back to article Just a reminder: We're still bad at securing industrial controllers

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers. The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 …

  1. big_D Silver badge

    Isolate

    The thing is, we are talking about PLC or ICS hardware, so it should already be isolated from the rest of the "office" network, let alone the internet.

    This isn't good, but if you have set up your networks half way intelligently, the effect should be minimal and require physical access to the production network.

    Although we probably have idiots going "woot, Industry 4.0, I want to view my plant in Arkansas from my smartphone when I'm in China."

    1. Charles 9 Silver badge

      Re: Isolate

      Right, and those idiots also tend to be the ones who determine the budgets and/or sign off on the payrolls. Now what was that proverb about "biting the hand that feeds you"?

    2. Anonymous Coward
      Anonymous Coward

      Re: Isolate

      There's actually a good solution to the "I want to view my plant in Arkansas from my smartphone when I'm in China." conundrum.

      We use a VPN tunnel for remote client support around the world, and only enable the individual connections as-needed when the customer asks.

      There's a little industrial VPN router in the machinery, the main VPN server hub at our East Coast location, which the machinery tries to connect through from behind a firewall. If someone breaks the certificates, then we're stuffed, but then again the world is stuffed at that point.

      1. Anonymous Coward
        Anonymous Coward

        Re: Isolate

        "There's a little industrial VPN router in the machinery,"

        Moxa used to sell nice little ARM-based Linux boxes for stuff like that too :)

        The Moxa UC7420 and other similar products had Intel Inside, but not x86 inside - this was back in the days of the Intel's IXP422 comms controller family:

        http://www.bdtic.com/datasheet/Intel/IXP422.pdf

    3. Rockets
      Facepalm

      Re: Isolate

      The thing is, we are talking about PLC or ICS hardware, so it should already be isolated from the rest of the "office" network, let alone the internet.

      Having seen the state of lots of process control networks I couldn't agree more with this. The PLC tech's love their Moxa devices too. If I had a dollar for every Moxa device I've seen on a process control network that is in the default state I'd be a rich man. But these guys are mostly electricians so I can see why they are in this state. I saw a Moxa pair of devices that was being used from remote blasting of explosives with the default passwords etc.

    4. thames

      Re: Isolate

      Actually, all of the products listed are just managed Ethernet switches. The main reason that people buy stuff like this is that the mounting method and package profiles fit with other industrial hardware and the operating voltage is compatible with standard industrial voltages.

      The specifications include a long alphabet soup list of standards and management protocols which most users probably don't understand. Most users probably just plug them in and if they work out of the box they don't bother configuring them.

      I can't imagine a valid reason for connecting the management interface to the Internet for most applications these switches would be used in. If it is, then you probably already have much bigger problems than the software bugs in question.

      Personally I am of the opinion that adding security features and protocols to most industrial hardware is a waste of time, and is even counter productive in most cases as it creates the illusion of security. Industrial control companies are never going to be security experts and industrial control system designers are never going to be IT security specialists. You are probably better off relying upon isolating networks and if you need connections outside the machine boundaries to add IT industry standard hardware which has been configured by someone who does that sort of thing for a living.

    5. Anonymous Coward
      Anonymous Coward

      Re: Isolate

      "This isn't good, but if you have set up your networks half way intelligently, the effect should be minimal and require physical access to the production network."

      What about the risks of exposing credentials to a rogue insider already on the network who could use the creds to mess something up and blame it on someone/something else?

  2. Will Godfrey Silver badge
    Unhappy

    No Hope

    The potential problems are well known by now (with actual examples) but the ones holding the purse strings simply aren't interested. Their only mantra is suck out as much money as you can. It's cheaper to say "Lessons will be learned" than to actually do anything.

    1. Archtech Silver badge

      No skin in the game...

      As Nassim Nicholas Taleb would say.

  3. Anonymous Coward
    Anonymous Coward

    ah that transports me back..

    ..to the end of the 90's when I worked for a control systems company that will remain unnamed that is still operating today. Their in-house built custom serial protocol kit was and still is installed all over the UK and was (possibly still is) also installed on site in a number of overseas locations.

    On occasion they would use Moxa boxes to connect their stuff within a site and would sometimes use other off the shelf bits and pieces to connect sites to other sites. There was no protocol level security anywhere in their proprietary serial protocols at all - the closest thing in existence to security was a checksum at layer 7 for simple error control. At the serial comms layer everything was simply trusted to be secure because it was all "private network" - aka RS232 -> RS485 wet string.

