Legacy kit, no antivirus, weak crypto. Yep. They're talking critical industrial networks

Traffic analysis on 375 industrial networks worldwide has confirmed the extent to which hackers target industrial control systems (ICS). The study by CyberX also found that industrial networks are both connected to the internet and rife with vulnerabilities including legacy Windows boxes, plain-text passwords and a lack of …

  1. Michael H.F. Wilkinson Silver badge
    Facepalm

    I am not surprised, unfortunately

    1. fidodogbreath

      Hacking power control equipment is pretty much the ultimate denial of service attack.

  2. Mayhem

    Endemic to the sector

    It also doesn't help that half the industrial and building management networks are put together by controls engineers who don't understand basic TCP/IP networking. They just repeat what they learned of how the proprietary Modbus or similar networks work.

    One site we took over had 17 daisy chained ethernet hubs between the heating system in the basement and the cooling system on the roof, with a roughly 1000-1200ms ping between them. The entire site was channelled through a single cheap 8 port switch in the middle, and it couldn't even handle the fairly low volume of traffic.

    Another had enabled STP to fix their loops but put 29 devices in a ring, so they played musical chairs over who got to control the ring.

    In both cases the installers are copying an old legacy system and assuming that TCP/IP works the same way ... and we're not talking about a new network protocol here!

    The other major issue is that the people who look after the industrial systems and the people who look after the IT systems don't ever speak to each other - internal IT doesn't want to touch it with a bargepole and the ops guys don't understand enough to ask the right questions. We're making good money playing translator in between them.

    1. Anonymous Coward

      Re: Endemic to the sector

      "One site we took over had 17 daisy chained ethernet hubs between the heating system in the basement and the cooling system on the roof, "

      Often they have relatively unprotected remote access too including via say mobile phone. What's the worst someone could do though? Turn off your aircon and fry your IT kit?

      1. Mayhem

        Re: Endemic to the sector

        Oh yes.

        One VERY large corporate HQ we are working with had direct 3G links to the chillers on the roof.

        According to the ops guy: "oh it's very secure, only the third party maintenance company knows the phone number". And an admin/admin login.

        <head / desk>

      2. fidodogbreath

        Re: Endemic to the sector

        Often they have relatively unprotected remote access too including via say mobile phone. What's the worst someone could do though? Turn off your aircon and fry your IT kit?

        If the poorly secured HVAC is also connected to the corporate LAN, lots of bad things can happen.

      3. Mark 85

        Re: Endemic to the sector

        Often they have relatively unprotected remote access too including via say mobile phone. What's the worst someone could do though? Turn off your aircon and fry your IT kit?

        Think deeper. Industrial controls.. like blast furnaces, assembly line automation, chemical processes, etc. All are disaster waiting to happen if the wrong people get access. Look at the damage the US did to the NORKS nuke program... or tried to anyway.

    2. Anonymous Coward

      Re: Endemic to the sector

      Been there, seen that and rewired the place. In doing so we removed the factory and all its associated parts from the internet and the office complex, making sure the office wallahs can't get at anything that makes the money (they get the reports delivered to them via CDs - USB ports araldited up).

  3. Anonymous Coward

    "The study by CyberX also found that industrial networks are both connected to the internet and rife with vulnerabilities including legacy Windows boxes, plain-text passwords and a lack of antivirus protection."

    Well at least in the UK, stuff considered CNI (Critical National Infrastructure) like the National Grid control system is air gapped from external connecting networks. Power companies themselves not so much, but actually changing anything generally relies on electronic instructions sent which are then locally acted upon by a manual activity at each power station control room to change output levels. So a hacker might be able to send a change instruction, but it would likely be quickly spotted and countermanded. There are also backup nomination methods in case computers / comms fail or were taken over. Also to send such an instruction successfully would require a very detailed understanding of how everything works.

    There are no doubt plenty of softer targets out there though. Could anyone realistically cause death / destruction via attacking an industrial control system would be my real question?

    I would be interested in any comments from those in say heavy industry / chemical / oil / gas plants? Are they air gapped? I would hope all such systems are designed fail safe to shut down if safe ranges are exceeded by say a hacked control device. But maybe safety systems often rely on the same controllers? (Obviously don't name specific companies / targets if identifying any vulnerabilities)

    1. a_yank_lurker

      @AC "Could anyone realistically cause death / destruction via attacking an industrial control system would be my real question?" Having been around chemical plants, I would say yes to causing death & destruction. Mess with temperature settings, holding times, pressures, etc. with the wrong stuff in the wrong process vessel and watch for a nasty mess. The major 'safety' feature is I doubt most hackers know enough about the processes to cause major mayhem except by pure dumb (bad) luck. How to upset a process to make a major problem is specific to the process itself. So knowledge about one process does not usually help with a different process.

      In most processes there are safety interlocks to prevent a major mess, but they are not foolproof, as the history of recent industrial accidents will show. For example, reaching a maximum pressure or temperature might shut the process down.

  4. Palpy

    RE: "...comments from those in [industrial control]..."

    Airgapped? Ours is firewalled. Mostly isolated.

    But data transfer is almost always necessary -- think of load-tracking on an electrical grid, and the need for engineering, planning, and optimization. You can sneaker-net data from the control system to the business network, but not in real time.

    So it depends, to some degree, on the structure of your historical data storage, your analysis and engineering tools, and the interconnections between control-and-raw-data-acquisition and those other structures. They could reside on the control network, but probably don't.

    Think of a plant laboratory analyzing petroleum fractions in a refinery. Are the lab computers connected to the control network? Probably not. But someone wants the lab results to be correlated to the process data coming from the refinery equipment -- temperatures, pressures, cycle times. And then, the engineer designing the new cracking tower installation needs a bunch of control system data too, preferably covering several years of operation.

    So data almost always has to move out of the control system and onto other networks. And therefore many networks will have connections for that purpose, even if the connections are carefully considered, firewalled, and perhaps with "data diode" devices included. Maybe not airgapped, because sneakernet is a problem too. But managed connections.

    "Could anyone realistically cause death / destruction via attacking an industrial control system..?"

    Yeah. Google "Texas City Refinery Explosion". That was not caused by hacking, but I'm sure that someone could cause such events if they gained sufficient access to an industrial control system, and had enough knowledge to misuse it intelligently. The thing is, inside the control network all signals can be tinkered with. Reset the scaling on temperature control X, and now when the operator looks at it he sees 135 degrees, safe, when the temperature is actually 360 and climbing, about to ignite the product. Heck, just put the sensor in calibrate mode -- freezing the reading -- and then dial the burners to 100% until something goes boom.

    My guess would be a nation-state attack team would have that kind of preparation and motive. More likely a profit-motive hacker would just encrypt the system and ask for ransom. But another course of action would be to set a common-language interface (not mentioning names) to iterate through all the control points on a system, and then set them all to 0 at random intervals. Repeat until a ransom is paid.

    Mostly, this hasn't happened yet. And that is a good thing. The hospital ransomware hacks were a wake-up, though.

  5. John Smith 19 Gold badge
    Unhappy

    But who's doing this?

    People out for s**t and giggles?

    State actors? I.e. black hats on a pay check working for America's enemy/ies du jour

    Someone planning some kind of extortion?

    This stuff makes great plot lines for action thrillers but IRL, why?

    And remember the words of the anonymous govt source in the film about STUXNET

    "We loved air gapped systems. people thought they were soooo secure."

    1. Paul Crawford Silver badge

      Re: But who's doing this?

      "We loved air gapped systems. people thought they were soooo secure."

      This is often brought up when people point out the risks, but the reality is air-gapped is MUCH harder to jump than some womble's decision to put their machines on t'Internet for ease of access, cost savings, etc. Nothing is perfectly secure, it is all about manageable risk.

      But some of the original points about out-of-date OS, lack of patching, no AV, etc, are all a distraction - in many cases you simply can't change the systems due to the cost and risk for the on-going production process. So you really are back to the old-school approach of not letting every muppet on Earth access your network. There are plenty of ways involving segregated networks, firewalls/VPNs, etc, and that has a cost and effort associated with it, but nothing like that of having your plant rodgered by some ne’er-do-wells who stumbled across your unprotected assets.

