Easy remote exploit drops for unpatchable power plant controller

Unpatchable vulnerabilities have been disclosed in an industrial control system, of the kind used in power plants, that remote attackers can exploit to gain control of networks. Exploitation code has been released prompting the US Computer Emergency Response Team to release the warning. Independent researcher Maxim Rupp …

  1. bazza Silver badge

    Sigh, When Will They Learn

    As soon as a manufacturer gives something an IP address, they effectively have to cease being a hardware manufacturer and become a fully formed, active and pin-sharp software company that just happens to make stuff.

    Or else things like this happen.

    Of course making that transition is expensive, which is why many don't, and which is why software companies might end up ruling the world. It's probably easier to learn how to make a car, rocket, heating system, etc. than to learn how to be an effective software company.

    1. Anonymous Coward

      Re: Sigh, When Will They Learn

      It's probably easier to learn how to make a car, rocket, heating system, etc. than to learn how to be an effective software company.

      So speaks the true software engineer. :)

      The fact is that hardly any software companies try to be effective in the sense of producing robust and secure products, let alone achieving that at launch - the ability to patch defects cheaply has led to a culture of testing features, chucking it out of the door, and fixing defects later, options not really available if you make cars or rockets.

      1. bazza Silver badge

        Re: Sigh, When Will They Learn

        So speaks the true software engineer. :)

        So speaks a hardware/software/system/RF engineer...

        The fact is that hardly any software companies try to be effective in the sense of producing robust and secure products, let alone achieving that at launch - the ability to patch defects cheaply has led to a culture of testing features, chucking it out of the door, and fixing defects later, options not really available if you make cars or rockets.

        Well, it's about the only way we have of countering vulnerabilities undetected at launch, and no one has ever done a totally correct software system with a version number 1.0.

        As for cars, rockets, etc., hell yeah they do/did put out cars with faults, and how many rockets have SpaceX and everyone else blown up before they managed to get one to fly? Airliners are pretty good these days, but they're never accepted as "perfect" fresh out of the factory door (787, A380, etc.).

        1. Anonymous Coward

          Re: Sigh, When Will They Learn

          "As for cars, rockets, etc., hell yeah they do/did put out cars with faults"

          Yes, but in many of these kinds of industries you also have "Only One Chance" situations where you MUST get it right the first time because it's the ONLY time you have. It's literally Do Or Die. Why can't anyone assume it's Do Or Die every time because one mistake can mean you go under?

          1. Pascal Monett Silver badge

            Because then you might get beat to the post by someone who didn't consider Do Or Die and just chucked it out to patch it later. That way he gets the problems and the patch issues, but he also gets the money and the market share.

            Meanwhile, your company folds.

            That is the wonderful world of Capitalism which Americans are so prompt to defend to the teeth. Unless they're the ones standing to lose, in which case they cry out for arbitration (in their favor, of course).

            There are people who want to do right the first time. Generally they go into Open Source, I guess, meaning they have to live off something else until the project is done.

            1. Charles 9

              "Because then you might get beat to the post by someone who didn't consider Do Or Die and just chucked it out to patch it later."

              Like I said, if the situation REQUIRES right the first time because you only get one shot, the one who tries to get it fast loses because the thing crashes and he gets the blame, losing more than the paycheck pays out. Like getting a rocket contract and losing the payload that's more expensive than the rocket itself.

              Sometimes, you just can't get it fast OR get it right. Sometimes, it must be Right AND Fast: All or Nothing.

              1. Doctor Syntax Silver badge

                "Sometimes, it must be Right AND Fast"

                That's OK. It's just that it can't be cheap as well. The Iron Triangle rules.

                1. Charles 9

                  Oh yeah? How about RIGHT, FAST, AND UNDER BUDGET, Iron Triangles be damned?

  2. Ted's Toy

    Simple: don't have the internet connected to the power control software computers, and/or have an isolated web connectivity.

    1. Anonymous Coward

      Not so simple. Remote administration REQUIRES a remote access of some sort, and many times the Internet is the only option. And once you have remote access, SOMEONE's going to find a way in. Even if the connection is not directly through the Internet, someone will bridge it to the Internet eventually. And since remote administration is pretty much a requirement with big power companies these days...

