
Hackers destroy water pump via SCADA abuse - munin
http://www.wired.com/threatlevel/2011/11/hackers-destroy-water-pump/all/1
======
mindslight
Good. Malicious crackers, please destroy as many non-safety-critical water
pumps as it takes for people to take security on these systems seriously. It
seems most of the industrial controls industry is used to operating on a
proprietary network, and when moving to IP their guess at security is "uh,
firewall?".

~~~
jrockway
This is indeed odd. On my home network, I have a firewall at the edge, a
firewall on each machine, and every service requires authentication
(cryptographic where possible; username+password over SSL otherwise). It took
me about a day to set up, and I'm not even a security person.

It's unacceptable that people whose jobs are to secure computer networks do a
worse job than I do for the little computer under my TV.

(Yup, all of my machines at home have a public IP address. Convenient!)

~~~
pnathan
SCADA systems often rely on time-deterministic routing of packets, which
TCP/IP doesn't make easy. There are a number of issues with securing them,
including the fact that unscheduled downtime can be catastrophic (ergo, no
hotpatching without massive work).

There are some good posts on the SCADASEC mailing list. There are some lousy
posts as well.

Culturally, SCADA system security is approximately where IT systems were in
1995 with Windows 95.

~~~
momotomo
Second this, as per other comment I made as well. SCADA systems are generally
unstable and very precious about how they are implemented, it can drive people
to make a lot of concessions. Thankfully we run enough support staff to ensure
physical site visits are possible, which eliminates the security and technical
issues associated with trying to tie these things into a WAN.

*edit, inferring that instability can drive people to network these devices for support reasons.

------
NathanKP
Did anyone else notice this choice comment:

 _“They just figured it’s part of the normal instability of the system,” Weiss
told Wired.com. “But it wasn’t until the SCADA system actually turned on and
off that they realized something was wrong.”_

That's a pretty bad sign that the system is so buggy that at first it seems
like a hacking attempt is just "normal" instability.

~~~
momotomo
Anybody that's worked with SCADA systems unfortunately wouldn't bat an eye at
this. In my own experience they're horribly issue prone, we've churned through
4-5 different vendors in the last 3 years trying to get past basic stability
issues.

~~~
weaksauce
What issues did you have?

Unfortunately, writing PLC code is like writing in assembly with global access
to variables. Unless you test things thoroughly it's really tough to have a
system run bug free. Thankfully, most of the processes are pretty simple so
it's not exceedingly hard to test it.

------
jed_s
Stanford EE Computer Systems Colloquium

Control System Cyber Security - State of the State

<http://www.stanford.edu/class/ee380/Abstracts/111012.html>

"Industrial control systems are used in electric power, water, pipelines, etc.
These systems were designed for performance and safety considerations, not
security. Traditional IT security technologies, policies, and testing may not
apply to these systems. Moreover, there is currently no university with an
interdisciplinary program across multiple engineering disciplines to address
control system cyber security. There have already been more than 200 actual
control system cyber incidents to date, though most have not been identified
as cyber. In the US alone, there have been 4 control system cyber incidents
that have killed people, 3 major cyber-related electric outages, 2 nuclear
plants shut down from full power, etc. With the advent of Stuxnet, cyber has
been introduced as an offensive weapon. The purpose of this presentation is to
provide a state-of-the-state view of control system cyber security."

The speaker gets quite a grilling from the academics.

~~~
shabble
Do you know of any videos of the talk itself? That page only seems to list the
abstract and a very handwavy CNN report clip.

From the abstract/slides, it seems like it could be quite interesting.

------
MrEnigma
So they stole username/passwords the SCADA vendor kept for the clients.

There are better ways to gain access to systems. But even then, you have to
prevent access to your own systems first...

~~~
MrEnigma
I wonder if the glitches were that the remote people couldn't log in. So they
kept changing the passwords, and restoring them, and then the hackers just
went and got the password again, changed it...

------
danso
So let's take bets. Was this hack attack made possible through:

1) A SQL injection

2) A default admin password

~~~
kamkha
The article mentions that the intrusions involved a security hole in
PHPMyAdmin, so, likely neither (unless the attackers just got access to the
database through PHPMyAdmin using the default admin password rather than a
security hole).

~~~
jronkone
Why isn't using PHP for security sensitive work considered illegal yet?

~~~
code_duck
PHPMyAdmin is just some software used by clueless neophytes, not part of PHP.
Similarly poorly written and insecure software is surely possible with Ruby,
Python, you name it.

------
vahallawalla1
They aren't even talking about what happened in San Diego :-\

SCADA controls those power systems too ;-)

~~~
mrpollo
So the Blackout was due to a SCADA hack?

~~~
vahallawalla1
The system is redundant, and no single operator should be able to do what was
done that day. The military bases went delta-5. Largest military port city,
and China's looking to let the fire out of their dragon...

Dark days, eh?

~~~
mrpollo
Never thought about it that way, but you are right, a system so vital and
critical should never be left for 1 human to deal with. Reminds me of missile
systems where you need 2 keys and passphrases. Did they ever resolve this?
I'm guessing no.

------
tomjen3
This seems like an exciting decade we are about to enter where hackers can
mess with actual physical infrastructure. Sooner or later somebody is going to
do something really destructive with that power.

Fortunately it shouldn't be that hard to secure the systems. At the very least
use a two factor authentication system, if possible the same way Gmail does
since it is pretty simple, or just store the passwords in a big physical
folder and access as necessary.

~~~
tptacek
Exactly what good does "two factor authentication" do when every verb in the
protocol was designed with the assumption that the protocol would only ever be
addressed with an authorized client? These things are insecure by design,
insecure in implementation, and insecure at deployment. Don't trivialize the
problem; it's immense.

Maybe password theft was involved this time, but that's a trivial detail. I
don't feel like endorsing feel-good measures. A lot of this code really needs
to be forklifted out, which is a fact made especially painful because a lot of
this code is already pushing the limits of the 8 bit TI microcontrollers it
runs on.

~~~
statictype
Is the controller really the place for putting in security measures? I would
have assumed that they reside on a private internal network and it's the
software layer on top (i.e., a BACnet gateway or whatever) that needs to be
fixed.

------
feralchimp
The Shelbyville branch of Anonymous strikes again. Hoot hoot!

