
'Crash Override': Malware That Took Down a Power Grid - cwal37
https://www.wired.com/story/crash-override-malware/
======
zitterbewegung
Comprehensive white paper gives you more information and context [1]. Looking
at it, it has 4 payloads and targets systems made by Siemens [2].

[1] https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf

[2] http://w3.siemens.com/smartgrid/global/en/products-systems-solutions/protection/pages/overview.aspx

------
erentz
Control systems are so ridiculously insecure given what they do. I was lucky
enough to attend a DHS control systems security summit at INL way back in 2006
(or 2007, I can't remember). They had a huge lab full of various PLCs, etc., and
a bunch of surprisingly smart folks working on pen-testing them. But still,
it's a decade later and we don't seem to have made much progress.

~~~
snerbles
> But still, it's a decade later and we don't seem to have made much progress.

Despite all the "IIoT" buzzwords their marketing may spout, industrial vendors
operate a decade behind the software curve at best. Arcane proprietary stacks
running atop XP, CE, ActiveX, and various flavors of DOS are still getting
deployed in new industrial installations...often supported by vendors staffed
by a hundred salescritters to every engineer, if they're lucky enough to have
any staff remaining that wrote or understand the original product in the first
place.

It's filled with dozens of mini-Oracles, each with licensing more insane than
the next because your typical integrator will either run for the hills at the
first sign of anything that isn't ladder logic or spew forth spaghetti garbage
that makes INTERCAL look like the most pretentiously elegant Lisp. When you're
the lone programmer on the team that even knows _what Git is_, you start to
realize why nobody ever got fired for just buying Rockwell.

~~~
jcranmer
Ahh, the painful memories of writing the SCADA control software. In VBScript.
The old system was running on VMS. The new system could be accessed via
ActiveX control in an IE page.

At least the plant network was sufficiently airgapped.

~~~
noir_lord
> At least the plant network was sufficiently airgapped.

The Iranians thought that as well.

------
evdev
This, from a former coworker, might give you a good sense of the state of
things:

[https://www.youtube.com/watch?v=tPWKJR6IVfA](https://www.youtube.com/watch?v=tPWKJR6IVfA)

------
jumpkickhit
Do these infrastructures really need the level of hardware they seem to use?

Rather than use an unsecured Raspberry Pi 3 with its wifi left on, why not have
a closed system specifically built instead. Something not casually running
embedded Windows XP, rather maybe a barebones OS written in assembly with
minimal networking functionality on minimal hardware.

~~~
problems
Building on commodity hardware is cheap, easy, quick to develop and often more
stable and secure. Going fully custom results in more custom components which
are often less tested and less audited than their commodity counterparts. Yes,
it sounds like they'll be "simple" but it rarely is so - especially when your
boss or sales team asks why you don't have IP-based monitoring.

The best bet in my opinion is to use commodity stuff but reduce the attack
surface as much as possible by simply disabling, firewalling and physically
restricting everything possible. In many cases like this, you could probably
get away with absolutely minimalist control systems run on microcontrollers
and similar with monitoring only over an isolated unidirectional interface
(think fiber optic connection with no physical receiver on the other side).
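
The unidirectional monitoring interface described above has one consequence worth seeing in code: with no physical receive path there is no acknowledgement, no retransmit and no handshake, so the monitoring side can only detect loss, corruption and replay from what it receives. The following is an added illustration, not code from the thread or from any vendor; the frame layout (magic, sequence number, length, payload, CRC-32), the `DiodeReceiver` class and the constructed telemetry lines are all assumptions made for the example.

```python
import struct
import zlib

# Assumed frame layout for this example (not any standard protocol):
#   magic(2) | seq(4) | len(2) | payload | crc32(4)   (network byte order)
MAGIC = b"UD"
HEADER = struct.Struct("!2sIH")  # magic, sequence number, payload length


def encode_frame(seq, payload):
    """Build one self-describing telemetry frame for the one-way link.
    The CRC lets the receiver reject corruption even though it can never
    ask the control side to resend."""
    body = HEADER.pack(MAGIC, seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body) & 0xFFFFFFFF)


def decode_frame(frame):
    """Return (seq, payload), or raise ValueError for a short, corrupt or
    malformed frame."""
    if len(frame) < HEADER.size + 4:
        raise ValueError("short frame")
    body, crc = frame[:-4], struct.unpack("!I", frame[-4:])[0]
    if zlib.crc32(body) & 0xFFFFFFFF != crc:
        raise ValueError("crc mismatch")
    magic, seq, length = HEADER.unpack(body[:HEADER.size])
    if magic != MAGIC or len(body) != HEADER.size + length:
        raise ValueError("bad header")
    return seq, body[HEADER.size:]


class DiodeReceiver:
    """Monitoring-side state (hypothetical). With no return channel, loss is
    inferred from sequence gaps, corruption from CRC failures, and replayed
    frames are recognised by an already-seen sequence number."""

    def __init__(self):
        self.expected = 0     # next sequence number we hope to see
        self.readings = []    # accepted payloads, in order
        self.gaps = []        # (first_missing_seq, last_missing_seq) pairs
        self.corrupt = 0      # frames that failed CRC or header checks

    def feed(self, frame):
        try:
            seq, payload = decode_frame(frame)
        except ValueError:
            self.corrupt += 1
            return
        if seq > self.expected:
            self.gaps.append((self.expected, seq - 1))  # something was lost
        elif seq < self.expected:
            return  # duplicate or replayed frame: ignore it
        self.expected = seq + 1
        self.readings.append(payload.decode())


def run_demo():
    """Push six constructed readings through a simulated one-way link that
    drops frame 2 and flips a byte in frame 4; returns the receiver state."""
    readings = [f"bus1 freq=50.0{i} Hz" for i in range(6)]  # constructed
    frames = [encode_frame(i, r.encode()) for i, r in enumerate(readings)]
    damaged = bytearray(frames[4])
    damaged[HEADER.size] ^= 0xFF  # corrupt first payload byte of frame 4
    delivered = [frames[0], frames[1], frames[3], bytes(damaged), frames[5]]
    rx = DiodeReceiver()
    for frame in delivered:
        rx.feed(frame)
    return rx


if __name__ == "__main__":
    state = run_demo()
    print("accepted:", state.readings)
    print("gaps:", state.gaps, "corrupt frames:", state.corrupt)
```

The receiver ends up with four readings, two recorded gaps (sequence 2 lost outright, sequence 4 rejected as corrupt) and one corrupt-frame count. That is the trade the diode makes: the plant side gains the guarantee that nothing can be pushed inward, and the monitoring side has to live with detection rather than recovery, which is why sequence numbers and a checksum belong in even the simplest one-way telemetry format.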

~~~
evdev
The whole area is heavily, heavily reactionary and slow moving. They're on
embedded XP because that's the closest they can get given the software
platforms they're dependent on.

You're right that locked down embedded industrial (Linux) PCs are the best
option, but your control platform has to run on them...

------
Pfhreak
Weird name collision with the Crash Override Network and Zoe Quinn's book.

I'm curious about the provenance of the name, as the article seems to suggest
the security researchers provided the name.

[Edit]: I show my cultural ignorance -- it appears both are likely a reference
to Hackers, based on the responses below.

~~~
rangersanger
I immediately thought of Dade "Zero Cool" Murphy and Acid Burn. And Angelina
Jolie...

~~~
jagermo
Depends on how many systems it crashed, I would say

