Pwned with '4 lines of code': Researchers warn SCADA systems are still hopelessly insecure

Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well. A presentation at last week's BSides London conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop …

  1. bombastic bob Silver badge
    Linux

    SCADA systems running windows

    well, THERE's your problem!

    last thing we need is having them "up"grade to Win-10-nic as a "solution". Forced updates? "line stop" while we download 4G, spend 30 minutes installing, and add new features, on OUR schedule! Ooops BSOD!

    A proper solution awaits! (see icon)

    1. Anonymous Coward

      Re: SCADA systems running windows

      Enterprise doesn't have forced updates so you would schedule them. As much of a fan of Linux as I am it's not an option because you already bought the equipment so getting the vendor to re-write the software for Linux would be nigh on impossible and the fact some are using Windows XP makes that point. It's the same problem the NHS have.

      1. Anonymous Coward

        Re: SCADA systems running windows

        I have a friend who works on a production site and they have a CNC machine which is still controlled by XP. The manufacturer won't upgrade the software for the CNC machine; if they want to use Windows 7, they need to buy a new CNC machine for high six figures, which, given that the old one still works fine and is projected to keep working for another half a decade or so before it needs replacing, isn't a worthwhile investment.

        That means that she has isolated the XP machine from the production network, which annoys the CNC manufacturer's support people. When there is a problem, they say, "open Teamviewer." Which of course doesn't help, because the XP machine is isolated from all networks. The CNC support then tell the customer to put the XP machine in the network, to which the reply is, only when the CNC support provide software that runs on a currently supported and patched OS... So the CNC support has to do remote support using the telephone and an engineer sitting in front of the PC describing what is going on on the screen...

        Not ideal, but at least they have the right attitude to the security of such "IoT" devices - known security holes and no patches = no network for you!

        1. Glennda37

          Re: SCADA systems running windows

          About 3/4 years ago my boss went to a very high profile company that make helicopter parts, they still have a CNC machine running Windows 3.1.... it would be too expensive to replace. It was completely off the network.

          1. Inspector71
            Thumb Up

            Re: SCADA systems running windows

            I'll see your Windows 3.1 CNC machine and raise you a BridgePort Wire Eroder running DOS 3.0 running off twin 720k floppies.

            1. hplasm
              Happy

              Re: SCADA systems running windows

              "...BridgePort Wire Eroder running DOS 3.0 running off twin 720k floppies."

              So fairly secure, then?

              1. Anonymous Coward
                Pirate

                Re: SCADA systems running windows

                So fairly secure, then?

                Pretty sure a DOS 3.0 PC has never been successfully attacked over the internet, so you could make the argument it is better than any of the other OSes (Win98, XP, 7, 10, Linux, OpenVMS) mentioned in this thread in that respect...

            2. Chris King

              Re: SCADA systems running windows

              How long before someone starts talking about PDP-11's and yelling "Get off my lawn, young whipper-snappers" ?

              I don't even want to think what 80-year-old SCADA code might look like.

              1. Yet Another Anonymous coward Silver badge

                Re: SCADA systems running windows

                How long before someone starts talking about PDP-11's

                Was it the Eurofighter's engine management system that has a VMS backend ?

              2. big_D Silver badge

                Re: SCADA systems running windows

                I don't even want to think what 80-year-old SCADA code might look like.

                Where I live is famous for its red cloth. The local museum has several working looms, including an original Jacquard Loom, which they run off several metres of cloth every year during guided tours of the place. Very interesting.

              3. vincent himpe

                Re: SCADA systems running windows

                80-year-old SCADA code is barely a few kilobytes, often hand-crafted assembly for the HAL with some high-level language frontend, typically compiled using Fortran or Pascal, or running interpreted languages like Forth.

                The young whippersnappers can't even write a bootloader that is below 100 Kbyte... These control systems have 8 k ROM and 1 or 2 k of RAM and happily work.

                In the early 90s I was working on an ion implanter that was driven from a graphical touch screen running on an IBM 286 PC (a real IBM, not a clone) using iRMX as its operating system.

                Every control on the screen was its own little executable sending messages to a custom piece of hardware. If the PC developed a problem, for example a control crashing, the supervisor program would simply restart an instance of that control, bind it to the target and the machine would keep working. The control would request the last known state and reflect that on screen.

                That thing was virtually crash-proof. I remember getting a phone call from the operator that there was an error message that popped up. The message said it had found a couple of parity errors in RAM address so and so and had marked the memory as 'bad'. The iRMX executive had reloaded new instances of the controls to a different memory offset, relinked them to their target and the machine happily trudged along. Months later, during a scheduled service, we shut down the PC, popped the hood, removed the 41256 type DRAM chip from its socket (the address gave us an idea which one it would be), stuck in a new one, booted into system diagnostic, ran the memory test to verify the parity errors were gone and off we went. I know for a fact that machine was still operating in 2012 .... same computer, same software. It booted from a 10 megabyte MFM hard disk made by NEC and had 2 megabytes of RAM.

          2. Captain Scarlet Silver badge

            Re: SCADA systems running windows

            "It was completely off the network"

            If it was me I would also disable any I/O ports which weren't required by physically disabling them (unsolder the connector and blank out the slot).

          3. John Brown (no body) Silver badge

            Re: SCADA systems running windows

            "About 3/4 years ago my boss went to a very high profile company that make helicopter parts, they still have a CNC machine running Windows 3.1.... it would be took expensive to replace. It was completely off the network."

            Not a high profile company, but 3-4 years ago I did some work for a company still using paper tape to programme one of their CNC machines. A couple of others had their programmes uploaded by RS232C from a PC in the office.

        2. Doctor Syntax Silver badge

          Re: SCADA systems running windows

          Not ideal, but at least they have the right attitude to the security of such "IoT" devices

          It makes the manufacturer suffer for their own attitude. I think, even if it's not ideal, it's some sort of local optimum.

        3. John Robson Silver badge

          Re: SCADA systems running windows

          No team viewer...

          That’s fine. They didn’t think about an IP KVM for remote support?

        4. vtcodger Silver badge

          Re: SCADA systems running windows

          My guess would be that at least some of the 'Windows 98' systems are out there because the production floor has some collection of gears, wire-wrap, and relays somewhere that needs a driver that only works under MSDOS. I'm far from convinced that's bad, although I suspect that turning on TCP/IP and hooking up a network with internet capability might not be a great idea.

        5. Gerlad Dreisewerd

          Re: SCADA systems running windows

          A friend running a startup machine shop ran into this as well. Got a CNC on a bargain but it required an obsolete CAD program to run. The CNC manufacturer could care less; they wanted to sell new machinery. Ditto for the owner of the CAD system. He finally asked me what to do. I hoisted the Jolly Roger and found a copy of the CAD system on a computer in the Middle East. All I can say to the CNC manufacturer and CAD publisher is that your support will be remembered when future purchases come along.

        6. sitta_europea Silver badge

          Re: SCADA systems running windows

          "I have a friend who works on a production site and they have a CNC machine which is still controlled by XP. The manufacturer won't upgrade the software for the CNC machine ..."

          Until last October I had a customer in exactly the same position with a CNC plasma cutter.

          The supplier of the CNC plasma cutter said exactly the same things, and I did exactly the same thing to the machine's network access. The machine never really performed as advertised anyway.

          But then my customer went bankrupt, and I could breathe a big sigh of relief.

        7. Robert Helpmann??
          Childcatcher

          Re: SCADA systems running windows

          Not ideal, but at least they have the right attitude to the security of such "IoT" devices - known security holes and no patches = no network for you!

          Not a bad attitude, but perhaps a better one might be more simply "IoT device = no network for you!" based on the idea that "IoT device = known security hole".

          I have been through the drill with the 3rd party SCADA vendor being given unauthorized access (by my then-boss) and their using our site as a way to "patch" systems across our network. Patches caused problems I had to fix. I managed to demonstrate what had happened and there were repercussions for the vendor (but not to my boss), but these machines should have been blocked from external access by default. There was no need for them to allow access from across the network and yet there was no hardening done at that level or any level that I could discern.

          It would have made so much sense to keep the SCADA machines on a dedicated network and require a physical step to be taken for any other access. That was my recommendation, but even running a few more cables to existing network kit was considered too expensive much less purchasing a few additional switches.

        8. Snow Wombat

          Re: SCADA systems running windows

          I have had this experience with;

          * CNC machines

          * Industrial truck scales (Running Win 2k. $500K to fix, as we'd have to buy a whole new scale)

          * Hospital HVAC & Medical gas control systems (Win2k again, multi million $$ upgrade cost + Hospital shutdown to fix)

          I could go on...

          This solely lies with the vendors, who are trying to force companies to do complete system replacements, and make a profit off it in the process.

          It's a complete joke.

          1. Olivier2553

            Re: SCADA systems running windows

            "This solely lies with the vendors"

            This lies with the buyers too who signed for something that was not upgradable, even when their technical people raised the issue.

            If the badly designed systems did not find buyers, the vendors would have to do a better job.

        9. Anonymous Coward

          Re: SCADA systems running windows

          Pfft, there are still Trumpf laser cutters out there running Windows for Workgroups 3.11 on some of my client's networks and we're talking laser cutters that hack apart sheets of 3mm thick stainless steel as though it's a piece of A4 80GSM...

        10. Dave K

          Re: SCADA systems running windows

          You think that's bad? At a site I work at, we have a lot of CNC machines running Windows 95 still. They are networked, but are on their own VLAN and are *heavily* firewalled with access only permitted to one share on a server for the upload of new models. All other network access to them is blocked at firewall level.

          Of course from the company's point of view, they work, and would cost an absolute fortune to replace, so they keep trucking along. I think the bigger problem is when companies have vulnerable control systems that are just attached to a general network with no extra protection.

      2. Steve Davies 3 Silver badge

        Re: SCADA systems running windows

        Enterprise doesn't have forced updates so you would schedule them

        That is all well and good in a perfect world. Sadly, I've seen industrial control kit controlled by a PC running Windows 'Home' Version (not even Pro) and said kit would stop working if you :-

        1) Upgraded it to 'Pro'.

        2) Applied any patches unless the manufacturer also updated their application for which they charged you a kings ransom.

        Needless to say, the PHB that signed off on the purchase was long gone before this all came to light.

        The good thing is that both companies went out of business 4+ years ago but I suspect that the way that the supplier went about its business is not that uncommon.

      3. Anonymous Coward

        Re: SCADA systems running windows

        "so getting the vendor to re-write the software for Linux would be nigh on impossible", vendors will provide code for whatever OS the customer is using, that or go out of business. If it is existing kit then someone is going to have to rubber stamp continuing to use insecure systems, thus putting their reputation on the line.

        With government systems, then eventually when every other system is secure except the ones still reliant upon MS, it is going to be hard to justify design decisions that expose your client to hacking.

    2. Anonymous Coward

      Bonsai Penguins aren't all they're cracked up to be...

      You obviously haven't had to deal with some of the crawling horrors that dare to call themselves "Embedded Linux". Some of them are just as bad as the Embedded Windows and the proprietary Unix SCADA systems I've seen over the years. Hell, I've even seen some OpenVMS boxes set up with default configurations because field circus wasn't told how to set 'em up properly.

      1. big_D Silver badge
        Facepalm

        Re: Bonsai Penguins aren't all they're cracked up to be...

        @AC I've also seen companies rolling out new servers (2015/2016) with the software still running under "SUSE 7.0" from the turn of the century, because they had some libraries that "just worked" and no upgrade path, so they carried on with SUSE 7.0 on new production hardware for their customers, until the software stopped working with newer generations of hardware, where the old RAID controllers were no longer available and the drivers wouldn't work with current generation controllers... Then they had to invest in re-engineering the libraries.

        But the attitude was "it's Linux, it is secure, it doesn't need patching."

      2. Anonymous Coward

        Re: Bonsai Penguins aren't all they're cracked up to be...

        Home IoT is not SCADA, and incorrect configuration is going to be a problem no matter the OS.

    3. A Non e-mouse Silver badge

      Re: SCADA systems running windows

      I had to (briefly) work with a Linux based system that was so old it only worked on servers you could buy on eBay.

    4. Joe_the_geek

      Re: SCADA systems running windows

      Honest to God , just when I read ' Ooops BSOD ' in your comment I got the 'Aw Snap' thing on my phone :)

    5. martinusher Silver badge

      Re: SCADA systems running windows

      It's worse than you think because a lot of the versions of Windows have been tweaked to include real time extensions. They don't upgrade.

      A lot of major control environments are based on Windows. There's a lot of resistance to change and Microsoft works with the manufacturers to keep them happy, if not particularly safe. There's no easy solution except to put the "Mother of All Firewalls" between those systems and the Internet (if they really must go onto the net -- it should only be a VPN, though). An 802.1X-enabled switch will also help by locking any unknown devices off a network (it was originally developed for wired networks although we know it as a useful security addition for wireless).

  2. hammarbtyp

    Company selling security consultancy find security flaws shocker

    This reads like company advert. "We did A and we took your network down, if you don't employ us, you could be next"

    It's difficult to know where to start with this one but I'll try

    Godfrey explained that security has never been a design criteria for industrial control kit and this hasn't changed with the advent of IoT in the domain of SCADA systems.

    That's simply not true. The industry is spending a lot of effort on security; however, unlike IT where security is the primary concern, it has to be balanced with the primary function of safety. Also the long timescales and legacy kit are another issue that needs resolving.

    Historically everything was "air-gapped" but this has changed as the equipment has been adapted to incorporate internet functionality.

    But their attack requires local access. Physical security is as important as cyber security in these situations. If you can just walk in and install a box on a critical infrastructure, cyber security is the least of your worries.

    Industrial control setups certainly don't have the maturity of enterprise environments

    Agreed, but then again enterprise environments have the benefit of constant support and upgrade cycles. Suggest IT can't touch any kit for 2 years and see how mature your systems are then. Saying that, our 'mature' enterprise environment is often brought down if someone adds a rogue DHCP server, so perhaps enterprise should not be too smug.

    Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

    A lot of systems undergo DoS testing. It depends where you test. The idea is that attacks on the outward facing interfaces should not stop the control system. So we can bring down the scada, but the automation control is retained

    "kill industrial processes with only four lines of code"

    Without knowing what the kill code is, it is impossible to say what happens here, or whether all systems are equally vulnerable. Is it some sort of DoS attack, a specific PLC command, some use of a SCADA protocol? I can think of many ways to do this, but they would be specific to a type of system and not universal.

    However there are many defences that can be put in place, such as zoning of your network, or network anomaly detection devices. However Stuxnet showed that you can only slow, not stop, an attacker. If you get a nation player with infinite resources, they will get in. Your only hope is to make it a) so hard they won't try and b) limit the damage if they do.

    1. big_D Silver badge

      Re: Company selling security consultancy find security flaws shocker

      My experience so far is that security is still often an afterthought. The other problem is, a lot of the IoT stuff is tacked onto existing hardware, which has often been in the production for over a decade, so it is irrelevant, whether the next generation hardware has some security baked in, the majority of industrial systems are unprotected by design.

      I agree, however, that the wording from Godfrey is a little misleading, there is certainly some work going on in this area, but you only have to look at the **** that is coming out today in cars, for example, where they are online, but the CANBUS is still pretty much unprotected! Industrial PLCs aren't much better, in my experience.

      But their attack requires local access. Physical security is as important as cyber security in these situations. If you can just walk in and install a box on a critical infrastructure, cyber security is the least of your worries

      We don't know what their remit was. And getting through the firewall and hacking a PC on the network isn't that hard, but might have been outside the remit for the case in question, which would have made it illegal to try such a scenario.

      It is also not a "local" attack, which means on the device(s) in question, it was an attack within the network, so internal but not local.

      And the industrial networks tend to be very fragile. I worked for a company producing vulnerability scanners and they had extra documentation and modes for scanning SCADA and PLC networks, so that you don't bring them crashing down during an initial scan. Their systems started in a "light touch" mode and gradually worked up. It was also recommended that the customer make a replica of their production environment to test on, before scanning the real thing.
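As an added example (not code from the thread, from INSINIA, or from the scanner vendor mentioned above) of what a "light touch" first pass looks like in practice: rather than a port or version scan, send each host a single read-only Modbus/TCP Read Device Identification request (function 0x2B, MEI type 0x0E), one host at a time with a pause between them, and re-check that every host that answered still answers before escalating to anything heavier. The assumptions here are Modbus/TCP on port 502 and the constructed device replies at the bottom; real devices, addresses and names would differ.

```python
# Added example, not from the thread: a serial, rate-limited, read-only first pass over an
# OT segment using Modbus/TCP Read Device Identification, with a health re-check before
# any escalation. Device replies are constructed in-process so this runs offline.
import struct
import time
from typing import Callable, Dict, List, Optional

MODBUS_PORT = 502  # assumption: Modbus/TCP on its standard port


def build_read_device_id(transaction_id: int, unit_id: int = 0xFF) -> bytes:
    """MBAP header + PDU for Read Device Identification, basic objects (ReadDevId code 0x01)."""
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])  # function, MEI type, ReadDevId code, first object id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return mbap + pdu


def parse_read_device_id(frame: bytes) -> Dict[int, str]:
    """Parse a Read Device Identification response into {object_id: value}; raise on any error."""
    if len(frame) < 9:
        raise ValueError("frame too short")
    _tid, proto, length, _unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("bad MBAP protocol/length")
    pdu = frame[7:]
    if pdu[0] & 0x80:  # exception response: function | 0x80, then the exception code
        raise ValueError("Modbus exception 0x%02x" % pdu[1])
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("unexpected function/MEI type")
    # pdu[2] ReadDevId code, pdu[3] conformity, pdu[4] more-follows, pdu[5] next object id, pdu[6] count
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        objects[obj_id] = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        pos += 2 + obj_len
    return objects


class LightTouchProbe:
    """One request in flight at a time, fixed pause between hosts, nothing but a read-only query."""

    def __init__(self, send: Callable[[str, bytes], Optional[bytes]], pause: float = 0.5):
        self.send = send      # send(host, frame) -> reply bytes, or None if the host stays silent
        self.pause = pause
        self.results: Dict[str, Optional[dict]] = {}

    def run(self, hosts: List[str]) -> Dict[str, Optional[dict]]:
        for tid, host in enumerate(hosts, start=1):
            reply = self.send(host, build_read_device_id(tid))
            if reply is None:
                self.results[host] = None          # silent: do not retry or escalate
            else:
                try:
                    self.results[host] = parse_read_device_id(reply)
                except ValueError as exc:
                    self.results[host] = {"error": str(exc)}
            time.sleep(self.pause)
        return self.results

    def recheck(self) -> List[str]:
        """Health gate: re-send the same query to every host that answered; return those now silent."""
        silent = []
        for host, info in self.results.items():
            if info is not None and self.send(host, build_read_device_id(0xFFFF)) is None:
                silent.append(host)
            time.sleep(self.pause)
        return silent


# ---- constructed sample network (not real devices) ------------------------------------
def _fake_response(transaction_id: int, objects: Dict[int, str]) -> bytes:
    body = b"".join(bytes([i, len(v)]) + v.encode() for i, v in objects.items())
    pdu = bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, len(objects)]) + body
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, 0xFF) + pdu


SAMPLE_DEVICES = {
    "10.20.0.11": {0x00: "ExampleVendor", 0x01: "PLC-X1", 0x02: "v1.2.3"},  # answers normally
    "10.20.0.12": None,                                                     # never answers
    "10.20.0.13": "no-mei",                                                 # rejects the function
}


def fake_send(host: str, frame: bytes) -> Optional[bytes]:
    tid = struct.unpack(">H", frame[:2])[0]
    spec = SAMPLE_DEVICES.get(host)
    if spec is None:
        return None
    if spec == "no-mei":  # exception 0x01 (illegal function) to function 0x2B
        return struct.pack(">HHHB", tid, 0, 3, 0xFF) + bytes([0xAB, 0x01])
    return _fake_response(tid, spec)


def demo() -> Dict[str, Optional[dict]]:
    probe = LightTouchProbe(fake_send, pause=0.0)
    results = probe.run(list(SAMPLE_DEVICES))
    assert probe.recheck() == [], "a host went silent; stop here rather than escalate"
    return results


if __name__ == "__main__":
    for host, info in demo().items():
        print(host, info)
```

The point of the `recheck` gate is the one the comment makes: a scanner that moves on to heavier stages without confirming the first stage left every device responsive is how you "bring them crashing down during an initial scan".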

      1. Anonymous Coward

        Automotive security

        The owners of cars make it even worse. Next time you are a bored passenger in a car in heavy traffic, pull out your phone and scan for Bluetooth stuff in the area. Won't take long before you find a car with a Bluetooth OBD II module left plugged in. Hands up anyone who thinks Bluetooth is secure, and wouldn't mind driving a car that gives strangers access to their ECM while driving.

        It would be nice if they'd warn you on the package to only connect it for diagnosis, but one of their marketing points is that you can get access to all sorts of data while driving. They just don't tell you the dangers of leaving it plugged in given that Bluetooth security is far from perfect. Or at least there was no such warning on the one I have, which is wifi (for some reason iOS doesn't work well with the Bluetooth ones) And of course while we all like to think wifi is secure, there's a reason we're now waiting for WPA 3 to appear, but even if I had one that was WPA 3 when that standard is finished I wouldn't think it is worth it to leave that plugged in and possibly trust my life to WPA 3 security!

      2. Paul Glavin

        Re: Company selling security consultancy find security flaws shocker

        They described their remit in the talk, it just hasn't been repeated here.

        The remit was pretty much "see if you can take down one of our manufacturing lines"

      3. hammarbtyp

        Re: Company selling security consultancy find security flaws shocker

        My experience so far is that security is still often an afterthought.

        Certainly it used to be, but legislation where there are financial penalties for breaches is making customers and manufacturers more security aware. However the long support times mean that this problem will not be fixed overnight.

        you only have to look at the **** that is coming out today in cars, for example, where they are online, but the CANBUS is still pretty much unprotected! Industrial PLCs aren't much better, in my experience.

        I think we have to be careful in separating things like cars and CNC machines from critical infrastructure. While someone hacking a car is annoying, someone hacking, say, the electricity grid is far more serious. The problem is not the CANbus itself, but how it is attached to the other non-critical systems. Embedded protocols are high speed, noise tolerant and deterministic. This goes against things like security practices such as encryption.

        It is also not a "local" attack, which means on the device(s) in question, it was an attack within the network, so internal but not local.

        Generally anything within a DMZ on the LAN is called local. Most security at present is based around a DMZ with remote access being in theory carefully controlled. Also getting through a properly managed and configured firewall should be hard, that's what they are there for. Most of the problems we see are when IT decide to bypass the firewall through negligence or ignorance. However if you have 'local' access there are all sorts of things you can do which are hard to stop, such as modifying the hardware itself.

        And the industrial networks tend to be very fragile

        Yes they can be, because they are highly customised and tuned for maximum performance. One of the problems at present is most security solutions are based on IT best practice, which really don't work on industrial systems. We need a different set of solutions specific to the industrial space.

        These are coming and the area has changed vastly in the last 5 years, but there is a long way to go. Part of the issue is the entire diversity of the industrial offerings, unlike IT, who generally have to deal with a small set of protocols and OS.

        Security in the IT area did not come from nowhere, but was a constant evolution. Industrial control security solutions will have to follow the same path.

        1. big_D Silver badge

          Re: Company selling security consultancy find security flaws shocker

          I think we have to be careful in separating things like cars and CNC machines, from critical infrastructure. while someone hacking a car is annoying, someone hacking say the electricity grid is far more serious.

          So, hacking a car and causing it to swerve off the road (Fiat/Jeep by Charlie Miller 2015) or change the engine management, disable braking/ABS or disable the motor whilst the vehicle is in motion is only annoying? :-O

    2. Rob D.
      Joke

      Re: Company selling security consultancy find security flaws shocker

      > Agreed, but then again enterprise environments have the benefit of constant support and upgrades cycles.

      Benefit? Of constant support and upgrade? Hey, that's a good one. I'm saving that for the pub tonight at half time in the match when we will all need to laugh hysterically if the team is 1-0 down to Tunisia.

    3. Anonymous Coward

      Re: Company selling security consultancy find security flaws shocker

      "Historically everything was "air-gapped" but this has changed as the equipment has been adapted to incorporate internet functionality.

      But their attack requires local access. Physical security is as important as cyber security in these situations. If you can just walk in and install a box on a critical infrastructure, cyber security is the least of your worries"

      You are correct, but from my experience in working labs and petro-chemical stores the physical security of the premises also takes second place to the safety of the people working there.

      This results in very inconsistent levels of security, for example one of the emergency gates in work has a large red button just inside it to trip the fire alarm and de-activate the magnetic locks. This particular button takes less than 8lbs of pressure to trip and can be reached with a straightened out coat-hanger.

      It's not hard to get inside these kinds of places.

  3. James O'Shea

    Back in the day

    I had a job running a large SCADA system. It controlled multiple remote sites. We were an electric utility, we had to control the various substations from System Control, 24/7. It was very secure, mostly by accident. We used Harris H800 24-bit (you read that correctly, 24-bit, they only cost half a million each...) supermini computers and communicated to the substations using powerline carrier over transmission lines. If anyone wanted to hack us, they had to either get into the computer room at System Control, past the locked door. The locked doors, actually: the door to the computer room was locked and the door to the building was locked. We had crashbars on the doors, you could always get out, but to get in either you had a key or someone inside IDed you using the camera outside the door and buzzed you in. And there was an armed guard at the gate to the property. We had _great_ physical security. Or they had to climb a utility pole and play with 138,000 volts at 100 to 200 amps. Good luck with that. None of our signals went over PSTN. A would-be hacker _could_ break into a substation (climb the fence or get a copy of the substation gate key and then break into the substation's control room)... and he'd have control of that substation, nothing more. If he could figure out how to send the correct commands. If he survived playing with multiple 138 and 24 kV systems. And System Control would spot the problem almost immediately and send some linemen out to have a look.

    I suppose that it was security by obscurity, but 138 kV at 100 amps makes for excellent security. Our heroes here might well have been able to pwn the system, if only they could touch it without being fried.

    It'd have been different if we were dealing with something less rambunctious than 138 kV, but no, we were hackproof. The boys who ran the main computer system at company HQ, now, _they_ could be hacked. And were. There was a reason why we didn't let those bozos near our system. My fav example was the time that a quarter million worth of truck tires vanished from the Stores inventory. It was pretty clear who had liberated them, but as there was no record of their ever having been company property, not any more, there wasn't much which could be done. At least not up until the time I left the company, about two years later.

    1. Doctor Syntax Silver badge

      Re: Back in the day

      "you read that correctly, 24-bit"

      I started out on ICL 1900 so 24-bit seems perfectly normal.

  4. Duncan Macdonald

    Stop using the Internet

    For many of the older control systems there is only one way to provide some security - DO NOT CONNECT TO THE INTERNET. This is not a perfect fix but with large industrial equipment it is often not practical to replace old control systems due to the cost of downtime. (And in many cases the original design documents have long been lost!!!)

    For more modern systems - use a dedicated firewall PC running Linux with all unnecessary services disabled to receive data from the control system and feed it to the operators. All internet communication MUST be encrypted (HTTPS, SSH etc). Do NOT use Windows for process control (or control of medical devices that could cause injury). (Microsoft's own documentation stated that it was not suitable for critical control.)

    If you have a malicious insider then virtually all control systems are at risk (old or new) - hardwired (non-computerised) safety systems are your best hope.

    1. Rob D.

      Re: Stop using the Internet

      That might be a marketing problem though - if you can upsell a bunch of new features by connecting something to the Internet (buy the new remote monitoring module and we can offer some underpaid lackeys in Manila at a small extra charge as well), or even shift capital ownership to ongoing purchase of a service (instead of owning the air pump, you buy the service that delivers air), then it is much quicker to realise revenue and profit by not worrying too much about whether such a connection is technically secure. Great for the shareholders and likely enables the sales folk to move on before anything untoward happens.

      This is all about risk/reward. It's easy enough to introduce basic security protections to give the illusion of safety sufficient for a tick box in the RFP, but if there is value in compromising a system then the motivated attackers will supply/find the method and the means. If having a malicious insider is itself the threat and represents a significant impact (death, loss of vital social service, significant existential risk to company) then the system needs suitable threat protection for that as well.

    2. Mark 65

      Re: Stop using the Internet

      I read this bit

      Mike Godfrey, chief exec at INSINIA, told El Reg that industrial control kit has long been developed with safety, longevity and reliability in mind. Historically everything was "air-gapped" but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring without having to physically go around and take readings and check on devices, which are often as not in hazardous environments.

      and instantly thought "and therein sits the problem". Connecting to the corporate network using a VPN between sites and having all SCADA kit sitting on a segregated LAN is one thing, just putting shit online any old how so old mate doesn't need to get off his arse is another.

  5. Mage Silver badge
    FAIL

    Problem isn't Windows.

    The issue isn't Windows as such, but the entire philosophy of industrial control. The equipment even in the 1980s might have had no passwords or security, relying on being in a secured plant. All communication was assumed to be on internal networks or on direct point-to-point links.

    There are so many issues that basically:

    a) Only computers with dual interfaces and firewall and security should connect to the industrial or SCADA gear.

    b) Those computers need dedicated external firewall(s) to rest of networks and/or internet.

  6. Filippo Silver badge

    The "4 lines of code" attack, as described in the article, relies on physically hooking up a fake PLC to the targeted plant. I'd argue that if you have hostiles able to add a PLC to your plant undetected, then network security is not really your main problem.

    1. John Brown (no body) Silver badge

      "The "4 lines of code" attack, as described in the article, relies on physically hooking up a fake PLC to the targeted plant. I'd argue that if you have hostiles able to add a PLC to your plant undetected, then network security is not really your main problem."

      Depends how the corporate network is set up. It might be as simple as plugging the device into any spare network port in the foyer. I'm sure some networks will be that poorly set up.

    2. Paul Glavin

      But they were able to. The talk was based around an end-to-end exercise to see if they could attack a single line at a car plant (with permission).

      They scoped the site, found security weaknesses, identified what kit was being used, found CCTV blind spots and were able to deploy the code onto the site and leave without being caught.

      Taking out one of the lines cost 1.2m, all 4 could have been targeted but their scope was restricted to one of the lines.

      The problem with PLCs and the like is they trust implicitly. All it takes is them receiving a command. There's no authentication built into most of the protocols. You have to cover every eventuality with things like this; unfortunately most sites are built around an inherent trust model instead of trusting nothing.

      PLC locks are weak, the interlocks are not much better. They're designed around human stupidity, not wilful attackers.
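
Added example (editor's, not from the article, INSINIA or any commenter): the "no authentication in the protocol" point above and the "only dedicated, firewalled hosts should talk to the SCADA gear" point in comment 5, shown in working code. Modbus/TCP is assumed here as a representative unauthenticated industrial protocol; the talk did not name the protocol used. The block builds the frames a controller acts on (note that nothing in them identifies the sender), parses them strictly, and applies the source-address allowlist a segmentation firewall or protocol-aware proxy would enforce in front of the controller. Addresses, unit ids and coil numbers are made up for the demo.

```python
from __future__ import annotations

import struct
from dataclasses import dataclass
from typing import Iterable

# Modbus function codes, from the public Modbus application protocol spec.
FC_READ_COILS = 0x01
FC_READ_HOLDING_REGISTERS = 0x03
FC_WRITE_SINGLE_COIL = 0x05
FC_WRITE_SINGLE_REGISTER = 0x06
FC_WRITE_MULTIPLE_COILS = 0x0F
FC_WRITE_MULTIPLE_REGISTERS = 0x10
WRITE_FUNCTIONS = frozenset({FC_WRITE_SINGLE_COIL, FC_WRITE_SINGLE_REGISTER,
                             FC_WRITE_MULTIPLE_COILS, FC_WRITE_MULTIPLE_REGISTERS})

MBAP_LEN = 7  # transaction id (2) + protocol id (2) + length (2) + unit id (1)


@dataclass(frozen=True)
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def _frame(transaction_id: int, unit_id: int, pdu: bytes) -> bytes:
    # MBAP length counts the unit id plus the PDU. Nothing here identifies or
    # authenticates the sender: the PLC acts on the function code alone.
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def build_write_coil(transaction_id: int, unit_id: int, address: int, on: bool) -> bytes:
    """Write Single Coil (FC 05): 0xFF00 switches the output on, 0x0000 off."""
    value = 0xFF00 if on else 0x0000
    return _frame(transaction_id, unit_id,
                  struct.pack(">BHH", FC_WRITE_SINGLE_COIL, address, value))


def build_read_holding(transaction_id: int, unit_id: int, address: int, count: int) -> bytes:
    """Read Holding Registers (FC 03), the request a historian or HMI polls with."""
    return _frame(transaction_id, unit_id,
                  struct.pack(">BHH", FC_READ_HOLDING_REGISTERS, address, count))


def parse_request(frame: bytes) -> ModbusRequest:
    """Parse MBAP header + PDU, refusing anything that is not well-formed so a
    truncated or padded frame cannot slip past the policy check below."""
    if len(frame) < MBAP_LEN + 1:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:MBAP_LEN])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusRequest(tid, unit, frame[MBAP_LEN], bytes(frame[MBAP_LEN + 1:]))


@dataclass(frozen=True)
class Policy:
    """Source-address allowlist: who may poll and who may write. This is the
    compensating control a segmentation firewall or protocol-aware proxy in
    front of the controller applies, because the controller itself will not."""
    read_sources: frozenset[str]
    write_sources: frozenset[str]


def evaluate(policy: Policy, src_ip: str, frame: bytes) -> tuple[str, str]:
    """Return ('allow' | 'drop', reason) for one request arriving from src_ip."""
    try:
        req = parse_request(frame)
    except ValueError as exc:
        return "drop", f"malformed frame ({exc})"
    fc = f"FC {req.function:#04x}"
    if req.function in WRITE_FUNCTIONS:
        if src_ip in policy.write_sources:
            return "allow", f"{fc} write from authorised {src_ip}"
        return "drop", f"{fc} write from unauthorised {src_ip}"
    if src_ip in policy.read_sources or src_ip in policy.write_sources:
        return "allow", f"{fc} read from {src_ip}"
    return "drop", f"{fc} read from unknown {src_ip}"


def audit(policy: Policy, traffic: Iterable[tuple[str, bytes]]) -> list[tuple[str, str, str]]:
    return [(src, *evaluate(policy, src, frame)) for src, frame in traffic]


# Constructed demo data: addresses, unit ids and coil numbers are made up.
DEMO_POLICY = Policy(read_sources=frozenset({"10.10.1.5"}),     # historian
                     write_sources=frozenset({"10.10.1.10"}))   # engineering station

DEMO_TRAFFIC = [
    ("10.10.1.5", build_read_holding(1, 1, 0x0000, 10)),    # routine polling
    ("10.10.1.10", build_write_coil(2, 1, 0x0010, True)),   # legitimate "line start"
    ("10.10.1.99", build_write_coil(3, 1, 0x0010, False)),  # planted device: "line stop"
    ("10.10.1.99", b"\x00\x04\x00\x00\x00\x02\x01"),        # truncated frame
]

if __name__ == "__main__":
    for src, verdict, reason in audit(DEMO_POLICY, DEMO_TRAFFIC):
        print(f"{src:<12} {verdict:<5} {reason}")
```

The planted device's "line stop" frame is byte-for-byte the kind of frame the engineering station sends; the only thing that distinguishes them is where on the network they came from, which is why the allowlist has to live in a device the attacker cannot bypass (a firewall between segments, not a rule on the PLC's own interface) and why a rogue box plugged into a spare port on the same segment as the controller still defeats it.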

    3. Pim

      I'd like to add a couple observations:

      - All industrial (medical) equipment should be on its own LAN, with remote access tightly controlled and monitored. By their very nature specialised equipment cannot be patched regularly and there should be no expectation of such. Browsing the internet on a machine running 3.11 is bad, controlling some ancient machine is just fine.

      - Any "attack" that involves physical access to a plant is just security people looking for work. If I have physical access to your server room: I can switch off or destroy your stuff, even if it is running the latest OS with all security features enabled. Their Arduino is not more effective than a hammer with "0 lines of code".

      1. Anonymous Coward
        Anonymous Coward

        "Their Arduino is not more effective than a hammer with "0 lines of code"."

        It IS more effective if you're aiming to (a) do it on the QT so you get away with it, and/or (b) be able to do it repeatedly for force magnification. Part of the talk mentioned that vulnerable systems usually can't be mitigated completely, meaning an exploit in deep enough can hit the system repeatedly with no real remedy possible apart from (expensive) replacement.

    4. Anonymous Coward
      Anonymous Coward

      I'd argue that if you have hostiles able to add a PLC to your plant undetected, then network security is not really your main problem.

      Never underestimate the power of looking like you belong, especially in a large facility where people don't necessarily know everyone. It's easy to determine a plant's schedule and observe how employees dress for work in various parts of a facility. Then pick a chaotic time like a big shift change to make your move. Appropriate dress and some social engineering ("I just started yesterday and I don't remember how to get to X, can you help me?") will get you into a lot of places.

  7. Rob D.

    Responsibility and risk awareness

    Maybe something like H&S legislation is needed for critical infrastructure where the responsibility is incurred regardless of how loudly the company proclaims it was someone else who let the team down. E.g. the working at height regulations apply to the person receiving the service regardless of how daft the person actually on the ladder might be.

    Whether the company chooses to see the risk or not, they are responsible for proper planning and investment to avoid the outcome, and carry a measure of legal liability for the impact.

  8. my fingers stuck

    SCADA

    in Greek SCADA means "shit "

  9. Luiz Abdala
    Stop

    Do not put these systems online then?

    Why would you have any of these systems online? Just don't.

    Put them a USB pendrive's distance from an online PC, but do not hook them to an online machine. Use wi-fi, use ethernet cabling, but don't hook them directly to online machines. Ever.

    And only allow system admins near them with said USB storage devices.

    Go the BOFH way, and run stuff from a Command Center, not online. It is a hassle, true, but it is safe.

    1. Charles 9

      Re: Do not put these systems online then?

      But tell that to the top brass who can overrule you AND are seeking to reduce head counts (and associated labor costs, pleasing the investors) with remote management.

      1. Anonymous Coward
        Mushroom

        Re: Do not put these systems online then?

        They can fire me, then have me escorted off the premises. They can't overrule me. On some things (safety hazards of all sorts), I have absolutely no give and that's always been the case, from a very young age, long before I started learning all things nuclear. Which was probably why I was picked for that job. Hell, I've chewed out an Admiral one day. Rightfully. Never heard a word back from the chain of command.

    2. Anonymous Coward
      Anonymous Coward

      Re: Do not put these systems online then?

      Put them at an USB pendrive of distance of an online PC, but do not hook them to an online machine.

      Which is exactly how Stuxnet infiltrated the air-gapped PLC controls for the Iranian centrifuges, IIRC.

      If any Internet-connected computer is used to prepare any USB stick for the PLC system, the air gap can still be remotely bridged.

      1. Charles 9

        Re: Do not put these systems online then?

        No Internet connection is even needed to taint the USB stick if you have an insider, which for something like a state-sponsored infiltration can never be ruled out. Neither can SneakerNet.

        PS. If they fire you, THEN they can overrule you. Safety and security take second place to just bloody getting the job done. If you can't get the job done, you no longer have a reason for existing, end of. And NO ONE's going to tell a JFDI client, "You can't get there from here"; it'd be business suicide.
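
Added example (editor's, not from the article or any commenter): the check the sub-thread above implies for anything carried across an air gap on a USB stick. Every file on the medium is compared against a manifest of expected SHA-256 hashes that arrived through a separate channel (the vendor's change notice, a phone call, a printout), never from the stick itself; a file that is not listed is refused whatever it contains, a listed file with the wrong hash is refused, and a listed file that is absent fails the transfer too. File names and the "PLC program" bytes are constructed stand-ins, and the throwaway directory stands in for the mounted stick. This verifies that what arrived is what was expected; it does not make the vendor's program safe, and where the vendor signs firmware, that signature check belongs in front of this one.

```python
from __future__ import annotations

import hashlib
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

CHUNK = 1 << 16


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(CHUNK), b""):
            digest.update(chunk)
    return digest.hexdigest()


@dataclass
class Verdict:
    approved: list[str] = field(default_factory=list)
    rejected: dict[str, str] = field(default_factory=dict)  # relative path -> reason

    @property
    def ok(self) -> bool:
        return not self.rejected


def verify_media(root: Path, manifest: dict[str, str]) -> Verdict:
    """Compare every file under root against manifest (relative path -> expected
    SHA-256 hex). The manifest must come through a separate channel; if it
    travels on the stick, whoever prepared the stick also prepared the manifest.
    Unlisted files are refused regardless of content, and a listed file that is
    missing fails the transfer, since a partial transfer is not a valid one."""
    verdict = Verdict()
    seen: set[str] = set()
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        rel = path.relative_to(root).as_posix()
        seen.add(rel)
        expected = manifest.get(rel)
        if expected is None:
            verdict.rejected[rel] = "not in manifest"
        elif sha256_of(path) != expected:
            verdict.rejected[rel] = "hash mismatch"
        else:
            verdict.approved.append(rel)
    for rel in manifest:
        if rel not in seen:
            verdict.rejected[rel] = "listed in manifest but missing from media"
    return verdict


# Constructed stand-ins: the "program" is a byte string, not a real PLC image.
GOOD_PROGRAM = b"constructed stand-in for a vendor-supplied PLC program\n"
MANIFEST = {"plc/line3_v12.bin": hashlib.sha256(GOOD_PROGRAM).hexdigest()}


def make_demo_stick(tampered: bool) -> Path:
    """Build a throwaway directory standing in for the mounted USB stick."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "plc").mkdir()
    payload = GOOD_PROGRAM + b"\x90\x90" if tampered else GOOD_PROGRAM
    (root / "plc" / "line3_v12.bin").write_bytes(payload)
    if tampered:
        # An extra file the engineer never asked for; refused whatever it holds.
        (root / "autorun.inf").write_text("[autorun]\nopen=setup.exe\n")
    return root


if __name__ == "__main__":
    for label in ("clean", "tampered"):
        v = verify_media(make_demo_stick(tampered=(label == "tampered")), MANIFEST)
        print(f"{label}: ok={v.ok} approved={v.approved} rejected={v.rejected}")
```

Run on the isolated engineering station before anything is copied off the stick, and treat a non-empty `rejected` as "do not load", not as a warning to click through.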

  10. Cynic_999

    You're looking at the wrong area

    The OS (if any) that a CAM machine uses is irrelevant. It's just a part of the machine, same as the belts and cogs. You don't get people demanding that machines are updated with metric nuts and bolts, or gears must have protection against people deliberately jamming a spanner in the teeth.

    Security consists of preventing unauthorised people from getting access to the machinery rather than demanding that machines be built to thwart a sabotage attempt by bad people who have managed to gain access to the factory floor.

    It's not the job of the machine manufacturer to protect the machine against unauthorised physical access, and I submit that it's the same regarding unauthorised digital access. Machine manufacturers are not, and are not expected to be security experts in either case. The company should ensure that its internal LAN is secured from outside access just as it is responsible for using security fences and guards etc. to secure against unauthorised physical access.

    Basically, if you need an access card or door key to physically access a machine, then you should need a password or other form of authorisation to access the machine over the LAN.

    If the manufacturer needs to service or troubleshoot, then temporary access can be granted by the company's IT security on a secure temporary basis - maybe a PW to get access through a VPN, or a temporary router "pinhole" to a single designated IP address. And all "Teamviewer" activity is monitored. Just the same as a visiting technician would be given a temporary visitor's pass if attending in person, and perhaps be accompanied by an employee at all times.

  11. Boris the Cockroach Silver badge

    4 lines of code?

    Heck I could do 250k worth of damage just by changing a + into a -

    Might be extremely dangerous to the operator.. or some other poor guy standing by the machine.. but who cares, I'm 5000 miles away in darkest <insert the name of this week's enemy>

    And that's by owning the machine used to store the robot programs......... which is why its Wi-Fi is turned off..... and a big notice saying "DO NOT CONNECT THIS LAPTOP OR THE MACHINES TO THE NETWORK" is over it.

    And before the "update update update and you'll be safe" crowd arrive, the machines have notices in the manuals saying "The OS should not be updated and machine manufacturer bears no responsibility if the OS is updated and the machine breaks down/goes mad and kills everyone"

    So either security is baked into the controls from the start, or you air gap

    Mind you, put the wrong command into the robot's PLC and it goes on a killing spree anyway

  12. Will Godfrey Silver badge
    Facepalm

    Don't tell the politicians

    Or the next thing you'll hear is that Arduinos have been made illegal - That's sure to stop the bad guys.

    /s

  13. Anonymous Coward
    Anonymous Coward

    Historically everything was "air-gapped"

    'Historically everything was "air-gapped" but this has changed as the equipment has been adapted to incorporate internet functionality.'

    I feel like I'm stuck in some kind of a version of Groundhog Day, where the same thing keeps happening over and over again. As in the Register posts a story (2003) on SCADA not being secure and I post on the solution being to use end-to-end encryption using VPNs running on embedded hardware.

    "security has never been a design criteria for industrial control kit .. As a result, issues such as default hard-coded credentials and lack of encryption abound."

    And running your SCADA systems on top of Microsoft Windows with a direct connection to the Internet.

    "Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98"

    Nobody in their right mind would run critical infrastructure on Microsoft Windows.

    1. ForthIsNotDead

      Re: Historically everything was "air-gapped"

      There are ways to run critical infrastructure on Windows. It's actually very easy. You move the intelligence to the edges (using PLCs and RTUs) and have them run autonomously as much as possible. Furthermore, every SCADA I've worked on has a dual-server configuration where one server is "main" and the other is hot-standby. This gives very good reliability indeed. Our Windows servers are rebooted every month (when we run the security updates) and thus the duty server changes over every month, giving plenty of opportunity to address issues that may arise on one of the servers. It's simply a matter of managing your infrastructure, and the assets that make up that infrastructure in a responsible manner.

  14. bishbut13

    Technology, the best thing since sliced bread? Is it? Is it really safe to use at all?

  15. ForthIsNotDead

    Somewhat scaremongery...

    I've watched a few of these security "presentations" and I find quite a few of them to be rather scaremongerish, and stretching plausibility to sometimes ridiculous levels. Fact is, if someone can get into the factory to install a fake PLC, then network security is the least of your problems.

    Hell, if I can get into your factory, then I don't need ANY equipment at all to completely ruin your production cycle. All I have to do is open a panel (because nobody locks them), locate a switch, and change two RJ45 cables over in a multi-port switch or router. Good luck sorting that one out.

    Failing that, turn some breakers off.

    I'm getting rather tired of this "fucking hell, SCADA is soooooooo fucked" mantra, quite frankly. I work with SCADA day in, day out (water industry). All our systems are heavily secured, restricted access to physical locations, CCTV, audited entry systems, heavily secured networks with intrusion monitoring systems, the whole nine yards. If you wanted to attack us, our SCADA system would NOT be the way to do it. You'd drop a barrel of chlorine into a drain or sewer and walk away.

    It's NOT 1991, and SCADA system operators know that very well, thank you very much.

  16. Uberior

    A magnet & a sock...

    "Part of INSINIA's BSides London demo showed how home and small office safes could be opened using only a magnet and a sock."

    Two items needed to open a small electronic safe?

    Who needs such luxury. Most can be opened with a firm slap, or at most with a single strike to the top from a hard-back book.
