Bugtraq mailing list archives

Previous By Date Next
Previous By Thread Next

Re: Vulnerabilities in some SCADA server softwares

From: Kent Borg <kentborg () borg org>
Date: Thu, 24 Mar 2011 13:02:18 -0400
Simple Nomad wrote:
2. Ensure that these systems, if they exist, are not accessible from either the Internet or even the local network where most of the users are. 


Much easier said than done.
The really scary SCADA systems are small cogs in large facilities that have been been built up over the years. New bits added now and then, old bits removed, things reconfigured. How do they know whether they are connected to the larger internet? And if they know one day how do they know a week later that no one plugged in something s/he shouldn't? ("I just wanted to check my e-mail...")
I am not saying it is impossible to keep a network isolated, but when dealing with a big legacy system (maybe measured in acres/hectares) with lots of random personnel tempted to do random things, and other annoying daily requirements (manufacturing the clothespins, generating the power--whatever it is that pays the bills), it is hard to do everything necessary to mitigate all dangerous and poorly documented security decisions, some from many years ago.
And even if one is successful in being isolated, it sounds like Stuxnet didn't require a direct connection, I think it could spread the old fashioned way, via sneakernet. How do you stop that? (And then how do you apply a security fix from the responsible SCADA manufacturer?)
As for encouraging creation and application of patches, say the responsible SCADA manufacturer sends a floppy (!) with a patch to your local, aging, nuclear power plant:
Hmmm, we have three motor controllers that possibly match the model numbers they say this is for. The one circulating the number one storage pool has an "-A" suffix that the others don't, and it isn't mentioned on the datasheet that came with floppy. I phoned the manufacturer's help line and was told the patch is compatible. 

What do *you* want them to do with that floppy...?
(I have no idea if nukes use computerized motor controllers--if not, substitute "chemical plant" or "oil refinery" or...)
Yes, one can be more stupid or more smart, I am all for the smart stuff, and lots of us know lots of smart stuff, but I fear some underestimate the difficulties with legacy SCADA.
-kb, the Kent who is willing to bet there are SCADA products available with features that require a connection to the public internet.
Previous By Date Next
Previous By Thread Next

Current thread: