back to article BlackEnergy crimeware coursing through US control systems

Industrial control systems in the United States have been compromised by the BlackEnergy malware toolkit for at least three years in a campaign the US Computer Emergency Response Team has dubbed "ongoing" and sophisticated. Attackers had compromised unnamed industrial control system operators and implanted BlackEnergy on …

  1. Paul Crawford Silver badge

    Colour me unsurprised

    So we have internet-connected machines running critical control stuff, probably not OS patched due to the risks of disruption from untested interactions or bad patches (and the near-inevitable reboots in these as windows-based system), and probably not application patched due to vendors taking their time and/or the same risks of downtime, more testing needed, etc.

    And they get compromised.

    Are there any El Reg readers who are surprised?

    1. Anonymous Coward
      Anonymous Coward

      Re: Colour me unsurprised

      "So we have internet-connected machines running critical control stuff, probably not OS patched due to the risks of disruption from untested interactions or bad patches (and the near-inevitable reboots in these as windows-based system)"

      If they are not patched, then there would be no need to reboot them. We just found a Windows Server 2003 box with over 4 years uptime!

      1. Paul Crawford Silver badge

        Re: AC

        "not patched, then there would be no need to reboot"

        That was what I meant, these days an unmolested Windows box (as for Linux) should stay up more or less indefinitely.

        The problems come when patching, and that leads you to the "soapy frog dilemma":

        (1) Do you leave things alone because they are working, and risk someone coming along with a bucket of soapy frogs, or;

        (2) Do you patch/update them to keep your trousers on, and risk breaking things.

        1. The Man Who Fell To Earth Silver badge

          Re: AC

          Maybe there's a business opportunity for checking & cleaning these systems...

  2. Anonymous Coward
    Anonymous Coward

    Simple fix

    Zero Point Module

    I have done a patent search and apart from trademarks there is no prior art on the idea of using 40Km2 in the way I have designed, module good for over 400 years of power assuming low radiation environment and may be a lot longer depending on other factors.

    Experimental prototype under construction, check arXiv shortly.

    1. Anonymous Coward
      Anonymous Coward

      Re: Simple fix

      Does a tin foil hat come with that?

      1. Destroy All Monsters Silver badge

        Re: Simple fix

        How do I download module from arxiv?

        1. Anonymous Coward
          Anonymous Coward

          Re: Simple fix

          Still trying to get my fusor working to enrich the 40K in the first place.

          40Km2 is very rare in nature it seems, maybe one atom in 1000 of 40K so in real terms nearly undetectable which is why it was missed.

          40K + low energy neutrons = 40Km2 which is the isomer used.

          It is only possible with fusors due to the nature of the neutron emission which simply cannot be achieved with any configuration of fission reactors and neutron moderators.

          I am probably correct in this conclusion as you can irradiate indium as a neutron detector and it will then emit a well defined low energy gamma ray for the hour or so it takes to decay.

          Main sticking point with the fusor is that I can't get deuterium cheaply, due to proliferation concerns.

          D2O or HDO is used in neutron detectors but is very hard to find surplus.

          It might be possible to make using the LHC, I expect CERN would probably approve it once the pilot plant is in operation as it would be a matter of simply leaving blocks of moderator cased 40KI next to the collision zones and waiting a month for each charge to complete.

  3. This post has been deleted by its author

    1. Salts

      Re: Let the soft- war----e begin

      If you read Legacy of Ashes: The History of the CIA by Tim Weiner and what the CIA is alleged to have done to a Russian oil pipeline, you will find yourself even more convinced. It's not even tin foil hat territory, I agree with you this is more likely to cause WWIII than some trigger happy country with nukes.

  4. Anonymous Coward
    Anonymous Coward

    This is just the start ...

    Just wait until our homes, our vehicles, our utilities and our cities are all connected to the Internet of Things, by cheap gadgets with minimal provision for security. The IOT will become Critical National

    Infrastructure but no-one seems to acknowledge this

  5. Destroy All Monsters Silver badge


    Every weel another layers of pwnage is being discovered.

    It's like the "agressive clown spree" that has reportedly been plaguing european cities in recent times.

    Maybe there is a connection between the planes of existence of the real world and the information world? How can we know?

  6. thames

    So just another Windows Virus?

    The article seems to waffle around to avoid mentioning that this is at its heart just another Windows virus, like the tens (hundreds?) of thousands of other Windows viruses already circulating around. The "industrial" application software running on the targeted Windows PC is the only novelty here.

    Software like Cimplicity or WinCC (I'm not familiar with WebAccess) are not even really "control systems". They're Windows programs which are used to monitor the actual control systems, which are proprietary boxes dedicated to running proprietary software and connected to the Windows PC running WinCC (or whatever) via an Ethernet or RS-485 cable to pass the monitoring data back and forth. The software running on the Windows PCs displays a nice graphical view of what is going on, and also usually logs data to a database (typically MS SQL Server).

