Threat group builds custom malware to attack industrial systems

Hackers have created custom tools to control a range of industrial control system (ICS) and supervisory control and data acquisition (SCADA) devices, marking the latest threat to a range of critical infrastructure in the United States, according to several government agencies. In an alert this week, the Cybersecurity and …

  1. Mike 137 Silver badge

    "Attackers need an initial point of compromise..."

    Why, oh why are these devices openly visible on the public internet?

    At the very least they should be accessible only from specific static IP addresses via a proxy with secret access credentials. At best, they should be strictly air gapped.

    SCADA kit has lifetimes in whole decades and has until now not been designed primarily to protect against malicious access, but the prospect of 'secure' SCADA with regular online 'security updates' doesn't bear thinking about given the potential implications of bricking via a bad update.

    1. Paul Crawford Silver badge

      Re: "Attackers need an initial point of compromise..."

      I am always amazed and appalled that such systems are accessible either directly from the internet, or even internally from PCs used for web/email.

      That level of security fail should result in senior executives facing jail time, maybe then they would pay more attention to having a network system designed on the assumption the bad guys are not only trying to get in, but are already in your web browser.

      1. DS999 Silver badge

        Re: "Attackers need an initial point of compromise..."

        Well we can give people that advice all we want, but they like the convenience until they get hacked. Ukraine seems to have learned the lessons of Russian hacks on their power grid in 2015 well, and likely disconnected everything from the internet after that or they would have seen further hacks.

        However, most likely Russia is now trying to plant the malware INTERNALLY, as they have surely taken over a few facilities on the Ukrainian grid's internal network like power plants and switching stations. So Ukraine would have to disconnect internal connections from anything they do not control or where there's a chance they might lose control in the near future.

    2. Wo

      Re: "Attackers need an initial point of compromise..."

      Why do you assume they are visible from a public internet?

      The malware is designed to search for attack systems once they have access to the internal OT network.

      Schneider have issued a statement that the tools are not even using vulnerabilities, just standard features.

      https://www.securityweek.com/russia-linked-pipedreamincontroller-ics-malware-designed-target-energy-facilities

      1. Mike 137 Silver badge

        Re: "Attackers need an initial point of compromise..."

        "Why do you assume they are visible from a public internet?"

        Indirectly, at least, they must be visible from the public internet or they couldn't be attacked at all. Connecting your critical technologies to the same LAN on which staff browse the web (as DigiNotar did) is idiotic, but excessively common. Apart from which, the expectation of control access from 'anywhere' (for engineer convenience) results in the systems being open to attack unless strict precautions are in place (and usually, they're not).

        The same hazard is widely encountered in the case of POS terminals. I guess the fundamental problem may be that those setting up the connectivity are general IT folks who may not understand the sensitivity of the devices they're interfacing to.

      2. OhForF' Silver badge

        Re: "Attackers need an initial point of compromise..."

        >Schneider have issued a statement that the tools are not even using vulnerabilities, just standard features.

        This is part of the problem.

        Most PLC systems (not only Schneider) use a threat model saying anyone on the local subnet is trustworthy, thus the network access must be secured. The PLC systems usually don't support any modern form of authentication - you either give access to nobody or to anyone able to reach it on the network.

        At the same time today you will want to provide a maintenance connection to whoever is in charge of programming said PLC systems. Of course this maintenance connection should use VPN and other steps to secure the access but using an air gap to the internet is usually not an option.

        Air gapping the PLC network would result in lengthy wait times for technicians to arrive on site while production is stopped.

        If any of the accomplished commentards knows a good and practicable solution I'd love to hear about it.
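One practical compensating control for the "anyone on the subnet is trusted" model described above, and for the static-address allowlist suggested earlier in the thread, is to watch the control network for state-changing requests that come from anywhere other than the known engineering workstations. The script below is an added example, not code from the thread or from any vendor: it assumes the PLCs speak Modbus/TCP (a protocol the comments do not name), parses the MBAP header and function code of each captured frame, and raises an alert for write function codes from hosts outside an allowlist. The sample frames and addresses are constructed.

```python
"""Flag Modbus/TCP write requests from hosts outside the engineering allowlist.
Added example (not from the forum thread). Assumes the PLCs speak Modbus/TCP
and that the legitimate engineering workstations are known. Sample data is constructed."""
import struct
from ipaddress import ip_address, ip_network

# Modbus function codes that change PLC state; reads are left alone.
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_mbap(frame: bytes):
    """Return (unit_id, function_code) from a Modbus/TCP frame, or None if malformed."""
    if len(frame) < 8:
        return None
    _tid, pid, length, unit = struct.unpack(">HHHB", frame[:7])
    # Protocol id must be 0; MBAP length counts the unit id plus the PDU.
    if pid != 0 or length != len(frame) - 6:
        return None
    return unit, frame[7]

def find_unexpected_writes(flows, allowed_sources):
    """flows: iterable of (src_ip, dst_ip, frame). Returns a list of alert dicts."""
    allowed = [ip_network(n) for n in allowed_sources]
    alerts = []
    for src, dst, frame in flows:
        parsed = parse_mbap(frame)
        if parsed is None:
            continue  # not Modbus/TCP, or truncated; a real deployment would count these too
        unit, fc = parsed
        if fc in WRITE_FUNCTIONS and not any(ip_address(src) in n for n in allowed):
            alerts.append({"src": src, "dst": dst, "unit": unit, "function": WRITE_FUNCTIONS[fc]})
    return alerts

# Constructed sample traffic: a read, a write from the engineering station, a write from an office PC.
SAMPLE_FLOWS = [
    ("10.0.1.20", "10.0.1.5", bytes.fromhex("000100000006010300000001")),  # read holding registers
    ("10.0.1.20", "10.0.1.5", bytes.fromhex("0002000000060106000100ff")),  # write register, allowed host
    ("10.0.2.77", "10.0.1.5", bytes.fromhex("000300000006010500010000")),  # write coil, office PC
]
ENGINEERING_STATIONS = ["10.0.1.20/32"]

if __name__ == "__main__":
    for alert in find_unexpected_writes(SAMPLE_FLOWS, ENGINEERING_STATIONS):
        print(alert)
```

Fed from a span port or a Modbus-aware sensor, this gives the plant a record of who wrote to which unit, which is exactly the visibility a PLC with no authentication cannot provide on its own.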

  2. Will Godfrey Silver badge

    Greed + Stupidity

    The engineering company I used to work for was asked to provide network access to complex machinery a few times. The on-site crew (the ones the manglement wanted to get rid of) understood the risks immediately, but the Ivory Tower lot only started to think a bit when they saw our contract terms in big bold lettering:

    "The company accepts no liability for loss or damage due to network faults or external interference."

  3. John Brown (no body) Silver badge

    I do wish...

    ...that these TLAs and/or security companies would stop with the "cool" and "catchy" names they give to malware and the groups using them. What's wrong with "Nth Korean Wankers", "Russian BearShitters", and similar derogatory names for these criminal groups?
