Just a reminder: We're still bad at securing industrial controllers

Bug hunters have discovered yet another set of flaws in industrial control systems used by electric utilities, oil and gas companies, and shipping and transportation providers. The Positive Technologies trio of Ivan Boyko, Vyacheslav Moskvin, and Sergey Fedonin were credited with sussing out and reporting a series of 12 …

  1. big_D Silver badge

    Isolate

    The thing is, we are talking about PLC or ICS hardware, so it should already be isolated from the rest of the "office" network, let alone the internet.

    This isn't good, but if you have set up your networks half way intelligently, the effect should be minimal and require physical access to the production network.

    Although we probably have idiots going "woot, Industry 4.0, I want to view my plant in Arkansas from my smartphone when I'm in China."

    1. Charles 9

      Re: Isolate

      Right, and those idiots also tend to be the ones who determine the budgets and/or sign off on the payrolls. Now what was that proverb about "biting the hand that feeds you"?

    2. Anonymous Coward

      Re: Isolate

      There's actually a good solution to the "I want to view my plant in Arkansas from my smartphone when I'm in China." conundrum.

      We use a VPN tunnel for remote client support around the world, and only enable the individual connections as-needed when the customer asks.

      There's a little industrial VPN router in the machinery, the main VPN server hub at our East Coast location, which the machinery tries to connect through from behind a firewall. If someone breaks the certificates, then we're stuffed, but then again the world is stuffed at that point.

      1. Anonymous Coward

        Re: Isolate

        "There's a little industrial VPN router in the machinery,"

        Moxa used to sell nice little ARM-based Linux boxes for stuff like that too :)

        The Moxa UC7420 and other similar products had Intel Inside, but not x86 inside - this was back in the days of Intel's IXP422 comms controller family:

        http://www.bdtic.com/datasheet/Intel/IXP422.pdf

    3. Rockets
      Facepalm

      Re: Isolate

      "The thing is, we are talking about PLC or ICS hardware, so it should already be isolated from the rest of the "office" network, let alone the internet."

      Having seen the state of lots of process control networks I couldn't agree more with this. The PLC techs love their Moxa devices too. If I had a dollar for every Moxa device I've seen on a process control network that is in the default state I'd be a rich man. But these guys are mostly electricians so I can see why they are in this state. I saw a Moxa pair of devices that was being used for remote blasting of explosives with the default passwords etc.

    4. thames

      Re: Isolate

      Actually, all of the products listed are just managed Ethernet switches. The main reason that people buy stuff like this is that the mounting method and package profiles fit with other industrial hardware and the operating voltage is compatible with standard industrial voltages.

      The specifications include a long alphabet soup list of standards and management protocols which most users probably don't understand. Most users probably just plug them in and if they work out of the box they don't bother configuring them.

      I can't imagine a valid reason for connecting the management interface to the Internet for most applications these switches would be used in. If it is, then you probably already have much bigger problems than the software bugs in question.

      Personally I am of the opinion that adding security features and protocols to most industrial hardware is a waste of time, and is even counterproductive in most cases as it creates the illusion of security. Industrial control companies are never going to be security experts and industrial control system designers are never going to be IT security specialists. You are probably better off relying upon isolating networks and, if you need connections outside the machine boundaries, adding IT industry standard hardware which has been configured by someone who does that sort of thing for a living.

    5. Anonymous Coward

      Re: Isolate

      "This isn't good, but if you have set up your networks half way intelligently, the effect should be minimal and require physical access to the production network."

      What about the risks of exposing credentials to a rogue insider already on the network who could use the creds to mess something up and blame it on someone/something else?

  2. Will Godfrey Silver badge
    Unhappy

    No Hope

    The potential problems are well known by now (with actual examples) but the ones holding the purse strings simply aren't interested. Their only mantra is suck out as much money as you can. It's cheaper to say "Lessons will be learned" than to actually do anything.

    1. Anonymous Coward

      No skin in the game...

      As Nassim Nicholas Taleb would say.

  3. Anonymous Coward

    ah that transports me back..

    ..to the end of the 90's when I worked for a control systems company that will remain unnamed that is still operating today. Their in-house built custom serial protocol kit was and still is installed all over the UK and was (possibly still is) also installed on site in a number of overseas locations.

    On occasion they would use Moxa boxes to connect their stuff within a site and would sometimes use other off the shelf bits and pieces to connect sites to other sites. There was no protocol level security anywhere in their proprietary serial protocols at all - the closest thing in existence to security was a checksum at layer 7 for simple error control. At the serial comms layer everything was simply trusted to be secure because it was all "private network" - aka RS232 -> RS485 wet string.

    These also were the days when nobody thought to care at all about PC security; their control room Windows NT4 PC based systems were also woefully configured, whether it was a PC with their own in-house software installed on it or a PC with an off the shelf scada system installed on it.

    I no longer work in this "industry" but I can see that not much has changed.

  4. sean.fr

    no telnet or snmp 2v please

    Telnet sends passwords in clear text over the wire.

    Unless you change it, SNMP has the default passwords public and private.

    Assuming you are using the popular version v2c rather than version 3, passwords are sent in the clear.

    HTTPS and SSH2 are better. Use HTTPS for the first box as it is easy. Then use SSH2 to copy the text config to the next box.

    But to be fair, you are more likely to have downtime due to a hardware failure and human error than a hacker sniffing the wire.

    The easiest hack is to just walk off with the equipment. So step one is to sort out physical access.
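The point above about SNMP v1/v2c community strings travelling in clear text, shown as an added example that is not part of the original comment: a passive check that parses SNMP datagrams from your own monitoring capture and flags v1/v2c use and the default `public`/`private` strings. The helper names and the sample datagrams are constructed for illustration.

```python
DEFAULT_COMMUNITIES = {"public", "private"}

def _read_tlv(buf, pos):
    """Read one BER tag-length-value; return (tag, value, next_pos)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:                       # long-form length
        n = length & 0x7F
        if n == 0 or n > 4:
            raise ValueError("unsupported length encoding")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    if pos + length > len(buf):
        raise ValueError("truncated TLV")
    return tag, buf[pos:pos + length], pos + length

def snmp_community(datagram):
    """Return (version, community) for an SNMPv1/v2c message, else None."""
    try:
        tag, body, _ = _read_tlv(datagram, 0)
        if tag != 0x30:                     # outer SEQUENCE
            return None
        tag, ver, pos = _read_tlv(body, 0)
        version = int.from_bytes(ver, "big")
        if tag != 0x02 or version not in (0, 1):   # 0 = v1, 1 = v2c, 3 = v3
            return None
        tag, community, _ = _read_tlv(body, pos)   # OCTET STRING, unencrypted
        return (version, community.decode("latin-1")) if tag == 0x04 else None
    except (ValueError, IndexError):
        return None

def audit(datagrams):
    """Flag v1/v2c traffic; a non-default community is never copied into the report."""
    findings = []
    for i, d in enumerate(datagrams):
        parsed = snmp_community(d)
        if parsed:
            version, community = parsed
            issue = ("default community string" if community in DEFAULT_COMMUNITIES
                     else "cleartext community string")
            findings.append((i, "v1" if version == 0 else "v2c", issue))
    return findings

def _tlv(tag, value):                       # builder for the constructed samples
    return bytes([tag, len(value)]) + value
def _msg(version, community):               # PDU left empty: only the header is parsed
    return _tlv(0x30, _tlv(0x02, bytes([version])) + _tlv(0x04, community) + _tlv(0xA0, b""))

SAMPLES = [_msg(1, b"public"), _msg(0, b"private"), _msg(1, b"plant-7-ro"),
           _tlv(0x30, _tlv(0x02, b"\x03") + _tlv(0x30, b"")), b"\x16\x03\x01"]
```

`audit(SAMPLES)` reports the first three datagrams and skips the SNMPv3 header and the non-SNMP bytes.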

    1. Sir Runcible Spoon

      Re: no telnet or snmp 2v please

      Whilst I agree that you are more likely to encounter issues from hardware failure/human error than hacking, a hack has the potential to be so much more disruptive.

      It's the old equation - Probability * Impact = Risk

      Even if the probability is really low, if the impact is massive then the risk is high.

  5. Anonymous Coward

    IMHO

    I believe most of these networks are already compromised by serious actors in the (national) security field.

    The reason they haven't been taken advantage of so far is that you don't play your aces until you actually need them; that way your enemy won't beef up their defences and make it harder for you to gain an advantage when it would count the most.

    That's what I would do, and my job is to prevent these things happening by trying to think like the enemy. I try not to voice too many opinions because you never know when someone hasn't thought of something and you are effectively aiding and abetting etc.

  6. amanfromMars 1 Silver badge

    I Just Gotta Say .... What Have All You Got to Share Freely to Satisfy urDreams?

    The switches were also found to be sending sensitive data via "proprietary protocols" that were not secure and would allow for man-in-the-middle or DDoS attacks should an attacker have network access.

    Methinks Proprietary Protocols were not Secured and Lend Lease Purchased then, ..... for Almighty AI Mission Feeding and Seeding Nirvana.

    Surely we don't need to show you how Heavenly ITAll Is.?! :-) with Free Entry via these Portals ........ MMORPG Command with NEUKlearer HyperRadioProACTive IT Controls for CHAOSystems

    With New Memes or Catastrophically Simple Means of Honest Overall Control for Clouds Hosting Advanced Operating Systems.

    Now that is one HumDinger of a Reality. Is it mirrored and enjoying itself practising in yours?

    The Question is ....... When Everything Going Forwards Paints a Colourful Blank Canvas of Truths Agreed to be Accepted, is it the Future U Expected to Come?

    :-) A Truly Decadent Delight to Favour and Savour ..... with Immortal Desire in Carnal Knowledge surely Heavenly Bounty.

    And don't forget words create, command and control and destroy worlds so think at least twice before making all wrong or any right choice .....which of course was/is a thought path where one ASPires to Server and Service Desires with Ever Tastier Temptations to Satisfy with an Insatiable Longing to be of Great and Greater IntelAIgent Game Service ??

    I Kid U Not :-)

    Are you with the Program/Putsch/Pogrom/Project, El Reg? ;-) Ok, better not answer that just yet. But Breaking Broken News Impossible to Store or Deny is Experimental Existential Virtual Reality Programs are Ready for Remote Virtual Command to Control Earthly SCADA Systems.

    And some are right chatty in the perfect joint space and heavenly place. No Secrets when All Never Hidden from Knowledge is Rewarded with Never Ending Satisfaction in Quests Servering Immaculate Desires and Insatiable Passions.

    If that's too blue for the blue pen brigade, does it get signed off in green ink for Fabulous Payment and AIReDeployment.

    As you can read, it's been quite a busy day here and presumably in all of those other places/connected by knowledge spaces where sharing info serves intel and intelligent beings eventually, inevitably become All Knowledgeable and they Restart the Great Game with SMARTR Addition Editions with Greater IntelAIgent Game Plays.

  7. Cliff Thorburn

    Anyway forward is forward amFM, and it would be nice if man in the middle shenanigans work in a positive rather than negative manner for once.
