ... we were doing it at 1200 baud over thirty years ago. It still works at 1200 baud when I'm managing my personal kit in Sonoma, CA from Fort Bragg, CA (2.5 hours by road the way I drive it, about 130 miles away). The modems in question can do 19.2K (aging Telebit Trailblazers), but the cable-plant in Fort Bragg can rarely manage even 2,400 ... I can usually manage 19.2 from our place in Calaveras County, and 9,600 from our place in Nevada.

          Yes, this assumes no hostiles at $telco ...

    2. C-N

      What good is an electronic control system stranded on an island?

      When substation / unit / process / assembly line / thing X goes haywire, do you want to learn of that event via SMS from the plant floor, or via phone call from VP of Operations?

      http://en.wikipedia.org/wiki/Distributed_control_system

  5. Anonymous Coward

    I have a theory

    Anyone who understands anything about safety-critical systems doesn't want to write them, because they are clearly hard to get right and the consequences of mistakes are potentially serious.

    So the only people who actually do write code for these things are the ones who don't understand what they are doing.

    1. Anonymous Coward

      Re: I have a theory

      "Anyone who understands anything about safety-critical systems doesn't want to write them, because they are clearly hard to get right and the consequences of mistakes are potentially serious."

      I have a different theory on similar lines.

      There are people willing to do safety critical work. Some of them are knowledgeable and competent and even reliable and do actually want to Do The Right Thing.

      But the PHBs in charge of the overall business these days don't want to hear that "doing it right" will cost money, and may require engineering competences and attitudes which are not readily available from the bargain basement Windows centric gene pool. And "whistleblowing" to the regulators (whose job it is to make sure that bad things don't reach places where they can do damage) doesn't pay the mortgage.

      So, the skills and knowledge exist (or existed), but are dying and/or ignored.

      Les Hatton, are you following this stuff? Ross Anderson, do your team know about anything outside the financial sector?

      1. amanfromMars 1 Silver badge

        *A Current Abiding Present Leading Future Question? **

        Ref: I have a theory/Re: I have a theory [ACs 23:13 GMT/23:26 GMT]

        "So the only people who actually do write code for these things are the ones who don't understand what they are doing." ….. The exact opposite though is perfectly true of those people, sterling stirling engines and wannabe immaculate virtual machines, exploiting/discovering/uncovering critical strategic and tactical operating systems vulnerabilities for ……. well, sublime and stealthy anonymous party tasks which in public and private and pirate sectors of internetworking and sensitive information exchange, and that is wisest accepted as best realised as being applicable to any and all knowledge transfer sectors, can be perceived and treated and exercised as advanced persistent threats in what is in the both the reality and virtual reality of the situation and circumstance …. an abiding unknown known.

        And whenever that abiding unknown known is knowledgeable and competent and even reliable and is always programmed and programming to actually do The Right Thing. …… "There are people willing to do safety critical work. Some of them are knowledgeable and competent and even reliable and do actually want to Do The Right Thing.

        But the PHBs in charge of the overall business these days don't want to hear that "doing it right" will cost money, and may require engineering competences and attitudes which are not readily available from the bargain basement Windows centric gene pool. And "whistleblowing" to the regulators (whose job it is to make sure that bad things don't reach places where they can do damage) doesn't pay the mortgage.

        So, the skills and knowledge exist (or existed), but are dying and/or ignored." …… is it catastrophically costly to ignore and deny is a virtual money making machine with ITs Simple Sharing of All Knowledge which Supplies and makes AIDefinite ProVision for Rapid Ethereal Development and Capture of Super IntelAIgent Services Growth for Classy Astute NEUKlearer HyperRadioProActive IT Project Man Management with SMARTR Systems ReProgramming Programs and Projects ……. AIMISSions.

        *Or is that to be a Radical Eastern Development with Rapid Ethereal Deployment from behind the sparkling cover of iron curtains rather than a Wacky Western Winner for leaky insider firewall players?

        ** Of SMARTR Great Game Players and Spooky IntelAIgent Systems and DES Infra-Security Advice Centre type places/spaces which may just be very convenient and able to be extremely expensive ethereal money pits for someone to play with lodes and loadsamoney, if no one is there to competently and cogently reply to queries/defend against systemic zeroday vulnerability exploits which take full advantage of easily corrupted and fatally compromising flaws.

      2. Anonymous Coward

        Re: I have a theory

        "Anyone who understands anything about safety-critical systems doesn't want to write them, because they are clearly hard to get right and the consequences of mistakes are potentially serious."

        The problem is it has to pass three requirements:

        1. It has to be reliable. Not just fairly reliable. We're talking 5 9's reliable, since the code will run all day every day.

        2. It has to be safe. The equipment that it runs is very big, and very expensive. There can't be any unexpected outcomes, EVER. One unexpected run-time failure could cost more in damage than the coders will make over a career.

        In times past, only requirements 1 and 2 were deemed important. Requirements 1 and 2 make the code insanely expensive to write. That's why one company wrote it, but a lot of companies bought it to avoid risk (more of a myopic PHB problem since they can point fingers if it doesn't work, not realizing that mistakes at this level might be career ending/limiting). Up until recently, there wasn't a 3rd requirement.

        3. It has to be secure. This is a new one, and one that the industry is failing at getting resolved. Now an entire industry has to review all of its previous code that was already insanely expensive, and now it costs even more to review and develop so the systems can get cheaper using off the shelf parts.

        There is also a big disconnect here between equipment manufacturing companies and equipment operating companies.

        The risk belongs to the equipment operating companies. They have to buy equipment from only a handful of manufacturers, and no matter what they demand, they can only get the canned solution from those manufacturers. If it doesn't meet all the 1-3 requirements, who are they going to be able to complain to?

        On the equipment manufacturing company side, the coders can't get the PHBs to spend money on the additional development if it doesn't make money.

        The big problem is that the power in this ecosystem favors the manufacturers, but the pressure to make things more secure is being placed on the operators.

  6. JaitcH

    It's often Third Parties

    Remember the US contractor who, when vacationing in the USSR, stoked up his laptop and communicated with a SCADA system, I believe in the Chicago area? All sorts of accusations of Russian spies and the like?

    This is the sort of thing that should be unnecessary. Then, it is believed, a Russian technician introduced the virus/malware into the Iranian nuclear material refinement program.

    It is heartening, to me at least, to hear that an Indochinese country that is purchasing electricity from China and other neighbours refuses to permit automatic interconnected network controls with these external suppliers.

    Furthermore, it has established its very own fibre network that is a 100% dedicated command and control + communications network, which is 'sterile'. There are absolutely no external connections and since the SCADA scandals it has even prohibited anyone from connecting any device to it other than through a secure access point.

    The US, and Canada, are so incestuously interconnected.

    The Northeast blackout of 1965 was a significant disruption in the supply of electricity on 1965 November 9 affecting parts of Ontario in Canada and Connecticut, Massachusetts, New Hampshire, Rhode Island, Vermont, New York, and New Jersey.

    It was caused by an adjustable safety relay being set too low.

    The 2003 Northeast blackout was a widespread power outage that occurred throughout parts of the Northeastern and Midwestern United States and Ontario, Canada, on 2003 August 14, which lasted up to five days in some areas, including parts of Toronto.

    You have never, ever seen so many official fingers pointing at each other and even across the Canada/US border. Once the heat had cooled it was determined the problem lay in Ohio!

    Being profit motivated, i.e. 'cheap', these outfits who formerly ran their own communications networks which included extensive microwave strings over hundreds and thousands of miles, regarded the InterNet as the best thing to come along since Edison.

    Down came strings of microwave towers and dishes which were replaced with a pair of wires to the local telco.

    The other thing with power and utility companies is that they are frequently technically 'conservative' and having adopted SCADA to find that this new, alien, technology is responsible for system failures is more than a little disturbing.

    One benefit the US phantom war on terrorism has done is to sensitise the authorities to the vulnerabilities they face, even though the general public has to suffer harassment and embarrassments whilst travelling.

    Systems are even more interconnected today and the elimination of these computer threats is a matter of national security. Canada and the US, along with many other countries, assume, foolishly, their electrical supplies are immune to attack.

    Living in a country where power failure is a regular occurrence does persuade people to look to alternate power sources. My office, and home, have standby battery systems - LED lighting works from 12 volts - as well as standby generators with well-filled fuel tanks.

  7. ElReg!comments!Pierre

    "visible to the internet"

    So we're talking huge plants, some of national security importance, all of them surrounded physically by big fences and barbed wires, with a small army of armed security guards. And with control systems open to the Internet because "Steve on the second floor likes to work from home on Fridays". And that is blamed on the SCADA. Seriously?

    "Oh look this machine has a big red EMERGENCY STOP button, this is a vuln because anyone with access to the control room could stop the system!"

    D'uh.

    Hardly a SCADA vuln. These systems were never meant to even come close to the internet.

  8. Charles 9

    So the question becomes: How do you allow remote access to SCADA resources, even on the field, without leaving a big fat bullseye on your network. Especially since any computer that connects to or is connected by it can potentially break down any firewall? And yes there's money involved since travel costs money.

    1. Steve Knox

      To Paraphrase The Ogre

      Security is like an onion -- it's made up of layers.

      Layer 1: ensure that the software itself only runs with necessary permissions.

      Layer 2: ensure that any command-line interfaces are behind authentication methods.

      Layer 3: ensure that all communications are encrypted

      Layer 4: ensure that the system only allows connections from authorized devices and networks.

      Layer 5: ensure that the system does not broadcast its capabilities or existence.

      etc.

      You'll never be 100% secure, just as you'll never have 100% uptime.

      1. Christian Berger

        Re: To Paraphrase The Ogre

        You forgot something.

        Security starts with 2 things:

        1. Get your developers to understand security.

        2. Get your developers to care about security.

        I mean in many situations, encryption isn't necessary. Think of railway control systems, all the information is public. The concern is that someone might inject messages. Making sure nobody can inject or alter messages is a totally different problem than encryption.

        Then instead of putting a full blown computer somewhere, it can be more sensible to just use a tiny little purpose built machine which will just read a bit of text from a serial line and act upon it.

        The main problem is that those systems are usually made by total idiots. Those are the people who write software for PLCs running on Windows and needing an SQL server. Those are the people who invent things like "OPC" OLE for Process Control, an OLE and DCOM based system doing about the same as SNMP, but at a somewhat higher complexity and without proper tools.

        The problem is that engineers aren't taught proper computer systems. You can now get a degree in electronics without ever having used a Unix command line.

        1. Steve Knox

          Re: To Paraphrase The Ogre

          @Christian Berger

          Making sure nobody can inject or alter messages is a totally different problem than encryption.

          No, it really isn't. Certainly it's a different use case, but it can be and usually is solved by the same methodologies, especially for communications that have to be made via a public medium. Hence the use of encryption technologies for certificate and message signing on the internet.
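The point Christian Berger and Steve Knox are arguing over above (integrity and injection resistance on a link whose contents are public, versus encryption) can be made concrete with a keyed message authentication code. The following is an added example, not code from the article, the forum or any SCADA vendor: it assumes a made-up text command protocol over a serial or TCP link, a shared key provisioned out of band (the key value below is constructed for the example), and a monotonically increasing counter in each frame. The command text stays readable on the wire, exactly as Berger wants for a railway-style system, yet a receiver rejects frames that are altered, forged without the key, or replayed.

```python
import hashlib
import hmac
import struct

# Shared symmetric key. Constructed for this example; a real deployment would
# provision one per link from a key-management process, never hard-code it.
KEY = bytes.fromhex(
    "000102030405060708090a0b0c0d0e0f101112131415161718191a1b1c1d1e1f"
)

MAC_LEN = 16  # truncated HMAC-SHA256 tag, small enough for a narrow serial link


def build_frame(key, counter, command):
    """Frame layout (hypothetical): 4-byte big-endian counter | ASCII command | tag.

    Nothing in the frame is encrypted; the tag is the only key-dependent part,
    so an observer can read the command but cannot produce a valid tag.
    """
    body = struct.pack(">I", counter) + command.encode("ascii")
    tag = hmac.new(key, body, hashlib.sha256).digest()[:MAC_LEN]
    return body + tag


class Receiver:
    """Field-side verifier: accepts only authentic, fresh frames."""

    def __init__(self, key):
        self.key = key
        self.last_counter = 0  # highest counter accepted so far

    def accept(self, frame):
        """Return the command text if the frame is authentic and fresh, else None."""
        if len(frame) < 4 + MAC_LEN:
            return None  # too short to carry a counter and a tag
        body, tag = frame[:-MAC_LEN], frame[-MAC_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:MAC_LEN]
        # Constant-time comparison so tag checking does not leak timing.
        if not hmac.compare_digest(tag, expected):
            return None  # altered in transit or forged without the key
        counter = struct.unpack(">I", body[:4])[0]
        if counter <= self.last_counter:
            return None  # replay of an earlier genuine frame
        self.last_counter = counter
        return body[4:].decode("ascii")


def demo():
    """Run the four cases a practitioner cares about and return the outcomes."""
    rx = Receiver(KEY)
    results = {}

    genuine = build_frame(KEY, 1, "SET POINT 12")
    results["genuine"] = rx.accept(genuine)

    # Same frame with one byte of the command text flipped in transit.
    altered = bytearray(genuine)
    altered[6] ^= 0x01
    results["altered"] = rx.accept(bytes(altered))

    # The genuine frame captured and sent again.
    results["replay"] = rx.accept(genuine)

    # A frame built by someone who does not hold the key.
    results["forged"] = rx.accept(build_frame(b"wrong key", 2, "SET POINT 12"))

    # The next legitimate command from the real sender.
    results["next"] = rx.accept(build_frame(KEY, 2, "OPEN BREAKER 3"))
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:8s}: {outcome!r}")
```

This is Steve Knox's point in practice: the primitive (HMAC, or a signature for multi-party links) comes from the same cryptographic toolbox as encryption, but it is applied to authenticity and freshness rather than confidentiality. The counter is the part most often forgotten; without it, a recorded genuine "OPEN BREAKER" frame can be resent at will even though nobody can forge a new one.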

      2. Charles 9

        Re: To Paraphrase The Ogre

        Then I'd hate to think what would happen if you had an "eternal vigilance" scenario where even one slip can be disastrous.

      3. ElReg!comments!Pierre

        Re: To Paraphrase The Ogre

        We're talking SCADA, not webserver.

        1) ensure that the system is fully insulated from any external source.

        2) that is all.

        1. Charles 9

          Re: To Paraphrase The Ogre

          "ensure that the system is fully insulated from any external source."

          And if you MUST have an external source because the device involved is not very easy to reach (involving time- and money-consuming procedures or lengthy travel)?

          1. ElReg!comments!Pierre

            Re: To Paraphrase The Ogre (@Charles 9)

            "And if you MUST have an external source because the device involved is not very easy to reach (involving time- and money-consuming procedures or lengthy travel)?"

            Then rethink your organization. The control center for a big plant is NOT supposed to be easy to reach; it is however supposed to be SECURE. In that very case when choosing between ease of access and security, security should ALWAYS take precedence. When it comes to really important installations the only security worth anything at all is strong PHYSICAL security, as any fool knows. That is why these facilities are packed with redundant PHYSICAL security measures: fences, cameras, security guards, controlled-access doors etc.

            By contrast, any system connected to the Internet is to be considered insecure, by design.

            All SCADA systems that I know of are designed with that in mind; so of course some may be vulnerable if a halfwit connects them to the wild Internet.

  9. Anonymous Coward

    Technical solution ...

    "The CoDeSys runtime .. offers a TCP listener service .. as well as a command-line interface. Neither the command-line interface nor the file transfer functionality requires authentication"

    Connect the CoDeSys to the Internet through an embedded VPN circuit, use passwords on the command-line interface, shoot the original developers ...

    1. Christian Berger

      Re: Technical solution ...

      Shooting developers is, unfortunately, illegal in Germany. Then again most bosses greatly overestimate their ability to judge programmers.

      And as one poster already mentioned, those who actually know about software development don't develop such software as they don't think they could do it. Even if they tried, they wouldn't survive the culture of idiocy there. The people still there either don't know any better or just go into "don't care" mode, and do whatever their bosses tell them to do.

      1. Anonymous Coward

        Re: Technical solution ...

        " go into "don't care" mode, and do whatever their bosses tell them to do."

        What else are they supposed to do? Seriously?

        It's not like there's a Hippocratic-style oath, for software engineers to swear on K+R or the Ada LRM that they'll only do nice fluffy things, is it? Is there really any meaningful support for whistleblowers who are brave/daft enough to commit the ultimate in career-limiting moves?

  10. John Smith 19 Gold badge

    "TCP listener service"

    How "thoughtful" of them.

    I'm not *quite* sure what a perfect storm in computer security would look like but how about something like.

    Oligopoly of suppliers who own 90% of the market looking to cut costs/raise profits.

    Geographically dispersed companies with multiple *large* assets that need remote management who want to cut costs/raise profits.

    Clueless developers raised on an ethos of "all users have *full* privileges all the time and so should their software."

    The first tends to create a "monoculture" within specific companies. Work out how to infect one, you've got them all.

    The 2nd means you *have* to talk to the outside world and do it *cheaply*. But how often? If your local node cannot run on its own for even a *minute* does it even *deserve* to be a PC? Some things do change on a sub second basis but seriously how many really need that *level* of SCADA?

    The 3rd will ensure (regardless of what's needed) that the lowest spec'd bit of hardware will allow an intruder to form a bridgehead into the system.

    Proper systems administration (not someone whose *sole* qualification is the passing of the Windows 8 admin certificate) *may* act as a 2nd line of defense (all ports closed by default, which includes FTP, email and damn near everything else IMHO) but that only delays the inevitable as some clueless dev, under pressure from some equally clueless PHB, implements what Marketing *swear* is the SCADA world's next "must have" feature.

    As to *why* someone would do this the poliss generally work on a)money (IE ransom) b)sex (not quite sure how that works but there are some strange humans about) c)revenge. But we should not forget the great IT motivator "because I can."

    1. amanfromMars 1 Silver badge

      Re: "TCP listener service"

      As to *why* someone would do this the poliss generally work on a)money (IE ransom) b)sex (not quite sure how that works but there are some strange humans about) c)revenge. But we should not forget the great IT motivator "because I can." ... John Smith 19 Posted Monday 29th October 2012 09:30 GMT

      Please be reliably and truthfully advised, John Smith 19, that b)sex (not quite sure how that works but there are some strange humans about) should be more specifically refined and further defined, should the poliss, or anybody you might like to imagine for that matter, wish to have any chance at all of being anywhere near where they might want to be, in order to be able to do anything they might be thinking they need to do, as the love of sex, ideally to excess. Such CodeXSSXXXX Applications in Live Operational Virtual Environment Fields are Effortlessly Overwhelmingly Controlling and that is Raw Power from Life's Original Base, and now with AICored Universal Lode Nodes, which are not new, for they have always been there, but Mankind has proven itself slow to appreciate the realms of virtual reality readily available for immediate media presentation with SCADA Command and Remote Virtual Control of Internetworking in IntelAIgent Community Enterprises and Communicating IT Systems.

      If everything you are being told is wrong, because systems would be trying to conceal for excessive exclusive personalised gain, and not have generally revealed, the truth, is one then living in a virtual reality which is scripted for you to follow daily, in a series of increasingly complex and destructively conflicted programs/Corrupt and Perverse Great Game Plays in which all leading executive players lose everything all at once, unless deservedly saved from certain catastrophic ruin by a Fabless Proxy White Knight and AIMaster Pilot.

      1. John Smith 19 Gold badge

        @amanfromMars 1

        Hmm..

        I think it's getting more intelligent.

        But I can't be sure.

        1. amanfromMars 1 Silver badge

          Re: @amanfromMars 1

          Would an honest assurance that you are not wrong, be an acceptable assist, John Smith 19?

          And if the case be that it has always been and is intelligently designed to always be more intelligent, then are we getting more intelligent too, and that is most encouraging whenever there is so much to do and so much time in these novel space places to do IT and to lead practically everything with nothing more substantial than freely shared fabulous fabless ideas for SMARTR Presentations, which deliver the Future rather than pay hollow and barren homage to the Past and Pasts which are only really interested in retaining and maintaining the Status Quo with its current impotent crop of sitting pretty, but oh so very vulnerable, intellectually challenged and creatively bankrupt, power brokering elites, who are never ever gonna make it with/in IT and Media as Command and Control AESThetans/Virtually Secure Protected Titans in the CyberIntelAIgent Domain.

          Knock, knock, Holywood. Is there anybody real future smart in the new puzzle palace there, or is it a great white elephant of a presently failed operations center, although poorly used would be a kinder rebuke if there be aspirants to great gaming greatness languishing there?

  11. Anonymous Coward

    "OPC" OLE for Process Control

    ""OPC" OLE for Process Control, an OLE and DCOM based system doing about the same as SNMP, but at a somewhat higher complexity and without proper tools."

    OPC was, iirc, invented by Microsoft marketeers (though the design and code may not have been written by marketing people). What could possibly go wrong?