      1. Doctor Syntax Silver badge

        "Remote administration REQUIRES a remote access of some sort, and many times the Internet is the only option...."

        .... if it doesn't matter about getting pwned. In which case why are you installing it in the first place?

  3. Scott Broukell

    Sigh, the internet of pings.

  4. Paul Crawford Silver badge

    Code space?

    "Admins are advised to block port 80, stop using the web interface for device management"

    Sigh, so they have enough space to fit a shitty web server in for the interface, but not enough to do it correctly, and so it is no longer supportable?

    They can't even deliver a web-serverless version to patch this?

    1. Charles 9

      Re: Code space?

      Doesn't matter if it uses the web or not. It's the remote aspect that's hackable, but remote admin may be the only option depending on the situation.

      1. Doctor Syntax Silver badge

        Re: Code space?

        " It's the remote aspect that's hackable"

        Regard a management device that's hackable as not being there because one day it won't be. Or even worse, it'll be there doing something it shouldn't.

        So go back to the beginning: we need this device on site managing the xxxx. So what do we have to do to ensure it's there? Do we really, absolutely, have to have remote admin? If so then it really, absolutely can't be on the net, it has to be accessed by some other means. Otherwise you're only pretending it's there, rather like a cylinder lock in a glass panelled door is only pretending to be locked.

        1. Charles 9

          Re: Code space?

          Yes, because the upper admins are 2,000 miles away at other plants.

          No, no other option is viable that isn't equally vulnerable (and ANY remote means is equally hackable because it's the remote element that makes it hackable). And local presence isn't an option due to the distances.

          Oh, and did we mention they've only budgeted so much to you, and pretty much the ONLY thing you have to work with is an untempered, 1/4" thick glass door? And they still expect 100% perfection or else, AND they have an ear with the employment commission meaning if you fail you can pretty much kiss any other job prospects goodbye.

          Welcome to the real world. And yes, I've seen it.

          1. Justicesays

            Re: Code space?

            "No, no other option is viable that isn't equally vulnerable (and ANY remote means is equally hackable because it's the remote element that makes it hackable). And local presence isn't an option due to the distances cost."

            And god knows costs have to be kept low, otherwise how would the company CEO get his huge pay packet and bonuses?

  5. Richard Jones 1
    WTF?

    Put a Front End Processor In?

    Do not connect the device to the net, either internet or intranet. Connect this crappy thing to a front end processor which carries out the authorisation and checking before passing commands to the back end crap device.

    Verify which is more cost effective first; a dedicated access control front end or a better designed piece of replacement controller hardware.

    Then think about future design requirements for new procurements with a robust Request For Proposals and a 'bomb proof' Specification setting down a minimum lifetime support capability. Make design failures the responsibility of the junk man, sorry manufacturer to fix or replace the tat for its normal Specified lifetime.

    That stuff is not normally consumer grade fluff that is junked when fashions change.

    1. chivo243 Silver badge

      Re: Put a Front End Processor In?

      "Then think about future design requirements"

      Therein lies the rub, future ready. One of my mantras, but rarely heeded by mgmt....

      I really hate playing catch up... I'd like to be ready for tomorrow today ;-}

    2. David Roberts

      Re: Put a Front End Processor In?

      FEP?

      Ah, takes me back to mainframe communications in the '70s.

      Have an up vote.

    3. Charles 9

      Re: Put a Front End Processor In?

      "Do not connect the device to the net, either internet or intranet. Connect this crappy thing to a front end processor which carries out the authorisation and checking before passing commands to the back end crap device."

      Don't you get it? They'll just hack the front end. Remote admin is pretty much required these days yet at the same time is inherently vulnerable to hacking. You lose either way.

      1. Pascal Monett Silver badge

        Re: Don't you get it ?

        Don't you ?

        The front end can be hardened. It can be logged. It can be blessed with a SWAT team if necessary.

