back to article Hackers induce 'CATASTROPHIC FAILURE' in mock oil well

Security researchers have demonstrated how to exploit widely deployed SCADA systems to spoof data to the operator, and remotely control equipment such as pumps in oil pipelines. The exploits were demonstrated live at Black Hat 2013 in Las Vegas on Thursday, and saw security engineers from energy sector process automation …

COMMENTS

This topic is closed for new posts.
  1. Boris the Cockroach Silver badge
    Terminator

    Which

    is why I insist on the work laptops having their wireless networks turned off and an air gap between the robots and their internal network and the outside world

    Not funny when 1/2 of robot arm does a 180 with the operator in range and its bypassed the PLC check on the gate interlock...... and a bast to clean up too

    1. Destroy All Monsters Silver badge
      Holmes

      Re: Which

      > air gap

      Dontcha mean a firewall?

      1. Anonymous Coward
        Anonymous Coward

        Re: Which

        air gap <> firewall. An air gap means NO connection, a firewall means a possible connection, and if you don't need it, no connection is always better.

    2. Irongut

      Re: Which

      And that is exactly how it works in a real oil well.

      You can create a mock anything and prove how easy it is to attack, the question is how easy is it to attack the real deal. Having attended a number of energy industry security conferences in the UK I can tell you that they use separate networks for the industrial control systems and corporate networks. Firms that design rigs even have multiple computers on an engineers's desk - one for email, web, etc and another for doing the actual design work where everything is encrypted and there is no transfer of data between the two.

      1. Anonymous Coward
        Anonymous Coward

        Re: Which

        Having attended a number of energy industry security conferences in the UK I can tell you that they use separate networks for the industrial control systems and corporate networks. Firms that design rigs even have multiple computers on an engineers's desk - one for email, web, etc and another for doing the actual design work where everything is encrypted and there is no transfer of data between the two.

        Those attending security conferences tend to be companies that take security seriously - for every company at these conferences there are 10 more that haven't bothered to attend.

        I worked in the oil industry for 4 years developing control systems, and we only had a single machine on our desks. Corporate network access for emails and development were done from the same machine (even getting a second monitor was almost impossible, let alone a second machine).

        There was no thought to security at all on the product I worked with (and I doubt that has changed on the newer products). The only attempt at security was to insist the client put the control system on a separate network to the rest of the platform, however I know this was not done on a few projects.

        In these systems, simply gaining access to the same network would give you complete control of the entire system. You would then be free to open any valves you wish, with no logic in the controller to prevent dangerous operations.

        Posted Anonymously for obvious reasons.

      2. Drs. Security

        Re: Which

        That is indeed how it should be, total separation between ICS and office networks.

        Unfortunately that is far from everyday common practice. Even safety systems should have a total separation which isn't common practice either.

        And I'm not even considering vendor VPNs, old modems for remote access or wireless.

        Essentially it mostly boils down to a misunderstanding between IT and process engeneers.

  2. Eddy Ito

    The sad part

    More and more of these jobs are being turned over to such systems in an attempt to promote safety. Sure, it makes it safer for the guy who doesn't have to manhandle pipe stands reaching 90 odd feet in the air but does that really matter if the guy at the drillers console doesn't always have full control? Perhaps drone rigs aren't the best idea.

  3. Anonymous Coward
    Stop

    Sigh....why? Oh why leave key infrastructure control systems facing the internet!

    It's like asking for a beating these days! All we need is another multi-billion Dollar oil spill in the Gulf of Mexico or something.

    1. Drs_Security

      Re: Sigh....why? Oh why leave key infrastructure control systems facing the internet!

      true that, although the Deep Water Horizon incident had nothing to do with SCADA or DCS (ICS in genral) systems but pure a lack of following rules and regulations to save money.

      Clearly in this case they didn't learn from Piper Alpha or blatantly ignored its lessons, sad isn't it?

  4. John Smith 19 Gold badge
    FAIL

    OMFG. How is this even *possible* in 2013?

    And no "air gap" IE no permanent (wireless or cable) connection to the general internet, is the right term.

    It's not even conceptuallydifficult to explain. This is a variation of Gary McKinnons DoD attack, something which I explained to a civil service friend (someone with no interest in computers but an awareness of remote admin tools) in about 2 minutes.

    The only way to justify this behaviour is that it will save some money and the replacement cost (if the plant is destroyed) is never considered. I'm amazed better security is not justified by lower insurance premiums alone.

    Fail because this level of compromise should simply not be possible in the second decade of the 21st century.

    1. Anonymous Coward
      Anonymous Coward

      Re: OMFG. How is this even *possible* in 2013?

      It easily possible, unfortunately. If the system was created in 1995, it'll still be running win95. Takes too much time/money to re-writing you systems every couple of years just because some new OS is out. Then by the time you realise the system is ancient the people who wrote have left the company, so it would take even more time/money to update. Hell, we're still running DOS for some critical systems. Oh, and the system probably wasn't written with security in mind and will probably baulk at being disconnected from SAP etc., so no, you can't just unplug it.

      1. John Smith 19 Gold badge
        Meh

        Re: OMFG. How is this even *possible* in 2013?

        "It easily possible, unfortunately. If the system was created in 1995, it'll still be running win95. Takes too much time/money to re-writing you systems every couple of years just because some new OS is out. Then by the time you realise the system is ancient the people who wrote have left the company, so it would take even more time/money to update. Hell, we're still running DOS for some critical systems. "

        Which would not be a problem as it's air gaped from the rest of the world.

        But then we get.

        "Oh, and the system probably wasn't written with security in mind and will probably baulk at being disconnected from SAP etc., so no, you can't just unplug it."

        Because you're saying a system developed when dialup was the common way for remote connections requires an always on connection, unless you're saying the system started running on a private WAN and transitioned to the general internet later?

        This scenarios does not quite stand up IRL.

    2. Anonymous Coward
      Anonymous Coward

      Re: OMFG. How is this even *possible* in 2013?

      Laziness mainly. Also a lack of space on the platform can be an issue.

      The control system gear will typically be located on one side of the platform, with the subsea gear on the other - rather than running a cable between the two they may choose to just tap into the existing network which already has a connection between the two areas.

      You also have the issue of upgrading existing platforms. You may be installing a new field to an existing platform that is already producing from another field. Running new cables may require shutting down production - good luck getting approval for that!

      1. Anonymous Coward
        Anonymous Coward

        Re: OMFG. How is this even *possible* in 2013?

        " they may choose to just tap into the existing network which already has a connection between the two areas."

        "Running new cables may require shutting down production - good luck getting approval for that!"

        Isn't that what vLAN-capable kit (e.g. switches) is for? I'm several years behind, so correction welcome.

        One set of cables, carrying multiple logically-independent networks?

        Actually presumably two sets of cables, for resilience, with dual sets of switches and dual-homed kit?

        OK it introduces complexity, which in itself can often increase risk, but it's a tradeoff between the risk of having dumb switches and all traffic visible to all kit (doesn't sound good to me) on the one hand, and on the other hand a slightly more complex network where (given proper practices) kit can only see the network traffic on the vLAN they're supposed to be using.

        My £50 SoHo router at home can do this. An enterprise or industrial switch used to be able to do this. Do they not still do this?

  5. TrishaD

    @Irongut

    Well .... absolutely.

    Whenever one of these SCADA stories come up, there's always a great deal of wooooooo in response, and everyone talks about how foolish it is to expose them to the internet etc etc.

    And indeed it is. Which is why very few people do it these days. Buried in the bowels of some of our power stations there are control systems being powered by Windows 2000 boxes. Which matters not in the slightest because they're not exposed to the corporate network let alone the public internet. A bit of change control and an absolute veto on memory sticks keeps them clean.

    The problem with SCADA is that normal controls do not apply - you cant take stuff out of service for software patches and AV upgrades and that's just a fact of life we have to work around.

    1. Tim Parker

      Re: @Irongut

      "Whenever one of these SCADA stories come up, there's always a great deal of wooooooo in response, and everyone talks about how foolish it is to expose them to the internet etc etc.

      And indeed it is. Which is why very few people do it these days."

      Even if correct, which i'd be inclined to ask for some evidence for, this neglects the controllers already deployed - which was much of the thrust of the presentation. As you said yourself

      "The problem with SCADA is that normal controls do not apply - you cant take stuff out of service for software patches and AV upgrades and that's just a fact of life we have to work around."

