Researcher blasts Siemens for downplaying SCADA bug A security researcher who voluntarily canceled a talk about critical holes in Siemens' industrial control systems has criticized the German company for downplaying the severity of his findings. “The vulnerabilities are far reaching and affect every industrialized nation across the globe,” Dillon Beresford wrote in an email …
(The transfer of magic electrons not withstanding).
Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network.
The root cause here is the long term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target it. As such even the simplest of security restrictions were ignored for most of the industry's history. I work in this industry and any "focus" on security is about 5-10 years behind the curve.
Siemens may be unfairly catching the brunt of the publicity (they are by no means the only OEM with security issues), but their special conditions argument is marketing BS.
"Seriously, the concept of SCADA is to provide operator interface to and collect data from a networked control system. "
You appear to equate the internet as the *only* Wide Area Network in existence, and therefor the network *all* SCADA control system *have* to connect to.
If so you're *very* mistaken. SCADA systems have been around since at *least* the 1930s. For most of that time they operated either through leased lines running supplier provided protocols or the telephone system, again running typically proprietary protocols.
It is only *fairly* recently that the mantra lower costs ->standard protocols ->eliminate *private* networks -> transmit/receive *everything* over the internet has spread like a fungus through utility and other networks. While keeping SCADA data on a *physically* separate network (retaining TCP/IP for cost) would not stop *all* of this it would make a hell of a difference.
"I'm not aware of a network that isn't accessible via "sneakernet" regardless of the OS platform(s) on the network"
True, *unless* you disable all exchangeable media and start taking issuing software and data upgrades *seriously*.
"The root cause here is the long term belief in the systems integration industry that control systems were so specialized that no one would ever make the effort to specifically target it. "
That attitude has certainly not helped. Stuxnet *should* have been the wake up call to *all* SCADA suppliers.
Was not Siemens, a decade or so ago, accused of strong-arming the framing of EU specifications for data transmission protocols in industrial control systems? This was said to have put several of their competitors, whose systems consequently became 'non-compliant', at something of a disadvantage.
The trade magazine 'Control and Instrumentation', as I recall, covered this issue in some depth. Do any other readers remember more detail?
But only might.
Depends if he only had the regular installation manuals, or stuff only service engineers have access to.
Depends if he had to crack the case and make hardware changes to accept the hack (not to discover how to do it in the first place).
Which raises an interesting question.
Did they have *details* of what he'd done *before* they asked him to remove his presentation?
If so (and it's *not* serious) why did they ask him to remove it?
If they only had an outline and asked him to *still* postpone it that would suggest they view *all* security breaches (initially at least) as a CMA PR nothing-to-worry-about exercise.
Any supplier whose1st (in fact *only*) line of defense against this is "Whatever you do don't make your SCADA system publicly accessible" is *asking* to be pwnd.
> the bugs “were discovered while working under special laboratory conditions with unlimited access to protocols and controllers.”
So Seimens are complaining that he discovered the flaws because he had access to a controller? That he bought? Did I miss something? Whio cares how he discovered them, it's how they are exploitable that is the issue. If you need to be under lab conditions to exploit then fair do's, however it seems not to be the case.
Next - Nokia sue consumer who discovered his latest phone was crap when he had unlimited access to it (i.e. he took it home from the shop where he bought it)
You might not want to play the Sony security card as it tends to keep you in the headlines for all the wrong reasons. Watch next like Sony instead of fixing their security they will sick their lawyers on the security research community. If it burns when you pee don't tell anyone and it will go away.
That's easy to say, and easy for the certified Microsoft dependent and the PHB to believe, but the reality is that with something more sensible than Window boxes in the SCADA picture, propagating Stuxnet around the world would have been a great deal more difficult.
Something Stuxnet-like may not have been completely impossible on a more robust OS than Windows, especially given some of Siemens particularly flawed practices (default passwords?) but as the saying goes, "every little helps". Getting Windows out of the picture would have been more than a little helpful.
For full details of how Stuxnet propagated and interacted with the Siemens software, have a look at www.langner.com. The PC AV companies (Symantec included) don't have much of a clue about Siemens, even if they are good at PR.
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