        Yes, the hacker will try his damnedest. While he's wasting time raising alarms there, the job can continue to run smoothly.

        At least I hope so.

        1. Charles 9

          Re: Don't you get it ?

          It can also be IMPERSONATED. How do you harden a remote admin against a hacker that gleans a real admin's credentials?

          1. Anonymous Coward
            WTF?

            Re: Don't you get it ?

            Well for starters you can use 2FA as the most basic method of stopping a "hacker that gleans a real admin's credentials" along with a dozen other proven methods.

            1. Charles 9
              FAIL

              Re: Don't you get it ?

              If the guy stole his wallet, he probably stole the second factor (usually the phone) along with it. Plus one can hack the phone to redirect a second factor. Try again.

              Remember, we're talking high-profile stuff, the kind of stuff an enemy organization might make the effort to scout out and target a whole-identity-theft attack for.

      2. Doctor Syntax Silver badge

        Re: Put a Front End Processor In?

        "Don't you get it?"

        Yes, we get it. You need some sort of management device to be there when it's needed. So install one that will be there when it's needed. If you go along with the "it'll be hacked anyway" line of thought then you're effectively saying you won't bother to put one there, otherwise you're not meeting the spec.

    4. Charles 9

      Re: Put a Front End Processor In?

      "Then think about future design requirements for new procurements with a robust Request For Proposals and a 'bomb proof' Specification setting down a minimum lifetime support capability. Make design failures the responsibility of the junk man, sorry manufacturer to fix or replace the tat for its normal Specified lifetime."

      You can't truly "future-proof" anything because the future is unpredictable. It's like what Douglas Adams once said about fools: the moment you make something "bomb-proof" someone comes along and makes an anti-bomb-proof bomb (like a high-penetration bomb). Try to future-proof something and the future swerves in another direction and opens unpredicted and unpredictable avenues of attack (say being able to significantly influence electric currents from afar). And no manufacturer will accept the liability, meaning the plant either needs to lower the standard or go without, the latter of which may not be acceptable if there's a pressing need and a time limit.

  6. Anonymous Coward

    This is typical of the results we get when MBAs take over from engineers. It can also be the result of off-shoring but then again that is the result of MBAs getting involved.

  7. Christian Berger

    I think there is a certain limit to how much "thought" you can get done

    After all you have only a limited number of people with a limited amount of intelligence. Even if you add more people, the additional friction might cancel out the amount of additional work you get done.

    So you have lots of things to consider when designing such a system. For example it needs to do its basic function. If it doesn't work, the project certainly has failed. Then you have other things you need to do, examples are the user interface to set it up and security considerations. Adding to that there are self-made tasks, for example trying out a new feature of your language, or adding licensing measures. This all has to be done on a limited work budget.

    The big problem with this comes when you have inexperienced people. Those people will only know certain types of technology. For example when it comes to configuration many people think of having an embedded web server. After all that's how their home router is configured. Those people have never seen simple console based configuration interfaces, or file formats that can be read from an SD-card and written with a text editor. They don't know what the alternatives are, therefore they effectively waste work on things they could have done simpler.

  8. Anonymous Coward

    I'm not defending these....

    ...but maybe, just maybe they don't expect them to be put in with a direct internet feed, but have something hefty put in place.

    We have plenty of devices with web interfaces, but they will never see an internet connection in their life.

    1. Charles 9

      Re: I'm not defending these....

      "We have plenty of devices with web interfaces, but they will never see an internet connection in their life."

      Don't be so sure. What if it gets accidentally BRIDGED?

      1. Doctor Syntax Silver badge

        Re: I'm not defending these....

        "What if it gets accidentally BRIDGED?"

        If you're in charge of it it's your job to make sure it doesn't get bridged, accidentally or otherwise. Not wringing your hands is part of the job description.

  9. Anonymous Coward

    No available code space?

    Replace the ROM chip then! One at a time, since you should be using redundant systems anyway.

  10. Anonymous Coward
    Facepalm

    Unknown component function Session Handler

    What was the name of the Operating System and how do they know it affects an unknown function and who wrote it?
