Ever wonder how hackers could possibly pwn power plants? Here are 54 Siemens bugs that could explain things

Asking the obvious question...

Siemens recommends administrators lock down the server from any sort of external network access.

It doesn't take much searching to discover that Siemens offers remote support as an integral part of its tech support package. Ho hum.

Difficult..

"So far, Siemens says it has only been able to patch three of the bugs. Siemens recommends administrators lock down the server from any sort of external network access."

....with certain software vendors pushing more and more of their stuff to the cloud.

Siemens recommends administrators lock down the server from any sort of external network access.

Errr ... doh! :-) This is a damn infra-structure power plant not an IoT light bulb in Jonny's bedroom, I would hope that's *always* the case.

Production control systems were built before the internet

When I was implementing systems in a COMAH chemical plant around the millennium it was acknowledged that the control systems had to be air gapped from the rest of the plant network as there was no way the kit could be secured. In effect there we had 3 disparate cabling systems

The hard wired connections between sensors, machinery and the control room. The cat 3 wired network (yes really) which provided voice and data services to the plant and all offices and the hard wired 50+ year old 'red phone' network which was to be used in the case if an emergency. Needless to say these 3 networks shared ducts along the 1/4 mile long production processing plant the air gap approach did mean that it was necessary to lay serial cab;es hundreds of meters between the control room and tanks to allow the tank levels to be reported. Add in the fact that it was necessary to get feeds on tank levels, flow rates etc into the AS400 Business Planning and control system and we had a bit of a conundrum.

It was done and I was told it was secure but I had many doubts. Bearing in mind that access to the control room systems could potentially allow the release of large volumes of Chlorine as one of the less nasty ingredients I was glad I lived 20 miles away.

What works shall remain

The problem with industrial hardware is that much of it HAS to work with the 30 year old (or older) predecessor. Especially for things like PLCs this means a lot of them are bodge jobs with a lot of baggage from previous implementations that we NOW know to be insufficiently protected (But were considered good enough in the past). It's VERY hard moving away to completely new systems in any plant that already exists.

The best that can be done is proper air-gapping and a security conscious implementation of network access protocols. If getting on the network requires physical access you can provide more lines of defense in the form of (as called above) Guards, Guns and Gates. There's a reason you'd get rugby tackled in many chemical plants if you carry around a laptop within the security boundry without the proper credentials. Paranoid doesn't begin to cover it in some instances.

Optimal design is often a unicorn.

In my experience in the field, real-world design --

-- may have to run machine-level kit which uses decades-old software;

-- may compromise security to facilitate process data handling across networks;

-- may come under pressure from management to permit remote or wireless monitoring-and-control;

-- may have to implement back compatibility in order to interface with existing control subsystems.

And so forth.

I hope that when commentard kmedcalf wrote, "It is highly unlikely that the Systems Engineers or Instrumentation will get it wrong" he or she was being sarcastic. For one example, Boeing system engineers and instrumentation experts certainly managed to "get it wrong" multiple times in designing the control automation for the 737 Max.

My question has always been why are they online and accessible to hackers? Critical infrastructure components should have their own lines dropped, a closed system.

Having seen many PLCs and allegedly industrially hardened IT over the years; examples where they are really hardened seem to be few and far between.

Siemens are certainly not the only culprit in this arena. Leaving wide attack surfaces seems to be a common feature of almost all current PLC; for inevitably the PLC itself is attached to a Windows box for "user interface". I've seen XP boxes being installed as late as 2015 as UI to a PLC. Not even the embedded edition!

Some would argue that airgapping is a defence, but one well placed USB stick soon beats that. And don't mention the difficulties of patching an air-gapped, USB-banned network.