A Critical Security Flaw in Popular Industrial Software Put Power Plants At Risk (zdnet.com)
A severe vulnerability in a widely used industrial control software could have been used to disrupt and shut down power plants and other critical infrastructure. From a report: Researchers at security firm Tenable found the flaw in the popular Schneider Electric software, used across the manufacturing and power industries, which if exploited could have allowed a skilled attacker to attack systems on the network. It's the latest vulnerability that risks an attack on the core of any major plant's operations at a time when these systems have become a greater target in recent years. The report follows a recent warning, issued by the FBI and Homeland Security, about Russian hackers. The affected Schneider software, InduSoft Web Studio and InTouch Machine Edition, acts as middleware between industrial devices and their human operators. It's used to automate the various moving parts of a power plant or manufacturing unit, by keeping tabs on data collection sensors and control systems. But Tenable found that a bug in that central software could leave an entire plant exposed.
Re: (Score:2)
How about making it illegal to access such systems with malicious intent? That should solve it, right?
(I think I play too much with the boys from the legal department recently...)
Re: (Score:2)
I usually feel like I need a shower afterwards, though.
Slash-bots. (Score:1)
expect more of these stories (Score:4, Insightful)
as the manufacturing world connects more and more things to the Internet. This is driven by MBA managers who want to be able to access fancy dashboards from their head offices miles away from the plants. The major marketing push currently going on in the manufacturing world is the IIoT (Industrial Internet of Things) and is driven by greedy companies who are taking advantage of middle to upper management's lack of knowledge to sell them on fancy gizmos and gadgets without actually explaining the potential consequences. When combined with the race to the bottom for cost of IT in manufacturing, this is a catastrophe just waiting to happen.
We have already seen examples recently of ski lifts, but this was already a problem with remote desktops, and all you have to do is search for DEF CON talks to see hundreds of examples. The only difference is that now the access is baked right into the control software and black hats don't need to worry about looking for vulnerable remote desktops.
Re: (Score:2)
Re:expect more of these stories (Score:4, Informative)
Systems should be able to tell the outside world about their current state, but they should not be able to be controlled from the outside.
In short, make those types of systems read-only.
Re:expect more of these stories (Score:5, Insightful)
More to the point, attach them to one way communications links. A high speed serial interface with only the RX pin connected on the receiving end can simply not be used to communicate back to the reporting device/gateway. Not every damned thing needs to be on Ethernet.
Re:expect more of these stories (Score:5, Informative)
Re: (Score:2)
There are two types of things in industrial control. There's the one you mentioned, but even then you can "soft" block it from the outside, requiring access via a private LAN; the problem is a lot of companies don't want to create a side-by-side corp net and IC net, they see it as too expensive. That'll change as soon as some nut figures out that they can cause serious damage to infrastructure or hold a company for ransom. The second is the type that uses PLCs for adjustment and control of plant controls. The latte
Re: (Score:2)
Well, for the inner layer...usually. But that means someone's got to be able to get to the machine to throw a switch or turn a dial. So it's not always going to be possible.
Additionally, you generally want to protect the inner layer from even being read by someone unauthorized. So you need multiple layers of security with different restrictions.
OTOH, that's just how it should be done this year. As interfaces and machines get smaller, it will be less practical to have human sized switches on the machines
Re: (Score:3)
This is driven by MBA managers who want to be able to access fancy dashboards from their head offices miles away from the plants.
We used to have a technology that solved this problem with little or no increase in security risk. How it worked was, you have a remote site with its own airgapped internal LAN. A dedicated PC would fetch data from the internal server and use a dial-up modem to connect to a machine at corporate HQ. It would then transmit data to corporate HQ via advanced protocols such as Kermit or XMODEM.
The modem at the remote site would be configured to ignore (not answer) incoming calls for security reasons. It would on
In other news.... (Score:2)
That's it, there is no other news. Exploit found, manufacturer fixed in a timely manner. I would say that whatever ad-hoc system that is in place for identifying software vulnerabilities, whether it's a reward or just the coolness factor of having one's name in an article, seems to be working. I did like the picture of the Nuke plant in the article though. I am making a wild guess that any software running internally in a nuclear plant is not accessible from outside, not even through a firewall. But I could
Mitigation (Score:1)
1. Don't put any control hardware on the internet. Air-gap everything. This is already best practice. For monitoring, do an RS-232 link to an internet-connected machine, from an embedded machine with no network stack.
2. Lock down the machines running the control software. Physically isolate the machines. Make the web-based client machines thin clients running a locked-down browser.
3. Lock down the control network. Use MAC filtering and IP authentication, which I believe is part of the industrial IP standard
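The RX-only serial feed suggested in the comments above (a one-way link where the monitoring side can never talk back) has a practical consequence: the receiver cannot ACK or ask for a retransmit, so it has to detect loss and corruption on its own. The following is an added example, not code from the thread or from any vendor: a constructed frame format with a sequence number and CRC32, and a receiver that only parses, counting lost and corrupt frames. The frame delimiter, layout and 1024-byte payload limit are all assumptions.

```python
import struct
import zlib

MAGIC = b"\xa5\x5a"     # constructed frame delimiter (assumption)
MAX_PAYLOAD = 1024      # reject absurd lengths instead of stalling forever
HEADER = struct.Struct(">2sIH")  # MAGIC | seq uint32 | len uint16, then payload
TRAILER = struct.Struct(">I")    # crc32 over header + payload


def encode_frame(seq: int, payload: bytes) -> bytes:
    """Reporter side (the air-gapped embedded sender): build one frame."""
    head = HEADER.pack(MAGIC, seq, len(payload))
    return head + payload + TRAILER.pack(zlib.crc32(head + payload))


class OneWayReceiver:
    """Monitor side: parses the RX-only byte stream and never transmits."""

    def __init__(self):
        self.buf = b""
        self.expected_seq = None
        self.frames = []   # accepted (seq, payload) tuples
        self.lost = 0      # frames missing according to sequence numbers
        self.corrupt = 0   # frames rejected by the length or CRC check

    def feed(self, data: bytes) -> None:
        self.buf += data
        while True:
            start = self.buf.find(MAGIC)
            if start < 0:  # keep a trailing 0xa5 in case MAGIC spans chunks
                self.buf = self.buf[-1:] if self.buf.endswith(MAGIC[:1]) else b""
                return
            self.buf = self.buf[start:]
            if len(self.buf) < HEADER.size:
                return
            _, seq, length = HEADER.unpack_from(self.buf)
            if length > MAX_PAYLOAD:
                self.corrupt += 1
                self.buf = self.buf[1:]          # resync one byte further on
                continue
            total = HEADER.size + length + TRAILER.size
            if len(self.buf) < total:
                return
            frame, self.buf = self.buf[:total], self.buf[total:]
            (crc,) = TRAILER.unpack_from(frame, HEADER.size + length)
            if zlib.crc32(frame[:-TRAILER.size]) != crc:
                self.corrupt += 1
                self.buf = frame[1:] + self.buf  # resync past this MAGIC
                continue
            if self.expected_seq is not None and seq > self.expected_seq:
                self.lost += seq - self.expected_seq  # gap: no way to re-request
            self.expected_seq = seq + 1
            self.frames.append((seq, frame[HEADER.size:HEADER.size + length]))
```

The `lost` and `corrupt` counters are the signal a monitoring side can alert on; anything else (a stuck reporter, a cut cable) only shows up as silence, so a watchdog on frame arrival time is the other half of the design.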
It's ok we have a no homers rule at our plant (Score:2)
It's ok we have a no homers rule at our plant
Is this ... (Score:3)
Re: (Score:1)
"InduSoft Web Studio (or IWS, for short) is a powerful, integrated tool that exploits key features of Microsoft operating systems and enables you to build full-featured SCADA (Supervisory Control and Data Acquisition) or HMI (Human-Machine Interface) programs for your industrial automation business."
"InTouch Machine Edition is a natural extension of the current Wonderware HMI portfolio and the perfect complement for customers who already own Wonderware System Platform... Wonderware System Platform runs on m
Re: (Score:2)
Sorry. I forgot the <sarcasm></sarcasm> tags.
Not as scary as it sounds (Score:2)
I figured that I would chime in here, since I've worked on these types of systems, and in this type of environment for nearly 30 years.
It is common to see these types of alerts for all kinds of HMI software, PLCs, and DCSs. They all have security vulnerabilities discovered, just like any software-based systems do. In the electric utility environment in the US, these systems fall under NERC CIP regulations. There will be someone at the utility tasked with keeping track of these alerts and making sure that
Re: (Score:1)
InTouch Machine Edition is for remote HMIs for field operators. Likely an OPC connection.
OPC is the biggest shit show that exists on industrial systems, and I'm sure you have run into this issue over your years...
To transfer data between computers, both computers use DCOM and must have the same local account WITH THE SAME PASSWORD.
It's a joke. It's DCOM.
Critical Security Flaw in industrial software .. (Score:2)