      ..and in some cases the reason for that is the poor design of the ICS, often due to economic constraints. Redundancy and fail-over control passing can assist greatly in updating systems, but unfortunately they usually have to be designed-in - at least to some degree - from the start... and that is not always easy or cheap especially in bespoke systems. A trivial example is your bog standard server machine these days, which can often have power supplies, management modules, processors, memory, disks and applications/kernels updated in real-time with no shutdown or loss of control - and have done for some time. That's not to say they represent the same scenario, and i'm not intending to trivialize ICS implementation - just that these things are conceptually possible and similar methods have been used in industry for years.

      1. TrishaD

        Re: @Irongut

        "Even if correct, which i'd be inclined to ask for some evidence for, this neglects the controllers already deployed - which was much of the thrust of the presentation".

        Fair comment. I think there's good evidence that most agencies who are supporting critical national infrastructure in the UK are indeed following the right protocols - if only because CPNI (more power to their elbows on this one) have been campaigning in this area for some years

        I also take your point about ICS systems and economic constraints - they're built down to a budget, of course they are, and vendors are not particularly impressive when it comes to the implementation of secure design. But if they remain isolated, I'll maintain that there isnt an issue.

        The control systems that tend to worry me are those linked with with or developed from building management systems, particularly those associated with large public venues. BMS systems dont get a lot of publicity in terms of security controls which causes me to wonder how well they are actually controlled.

        1. Tim Parker

          Re: @Irongut

          "I think there's good evidence that most agencies who are supporting critical national infrastructure in the UK are indeed following the right protocols - if only because CPNI (more power to their elbows on this one) have been campaigning in this area for some years."

          That's good to hear. Agree with you on BMS derived systems, that's a frightening thought.....

  6. The elephant in the room
    Mushroom

    Black Hat 2013 or Black Suit 1982

    OK this isnt a fair comparison as deliberately writing spiked firmware is an entirely different kind of game, but the end result is the same:

    "http://en.wikipedia.org/wiki/Siberian_pipeline_sabotage"

  7. Anonymous Coward
    Anonymous Coward

    Costs of downtime drive behaviour

    The high cost of downtime (as much as $10 million per day) mean that these companies are well aware of security risks and are doing all they can to minimise these. Additionallty, recent disasters like Deepwater Horizon have shown how expensive a real event can be.

    Hypothetically, you could connect to an industrial controller and write directly to the datatables to make the system do something it shouldn't, but this is almost never possible in practice due to multiple layers of security, including physical access security as well as computer security.

    In fact, most systems are bolted down so tightly that you can't easily do your job. I worked on one system where we couldn't install any software on the client's computer because they themselves didn't have administrator access and their security consultant wouldn't let anyone else have access besides their own team. I also remember another case where a client's security team implemented security so tightly that they locked themselves out of the system and had to re-install from a backup...

  8. veeguy

    I agree with the "No downtime allowed" theory. I was recently dispatched to a paper mill for a problem on a coating machine. I opened the cabinet the AB SLC500 PLC was in, fired up my laptop and jacked in to the 5/04 processor. I opened the ladder logic program to troubleshoot, I had never worked at this plant before. I soon noticed a couple of employees behind me watching me work. The program was very convoluted, with tons of subroutines to examine. About 5 minutes into my troubleshooting, I noticed the group of observers had grown to include several manager types with suits on. I asked the company man I was working with what was up. He said that every minute this machine was down, it cost the company $4000.-. I found the problem after about 10 minutes, and it took another 15 minutes to replace the pressure sensor that was giving flaky readings. I was *very* happy to drive out the plant gates that day.

    1. John Smith 19 Gold badge
      Unhappy

      " I asked the company man I was working with what was up. He said that every minute this machine was down, it cost the company $4000.-. I"

      Perhaps they should have thought of that when they spec'd the hardware and made some better arrangements to localize faults.

  9. Anonymous Coward
    Facepalm

    It's déjà vu all over again Yogi* ..

    Reading this site is like being stuck in '12:01 PM' ..

    --

    * as was once said by Yogi Bear ..

This topic is closed for new posts.

Biting the hand that feeds IT © 1998–2021