back to article Amazingly insecure industrial control systems + internet = Cupful of nope

Many industrial control system are exposed to the internet, creating a severe risk because most are hopelessly insecure, according to a new study by Kaspersky Lab. To minimise the possibility of a cyber-attack, Industrial Control Systems (ICS) are supposed to be run in a physically isolated environment. In total, 188,019 hosts …

  1. Darryl

    The vulnerabilities aren't surprising, as a huge number of these controls are running old versions of Windows and doing things like patching and installing antivirus packages can bugger up the proprietary software that seems to be designed to be flaky on purpose to ensure lots of expensive after sales service by the manufacturer.

    What surprises me is why these things are connected to the internet? I can understand having to plug them in for remote support occasionally, but they should be isolated the rest of the time. That's what we've always done...

    1. Anonymous Coward

      Re : why these things are connected to the internet?

      Because it's cheaper to have one guy sitting behind a desk at a central location than several guys in the field to fix things when they go wrong...

      So the short answer (as always) is : Money...

    2. Anonymous Coward
      Anonymous Coward

      What surprises me is why these things are connected to the internet?

      Although I agree with Malie up there (the money drive) I also think there's another aspect to keep in mind: incompetence.

      It wouldn't be the first time that such a controller was accessible using the very hard to obtain username/password combination of admin/admin, or administrator/administrator (these are some examples which were discovered in Holland). Although there could be money concerns (I most certainly wouldn't rule the option out!) I also think there's an unhealthy dose of incompetence involved as well.

      Note: probably not from the engineers who placed and maintained all this, but from a public servant one level up. They have no clue what they're doing, they feel mighty important and so they deny the request to change any passwords because there's no procedure for that and they surely can't take any initiative themselves because that could put their position at risk.

      And so nothing changes.

    3. CommodorePet

      Probably Systems originally accessed via dial-up

      My best guess: For remote access, these kind of systems would have been accessed via a dial-up line - giving it some level of security via the phone system (drop the call if the caller-id doesn't match a known number, automatic call back, etc). As part of cost cutting, dedicated phone lines get absorbed into VOIP fabric, and then it's "let's get rid of this modem and connect it directly to the router".

      What little security it had was thusly stripped.

      It could be that the systems were always crap, but if you think back to Windows 3.1 / Windows 95 days, dial up was the only way to do networked stuff remotely.

      1. Mike 16

        Re: Probably Systems originally accessed via dial-up

        Given the apparent ease of having CallerID report whatever the scam artists want, I would definitely go for callback. Ah, those were the days, having the corporate VAX ring up my TRS-80 Model 100 so I could check my mail. And the remote logging systems using brick-sized mobile phones with a 9-pin serial connector and Hayes Compatible (tm, but that patent should never have issued) command set.

        As for "how many holes can you punch in internet-connected industrial systems?", one employer used a single admin password on all their manufacturing systems. Said password was the company name and last two digits of the current year. Of course, they only had about 500 employees, across a dozen plants, so I'm sure there was _never_ a problem with anybody leaving on less than friendly terms and carrying that secret with them.

  2. Duncan Macdonald

    Unpatchable control systems

    Many control systems are so old that no one now has access to the source files or the build environment. Given those conditions the only safe thing to do is to keep them physically isolated from the internet - the engineers often know that but are overridden by stupid management who want the convenience of remote access without considering potential costs. (Building a new up to date control system would cost so much money that it is almost never done.)

    If remote access is forced then using a dedicated firewalled gateway computer (NOT running Windows) may limit the damage. (Better still use 2 gateway systems - one connected to the internet and the second one connected to the control system with the link between the 2 using a protocol other than IP (for example DECNET phase 4) to make it difficult for an attacker to get from the internet to the control system.)

  3. Anonymous Coward
    Anonymous Coward

    Where's the link?

    It would be courteous (not to say useful) to include a link to the report on which this piece is based.

    1. Stoneshop

      Re: Where's the link?

      You mean this one under the very last word in the very last sentence of the very last paragraph?

  4. Anonymous Coward
    Anonymous Coward

    I expect the reason so many of these systems don't encrypt their comms is that they were originally designed for a plant environment, i.e. no off-site access ( this of course assumed that there was a low threat of bad hats having physical access on-site, but then if they have that you're probably lost anyway ).

    Along comes much more capable but cheaper hardware, universal adoption of GUI systems, and t'internet, and everything get replaced - except for the (probably undocumented) design assumptions.

  5. Captain Badmouth

    I wonder..

    just how many hooks the likes of IS may have in the system already?

  6. Anonymous Coward
    Anonymous Coward

    Old versions of Windows you don't know the half of it. Many of these systems are ROM based meaning it is very difficult to upgrade them. Most were designed for in plant intranets and considering the old hardware they replaced like RS-232/422 or proprietary stuff they are a huge improvement. I'm putting some of our stuff on the net now and security is what keeps me up at night.

    AC because I'm working on this type of stuff right now.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon