[<prev] [next>] [<thread-prev] [day] [month] [year] [list]
Message-ID: <4D8B791A.9020806@borg.org>
Date: Thu, 24 Mar 2011 13:02:18 -0400
From: Kent Borg <kentborg@...g.org>
To: Simple Nomad <thegnome@...c.org>
Cc: bugtraq@...urityfocus.com
Subject: Re: Vulnerabilities in some SCADA server softwares
Simple Nomad wrote:
> 2. Ensure that these systems, if they exist, are not accessible from
> either the Internet or even the local network where most of the users
> are.
Much easier said than done.
The really scary SCADA systems are small cogs in large facilities that
have been been built up over the years. New bits added now and then,
old bits removed, things reconfigured. How do they know whether they
are connected to the larger internet? And if they know one day how do
they know a week later that no one plugged in something s/he shouldn't?
("I just wanted to check my e-mail...")
I am not saying it is impossible to keep a network isolated, but when
dealing with a big legacy system (maybe measured in acres/hectares) with
lots of random personnel tempted to do random things, and other annoying
daily requirements (manufacturing the clothespins, generating the
power--whatever it is that pays the bills), it is hard to do everything
necessary to mitigate all dangerous and poorly documented security
decisions, some from many years ago.
And even if one is successful in being isolated, it sounds like Stuxnet
didn't require a direct connection, I think it could spread the old
fashioned way, via sneakernet. How do you stop that? (And then how do
you apply a security fix from the responsible SCADA manufacturer?)
As for encouraging creation and application of patches, say the
responsible SCADA manufacturer sends a floppy (!) with a patch to your
local, aging, nuclear power plant:
Hmmm, we have three motor controllers that possibly match the model
numbers
they say this is for. The one circulating the number one storage
pool has an "-A"
suffix that the others don't, and it isn't mentioned on the datasheet
that came with
floppy. I phoned the manufacturer's help line and was told the patch
is compatible.
What do *you* want them to do with that floppy...?
(I have no idea if nukes use computerized motor controllers--if not,
substitute "chemical plant" or "oil refinery" or...)
Yes, one can be more stupid or more smart, I am all for the smart stuff,
and lots of us know lots of smart stuff, but I fear some underestimate
the difficulties with legacy SCADA.
-kb, the Kent who is willing to bet there are SCADA products available
with features that require a connection to the public internet.
Powered by blists - more mailing lists