Good. Malicious crackers, please destroy as many non-safety-critical water pumps as it takes for people to take security on these systems seriously. It seems most of the industrial controls industry is used to operating on a proprietary network, and when moving to IP their guess at security is "uh, firewall?".

jrockway | 14 years ago
This is indeed odd. On my home network, I have a firewall at the edge, a firewall on each machine, and every service requires authentication (cryptographic where possible; username+password over SSL otherwise). It took me about a day to set up, and I'm not even a security person.
It's unacceptable that people whose jobs are to secure computer networks do a worse job than I do for the little computer under my TV.
(Yup, all of my machines at home have a public IP address. Convenient!)

NathanKP | 14 years ago
“They just figured it’s part of the normal instability of the system,” Weiss told Wired.com. “But it wasn’t until the SCADA system actually turned on and off that they realized something was wrong.”
That's a pretty bad sign that the system is so buggy that at first it seems like a hacking attempt is just "normal" instability.

Anybody that's worked with SCADA systems unfortunately wouldn't bat an eye at this. In my own experience they're horribly issue prone; we've churned through 4-5 different vendors in the last 3 years trying to get past basic stability issues.

jed_s | 14 years ago
Control System Cyber Security - State of the State
http://www.stanford.edu/class/ee380/Abstracts/111012.html
"Industrial control systems are used in electric power, water, pipelines, etc. These systems were designed for performance and safety considerations, not security. Traditional IT security technologies, policies, and testing may not apply to these systems. Moreover, there is currently no university with an interdisciplinary program across multiple engineering disciplines to address control system cyber security. There have already been more than 200 actual control system cyber incidents to date, though most have not been identified as cyber. In the US alone, there have been 4 control system cyber incidents that have killed people, 3 major cyber-related electric outages, 2 nuclear plants shut down from full power, etc. With the advent of Stuxnet, cyber has been introduced as an offensive weapon. The purpose of this presentation is to provide a state-of-the-state view of control system cyber security."
The speaker gets quite a grilling from the academics.

shabble | 14 years ago
From the abstract/slides, it seems like it could be quite interesting.

MrEnigma | 14 years ago
There are better ways to gain access to systems. But even then, you have to prevent access to your own systems first...

I wonder if the glitches were that the remote people couldn't log in. So they kept changing the passwords, and restoring them, and then the hackers just went and got the password again, changed it...

danso | 14 years ago
1) A SQL injection
2) A default admin password

The article mentions that the intrusions involved a security hole in PHPMyAdmin, so, likely neither (unless the attackers just got access to the database through PHPMyAdmin using the default admin password rather than a security hole).

This seems like an exciting decade we are about to enter where hackers can mess with actual physical infrastructure. Sooner or later somebody is going to do something really destructive with that power.

vahallawalla1 | 14 years ago
SCADA controls those power systems too ;-)

tomjen3 | 14 years ago
Fortunately it shouldn't be that hard to secure the systems. At the very least use a two-factor authentication system, if possible the same way gmail does since it is pretty simple, or just store the passwords in a big physical folder and access them as necessary.

Exactly what good does "two factor authentication" do when every verb in the protocol was designed with the assumption that the protocol would only ever be addressed by an authorized client? These things are insecure by design, insecure in implementation, and insecure at deployment. Don't trivialize the problem; it's immense.

tptacek | 14 years ago
Maybe password theft was involved this time, but that's a trivial detail. I don't feel like endorsing feel-good measures. A lot of this code really needs to be forklifted out, which is a fact made especially painful because a lot of this code is already pushing the limits of the 8-bit TI microcontrollers it runs on.

Sadly, that decade was two years ago. It's been well known how broken SCADA systems are, and shouted from the rooftops, but no one cares. We have been on borrowed time now for ages. It finally happened.