I'm not sure how much this kit is actually used in industry. I've bought and installed a lot of Siemens industrial control hardware, but I've never even seen any of their industrial networking (not counting Profibus or Profinet) hardware. Users seemed to go for either IT type equipment, or they used other industrial brands. The Siemens stuff always seemed to be massively overpriced for what you got, and there's really no perception that their kit is any better quality (at least not these days).
Siemens sighs: SCADA bugs abound
Another security advisory covering Siemens industrial kit has reached the public, this time covering wireless industrial networking hardware. ICS-CERT advises that the Ruggedcom range of 802.16e (Wimax, for those with long memories) switches from the company carries a range of vulnerabilities that let attackers scam admin …
COMMENTS
-
-
Thursday 5th February 2015 05:11 GMT Christian Berger
Yes, but that's not the point to learn from this
The point is, that where ever you look for bugs in that field, you will find them. It's just not an area where people work who have grown up with well designed systems. It's more or less an echo chamber where bad ideas re-inforce themselves.
Plus Siemens can't do software/firmware. I've been at a daughter of Siemens and the state of the art of software design is truly bad, both with what get shipped to the customer and what's used internally.
-
Thursday 5th February 2015 07:04 GMT big_D
Re: Yes, but that's not the point to learn from this
Yeah, I had a Siemens ISDN TA with DECT and it needed Windows XP for its control software - for a piece of kit still being sold in 2012! Windows 7 + XP Mode wouldn't work, because the software didn't use the USB bus properly and the virtual USB drivers wouldn't allow access to the ISDN TA. I had to recomission an old XP laptop just to administer the thing! Since then, we've moved onto a pure VOIP system and don't need the ISDN TA any more.
Likewise, at work, we have a key-card entry system. We bought that in 2011 and it would only run on XP at the time and couldn't be installed on a terminal server.
The same for the telephone system we have at work, a Siemens HiPath, the software looks like it hasn't been updates since 1995.
-
Thursday 5th February 2015 09:15 GMT Kris Akabusi
Re: Yes, but that's not the point to learn from this
Likewise, at work, we have a key-card entry system. We bought that in 2011 and it would only run on XP at the time and couldn't be installed on a terminal server.
Doesn't that show a lack of forward thinking on whoever bought the key card system?
-
-
-
Thursday 5th February 2015 11:57 GMT Dan 55
Re: Yes, but that's not the point to learn from this
It's SCADA, it's incompetence.
Before SCADA hardware was controlled over its own dedicated network which afforded some level of security (through obscurity) then some bright spark decided it would be a good idea to just to stick it all on TCP/IP. And so a field little prepared for security issues suddenly had to deal with them.
-
Thursday 5th February 2015 23:12 GMT Fatman
Re: Yes, but that's not the point to learn from this
Before SCADA hardware was controlled over its own dedicated network which afforded some level of security (through obscurity) then some
bright sparkbrain dead MBA looking to "Increase Shareholder Value" decided it would be a good idea tojust to stick it all on TCP/IPconnect this shit to the internet without a complete understanding of the ramifictions of such OPEN and UNSECURED ACCESS.FTFY!!!
-
-
-
-
-
Thursday 5th February 2015 09:58 GMT jake
SCADA is only an issue when manglement runs[1] the network, instead of network engineers..
If you have clues, you roll out your own scripts to handle the hardware that your systems need. Note that ALL SCADA kit can be controlled with simple scripting, it doesn't need anything resembling a GUI.
[1] For values of "runs" that means "must purchase Redmond and/or Cupertino, or we will DIEEEEE!!!!11!!00!one0!!zero010etc".
-
Thursday 5th February 2015 23:15 GMT Fatman
Re: SCADA is only an issue when manglement runs[1] the network, instead of network engineers..
You have left out an important letter in this statement:
SCADA is only an issue when manglement runs[1] the network, instead of network engineers..
The corrected version (missing letter included) is:
SCADA is only an issue when manglement ruIns[1] the network, instead of network engineers..
There! better!
-