nanog mailing list archives

Re: First real-world SCADA attack in US


From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 21 Nov 2011 17:02:34 -0500

On Mon, Nov 21, 2011 at 4:51 PM, Jason Gurtz <jasongurtz () npumail com> wrote:
> Having worked on plenty of industrial and other control systems I can
> safely say security on the systems is generally very poor. The
> vulnerabilities have existed for years but are just now getting
> attention.
>
> +1
>
> Just for context, let me tell everyone about an operational characteristic
> of one such system (Sold by a Fortune 10 (almost Fortune 5 ;) company for
> not a small amt. of $) that might be surprising; the hostname of the
> server system cannot be longer than eight characters.
>
> The software gets so many things so very very wrong I wonder how it is
> there are not more exploits!

siemens, honeywell... essentially all of the large named folks have
just horrendous security postures when it comes to any
facilities/scada-type systems. they all believe that their systems are
deployed on stand-alone networks, and that in the worst case there is
a firewall/vpn between their 'management' site and the actually
deployed system(s).

You think your SCADA network is "secure", what about your management
company's network? What about actual AAA for any of the changes made?
Can you patch the servers/software on-demand? or must you wait for the
vendor to supply you with the patch set?

folks running scada systems (this includes alarm systems for
buildings, or access systems! HVAC in larger complexes, etc) really,
really ought to start with RFC requirements that include strong
security measures, before outfitting a building you'll be in for
'years'.

-chris