  6. Anonymous Coward

    What's the opposite of air-gapped?

    Government lab in the mid 90s

    We had a separate LAN for classified stuff, separate cabling with red sockets and everything.

    Of course people needed email / file / print etc so there was also an unsecured office LAN.

    And so each PC had 2 network cards, one to the secure lan and one to the office lan.

    100 machines running Windows bridged the 2 lans ......

  7. Anonymous Coward

    Vendors

    Part of the blame also lies with the equipment vendors.

    One vendor I'm aware of allows for an annual patch update using their approved patches each year.

    You can patch it yourself, but if it breaks, the options are to fix it yourself, restore a known good image or have the vendor reinstall everything for you as a chargeable extra. Or do nothing. Given the choices and that many of the systems are important 24x7, guess what option the business took?

    So airgap/firewall/do whatever to keep these systems off the Internet while supporting any tools that help (AV...) as much as possible.

  8. jake Silver badge

    As I posted here on ElReg, 22 Mar 2011 ...

    It's only been a matter of time.

    Most SCADA hardware still ships with default passwords ... but the folks who deal with SCADA day-to-day have no clue about "off-site" networking capability.

    And then they plug the hardware into TheInternetAtLarge[tm] ... Remember the early days of Sun Microsystems (c.1982)? Any Sun box plugged into the 'net was accessible to anyone who knew the "as shipped" root password ... That's where SCADA is today ...

    We tugged on their capes, and were shrugged off. We tapped 'em on the shoulder & were elbowed away. We tugged on their shirts, and were thrust aside. Some even kissed their boots, and were trodden upon. Our message was always "Please, PLEASE, **PLEASE**!! don't connect SCADA to publicly available networking systems!"

    But did they listen? No. They did not. The idiots.

    On the bright side, those of us with a clue are making a pretty penny in our retirement, cleaning up the resulting mess :-)

    (Here's the original post. Nothing has changed.)

  9. TrumpSlurp the Troll
    Mushroom

    Least complicated route

    Take your eye off the ball for a few minutes and sales/marketing will have plugged a cheapo wireless AP into the LAN so that they can use their iThings instead of those nasty non-trendy PCs the company has supplied.

    Security used to have to walk round the outside of the building on a regular basis checking for Wi-Fi signals. This was in a company with some security awareness.

    1. Anonymous Coward

      Re: Least complicated route -- scenario playing out --

      -- right now where I work. Officially, administrators "moving our workforce into the 21st century" by accessing SCADA over wireless Surface tablets ("the platform Microsoft may or may not support next year").

      Anonymous Coward because, well, office politics. 12 months to retirement, I may well be gone before it happens.

      Nota bene for those who take over: a copy of the SCADA project database will be left on a cloud account after I retire. You get hacked, minced, and encrypted, that's your last-good fallback. The account details are taped to the underside of my (pre-retirement) desk drawer.

  10. Aodhhan

    ICSs are everywhere, including where you work.

    Industrial control systems cover a lot more items than most get. It isn't just specialty items you find in electrical power plants. Rather, it includes items in most commercial buildings/infrastructure.

    Systems include:

    - Elevator controls/monitoring

    - Indoor/Outdoor lighting

    - Fire sensor and suppression

    - Alarm sensors and monitoring

    - Security monitoring cameras/recording

    - Physical security locks and door controls (access control)

    - Electrical outlet control

    - Manufacturing equipment cooling systems

    - etc.

    So reevaluate where you work. These items aren't just in HVAC, power, petroleum, water etc. plants. They are likely part of the very building you work in. All of these systems are likely in place where you work and you have no idea they're there, because it's never occurred to you to search for them, and building management didn't know they should tell you they installed them. Many of these systems go back to the Windows 3.x days. It isn't exactly brand new technology.

    Being air gapped can bring extra problems because of the false sense of security and lack of patching. It should be looked at as a part of defense-in-depth, just like if you added a security switch/router. Air gapped systems are still open to insider threats, people hooking pwnd laptops into them, etc. So the same AV and other security software still needs to be applied and required. So test and assess accordingly.
