lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [<thread-prev] [day] [month] [year] [list] 
Date: Thu, 24 Mar 2011 13:02:18 -0400
From: Kent Borg <kentborg@...g.org>
To: Simple Nomad <thegnome@...c.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares

Simple Nomad wrote:
> 2. Ensure that these systems, if they exist, are not accessible from 
> either the Internet or even the local network where most of the users 
> are.


Much easier said than done.

The really scary SCADA systems are small cogs in large facilities that 
have been been built up over the years.  New bits added now and then, 
old bits removed, things reconfigured.  How do they know whether they 
are connected to the larger internet?  And if they know one day how do 
they know a week later that no one plugged in something s/he shouldn't?  
("I just wanted to check my e-mail...")

I am not saying it is impossible to keep a network isolated, but when 
dealing with a big legacy system (maybe measured in acres/hectares) with 
lots of random personnel tempted to do random things, and other annoying 
daily requirements (manufacturing the clothespins, generating the 
power--whatever it is that pays the bills), it is hard to do everything 
necessary to mitigate all dangerous and poorly documented security 
decisions, some from many years ago.

And even if one is successful in being isolated, it sounds like Stuxnet 
didn't require a direct connection, I think it could spread the old 
fashioned way, via sneakernet.  How do you stop that?  (And then how do 
you apply a security fix from the responsible SCADA manufacturer?) 


As for encouraging creation and application of patches, say the 
responsible SCADA manufacturer sends a floppy (!) with a patch to your 
local, aging, nuclear power plant:

   Hmmm, we have three motor controllers that possibly match the model 
numbers
   they say this is for.  The one circulating the number one storage 
pool has an "-A"
   suffix that the others don't, and it isn't mentioned on the datasheet 
that came with
   floppy.  I phoned the manufacturer's help line and was told the patch 
is compatible.

What do *you* want them to do with that floppy...?

(I have no idea if nukes use computerized motor controllers--if not, 
substitute "chemical plant" or "oil refinery" or...)


Yes, one can be more stupid or more smart, I am all for the smart stuff, 
and lots of us know lots of smart stuff, but I fear some underestimate 
the difficulties with legacy SCADA.


-kb, the Kent who is willing to bet there are SCADA products available 
with features that require a connection to the public internet.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