General Electric plays down industrial control plant vulnerabilities

General Electric (GE) has pushed out an update to its industrial control systems following the discovery of vulnerabilities that create a way for hackers to steal SCADA system passwords. Potential exploits based on the vulnerabilities could be abused to cause process flow disruptions in power stations, utility providers and …

  1. Version 1.0 Silver badge

    not on the LAN, no need to worry

    I believe that's what the Iranians thought too - the easiest way into a LAN network is <deleted> too many to list actually.

    1. Captain DaFt

      Re: not on the LAN, no need to worry

      And don't forget: "she said, adding that there had been no signs of exploitation."

      Were they looking for any?

      Ranks right up there with, "I've never used anti-virus and never had an infection."

  2. Brian Miller

    LAN party!

    Yeah, the hacker needs to be on the LAN. And they are!

    "In order to steal our stuff, the thief must enter the front door..." No, really? The glass door that's off its hinges, that one?

    Well, it's either going to be hackers or squirrels, and the squirrels have the lead.

  3. Anonymous Coward

    Oh jeez...

    Ever since 1999 everyone has known the greatest weakness of power stations is their absurd inability to stop flying motorcycles entering and blowing up the external security booths.

    Further to that we also learnt that nmap is installed on the most important machine in the building and that tool alone is enough to cut the power to an entire city block.

    I think they're regardless of the situation if they don't resolve the above issues.

    1. John 104

      Re: Oh jeez...

      I feel like I should know what movie this is but I'm coming up empty.

  4. Anonymous Coward

    So it's open to any engineer ..

    .. with an infected laptop (which is not exactly a new discovery, by the way).

    Yeah, I feel safer already. Time to check if my torch still works, I think.

  5. NoneSuch Silver badge
    Big Brother

    *cough* stuxnet

  6. John Smith 19 Gold badge
    Unhappy

    From the film "Zero Day" the stuxnet infection tactic seemed to be

    Infect machines on the networks of suppliers near to the facility.

    Wait till it infects their whole network.

    Wait till someone plugs in a device that's going to be plugged into the centrifuge control network.

    Device plugged into centrifuge control network.

    Boom

    The "Pro tip" "No system is really air gapped."

    1. Anonymous Coward

      Re: From the film "Zero Day" the stuxnet infection tactic seemed to be

      Off by one/buffer truncation error? The film readers may want to look for is "Zero Days".

      http://www.zerodaysfilm.com/

      Anyone seen a review/preview?

      For those who may be unaware of (or have forgotten about, deliberately or otherwise - hey, it's ages ago, right?) Stuxnet, here's a ten minute non-geeky video on Stuxnet from my preferred source on the Stuxnet subject:

      https://www.ted.com/talks/ralph_langner_cracking_stuxnet_a_21st_century_cyberweapon

      Stuxnet was only the first. Probably won't be the last.

  7. John Smith 19 Gold badge

    "The film readers may want to look for is "Zero Days"."

    More than 1. IIRC they used 4 of them.

    It can be found on the BBC iPlayer website

    1. Anonymous Coward

      Re: "The film readers may want to look for is "Zero Days"."

      "It can be found on the BBC iPlayer website"

      For readers whose UI to iPlayer is as bad as my set top box's, they'll have to search for Storyville (under whose banner this item went out), because searching for Zero Day, with or without the s, doesn't find it. The Web interface does find it, if I click on "show all results". Marvellous what you can (and can't) do with a computer these days, innit.

      1. Peter Clarke 1
        Mushroom

        Re: "The film readers may want to look for is "Zero Days"."

        It's a deliberate mistake insisted upon by the security services. If anyone could find it then the terrorists would use it. They are only doing it for our 'best interest' Duh!

  8. Stuart Castle Silver badge

    Hmm

    "A spokeswoman for GE Digital played down the vulnerabilities, which she said can't be exploited remotely. Only a local hacker in a plant or facility would have been in a position to run an attack, she said, adding that there had been no signs of exploitation."

    I realise she can only say what the company tells her, and being a spokeswoman, she isn't going to say "Sorry, our security is crap. We'll fix it ASAP", but while it's likely that their software does not expose the bug to the outside world, saying it cannot be exploited assumes that the machine running it is sufficiently airgapped (or otherwise protected). All it would need is for some custom written malware to get on to the machine (such as Stuxnet) or for someone to enable access via a remote command/desktop system (Microsoft Remote Desktop, SSH or VNC for instance), as any company looking to outsource support may well do.

    1. bombastic bob Silver badge
      Devil

      Re: Hmm

      "saying it cannot be exploited assumes that the machine running it is sufficiently airgapped (or otherwise protected)."

      I did a little (indirect) work for GE a while back, on their SCADA system in fact [adding a feature that used the analysis software from the company I was doing work for at the time], and their SCADA system ran on Windows. WINDOWS. Yeah, THERE's your security problem!

      Other than that it seemed to me to be a pretty good SCADA system, so just have them tighten it up a bit more and we should be ok, right? THAT and port it to *LINUX* or *BSD*.

      1. kain preacher

        Re: Hmm

        So you mean to tell me that if it ran on Linux, Stuxnet never would have happened? The state-sponsored people would throw their hands up and say, oops, it's Linux and it's immune to viruses and worms? Or they would just have had to work harder to make Stuxnet work?

        1. Anonymous Coward

          Re: "would just had work harder to make stuxnet work?"

          When there's a choice between an easy option (Windows and a few zero days) and other harder riskier options (be they Linux or be they something altogether different, e.g. getting some reliable on-site people), why would anyone *not* choose the easy option?

          1. kain preacher

            Re: "would just had work harder to make stuxnet work?"

            That assumes that it was a bug in the OS and not in the SCADA software.

            1. Anonymous Coward

              Re: "assumes that it was bug in the OS"

              "That assumes that it was a bug in the OS and not in the SCADA software."

              No it doesn't. It is known from analysis (which perhaps you haven't read) that Stuxnet used multiple bugs, in the OS *and* elsewhere. Would it have been as easy without the bugs in the OS? Seems unlikely.

  9. -tim
    Flame

    Nothing to see here, move along...

    Of course there are no exploits in industrial systems. A number of steel plants have managed to have their emergency shutdown systems activated in such a way that results in their core furnaces ending up as a giant block of steel and the emergency shutdown systems broken in such a way as that was the only safe way to shut down is purely a coincidence. Nothing to see here, no industrial sabotage or hacking going on here, just move along.

  10. Anonymous Coward

    Industrial Systems

    Although it's a good few years since I worked on systems operating machinery via PLCs etc. I doubt much has improved in terms of security.

    There would sometimes be air-gapped assumption / initial config.

    However in these cases there would usually be insistent whining from someone important that they needed to get some info off the control system from their machine, and drearily inevitable security reduction, be it allowing a USB device to be plugged into a machine so data could be copied to the USB device, linking control machines to high-up bods' local network, allowing remote access to control network machine(s) etc.

    More typically the approach would be the scary, it's all inside our building with restricted access so it's safe, no worries.

    a/c for obvious reasons

  11. Anonymous Coward

    Hmmm...

    Used to be a GE employee.

    There used to be enforced air gaps in their systems, then someone high up decided that IoT looked good and that they should interconnect everything that could be interconnected.

    2015 was a year of management telling all SW engineers that they had to sort out security and connect everything (even legacy stuff), but no extra fleshy resource was allowed and the normal development had to go on unaffected! More of it was successfully modified than you would expect and I suspect that it was all sorted by mid-2016. However, you then have to get it into all the nooks and crannies of the customers' systems, and many of them have no idea what they have embedded in their systems.
