"Too big to fail...."
Remember Stuxnet? You'll endure its hated-by-critics sequel if you don't patch your holey Siemens industrial kit
Industrial control software vulnerabilities, which would be perfect for next-gen Stuxnet-style worms to exploit, are as prevalent as ever, apparently. A report out this week from Tenable outlined a series of CVE-listed security holes in the products of four of the largest industrial control system (ICS) makers, including …
Wednesday 10th July 2019 22:30 GMT Anonymous Coward
Why are they using Windows and Siemens proprietary stuff anyway?
Like, if you've mastered the necessary engineering to build a uranium centrifuge, I'm pretty damn sure you could figure out how to wire it up to an arduino and some breadboard and get it talking to linux :P Not exactly rocket science...
(that's the building next door)
Friday 12th July 2019 07:47 GMT big_D
Re: Why are they using Windows and Siemens proprietary stuff anyway?
It is a lot more than Arduino and Linux. For a start, Linux is not a real-time OS, it is interrupt driven, in its standard form. That means that it isn't ideal for many industrial settings.
If you need answers in the millisecond spectrum, waiting for a disk IO to complete before reading an analogue register is too long and you have missed your opportunity.
There are some applications, where a normal system would work, but you still need to write the control interfaces and drivers for the equipment being used, And, yes, there are some RTOS versions of Linux on the market, but they usually have propriatary compenents as well. And mixing analogue and digital registers isn't always easy, there is a reason why the hardware and software is so expensive.
It isn't ideal, but it also isn't as easy to replace as you seem to think.
Wednesday 10th July 2019 23:57 GMT Anonymous Coward
Vulner what? Just getting a RSLInx connection without some DRM idiocy even when pleading / swearing / muttering right next to it should be enough of a challenge to ward off the bad guys. Perhaps Siemens could make their comms as bad so their users have fewer problems. Failing that a few hours / years spent talking to tech support (quote "turn off your firewall" & "buy another license") should break them. Shame really as the hardware is solid.
Thursday 11th July 2019 00:44 GMT Palpy
Ah, that really takes me back.
Indeed -- the initial setup, and subsequent troubleshooting, can make strong techs weep like schoolchildren. Before I retired I got to watch a factory tech slog into the bowels of an installation, muttering, to crouch like a balding gargoyle over his laptop whilst trying to get the SULFUROUSLY DAMNED Allen-Bradley PLC to take instruction. For... days.
That said, and as you say, once it is up and running the hardware is solid. Well, mostly. Unless the power supply gets jiggy.
And for those who say air-gap, air-gap: Yes, well, tell it to the vendors. Tell it to management. I tell ya, vendors are pushing online-everything -- diagnostics, data collection, remote troubleshooting, etc -- and management wants it all. So do the vendor's techs, 'cos house calls are so very twentieth-century. "Nobody does that anymore. Come on, plug in the ethernet and let us remote in!" Even if the equipment is spinning uranium isotopes at very high speeds.
Thursday 11th July 2019 07:27 GMT Claverhouse
Thursday 11th July 2019 09:48 GMT Anonymous Coward
Friday 12th July 2019 07:52 GMT big_D
Re: Ah, that really takes me back.
I know of one manufacturer locally, they have a CNC machine whose control software still runs on Windows XP. They have air-gapped it, because the CNC-manufacturer wants 7 figures to "upgrade" the software - well, the new software is already there, but only works with a newer model, which costs 7 figures. Given the old machine is still going strong, the just air-gapped.
The tech support always want to use TeamViewer to look at the machine. The IT manager remains firm, update the software to work on a supported platform and they can get TeamViewer access, otherwise they have to remote control the machine operator over the telephone.
Thursday 11th July 2019 01:36 GMT Anonymous Coward
Attacker could execute arbitrary commands through websockets
CVE-2019-10915,::“The vulnerability is an authentication bypass in the TIA Administrator server. An attacker could execute arbitrary application commands through websockets on the node.js server which is externally exposed by default.”
Nobody in their right mind uses a web server/web browser to control their industrial controllers.
Thursday 11th July 2019 01:51 GMT NetBlackOps
Thursday 11th July 2019 07:57 GMT amanfromMars 1
Re: Attacker could execute arbitrary commands through websockets
Nobody in their right mind uses a web server/web browser to control their industrial controllers. .... Walter Bishop
Oh yes they do ....... and also to command and control the industry of others, WB.
And that is what is so terrifying to the likes of a Microsoft Windows type Operation, for they be undoubtedly responsible and surely accountable for presentation and maintenance of the portal/utility/facility?
Thursday 11th July 2019 12:41 GMT katrinab
Thursday 11th July 2019 13:28 GMT Anonymous Coward
Friday 12th July 2019 07:56 GMT big_D
Thursday 11th July 2019 07:51 GMT amanfromMars 1
Re Abiding Achilles Heels ....... with Filthy Rich Honey Pots
Do not attempt to gain unauthorised access to, use or attempt to interfere with or compromise the normal functioning, operation or security of any network, system, computing facility, equipment, data or information, including but not limited to any attempt to probe, scan or test the vulnerability of a system or network or to breach security or authentication measures without the express authorisation of the owner of the system or network. This includes using sniffers or SNMP tools to gain such unauthorised access.
Do not attempt to circumvent user authentication or security of any host, network or account (a.k.a. "cracking"). This includes, but is not limited to, accessing data not intended for you, logging in to or making use of a server or accounts that you are not expressly authorised to access or probing the security of other networks.
Thursday 11th July 2019 15:26 GMT Lee D
That's okay, we all learned to put industrial controls on a managed and controlled and isolated and monitored internal network, with no direct access to the Internet, via firewalls and proxies and whatever else necessary to ensure they stay isolated from everything else and, where possible, even each other after the last thing like this.
Thursday 11th July 2019 19:59 GMT Anonymous Coward
@Lee D - Don't forget human factor
It seems the Stuxnet attack against Iran benefited from the modest contribution of an insider who offered to help the pest cross the air-gap. However since he was executed he couldn't claim the reward so the operation cost the Westerners almost nothing. Like someone was saying, it's good to be king.