Bugtraq mailing list archives
Re: Vulnerabilities in some SCADA server softwares
From: Kent Borg <kentborg () borg org>
Date: Thu, 24 Mar 2011 13:02:18 -0400
Simple Nomad wrote:
2. Ensure that these systems, if they exist, are not accessible from either the Internet or even the local network where most of the users are.
Much easier said than done.The really scary SCADA systems are small cogs in large facilities that have been been built up over the years. New bits added now and then, old bits removed, things reconfigured. How do they know whether they are connected to the larger internet? And if they know one day how do they know a week later that no one plugged in something s/he shouldn't? ("I just wanted to check my e-mail...")
I am not saying it is impossible to keep a network isolated, but when dealing with a big legacy system (maybe measured in acres/hectares) with lots of random personnel tempted to do random things, and other annoying daily requirements (manufacturing the clothespins, generating the power--whatever it is that pays the bills), it is hard to do everything necessary to mitigate all dangerous and poorly documented security decisions, some from many years ago.
And even if one is successful in being isolated, it sounds like Stuxnet didn't require a direct connection, I think it could spread the old fashioned way, via sneakernet. How do you stop that? (And then how do you apply a security fix from the responsible SCADA manufacturer?)
As for encouraging creation and application of patches, say the responsible SCADA manufacturer sends a floppy (!) with a patch to your local, aging, nuclear power plant:
Hmmm, we have three motor controllers that possibly match the model numbers they say this is for. The one circulating the number one storage pool has an "-A" suffix that the others don't, and it isn't mentioned on the datasheet that came with floppy. I phoned the manufacturer's help line and was told the patch is compatible.
What do *you* want them to do with that floppy...?(I have no idea if nukes use computerized motor controllers--if not, substitute "chemical plant" or "oil refinery" or...)
Yes, one can be more stupid or more smart, I am all for the smart stuff, and lots of us know lots of smart stuff, but I fear some underestimate the difficulties with legacy SCADA.
-kb, the Kent who is willing to bet there are SCADA products available with features that require a connection to the public internet.
Current thread:
- Re: Vulnerabilities in some SCADA server softwares, (continued)
- Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares R Michael Williams (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 23)
- RE: Vulnerabilities in some SCADA server softwares Jim Harrison (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Luigi Auriemma (Mar 23)
- RE: Vulnerabilities in some SCADA server softwares Jim Harrison (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Theo de Raadt (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Simple Nomad (Mar 23)
- Message not available
- Re: Vulnerabilities in some SCADA server softwares Simple Nomad (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Kent Borg (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Theo de Raadt (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Jamie Riden (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Willy Tarreau (Mar 25)
- Re: Vulnerabilities in some SCADA server softwares bugtraq (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares CJC (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares Michal Zalewski (Mar 24)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares Mike Hoskins (Mar 23)
- Re: Vulnerabilities in some SCADA server softwares J. Oquendo (Mar 24)