Oh GREAT: Your factory can Heartbleed out

Tired of Heartbleed horror? Brace yourself for another round, this time with a "hackers can attack factories" flavour after Siemens shipped coagulant patches for some of its key SCADA kit. In a timely reminder of just how pervasive the vulnerability is, the European vendor says users of its eLAN and WinCC OA products to …

COMMENTS

This topic is closed for new posts.
  1. Mark 85

    Head Scratcher, this one is...

    Why would any factory SCADA kit need to be internet facing? Internal network only and even that should be stand alone. I don't get it. Are people really that stupid???? Then again, there's costs, profits, and greed which force a stupid look and a blind eye.

    1. Anonymous Coward

      Re: Head Scratcher, this one is...

      Ask Target and the others why their POS systems were Internet facing as well.

      1. Mark 85

        Re: Head Scratcher, this one is...

        They're idiots?????

      2. Tom 13

        Re: POS systems were Internet facing as well.

        That's easy. The vendor allows it and makes it easier to set up than the other options. Cheaper too. For one event I assisted with it was the best option for us to use. Test the systems offsite to confirm they were working. Move the equipment onsite, run the event and three days later take the equipment away again. Not so easy to do with modems and phone lines. And quite frankly these days, I expect it is mostly only us old farts who know what a modem is.

        Why it was on the same VLAN as everything else in the store is a whole other issue.

        1. Al Jones

          Re: POS systems were Internet facing as well.

          Would you prefer if Siemens had said "we're not going to bother releasing patches to our software that is vulnerable to the heartbleed flaw, because only an idiot would make their SCADA systems internet facing".

          There's a known vulnerability in some of the libraries that they use in their SCADA software. They've released a patch. The only head-scratcher is why anyone would think that they shouldn't have bothered!

    2. Wzrd1 Silver badge

      Re: Head Scratcher, this one is...

      I'm guessing you've never heard of an insider threat.

      1. Mark 85

        Re: Head Scratcher, this one is...

        Yeah... I have. But this article isn't about dealing with an insider threat and let's face it, an insider threat is damned near impossible to stop. Unless I misread/misinterpreted the patches, they're for outsider threats.

    3. John Riddoch
      FAIL

      Re: Head Scratcher, this one is...

      "Are people really that stupid????"

      Yes. Next question?

    4. hammarbtyp

      Re: Head Scratcher, this one is...

      Because we live in 2014 not 1980?

      Why do you connect to the internet? Do you do your banking by going to the branch or over the internet despite the security implications? Should we just dump computers altogether due to the inherent security risk and do everything manually?

      There are huge benefits to be gained from connected industrial devices such as prognostics, data analytics, and remote monitoring which make our plants more reliable, efficient and adaptable.

      But this comes with a risk which needs to be managed. The embedded world has had some wake up calls on security and we know we need to get better at it and security is always a moving target.

      But not do it at all? That is just pointless simplification and posturing, ignoring the huge benefits and realities.

      1. Down not across

        Re: Head Scratcher, this one is...

        I don't agree that online banking and process control with SCADA are comparable. That's comparing apples to oranges.

        Of course remote monitoring and managing are useful and in some cases pretty much mandatory. That doesn't mean they should be connected to the 'internet'. They should be on a tightly controlled private network. If access from the public network is required then surely a decent VPN solution would be better than exposing some vendor interface to the public.

      2. Don Jefe

        Re: Head Scratcher, this one is...

        That 'DA' part of SCADA is incredibly important. Data acquisition acts as a coal mine canary and provides information that allows you to identify 'silently escalating' problems, identify and defuse hazardous situations and more. It's all fine and dandy for you to say industrial systems shouldn't be online; but had proper systems been in place at Chernobyl the world would be a much different place and some journalists would have to find a new soapbox.

        In the Chernobyl example people outside the plant should have been alerted and able to act long before the operators had the chance to create a catastrophic situation. That's the 'S' part and is in place to automatically defuse hazardous situations and/or allow an offsite person to do so if some numpty has disabled all the safeguards.

        It's pretty important that external entities be alerted because you can't count on Humans following proper procedures. Somebody is always going to have discovered a 'short cut' that makes an enormous mess. Industrial facilities don't operate like computers, where 'Toggle B' is disabled unless 'Toggle A' is in position 3. There are always going to be valid reasons for 'Toggle B' to be adjusted independently of 'Toggle A' and that's normally fine, until you discover that a sluice at the dam that controls the flow of water into your plant has not been closed as the status board indicates. Your plant operators were only alerted to the problem by phone. Unfortunately, because that sluice is shown closed the system won't start the cooling pumps (because giant dry pumps are bad) for the furnace unless you flip 'Switch GVXJ31' but if you do that you're going to cut off electricity to the waste water release gates and if those gates aren't opened before the water gets too hot your wife and family will certainly enjoy the new house they bought with your life insurance payout.

        That's an extremely simplified example, and there are safeguards on lots of things, but it's quite foolish to think that a factory is a closed system. Large factories have their own internal infrastructure stacked on top of an exterior infrastructure and it all has to work together. The broken sluice up there is just as important to your operations as the products you're making. If it's sending you bad data then situations can spiral out of control extremely fast.

        The ensuing chaos would normally have been straightforward to manage, but between the taxi crash, airport delays, road closures, doctor appointments and vacations the only people who knew how to deal with the situation were all gone and that's always going to be the case. The universe will fuck you.

        You can always call the people that designed and built your equipment and ask them what to do. I can probably get it sorted, but since some IT security guy made them take their control systems off the Internet I can access the information to make a good decision. All you can do now is run.

  2. WraithCadmus
    FAIL

    FTPS?

    Lordy, hasn't that died yet?

  3. Sceptic Tank Silver badge

    What kind of a monkey names a product ....

    APE 2.0? Now *there* is an unfortunate TLA.

    It could have been worse, I suppose.

  4. Anonymous Coward

    Not just SCADA

    See your router...the one from your ISP...is it secure?...you don't know...and it probably isn't.

    See your phone...Android is it?..probably not.

    Your connected NAS...

    Your connected printer...

    Basically...anything you bought that was "Plug and play" is probably at-risk.

    There will be no patches coming, if you want security you will have to go and buy a new phone or router or whatever.

    And when *THAT* is found to have a massive security hole that the OEMs won't patch, the cycle will repeat.

  5. Anonymous Coward

    It gets worse

    Seems that a lot of medical equipment is about as secure as a wet paper bag during the rainy season.

    A particularly nasty example is a certain brand of infusion pump (and people wonder why I am blacklisted from working in medicine :-) ) that can be hacked into using just a laptop with WiFi.

    STILL not fixed despite multiple emails back and forth to the manufacturers and two firmware updates, the problem is getting people to actually apply and then retest to make sure the patch worked.

    Another example recently found is a popular brand of LASIK/LASEK machine that despite having isolated power and backup can be shut down mid-treatment by a simple buffer overflow attack over the comms channel used for the remote handset.

    Turns out that because it was made back in the late 1990's and still in use, they never considered mobile 3G interference to be an issue. FAIL!

    Obviously turning up the power would also ruin someone's day, I call this one "Eyebleed".
