
(The Register) Followup: Industrial controller weakness used to ruin Iran's enrichment plant is worrying the US now that the cat is out of the bag (theregister.co.uk)
More: Followup, SCADA, critical infrastructure, Iran, ICs, environmental mitigation, remote access, FTP, internet slang

8845 clicks; posted to Main » on 14 Dec 2011 at 1:21 PM

66 Comments
 
2011-12-14 11:45:08 AM
According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.

Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?
 
2011-12-14 12:01:42 PM
Gee, who could have possibly seen this coming?
 
2011-12-14 12:20:18 PM
Lucky LaRue: Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?

I feel sometimes like the best engineers can never finish a project because they're always anticipating the issues. Unfortunately in a "ship it now fix it later" climate, the engineers who get the job are the ones who can show a working demo, long term consequences be damned.
 
2011-12-14 01:24:17 PM
Given that morons will pick up a random thumb drive left in the parking lot outside of a secure facility and plug it into their work computers, I can see what the worry is.
 
2011-12-14 01:27:17 PM
Having updated substation control systems to NERC-CIP compliance I'm getting a kick etc.

Seriously though - the industrial landscape has transitioned from highly technical and custom control systems and communication mediums to one that a high school kid can design. There has been a move to a TCP/IP backbone for industrial architecture and while it's been a good decision for robustness and troubleshooting it opens the door to the walled garden of control systems.

/former SCADA designer
 
2011-12-14 01:27:32 PM
these passwords ARE however completely useless when you don't plug a cat5e into the nuclear reactor then leave fifteen doors open and plug it in to the TV in the break room.

oh, and the passwords aren't passwords, they're pre-encryption keys for commands sent.
 
2011-12-14 01:28:43 PM
We are doomed. Doomed, I tell you.
 
2011-12-14 01:28:53 PM
This is all going as planned. Iran complained about this weakness being exploited in order to commit terrorist acts against them. When some third party now uses the same weakness and attacks US or European infrastructure, it will be characterized as Iranian terrorism.

Because they shouldn't have complained when it was done to them.
 
2011-12-14 01:30:13 PM
meat0918: Given that morons will pick up a random thumb drive left in the parking lot outside of a secure facility and plug it into their work computers, I can see what the worry is.

There's actually a whole part of the NERC guidelines that covers that
 
2011-12-14 01:31:07 PM
/Thinks we are RUNNING OUT OF TIME
 
2011-12-14 01:31:51 PM
Lucky LaRue: According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.

Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?


Publishing the password is not really the issue. The things would not really be much more secure if the passwords were secret. The real problem is that the passwords were hardcoded into the things.

I can't really imagine a situation where a hardcoded password in a mass produced piece of equipment meant for long term use could ever be considered a good idea, let alone secure.
 
2011-12-14 01:31:53 PM
Sow the wind, reap the whirlwind.

The CIA and others call this "blow back".

As for publishing the passwords in the manuals, who reads the farking manual? The password is safer in the manual than it would be on a sticky note, and the manual is safe as long as physical security is good.

Give any of my stupid friends, family, or coworkers a manual and the secret is safe until somebody throws it away.
 
2011-12-14 01:32:57 PM
AndreMA: When some third party now uses the same weakness and attacks US or European infrastructure, it will be characterized as Iranian terrorism.

"The main system terminal keeps repeating 'DESU DESU WE ARE LEGION'!"

"Damn you, Iran!"
 
2011-12-14 01:34:11 PM
Makes not encrypting my wireless router seem like a reasonable thing to do.

/I'm SURE my neighbors don't look at kiddie pictures on my open signal anyway.
 
2011-12-14 01:36:38 PM
detroitdoesntsuckthatbad: meat0918: Given that morons will pick up a random thumb drive left in the parking lot outside of a secure facility and plug it into their work computers, I can see what the worry is.

There's actually a whole part of the NERC guidelines that covers that


I was trying to find the study (DoD funded I think) that showed guidelines that govern what you can and cannot plug into secure systems didn't do jack, but failed to find it.

Hopefully it comes up here
 
2011-12-14 01:37:01 PM
If our enemies didn't know how to do it before this article, they sure as hell have some ideas now!
 
2011-12-14 01:38:49 PM
Loki-L: Lucky LaRue: According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.

Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?

Publishing the password is not really the issue. The things would not really be much more secure if the passwords were secret. The real problem is that the passwords were hardcoded into the things.

I can't really imagine a situation where a hardcoded password in a mass produced piece of equipment meant for long term use could ever be considered a good idea, let alone secure.


Not only that, but why even have a password? Couldn't the code be streamlined even more if there was no need for the password?

Sounds like taking a door with an unlockable knob on it, removing the knob, installing a lockable knob, and welding the key into it. What's the point? More billable hours for the programmer? "Look, I wrote a program that takes the input of A, changes it to the inverse and calls it B, then takes B and changes it to the inverse and calls it C, and then multiplies C by 2, and outputs the product and calls it 2A. WooHoo! Me am smart!" Just write the code that multiplies A by 2. Dumass.
 
2011-12-14 01:41:26 PM
Wait a minute. Hold on, Subby. Are you trying to tell us that some high school kid with an IBM XT, a 5.25" external floppy drive and a 4 Kbaud modem can access and activate the WOPR? This is an outrage!
 
2011-12-14 01:45:11 PM
detroitdoesntsuckthatbad: Having updated substation control systems to NERC-CIP compliance I'm getting a kick etc.

Seriously though - the industrial landscape has transitioned from highly technical and custom control systems and communication mediums to one that a high school kid can design. There has been a move to a TCP/IP backbone for industrial architecture and while it's been a good decision for robustness and troubleshooting it opens the door to the walled garden of control systems.

/former SCADA designer


A WTF I ran into last week while porting some code over to the 'ix environment:
a. The standard/registered Modbus TCP port is 502 (asa_appl_proto)
b. On a Unix/Linux system, your process needs superuser privileges to open a port numbered below 1024

Great. Defeat the built-in security, by design. For no reason whatsoever.

Now, I'm pretty sure that MY Modbus protocol code is immune from a buffer-overflow attack, but I betcha that there are implementations out there that aren't.
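The two points in the post above (a Modbus TCP listener has to start as root to bind port 502, and an implementation has to be careful with the frame length before it touches a buffer) can both be handled in a few lines. The following is an added example for this thread, not the commenter's code or any vendor's: it binds port 502 while privileged, drops to an unprivileged uid/gid before reading anything from the network, and validates the MBAP header's length field against the bytes actually received before exposing the PDU to the rest of the program. The uid/gid 65534 ("nobody" on many systems) and the two sample frames are assumptions constructed for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <netinet/in.h>

/* Modbus TCP framing: a 7-byte MBAP header followed by a PDU of at most 253 bytes. */
#define MBAP_LEN        7
#define MAX_ADU         260            /* MBAP_LEN + maximum PDU */
#define MODBUS_TCP_PORT 502

struct modbus_frame {
    uint16_t transaction_id;
    uint16_t protocol_id;              /* always 0 for Modbus */
    uint8_t  unit_id;
    uint8_t  function;
    const uint8_t *data;               /* points into the caller's buffer, never copied */
    size_t   data_len;
};

/* 0 = accept; negative = drop the frame without touching bytes beyond buf_len. */
enum { MB_OK = 0, MB_ERR_SHORT = -1, MB_ERR_TOO_LONG = -2, MB_ERR_PROTO = -3, MB_ERR_LENGTH = -4 };

int modbus_parse(const uint8_t *buf, size_t buf_len, struct modbus_frame *out)
{
    if (buf_len < MBAP_LEN + 1)        /* header plus at least a function code */
        return MB_ERR_SHORT;
    if (buf_len > MAX_ADU)
        return MB_ERR_TOO_LONG;
    uint16_t proto = (uint16_t)((buf[2] << 8) | buf[3]);
    uint16_t len   = (uint16_t)((buf[4] << 8) | buf[5]);   /* bytes that follow this field */
    if (proto != 0)
        return MB_ERR_PROTO;
    /* The length field must equal the bytes actually received after it (unit id +
       function + data). Trusting an oversized value and copying "len" bytes out of a
       fixed buffer is the classic overflow in protocol code. */
    if (len < 2 || (size_t)len != buf_len - 6)
        return MB_ERR_LENGTH;
    out->transaction_id = (uint16_t)((buf[0] << 8) | buf[1]);
    out->protocol_id    = proto;
    out->unit_id        = buf[6];
    out->function       = buf[7];
    out->data           = buf + 8;
    out->data_len       = buf_len - 8;
    return MB_OK;
}

/* Bind and listen on port 502 while still root (or holding CAP_NET_BIND_SERVICE)... */
int bind_modbus_port(void)
{
    int fd = socket(AF_INET, SOCK_STREAM, 0);
    if (fd < 0)
        return -1;
    struct sockaddr_in addr;
    memset(&addr, 0, sizeof addr);
    addr.sin_family      = AF_INET;
    addr.sin_port        = htons(MODBUS_TCP_PORT);
    addr.sin_addr.s_addr = htonl(INADDR_ANY);
    if (bind(fd, (struct sockaddr *)&addr, sizeof addr) < 0 || listen(fd, 8) < 0) {
        close(fd);
        return -1;
    }
    return fd;
}

/* ...then give the privilege up for good before reading a single byte from the network. */
int drop_privileges(uid_t uid, gid_t gid)
{
    if (setgid(gid) != 0)              /* group first: after setuid() this would fail */
        return -1;
    if (setuid(uid) != 0)
        return -1;
    return (getuid() == uid && geteuid() == uid) ? 0 : -1;
}

/* Constructed sample frames (not captured traffic): a well-formed Read Holding Registers
   request (unit 0x11, start 0x006B, 3 registers) and the same bytes with a bogus 0xFFFF length. */
static const uint8_t good_frame[] = { 0x00,0x01, 0x00,0x00, 0x00,0x06, 0x11, 0x03, 0x00,0x6B, 0x00,0x03 };
static const uint8_t bad_frame[]  = { 0x00,0x01, 0x00,0x00, 0xFF,0xFF, 0x11, 0x03, 0x00,0x6B, 0x00,0x03 };

int check_good_frame(void)
{
    struct modbus_frame f;
    int rc = modbus_parse(good_frame, sizeof good_frame, &f);
    return (rc == MB_OK && f.unit_id == 0x11 && f.function == 0x03 && f.data_len == 4) ? MB_OK : -99;
}

int check_bad_frame(void)
{
    struct modbus_frame f;
    return modbus_parse(bad_frame, sizeof bad_frame, &f);
}

int main(void)
{
    int fd = bind_modbus_port();
    if (fd < 0) { perror("bind 502"); return 1; }
    if (drop_privileges(65534, 65534) != 0) { perror("drop privileges"); return 1; }  /* 65534 = nobody, an assumption */
    int conn = accept(fd, NULL, NULL);
    if (conn < 0) { perror("accept"); return 1; }
    uint8_t buf[MAX_ADU + 1];          /* one spare byte so an over-long ADU is rejected, not silently truncated */
    ssize_t n = read(conn, buf, sizeof buf);
    struct modbus_frame f;
    int rc = (n > 0) ? modbus_parse(buf, (size_t)n, &f) : MB_ERR_SHORT;
    printf("frame %s (rc=%d)\n", rc == MB_OK ? "accepted" : "rejected", rc);
    close(conn);
    close(fd);
    return 0;
}
```

Running the program itself needs root (or a binary granted CAP_NET_BIND_SERVICE) only for the bind call; everything after drop_privileges, including the parser that handles untrusted input, runs unprivileged. The parser never reads past buf_len and the length check rejects a frame whose header claims more bytes than arrived, which is the case the original post worries about.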
 
2011-12-14 01:45:16 PM
brantgoose: As for publishing the passwords in the manuals, who reads the farking manual? The password is safer in the manual than it would be on a sticky note, and the manual is safe as long as physical security is good.

Give any of my stupid friends, family, or coworkers a manual and the secret is safe until somebody throws it away.


This. I work in Human Resources, and if you want to hide something, put it with on the shelf with all of the manuals, standard operating procedures, and regulations. Archaeologists will dig them up in a thousand years' time and marvel at the pristine condition in which they were found because nobody ever touched them. :P
 
2011-12-14 01:45:20 PM
How ironic. The stuxnet that our Men in Black created to fry Iran's program is now affecting our own.
 
2011-12-14 01:46:56 PM
detroitdoesntsuckthatbad: Seriously though - the industrial landscape has transitioned from highly technical and custom control systems and communication mediums to one that a high school kid can design. There has been a move to a TCP/IP backbone for industrial architecture and while it's been a good decision for robustness and troubleshooting it opens the door to the walled garden of control systems.

This, with a but.

Why would control systems be networked onto anything reaching an outside line? In most industrial facilities the computer that is handling this stuff is not connected to the network, mostly because the electricians are hourly personnel and they don't want them on facebook instead of programming PLCs and they don't want to risk a virus shutting down the production machinery.

/once had a vendor offer to setup a VPN system so he could monitor my equipment from his location.
//Told him to shove it
///seriously why would I want the computer that runs my $500,000 robot exposed to the internet?
 
2011-12-14 01:47:32 PM
So isolate the control network from the outside world.
 
2011-12-14 01:52:37 PM
Egoy3k: detroitdoesntsuckthatbad: Seriously though - the industrial landscape has transitioned from highly technical and custom control systems and communication mediums to one that a high school kid can design. There has been a move to a TCP/IP backbone for industrial architecture and while it's been a good decision for robustness and troubleshooting it opens the door to the walled garden of control systems.

This, with a but.

Why would control systems be networked onto anything reaching an outside line? In most industrial facilities the computer that is handling this stuff is not connected to the network, mostly because the electricians are hourly personnel and they don't want them on facebook instead of programming PLCs and they don't want to risk a virus shutting down the production machinery.

/once had a vendor offer to setup a VPN system so he could monitor my equipment from his location.
//Told him to shove it
///seriously why would I want the computer that runs my $500,000 robot exposed to the internet?


I hate to tell you but almost every major food and pharma facility in the US allow contractor VPN access for remote support as well as for the inhouse process control guys. It's scary but there has to be a level of trust for whoever you give the keys. My hope is if the company's product is important enough they take security seriously and manage that access tightly.

In my experience - they don't. It's a heck of a lot easier to give some guy an RSA key and a VPN client than to buy him a plane ticket and pop for a hotel.
 
2011-12-14 01:58:02 PM
meat0918: detroitdoesntsuckthatbad: meat0918: Given that morons will pick up a random thumb drive left in the parking lot outside of a secure facility and plug it into their work computers, I can see what the worry is.

There's actually a whole part of the NERC guidelines that covers that

I was trying to find the study (DoD funded I think) that showed guidelines that govern what you can and cannot plug into secure systems didn't do jack, but failed to find it.

Hopefully it comes up here


Here's the guidelines:

Don't plug anything into secure systems.

Good luck with that, and getting Seaman Schmuckitelli to not plug a USB-stick based flash game into the computer that controls the reactor on a sub. With all of the interchangeability that comes with USB, the people have become the last failsafe for systems security.

Brilliant, Batman.

Critical systems, if countries want them secured, will either need to be designed to not have USB, or go back to specifically designed systems that have no way to talk to the outside world.
 
2011-12-14 01:58:13 PM
this just in from Lindsey Graham.........

IRAN IS IN OUR BACKYARD!!!!

IRAN IS IN OUR BACKYARD!!!!

IRAN IS IN OUR BACKYARD!!!!
 
2011-12-14 02:01:02 PM
detroitdoesntsuckthatbad: In my experience - they don't. It's a heck of a lot easier to give some guy an RSA key and a VPN client than to buy him a plane ticket and pop for a hotel.

Well to be fair most of what you can do on the food side would just make it unpalatable, not deadly. On the pharma side.....that could be bad. I guess my (very limited) experience is the exception rather than the rule.

None of my equipment is monitored in real time at current and come to think of it I don't see them springing for a new network and computer if they did decide to let me network my machines.....so yeah I guess we would be the same here if it came to that.
 
2011-12-14 02:02:30 PM
the_innkeeper: Good luck with that, and getting Seaman Schmuckitelli to not plug a USB-stick based flash game into the computer that controls the reactor on a sub. With all of the interchangeability that comes with USB, the people have become the last failsafe for systems security.

Brilliant, Batman.

Critical systems, if countries want them secured, will either need to be designed to not have USB, or go back to specifically designed systems that have no way to talk to the outside world.


Or they could just effing disable autorun. It won't solve all of the problems, but it will stop the "oh hai, you has trojan now" when some dumbarse plugs in some random USB stick. As long as there isn't direct and malicious intent on the part of the user, that is.
 
2011-12-14 02:03:32 PM
Egoy3k: ///seriously why would I want the computer that runs my $500,000 robot exposed to the internet?

So your employer can call you while you are on vacation, have you VPN into that computer, and revert the patch that someone unqualified applied when you left your robot's side for a day.

/Sadly, I speak from experience
 
2011-12-14 02:06:05 PM
JackieRabbit: Wait a minute. Hold on, Subby. Are you trying to tell us that some high school kid with an IBM XT, a 5.25" external floppy drive and a 4 Kbaud modem can access and activate the WOPR? This is an outrage!

Actually, they were 8 inch floppies.
 
2011-12-14 02:07:00 PM
Lucky LaRue: According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.

Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?


He would publish it in a minute and his Farker fans would have no issue with it.
 
2011-12-14 02:08:36 PM
Egoy3k: detroitdoesntsuckthatbad: In my experience - they don't. It's a heck of a lot easier to give some guy an RSA key and a VPN client than to buy him a plane ticket and pop for a hotel.

Well to be fair most of what you can do on the food side would just make it unpalatable, not deadly. On the pharma side.....that could be bad. I guess my (very limited) experience is the exception rather than the rule.

None of my equipment is monitored in real time at current and come to think of it I don't see them springing for a new network and computer if they did decide to let me network my machines.....so yeah I guess we would be the same here if it came to that.



What I was working on for a lot of the smaller co-op electrical delivery companies they actually have the ability to trip offline parts of the grid from a remote account. There are very strict controls on who can do it but by nature of their business model they need to be able to act remotely. It's very unnerving to log onto a system in Raleigh and realize you can knock out Dallas. Additionally you can update relay settings which are not as immediate as opening a breaker but they sure can add instability to a network and in the long run can really screw a system.
 
2011-12-14 02:13:56 PM
thrasherrr: So your employer can call you while you are on vacation, have you VPN into that computer, and revert the patch that someone unqualified applied when you left your robot's side for a day.

/Sadly, I speak from experience



No see I'm not IT and cannot actually do that myself. They were in my department and my responsibility, but I really didn't have much of a clue on the nuts and bolts of programming them. I can code and I can troubleshoot but I would NOT be messing with something like that. If they called me on vacation about this the only input I could give is, "Well, fix it. Call me when you are done."

/mechanical engineer
//management
///don't judge me, it pays the bills
 
2011-12-14 02:17:14 PM
Latinwolf: Lucky LaRue: According to a blog post published on Monday by independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals.

Wait. We are talking about software used to control vital machinery in nuclear power plants, and someone thinks it's a good idea to publish the f*cking passwords?! Really?

He would publish it in a minute and his Farker fans would have no issue with it.


maybe because it's not his fault?

I'd be looking back to the publishers who somehow thought it was a good idea to make passwords public at any time in any semblances whatsoever. Those people should be fired.
 
2011-12-14 02:35:57 PM
And this is why you shouldn't use Siemens controllers.

/Not that Allen Bradley or Modicon are much better at security...
 
2011-12-14 02:40:17 PM
Well since the CIAsome guy wrote the virus to attack the controllers it's ok. It took an international team of Einsteins to break "some" of the virus code and at least figure out what it was doing.

/STUXNET What's it for? (new window)
//cookie?
 
2011-12-14 02:40:55 PM
I still don't get the need to have a water plant's control computers connected to the outside world.
 
2011-12-14 02:41:25 PM
plc5_250: And this is why you shouldn't use Siemens controllers.

/Not that Allen Bradley or Modicon are much better at security...


Coming from a guy named plc5_250 - I lol'd.
 
2011-12-14 02:42:05 PM
Egoy3k: detroitdoesntsuckthatbad: Seriously though - the industrial landscape has transitioned from highly technical and custom control systems and communication mediums to one that a high school kid can design. There has been a move to a TCP/IP backbone for industrial architecture and while it's been a good decision for robustness and troubleshooting it opens the door to the walled garden of control systems.

This, with a but.

Why would control systems be networked onto anything reaching an outside line? In most industrial facilities the computer that is handling this stuff is not connected to the network, mostly because the electricians are hourly personnel and they don't want them on facebook instead of programming PLCs and they don't want to risk a virus shutting down the production machinery.

/once had a vendor offer to setup a VPN system so he could monitor my equipment from his location.
//Told him to shove it
///seriously why would I want the computer that runs my $500,000 robot exposed to the internet?


Typically it is not. But it is connected to a network that also isn't exposed to the outside. Later, someone is doing upgrades and everyone on the network is clamoring to access adjacent site B. A link is made between site A and site B. Eventually someone at site B wants to connect with site C. The fifteenth incarnation of the Network guy at site B looks at his network and sees no issues and connects site C. Somewhere on site C there is a link to the outside.

Now your robot is exposed to the Internet via several layers of abstraction. When you first checked with site A, they were not exposed. When A checked with B, they were not exposed. When B checked with C, they were exposed, but B had no requirement or need to not be exposed, and manager 15 had no clue about the agreement between you and A.

Sometimes though, people just don't think it through.
 
2011-12-14 02:43:45 PM
plc5_250: And this is why you shouldn't use Siemens controllers.

/Not that Allen Bradley or Modicon are much better at security...


I really dislike Modicon, and I'm not sure why.
 
2011-12-14 02:45:46 PM
detroitdoesntsuckthatbad: plc5_250: And this is why you shouldn't use Siemens controllers.

/Not that Allen Bradley or Modicon are much better at security...

Coming from a guy named plc5_250 - I lol'd.


Glad you enjoyed that!

Let's see if you can figure this one out: I was ABEL to get that CELL working after a bit of reverse engineering. :)
 
2011-12-14 02:48:09 PM
Launch Code: If our enemies didn't know how to do it before this article, they sure as hell have some ideas now!

Yeah -- America's enemies are trolling The Register for ideas on how to disrupt complicated refining machinery and this was just the article that made everything click for them. -- America's enemies have absolutely no idea how to penetrate the USA and its super shell of security, but now that The Register has some info they are going to DESTROY some equipment.

Because bombing a greyhound bus would be like... complicated and stuff.
 
2011-12-14 02:56:04 PM
Egoy3k: If they called me on vacation about this the only input I could give is, "Well, fix it. Call me when you are done."

As management here, you would be the one to call someone qualified in when the bloody murder yells started.

Your shop may be more enlightened. I've been chewed out for NOT waking up someone on the other side of the world on his Saturday AM.

/We aren't on call, technically
 
2011-12-14 03:14:41 PM
thrasherrr: Egoy3k: If they called me on vacation about this the only input I could give is, "Well, fix it. Call me when you are done."

As management here, you would be the one to call someone qualified in when the bloody murder yells started.

Your shop may be more enlightened. I've been chewed out for NOT waking up someone on the other side of the world on his Saturday AM.

/We aren't on call, technically


Oh I do that, and I'm OK with it. I do understand my machinery pretty well and I always like to learn more. I can operate every piece of equipment in my department, just not as well as the actual operators who are highly skilled in this line of work. I once worked as a maintenance supervisor at a brewery and had a can filler lock up with sterilizer in it at 3 AM on a Saturday morning. The sterilizer in question can pit stainless steel if left to its own devices for too long. Needless to say I called the experts real quick. The experts failed to respond though so I had to figure it out myself anyway. It wasn't exactly a fun night and I was rewarded with a beer/water/sterilizer shower when I finally manually forced the valve open.

Getting paid salary instead of hourly is just another exchange. You get better pay, vacation, benefits, and a nice pension, nobody questions your comings or goings, but in return the company basically owns your ass.
 
2011-12-14 04:07:11 PM
the_innkeeper: Critical systems, if countries want them secured, will either need to be designed to not have USB, or go back to specifically designed systems that have no way to talk to the outside world.

i remember reading that this was the knee-jerk reaction after cpl. fruitypants took a "lady gaga" CD full of intel and FedEx-ed it to julian's assrange. this was made the official policy for level 9001 secured systems. however - it doesn't work in practice so there is a don't-ask-don't-tell about violations for removing data (the irony is not lost).

it was an interesting read about how the various gov't security levels work. however - i lost all faith in "gov't security" when i found out this indonesian girl i was banging had Q clearance to nuclear materials. her dad was a general in the indonesian military and this was at the time of the bali bombings when the country was very open about protecting the mastermind terrorist guy.

/csb
//too lazy for citations
 
2011-12-14 04:08:29 PM
Did StuxNet have anything to do with remote access? I thought it was a self contained package.
 
2011-12-14 04:28:37 PM
scanman61: Did StuxNet have anything to do with remote access? I thought it was a self contained package.

Not to the PLCs it didn't. It interacted with PLCs by "rootkitting" (for lack of a better term) the software (on a Windows PC) used to program the PLCs. It intercepted commands to and from the programming software and injected its own commands at times.

Remote access to the programming/engineering PCs? Oh hell yes. Six ways to Sunday it could move its ass through an installation site via direct ethernet, printers, infected USB keys, infected files, etc.
 
2011-12-14 04:30:31 PM
As an independent IT contractor, the lack of security EVERYWHERE is sickening. Massive corporate networks whose ENTIRE security policies rely on Active Directory. Which is to say, if you connect to the network and don't politely ask to be restricted, you aren't.

Out-of-band router consoles connected to external modems for ghetto remote administration. Problem is Out-of-band configuration lets you reset all passwords so all you need is a phone number and all their base are belong to you.

Default settings, default settings everywhere.

utterly INSANE 'hiring' practices too. You want me to fix and subsequently 'hack' into your freight server in (redacted) that has a direct line to your corporate office in (redacted). You have never seen me. You don't know my name. You don't even send me a work order. I'm just supposed to talk my way into your server room. You only want to spend 15 bucks an hour? This will end well.

Protip: you aren't paying a good IT guy 75-100 bucks an hour for what he/she CAN do. You are paying them for what they DON'T do while they are there.
 
2011-12-14 04:31:39 PM
plc5_250: And this is why you shouldn't use Siemens controllers.

/Not that Allen Bradley or Modicon are much better at security...


All I've seen in my machines are Omron.
 
2011-12-14 04:49:23 PM
itsdan: I feel sometimes like the best engineers can never finish a project because they're always anticipating the issues. Unfortunately in a "ship it now fix it later" climate, the engineers who get the job are the ones who can show a working demo, long term consequences be damned.

Egoy3k: /mechanical engineer
//management
///don't judge me, it pays the bills


Two things about the engineering world today that should scare the crap out of people:

1) It's always more important to do it fast than it is to do it right.

2) Like what you're doing? Good at it? Then we'll make you a manager and you'll never do it again.

/Eventually, these will get someone important killed, and then we'll think about correcting them.
 
Displayed 50 of 66 comments