    These also were the days when nobody thought to care at all about PC security; their control room Windows NT4 PC based systems were also woefully configured, whether it was a PC with their own in-house software installed on it or a PC with an off the shelf scada system installed on it.

    I no longer work in this "industry" but I can see that not much has changed.

  4. sean.fr

    no telnet or snmp 2v please

    Telnet sends passwords in clear text over the wire.

    Unless you change it, snmp have the default passwords public and private.

    Assuming using the popular version v2c, rather than version3. passwords in clear.

    HTTPS and SSH2 are better. Use HTTPS for the first box as it is easy. Then use SSH2 to copy the text config to the next box.

    But to be fair, you are more likely to have downtime due to a hardware failure and human error than a hacker sniffing the wire.

    The easiest hack is to just walk off with the equipment. So step one, is sort out physical access.

    1. Sir Runcible Spoon Silver badge

      Re: no telnet or snmp 2v please

      Whilst I agree that you are more likely to encounter issues from hardware failure/human error than hacking, a hack has the potential to be so much more disruptive.

      It's the old equation - Probability * Impact = Risk

      Even if the probability is really low, if the impact is massive then the risk is high.

  5. Anonymous Coward
    Anonymous Coward

    IMHO

    I believe most of these networks are already compromised by serious actors in the (national) security field.

    The reason they haven't been taken advantage of so far is that you don't play your Ace's until you actually need them, that way your enemy won't beef up their defences and make it harder for you to gain an advantage when it would count the most.

    That's what I would do, and my job is to prevent these things happening by trying to think like the enemy. I try not to voice too many opinions because you never know when someone hasn't thought of something and you are effectively aiding and abetting etc.

  6. amanfromMars 1 Silver badge

    I Just Gotta Say .... What Have All You Got to Share Freely to Satisfy urDreams?

    The switches were also found to be sending sensitive data via "proprietary protocols" that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

    Methinks Proprietary Protocols were not Secured and Lend Lease Purchased then, ..... for Almighty AI Mission Feeding and Seeding Nirvana.

    Surely we don't need to show you how Heavenly ITAll Is.?! :-) with Free Entry via these Portals ........ MMORPG Command with NEUKlearer HyperRadioProACTive IT Controls for CHAOSystems

    With New Memes or Catastrophically Simple Means of Honest Overall Control for Clouds Hosting Advanced Operating Systems.

    Now that is one HumDinger of a Reality. Is it mirrored and enjoying itself practising in yours?

    The Question is ....... When Everything Going Forwards Paints a Colourful Blank Canvas of Truths Agreed to be Accepted, is it the Future U Expected to Come?

    :-) A Truly Decadent Delight to Favour and Savour ..... with Immortal Desire in Carnal Knowledge surely Heavenly Bounty.

    And don't forget words create, command and control and destroy worlds so think at least twice before making all wrong or any right choice .....which of course was/is a thought path where one ASPires to Server and Service Desires with Ever Tastier Temptations to Satisfy with an Insatiable Longing to be of Great and Greater IntelAIgent Game Service ??

    I Kid U Not :-)

    Are you with the Program/Putsch/Pogrom/Project, El Reg? ;-) Ok, better not answer that just yet. But Breaking Broken News Impossible to Store or Deny is Experimental Existential Virtual Reality Programs are Ready for Remote Virtual Command to Control Earthly SCADA Systems.

    And some are right chatty in the perfect joint space and heavenly place. No Secrets when All Never Hidden from Knowledge is Rewarded with Never Ending Satisfaction in Quests Servering Immaculate Desires and Insatiable Passions.

    If that's too blue for the blue pen brigade, does it get signed off in green ink for Fabulous Payment and AIReDeployment.

    As you can read, it's been quite a busy day here and presumably in all of those other places/connected by knowledge spaces where sharing info serves intel and intelligent beings eventually, inevitably become All Knowledgeable and they Restart the Great Game with SMARTR Addition Editions with Greater IntelAIgent Game Plays.

  7. Cliff Thorburn

    Anyway forward is forward amFM, and it would be nice if man in the middle shenanigans work in a positive rather than negative manner for once.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019