    Let's take the mystery out of all of this. The actual control systems are not getting infected. The viruses are doing the same thing here that they are doing to all the other Windows PCs in the company.

    What the viruses can do is to send commands to do things like dial set-point values up and down which might do things like spoil your batch of product. This is what Stuxnet did. More likely, they will snarf up production data so your competitor (who outsourced his industrial espionage to someone in China) is going to know what is in the recipes you use and how much stuff you are making (and presumably selling).

    Your production line is not going to blow up from a virus. The reason for this is because the guy who designed it, if he was at all competent, will assume that the Windows PC is going to screw up with or without a virus. Software has bugs. Windows craps itself now and again. You assume this is going to happen so your control **system** is designed with that in mind. Where I live, you won't be allowed to put into production any sort of industrial machine without an engineering report that says you took all this into account.

    What the virus can do is cost you money in lost production. The biggest problems are that a) industrial control system designers generally don't know much about Windows and b) industrial software companies want nothing to do with security. To them, that's up to the guys mentioned in point "a", who happen to know everything about servo drives and nothing about Windows.

    The solution involves:

    a) Tfhe HMI and SCADA vendors taking responsibility for providing a complete package, including the OS,

    b) The package including repositories for supported third party components (like a Linux distro does), and

    c) Standardizing industrial communications protocols instead of the current ludicrous situation where everyone has their own proprietary protocol, but they're all declared to be "standard" (just like every retard gets declared a winner in school) so we get rid of 95% of the security holes which relate to COM/DCOM based OPC (where the standard debugging ritual consists of gradually turning off all the security until things mysteriously start to work).

    Everyone in the business knows what the problems are. The people who have their heads screwed on know what the solution is. The problem is that the current dominant vendors are only interested in selling proprietary hardware and are afraid that **any** change at all will disturb their painstakingly constructed vendor lock-in strategies.

  7. dhcp pump


    most !,: cough industrial control systems have a hardware lock and physical lock on the processor ,if this is applied and the controlling code has safeguards then it near impossible to change the actual control system unless the cs parameters are modified.

    As mentioned the gui or win interface is only that ,able to control and monitor ( hmi ,scada) of the actual plant which isnt controlled by windows ,ie : if the windows box goes down the system wont stop or change.

    if the systems integrator has the code on the scada for the plc etc and doesnt lock the processors then that could be trouble if the PMI /win box is comprimised ,now who would do that ???.

    1. chris 17 Silver badge

      Re: lockit

      How does a hardware lock and cpu lock stop someone remotely controlling the system from its connected controlling windows box that is connected to the Internet?

      1. strings

        Re: lockit

        You obviously dont understand scada systems ! and what they actually do.

        Simplified ver ;

        The cpu ( usually arm or other) in a nuclear or oil plant is a SIL rated plc or controller,the executing code is self checked and cannot exceed the rated set points and algorithms currently in memory and cpu.

        The scada system is the driving (window) or operating platform for the system you are controlling ,with the overarching control of the process in this isntance governed ' completely by the CPU on the plant controllers.

        If the cpu coding programme is installed on the scada ( win) machine ,which is a big mistake and often done by plant engineers who dont have any process security then the code could be changed if the running code is not passworded and physically locked,the physical lock on the plant processor stops and write functions to the cpu or memory ,except for the static code that is in operation.

        In laymens terms its like you driving a car,you can only push the pedal so far and no more fuel will be injected into the car enginer than what the ecu allows for the air /fuel ratio set by the m/f,for you to push the pedal and extract or inject more fuel you would need to either have a piggy back system ( to emulate false conditions) or have the access code for the existing ecu /cpu so you can recode the m/f setpoints to allow a richer or leaner a/f ratio.

  8. Anonymous Coward
    Anonymous Coward

    Re. ZPM

    Hey Destroy All Monsters I am still working on this.

    Trying to get parts ATM, had some issues with the postal system but now somewhat fixed.

    BOM so far is:

    Y123 (obtained)

    O2 (to anneal the Y123) - still trying on that one but works out around £40

    40K (easy)

    Recrystallize 40K to get rid of unwanted 39K and 41K - feasible, tested in lab

    LN2 - doable but again the cost is quite high.

    Fusor - need to scratch build

    Vacuum pump - need to rebuild

    HV supply for fusor - old dead flat panel driver PCBs with 5 stage C/W, confirmed this does work.

    My current estimate is that the whole setup will fit onto a kitchen table (about 2m3) but the main

    problem is that poxy LN2 for which it would need ETSC materials which are not yet stable enough

    for Tc much over 138K.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon