Everything running smoothly at the plant? *Whips out mobile phone* Wait. Nooo...

The security of mobile apps that tie in with Supervisory Control and Data Acquisition (SCADA) systems has deteriorated over the last two-and-a-half years, according to new research. A team of boffins from IOActive and IoT security startup Embedi said they had discovered 147 vulnerabilities in 34 of the most popular Android …

  1. wheelbearing

    No surprise really

    SCADA systems in general use seem to have security (if at all) as an afterthought, probably because connection via the Internet was just not considered when they were set up. Tightening security on the legacy systems is the real worry, new implementations at least provide an opportunity to put security at the core of the design.

    1. Anonymous Coward

      Re: No surprise really

      Did someone pay us to add security? Anyone require that our products have it? Want passwords on the HTML UI? No? Then it's surplus to requirements.

      Seriously, as long as nobody sets any legally binding standards (and enforcement, with substantial punishment for non-compliance), then no manufacturer can AFFORD to make their product secure. Security will cost development time (read: money), which raises the minimum sales price, which in turn prevents the sales from happening, since the product is too expensive. Market rules, so lowest bidder wins the contract.

      And yes, my company delivers to powerplants. Hence anonymous.

      1. Anonymous Coward

        Re: No surprise really @anonymous

        This. I also make SCADA software, and adding proper security is financially unfeasible. At the price I'd need to cover development of any halfway-decent security, factory owners won't buy my product. They'll go buy a cheaper product made by someone who didn't add security instead. The fact that it won't nag them with password requests will actually be seen as a bonus!

        So, as a developer of embarrassingly insecure SCADA software, I say: make it compulsory. Give harsh fines to anyone who doesn't comply. Honestly, I'd *love* to be required by law to make secure software; that's the only way I could sell it (and it would get rid of a whole lot of cowboy competition too).

        1. Anonymous Coward

          Re: No surprise really @anonymous

          It only needs the air-gap bridge to be secure. The control system can sit underneath it.

          If a control system is only a very small part of your business and doesn't need constant monitoring and you use a service company (a small power generation system, HVAC system, or water treatment plant for instance) then you get a bit limited in how to secure as an IT person.

          The people who service it aren't tech savvy. They need to get alerts and remotely login from anywhere using any device they can get their hands on. There are limited password controls or ability to force our own IT policies on them.

          So direct access to the system is usually given often over a flaky VNC with few if any software updates.

          The firewall has to be opened up to 'anyone external' and security processes go out of the window. Even just a default read-only system with very limited, logged, audited and 'alertable' write access would've been nice, but alas it wasn't possible with the system.

          The best you can do sometimes is run a secured gateway PC in front of the system and manage access to that before it connects to the system.
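The "read-only by default, with very limited, logged, audited and alertable write access" gateway the commenter wishes for can be sketched in a few dozen lines. The following is an added illustration, not code from the commenter or from any SCADA product: the `Gateway` class, the point names such as `pump1.setpoint`, the roles and the process values are all constructed for the example.

```python
from dataclasses import dataclass
import time


@dataclass(frozen=True)
class WritePolicy:
    """Bounds and permitted roles for one of the few points that may be written remotely."""
    low: float
    high: float
    roles: frozenset


class Gateway:
    """Hypothetical front-end that every remote session must pass through.

    Reads are always permitted; writes are permitted only for allow-listed
    points, within bounds, by a permitted role.  Every request, allowed or
    denied, is appended to an audit trail, and every denied write raises an alert.
    """

    def __init__(self, writable, alert):
        self.writable = writable          # point name -> WritePolicy
        self.alert = alert                # callable taking one message string
        self.audit = []                   # every request ends up here
        # Constructed sample process values standing in for the real control system.
        self.points = {"tank1.level": 42.0, "pump1.run": 1, "pump1.setpoint": 50.0}

    def _record(self, user, role, op, point, value, outcome):
        entry = {"t": time.time(), "user": user, "role": role, "op": op,
                 "point": point, "value": value, "outcome": outcome}
        self.audit.append(entry)
        return outcome == "allowed"

    def read(self, user, role, point):
        """Read-only access is the default and needs no allow-list entry."""
        if point not in self.points:
            self._record(user, role, "read", point, None, "denied: unknown point")
            return None
        self._record(user, role, "read", point, None, "allowed")
        return self.points[point]

    def write(self, user, role, point, value):
        """Writes are the exception: allow-listed point, permitted role, value in range."""
        policy = self.writable.get(point)
        if policy is None:
            outcome = "denied: point is read-only"
        elif role not in policy.roles:
            outcome = f"denied: role {role} may not write"
        elif not (policy.low <= value <= policy.high):
            outcome = f"denied: value outside [{policy.low}, {policy.high}]"
        else:
            outcome = "allowed"
        ok = self._record(user, role, "write", point, value, outcome)
        if ok:
            self.points[point] = value
        else:
            self.alert(f"write to {point} by {user} ({role}) {outcome}")
        return ok


def demo():
    """Constructed session: one read, one allowed write and three denied writes."""
    alerts = []
    gw = Gateway(
        writable={"pump1.setpoint": WritePolicy(0.0, 100.0, frozenset({"operator"}))},
        alert=alerts.append,
    )
    gw.read("alice", "viewer", "tank1.level")                 # fine: reads are the default
    gw.write("bob", "operator", "pump1.setpoint", 55.0)       # allowed: listed, in range, right role
    gw.write("bob", "operator", "tank1.level", 10.0)          # denied: not on the allow-list
    gw.write("bob", "operator", "pump1.setpoint", 999.0)      # denied: out of range
    gw.write("carol", "viewer", "pump1.setpoint", 60.0)       # denied: wrong role
    return gw, alerts


if __name__ == "__main__":
    gateway, raised = demo()
    for line in gateway.audit:
        print(line["user"], line["op"], line["point"], line["value"], line["outcome"])
    print(len(raised), "alerts")
```

The design point is that the allow-list is tiny and explicit: anything not named in it is read-only without any further configuration, so a flaky remote session can at worst look at the process, and every attempted write, including the denied ones, lands in the audit trail and in whatever alerting channel `alert` is wired to.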

          1. Filippo Silver badge

            Re: No surprise really @anonymous

            The people who buy it do not want the air gap. They want to control it from their office. From their remote office. Sometimes from their cellphone. There is no convincing them. If you push on this, they'll go to another vendor who won't. Seriously, either security becomes a legal requirement, or it just won't happen.

    2. Christian Berger

      Yes, and...

      SCADA systems typically are fairly trivial at their core, you only need to gather, display and perhaps log data. The logic to act upon is so simple that most of those systems could be implemented with simple analog circuitry. In the hands of not quite mature programmers that's actually very dangerous as they will try to fill the boredom and come up with terrible ways to do trivial things....

      .... one of those ways is OPC or OPC-UA which offers a highly complex object oriented broker like structure to distribute values and events. It nicely fills the void of boredom and keeps those programmers occupied re-implementing complex interfaces instead of simply pushing around lines of text. This however fills experienced programmers with disgust, so they tend to not want to touch this. The end result is that you have lots of inexperienced programmers trying to solve problems you wouldn't have if they were more experienced in the first place. However most experienced programmers will either leave your project or not even get anywhere close to it.

      Now add mobile apps and you get the intersection between app developers and people who touch SCADA with a not too long stick, and you'll probably get only the worst of developers out there.

      1. Palpy

        Re: Trivial? Hmmm.

        In my experience, many SCADA and DCS are "trivial" in the sense that programming a self-driving car is "trivial".

        For instance, one might need to program X-Y-Z axis motion with millisecond accuracy to control log and saw movement in a sawmill. Or calculate the optimal cuts for the maximum yield from each log as it moves into the line. With safety considerations and failure mitigation built in. And so forth. The problems are not the same as financial analysis or optimizing database I/O, but "trivial" is a matter of opinion.

        I will absolutely agree that using OPC or OPC-UA to implement control if you already have a SCADA or DCS in place is nutty. Why write a PID algorithm when any SCADA system includes well-tested, powerful, and usually very flexible PID algorithms already?

        1. Christian Berger

          Re: Trivial? Hmmm.

          "For instance, one might need to program X-Y-Z axis motion with millisecond accuracy to control log and saw movement in a sawmill."

          Yes, but a millisecond is a long time in a computer, and any cheap microprocessor will guarantee you timing that precise easily. In the end 99% of it is nothing more than control loops with the desired input changing at times. The actually complex stuff is not done by the SCADA people, the complex stuff is done by the people working out the best processes. Whatever they find out usually is just a bunch of numbers the SCADA people code into their software. (or have as settings)

          1. imanidiot Silver badge

            Re: Trivial? Hmmm.

            You seem to have a weird/wrong/misunderstood idea about what "SCADA people" and the systems they work on actually do. Working out the complex stuff like process flow, yield optimization, process interactions and dependencies, etc, etc IS the work of "SCADA people".

            In my humble opinion however, SCADA systems should simply never be connected to a smartphone app or other hard to control access mechanism. If it needs a SCADA system it should be monitored onsite or through an audited, checked and rechecked remote login option to get a secure laptop or something bridged into the system. Most of the stuff that is vulnerable doesn't really need a direct internet connection to begin with, but it's done "for convenience".

          2. big_D Silver badge

            Re: Trivial? Hmmm.

            @Christian Berger a computer can only guarantee that sort of precision if it is locally attached and if it is running a RT kernel. Standard Linux/UNIX/Windows kernels aren't real time and can't guarantee the response times required.

            If the computer isn't doing anything else, it might work most of the time. But it just needs a delayed disk write to mess things up.

            At a previous employer, we actually did real time control of the PLC, reading RFID tags and setting gates on the line depending on an algorithm that took into account the quality of the meat and the customer's processing requirements. That worked very well, but needed local computers and a lot of know-how to get the system to run fast enough and reliably fast enough to receive transponder information and pass the decisions back to the PLC.

      2. ForthIsNotDead

        Re: Yes, and...

        It's worse than that, Jim... Much worse...

        The youngsters have got bored of OPC-UA. I mean, why do something in a few bytes (MODBUS, DNP3, PROFIBUS/NET) when you can do it with a few hundred (OPC)?

        No, we've moved on from that... Now it's XML/SOAP, and... the latest one on the block... JSON.

        I'm getting old.

        1. AdamWill

          Re: Yes, and...

          wait, what? people are running industrial control systems using an interchange format which is notable for no-one entirely agreeing on what the hell it means?!

          http://seriot.ch/parsing_json.php

          getting closer and closer to moving to a cave in the woods, here...
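The linked seriot.ch survey's point is that parsers disagree on duplicate keys, on `NaN`/`Infinity`, on numbers that overflow, and on deep nesting, so two components of a control system can read the same message differently. The following is an added example, not code from the commenter: it wraps Python's standard `json` module so that the ambiguous cases are refused outright instead of being silently resolved one way or another. The point names and messages in `SAMPLES` are constructed for the example.

```python
import json
import math


def _no_duplicate_keys(pairs):
    """object_pairs_hook: the stdlib silently keeps the last duplicate; we reject instead."""
    obj = {}
    for key, value in pairs:
        if key in obj:
            raise ValueError(f"duplicate key {key!r}")
        obj[key] = value
    return obj


def _no_special_constants(token):
    """parse_constant: called for NaN, Infinity, -Infinity, none of which are RFC 8259 JSON."""
    raise ValueError(f"non-standard constant {token}")


def _check_tree(node, depth, max_depth):
    """Reject deep nesting and numbers that overflowed to inf during parsing."""
    if depth > max_depth:
        raise ValueError(f"nesting deeper than {max_depth}")
    if isinstance(node, dict):
        for value in node.values():
            _check_tree(value, depth + 1, max_depth)
    elif isinstance(node, list):
        for value in node:
            _check_tree(value, depth + 1, max_depth)
    elif isinstance(node, float) and not math.isfinite(node):
        raise ValueError("number overflowed to a non-finite float")


def parse_status_strict(text, max_depth=3):
    """Parse a status message, accepting only the unambiguous subset of JSON."""
    obj = json.loads(text, object_pairs_hook=_no_duplicate_keys,
                     parse_constant=_no_special_constants)
    if not isinstance(obj, dict):
        raise ValueError("top level must be an object")
    _check_tree(obj, 0, max_depth)
    return obj


def strict_verdict(text):
    """None if the message is accepted, otherwise the reason it was refused."""
    try:
        parse_status_strict(text)
        return None
    except ValueError as exc:   # json.JSONDecodeError is a ValueError subclass
        return str(exc)


# Constructed messages: the first three parse without complaint in the stdlib,
# yet a different parser could legitimately read each of them differently.
SAMPLES = {
    "duplicate key": '{"pump1.run": 1, "pump1.run": 0}',
    "NaN value": '{"tank1.level": NaN}',
    "overflowing number": '{"tank1.level": 1e400}',
    "clean": '{"tank1.level": 42.5, "pump1.run": 1}',
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        print(f"{name:20s} lenient={json.loads(text)!r:40s} strict={strict_verdict(text)}")
```

Run as a script, the lenient column shows the stdlib quietly producing `{'pump1.run': 0}`, `nan` and `inf` for the first three messages; the strict wrapper names the reason each is refused. Refusing is the safer default for a status or command channel, because whichever side parses the message less strictly is the side whose view of the process is wrong.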

    3. big_D Silver badge

      Re: No surprise really

      They were designed to be air-gapped. Putting them on the Internet is just plain silly.

  2. Scott Broukell

    JUST STOP IT NOW!

    Perhaps this is an area which seriously requires a regulator, harsh financial penalties and vetting (of both equipment and software) - anybody caught using insecure hardware/software that does not appear on the 'approved' list should be taken out and shot!

    1. Charles 9

      Re: JUST STOP IT NOW!

      Until you learn the demands for remote administration come from up top (like C-level), and these people tend to have connections...

  3. Palpy

    Industrial automation tends to be conservative --

    -- in the sense that taking down a refinery because you implemented a cool new gee-whiz algorithm causes huge distress. Therefore SCADA and DCS programming tends to move more slowly than, say, innovations like Microsoft's move from 7 to 8 to 8.1 to 10. Let alone the changes from Blaster to WannaCry, or Sircam to Locky. That's part of the reason security appears to be an afterthought in SCADA: changes come slowly, and the security landscape changes fast.

    But anyone who uses an Android app from the Google Play store to access an industrial control system needs to be re-assigned to the custodial crew and have his or her phone incinerated.

    1. Anonymous Coward

      Re: Industrial automation tends to be conservative --

      The big problem is the fact that MBA office wallahs have taken over from engineers in a lot of heavy industry.

      While the engineers were used to actually going and seeing, the office wallah can only think of reaching for his/her phone as a way of finding anything out. Tell them to actually go out on site and look for themselves and hear the squeals of fright.

      It is because of that office mentality that we end up with security problems and it will get worse unless the engineers and sys admins apply their collective boots to the rear of the office wallahs.

      1. peter_dtm

        Re: Industrial automation tends to be conservative --

        And this is not helped by the IT wallahs pontificating from absolute ignorance about what Industrial Automation and Process Control systems actually do; and the constraints under which they operate.

        It would have been so nice if the IT crowd did not run a mile every time Automation and Process people ask for help; or the odd ones who do respond seem to think they are playing with some trivial office network not a Critical Control Network.

        Example - the insistence that it is more important to safeguard the office network than the Critical Control Network just for starters. Most factories/refineries/power stations/warehouses/ports etc can actually survive loss of office computer function and inter connectivity for several hours if not days or weeks. NO factory can afford to sit idle because the Critical Control Network is compromised and not working. If the factory is idle then there is no need for the IT department or any of their fancy toys.

        Yet that is what I see in company after company; site after site.

        This is the reality - no control system : no anything else; and yet we are lucky to get cast off rubbish with snide comments and pointless lectures.

        Here is another reality - most Process Control and Automation engineers never wanted to be Network Engineers; hate having to be Windows Engineers and are fed up with the refusal by the IT crowd to try and understand what the issues are. So what do the IT crowd do ? Refuse to understand even the basics; treat the engineers like shit because they know little about IT especially what should be an obscure discipline called Network Security - whose proponents can not even manage to keep wannacry out of the world. Whose sheer inability to communicate with the real world means the IoT is a nasty horrible security nightmare. Who still haven’t done jack about securing household ADSL boxes SAFE OUT OF THE BOX. And of course know even less about Control systems than Process and Automation engineers know about general IT theory and practice.

        So before the lot of you start moaning about the state of SCADA and DCS systems (and how many of you even know the difference; never mind what they do) I would suggest you look to your own house and start asking the Process and Automation engineers how you can HELP instead of running away whilst making snide comments.

        As usual; the comments in this thread just reveal the IT sector’s total ignorance of what should be allied disciplines (yes Mr IT person; Process Control and Automation are two different things). </rant>

        1. Anonymous Coward

          Re: Industrial automation tends to be conservative --

          peter I couldn't agree more with what you are saying, in fact we walked away from one possible contract because the company wanted to put the office ahead of security for the plant and machine tools. As you say the head office IT people didn't have a clue and there was no way we could work with them.

    2. peter_dtm

      Re: Industrial automation tends to be conservative --

      Ah yes

      DCS - life expectancy 15 to 20 YEARS

      Yes; that is YEARS - not days or months.

      Which is why there are plants still running on NT4

      If IT can not provide sufficient stability to allow factories to have proper investment in decent kit you will get what we have now.

      It should be trivial to maintain support for older kit; even mechanics can manage this with pre microprocessor controlled unrepairable cars; and most civil servants seem to survive doing things the same way as their great grandfathers did (badly; inefficiently; and with as much disruption to the tax payer as possible :-) )

      So when you are spending a couple of million quid to build your infrastructure (factory) then if you don’t want the social justice idiots whinging about ‘excess’ profits; then you need to be able to write that investment off over a decently long period.

  4. Aodhhan

    ICS Fun

    Industrial Control Systems is an area which started taking advantage of networking in a very quiet and shadowy manner. Wireless technology makes installing sensors and other items much quicker, easier, cheaper and more convenient than drilling holes between walls and floors and pushing wires through conduit.

    So this unsecure technology was grabbed and purchased by many organizations to control lights, security cameras/devices, electrical outlets, elevators, alarms, fire sensors, HVAC, etc.

    Building maintenance and information technology had never interacted in the past, so both are ignorant of each other's existence and requirements. It's not uncommon for ICS products to be the biggest shadow-ware out there.

    For anyone who has never administered, installed or tested ICS applications and equipment... you're in for one heck of a shock once you do. Then you're in for a fight when you have to secure it and possibly remove all wireless devices.

    Good luck!

  5. inmypjs Silver badge

    Will Andrew Orlowski....

    Ever take his nose out of Huawei's butt hole?

    Posted in the next article along because he would censor it.

    1. Anonymous Coward

      Re: Will Andrew Orlowski....

      Pillock

  6. doke

    SCADA systems should never be connected to the internet. The vast majority of them have someone in a control booth 24x7. The boss can just call and ask "Is everything working?" If they insist on a status display, that should be done in a one-way export-only fashion, where the protected systems send status updates to an external web server. There's seldom that much status data to update, you could even do it with an RS-232 serial line, with the RX wire clipped.
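The one-way export the commenter describes has a consequence worth showing: with the RX wire clipped, the outside receiver can never ask for a retransmission, so it has to detect lost and corrupted frames on its own and keep going. The following is an added example, not the commenter's code: a protected-side encoder that stamps each status snapshot with a sequence number and a CRC, and an external-side receiver that reassembles frames from arbitrary chunks, drops anything that fails the check, and records gaps rather than stalling. The framing format, the `OneWayReceiver` class and the sample snapshots are all constructed for the example.

```python
import json
import zlib


def encode_frame(seq, status):
    """Protected side: one newline-terminated line per snapshot, carrying a sequence number and CRC."""
    payload = json.dumps(status, sort_keys=True, separators=(",", ":"))  # no raw newlines inside
    body = f"{seq}|{payload}"
    crc = zlib.crc32(body.encode("utf-8"))
    return f"{body}|{crc:08x}\n".encode("utf-8")


class OneWayReceiver:
    """External side: validates frames it is handed; it has no way to ask for a resend."""

    def __init__(self):
        self.buf = b""
        self.records = []     # (seq, status) accepted, in arrival order
        self.gaps = []        # (first_missing_seq, last_missing_seq)
        self.corrupt = 0      # frames dropped for CRC/format failures
        self.expected = None  # next sequence number we hope to see

    def feed(self, data):
        """Accept an arbitrary chunk of the byte stream; frames may be split across chunks."""
        self.buf += data
        while b"\n" in self.buf:
            line, _, self.buf = self.buf.partition(b"\n")
            self._handle(line)

    def _handle(self, line):
        try:
            text = line.decode("utf-8")
            body, sep, crc_hex = text.rpartition("|")
            if not sep or zlib.crc32(body.encode("utf-8")) != int(crc_hex, 16):
                raise ValueError("crc mismatch")
            seq_text, _, payload = body.partition("|")
            seq, status = int(seq_text), json.loads(payload)
        except (ValueError, UnicodeDecodeError):
            self.corrupt += 1          # resynchronise on the next newline; nothing else we can do
            return
        if self.expected is not None and seq != self.expected:
            if seq < self.expected:
                return                  # stale or replayed frame: ignore
            self.gaps.append((self.expected, seq - 1))   # lost frames: record, carry on
        self.records.append((seq, status))
        self.expected = seq + 1


def simulate():
    """Constructed run: four snapshots sent; frame 2 is lost in transit and frame 3 arrives corrupted."""
    frames = [encode_frame(i, {"note": i, "tank1.level": 40 + i}) for i in range(1, 5)]
    damaged = frames[2].replace(b'"tank1.level":43', b'"tank1.level":99')  # payload altered, CRC not
    stream = frames[0] + damaged + frames[3]
    rx = OneWayReceiver()
    for i in range(0, len(stream), 7):  # deliver in 7-byte chunks to exercise reassembly
        rx.feed(stream[i:i + 7])
    return rx


if __name__ == "__main__":
    rx = simulate()
    print("accepted:", [s for s, _ in rx.records])
    print("gaps:", rx.gaps, "corrupt:", rx.corrupt)
```

The receiver ends up with snapshots 1 and 4, one corrupt frame counted and a recorded gap covering 2 and 3; the external display can show "last good update: seq 4, 2 missed" instead of silently showing stale data. Over a real clipped serial line the same code would simply be fed whatever bytes the port delivers.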

    1. Anonymous Coward

      To all the armchair industrial control experts out there (again)

      This comes up tediously often so here is my post from 6 years ago:

      To all the armchair industrial control experts out there

      Given the two options:

      1. Connect your instrumentation to the corporate network. Be able to check status and diagnose from your office desktop (The same office PC I use for err.. essential research). Find it trivially easy to fix issues before they lead to production stops.

      Or

      2. Make a 400 mile round trip every time you or a production manager suspects that there is an issue with your kit. Face hostile questions about your expenses and the need to travel at all

      What would you rather do ?

      It is very easy to say "keep your industrial control gear off the internet", rather harder in practice.

      1. Anonymous Coward

        Re: To all the armchair industrial control experts out there (again)

        What ever happened to (3) just have someone on site to deal with the issues...and keep the G-men busy come unannounced inspection time (avoiding fines and downtime should make it all worthwhile, shouldn't it?)?

  7. Will Godfrey Silver badge

    I would like to say I'm surprised

    Really, I would like to.

    But I prefer to tell the truth.

  8. Egghead & Boffin

    Things have not 'deteriorated', they were always this bad. I was part of a team that looked at the security of these things and some of the PC tools about 6 or 7 years ago. They were truly awful then and I see no difference now. Avoid.

    1. Charles 9

      And if given a Do It or Else (DIE) order?
