nanog mailing list archives
Re: First real-world SCADA attack in US
From: Christopher Morrow <morrowc.lists () gmail com>
Date: Mon, 21 Nov 2011 17:02:34 -0500
On Mon, Nov 21, 2011 at 4:51 PM, Jason Gurtz <jasongurtz () npumail com> wrote:
Having worked on plenty of industrial and other control systems I can safely say security on the systems is generally very poor. The vulnerabilities have existed for years but are just now getting attention.+1 Just for context, let me tell everyone about an operational characteristic of one such system (Sold by a Fortune 10 (almost Fortune 5 ;) company for not a small amt. of $) that might be surprising; the hostname of the server system cannot be longer than eight characters. The software gets so many things so very very wrong I wonder how it is there are not more exploits!
siemens, honeywell... essentially all of the large named folks have just horrendous security postures when it comes to any facilities/scada-type systems. they all believe that their systems are deployed on stand-alone networks, and that in the worst case there is a firewall/vpn between their 'management' site and the actually deployed system(s). You think your SCADA network is "secure", what about your management company's network? What about actual AAA for any of the changes made? Can you patch the servers/software on-demand? or must you wait for the vendor to supply you with the patch set? folks running scada systems (this includes alarm systems for buildings, or access systems! HVAC in larger complexes, etc) really, really ought to start with RFC requirements that include strong security measures, before outfitting a building you'll be in for 'years'. -chris
Current thread:
- Re: First real-world SCADA attack in US, (continued)
- Re: First real-world SCADA attack in US Leigh Porter (Nov 21)
- Re: First real-world SCADA attack in US Mark Radabaugh (Nov 21)
- Re: First real-world SCADA attack in US Steven Bellovin (Nov 21)
- Re: First real-world SCADA attack in US Michael Painter (Nov 22)
- Re: First real-world SCADA attack in US Jay Ashworth (Nov 21)
- Re: First real-world SCADA attack in US Charles Mills (Nov 21)
- Re: First real-world SCADA attack in US Mark Radabaugh (Nov 21)
- RE: First real-world SCADA attack in US Jason Gurtz (Nov 21)
- Re: First real-world SCADA attack in US Christopher Morrow (Nov 21)
- Re: First real-world SCADA attack in US Jimmy Hess (Nov 21)
- Re: First real-world SCADA attack in US Jay Ashworth (Nov 21)
- Re: First real-world SCADA attack in US Jussi Peltola (Nov 21)
- Re: First real-world SCADA attack in US Valdis . Kletnieks (Nov 21)
- Re: First real-world SCADA attack in US Brett Frankenberger (Nov 22)
- Re: First real-world SCADA attack in US Jay Ashworth (Nov 22)
- Re: First real-world SCADA attack in US Brett Frankenberger (Nov 22)