back to article Remember Stuxnet? You'll endure its hated-by-critics sequel if you don't patch your holey Siemens industrial kit

Industrial control software vulnerabilities, which would be perfect for next-gen Stuxnet-style worms to exploit, are as prevalent as ever, apparently. A report out this week from Tenable outlined a series of CVE-listed security holes in the products of four of the largest industrial control system (ICS) makers, including …

  1. Anonymous Coward
    Anonymous Coward

    "Too big to fail...."

  2. Anonymous Coward
    Anonymous Coward

    Why are they using Windows and Siemens proprietary stuff anyway?

    Like, if you've mastered the necessary engineering to build a uranium centrifuge, I'm pretty damn sure you could figure out how to wire it up to an arduino and some breadboard and get it talking to linux :P Not exactly rocket science...

    (that's the building next door)

    1. big_D Silver badge

      Re: Why are they using Windows and Siemens proprietary stuff anyway?

      It is a lot more than Arduino and Linux. For a start, Linux is not a real-time OS, it is interrupt driven, in its standard form. That means that it isn't ideal for many industrial settings.

      If you need answers in the millisecond spectrum, waiting for a disk IO to complete before reading an analogue register is too long and you have missed your opportunity.

      There are some applications, where a normal system would work, but you still need to write the control interfaces and drivers for the equipment being used, And, yes, there are some RTOS versions of Linux on the market, but they usually have propriatary compenents as well. And mixing analogue and digital registers isn't always easy, there is a reason why the hardware and software is so expensive.

      It isn't ideal, but it also isn't as easy to replace as you seem to think.

  3. Anonymous Coward
    Anonymous Coward

    Vulner what? Just getting a RSLInx connection without some DRM idiocy even when pleading / swearing / muttering right next to it should be enough of a challenge to ward off the bad guys. Perhaps Siemens could make their comms as bad so their users have fewer problems. Failing that a few hours / years spent talking to tech support (quote "turn off your firewall" & "buy another license") should break them. Shame really as the hardware is solid.

    1. Palpy

      Ah, that really takes me back.

      Indeed -- the initial setup, and subsequent troubleshooting, can make strong techs weep like schoolchildren. Before I retired I got to watch a factory tech slog into the bowels of an installation, muttering, to crouch like a balding gargoyle over his laptop whilst trying to get the SULFUROUSLY DAMNED Allen-Bradley PLC to take instruction. For... days.

      That said, and as you say, once it is up and running the hardware is solid. Well, mostly. Unless the power supply gets jiggy.

      And for those who say air-gap, air-gap: Yes, well, tell it to the vendors. Tell it to management. I tell ya, vendors are pushing online-everything -- diagnostics, data collection, remote troubleshooting, etc -- and management wants it all. So do the vendor's techs, 'cos house calls are so very twentieth-century. "Nobody does that anymore. Come on, plug in the ethernet and let us remote in!" Even if the equipment is spinning uranium isotopes at very high speeds.

      1. Claverhouse Bronze badge

        Re: Ah, that really takes me back.

        They have to allow lonely machines access to Facebook.

      2. Archtech Silver badge

        Re: Ah, that really takes me back.

        Maybe if managers were *shot* for allowing break-ins...

        Just sayin'. Pig, chicken.

        1. phuzz Silver badge

          Re: Ah, that really takes me back.

          "Maybe if managers were *shot* for allowing break-ins"

          I'm sure they are in North Korea.

          In Iran, possibly? Can you imagine being the sysadmin who fucked up your country's nuclear program?

      3. big_D Silver badge

        Re: Ah, that really takes me back.

        I know of one manufacturer locally, they have a CNC machine whose control software still runs on Windows XP. They have air-gapped it, because the CNC-manufacturer wants 7 figures to "upgrade" the software - well, the new software is already there, but only works with a newer model, which costs 7 figures. Given the old machine is still going strong, the just air-gapped.

        The tech support always want to use TeamViewer to look at the machine. The IT manager remains firm, update the software to work on a supported platform and they can get TeamViewer access, otherwise they have to remote control the machine operator over the telephone.

  4. Walter Bishop Silver badge
    Facepalm

    Attacker could execute arbitrary commands through websockets

    CVE-2019-10915,::“The vulnerability is an authentication bypass in the TIA Administrator server. An attacker could execute arbitrary application commands through websockets on the node.js server which is externally exposed by default.”

    Nobody in their right mind uses a web server/web browser to control their industrial controllers.

    1. NetBlackOps
      Facepalm

      Re: Attacker could execute arbitrary commands through websockets

      Well, I wouldn't and I'm legally insane. [Truth.] But, apparently doing exactly that is something done all the time in The Real World. Go figure.

    2. amanfromMars 1 Silver badge

      Re: Attacker could execute arbitrary commands through websockets

      Nobody in their right mind uses a web server/web browser to control their industrial controllers. .... Walter Bishop

      Oh yes they do ....... and also to command and control the industry of others, WB.

      And that is what is so terrifying to the likes of a Microsoft Windows type Operation, for they be undoubtedly responsible and surely accountable for presentation and maintenance of the portal/utility/facility?

    3. katrinab Silver badge
      Flame

      Re: Attacker could execute arbitrary commands through websockets

      Have you ever met a director who is in their right mind?

    4. LDS Silver badge

      "Nobody in their right mind uses a web server/web browser to control their industrial controllers."

      Today everything must be a web app - and just wait for the mobile app plus IoT industrial controllers cloud-managed....

    5. big_D Silver badge

      Re: Attacker could execute arbitrary commands through websockets

      Nobody should use such a controller on a network attached to the local office network, let alone the Internet!

  5. This post has been deleted by a moderator

  6. amanfromMars 1 Silver badge

    Re Abiding Achilles Heels ....... with Filthy Rich Honey Pots

    And of course, quite naturally, will such vulnerabilities/opportunities continue to exist and deploy despite the following MS Windows System Instructions/Terms of Use/Virtual Agreement .......

    Do not attempt to gain unauthorised access to, use or attempt to interfere with or compromise the normal functioning, operation or security of any network, system, computing facility, equipment, data or information, including but not limited to any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without the express authorisation of the owner of the system or network. This includes using sniffers or SNMP tools to gain such unauthorised access.

    Do not attempt to circumvent user authentication or security of any host, network or account (a.k.a. "cracking"). This includes, but is not limited to, accessing data not intended for you, logging in to or making use of a server or accounts that you are not expressly authorised to access or probing the security of other networks.

  7. Lee D Silver badge

    That's okay, we all learned to put industrial controls on a managed and controlled and isolated and monitored internal network, with no direct access to the Internet, via firewalls and proxies and whatever else necessary to ensure they stay isolated from everything else and, where possible, even each other after the last thing like this.

    Right?

    1. Anonymous Coward
      Anonymous Coward

      @Lee D - Don't forget human factor

      It seems the Stuxnet attack against Iran benefited from the modest contribution of an insider who offered to help the pest cross the air-gap. However since he was executed he couldn't claim the reward so the operation cost the Westerners almost nothing. Like someone was saying, it's good to be king.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Biting the hand that feeds IT © 1998–2019