Hacker News
'Crash Override': Malware That Took Down a Power Grid (wired.com)
67 points by cwal37 9 months ago | 22 comments



Comprehensive white paper gives you more information and context [1]. Looking at it it has 4 payloads and targets systems made by Siemens [2].

[1] https://www.welivesecurity.com/wp-content/uploads/2017/06/Wi...

[2] http://w3.siemens.com/smartgrid/global/en/products-systems-s...


Control systems are so ridiculously insecure given what they do. I was lucky enough to attend a DHS control systems security summit at INL way back in 2006 (or 2007, I can't remember). They had a huge lab full of various PLCs, etc., and a bunch of surprisingly smart folks working on pen-testing them. But still, it's a decade later and we don't seem to have made much progress.


> But still, it's a decade later and we don't seem to have made much progress.

Despite all the "IIoT" buzzwords their marketing may spout, industrial vendors operate a decade behind the software curve at best. Arcane proprietary stacks running atop XP, CE, ActiveX, and various flavors of DOS are still getting deployed in new industrial installations...often supported by vendors staffed by a hundred salescritters to every engineer, if they're lucky enough to have any staff remaining that wrote or understand the original product in the first place.

It's filled with dozens of mini-Oracles, each with licensing more insane than the next because your typical integrator will either run for the hills at the first sign of anything that isn't ladder logic or spew forth spaghetti garbage that makes INTERCAL look like the most pretentiously elegant Lisp. When you're the lone programmer on the team that even knows what Git is, you start to realize why nobody ever got fired for just buying Rockwell.


Ahh, the painful memories of writing the SCADA control software. In VBScript. The old system was running on VMS. The new system could be accessed via ActiveX control in an IE page.

At least the plant network was sufficiently airgapped.


> At least the plant network was sufficiently airgapped.

The Iranians thought that as well.


This is correct. The ActiveX is very, very real.


As the grugq has pointed out, incentives are not currently aligned properly to produce secure industrial systems:

"Firstly, a lot of infrastructure and data is in civilian hands. The people and organizations responsible for securing things are not the ones responsible for retaliating against attacks. They can’t do it anyway because they lack the resources, capability, and legal authority to do so.

As for investing in securing their systems, there is no regulatory requirement to do so. Indeed, for a board of directors, I’ve seen it suggested that they have a fiduciary duty to shareholders not to bear the cost burden of securing critical national infrastructure. It’s not their business to directly bear the costs of defending the nation, that’s what the nation state is for in the first place!"

https://medium.com/@thegrugq/idle-thoughts-on-cyber-82170b2b...


>bunch of surprisingly smart folks working on pen-testing them.

Of course, you need those to implement Stuxnet. I recommend "Zero Days" (2016).


It's a decade later and the new secure versions still haven't been installed in Ukrainian power stations...


Are you just assuming new secure versions exist that could be used? I work with industrial control, but mainly Rockwell, not Siemens, and I don't know of any PLC communication protocol that supports any kind of encryption, but I want to hear about any options that do exist.


This, from a former coworker, might give you a good sense of the state of things:

https://www.youtube.com/watch?v=tPWKJR6IVfA


Do these infrastructures really need the level of hardware they seem to use?

Rather than use an unsecured Raspberry Pi 3 with its wifi left on, why not have a closed system specifically built instead? Something not casually running embedded Windows XP, rather maybe a barebones OS written in assembly with minimal networking functionality on minimal hardware.


Building on commodity hardware is cheap, easy, quick to develop and often more stable and secure. Going fully custom results in more custom components which are often less tested and less audited than their commodity counterparts. Yes, it sounds like they'll be "simple" but it rarely is so - especially when your boss or sales team asks why you don't have IP-based monitoring.

The best bet in my opinion is to use commodity stuff but reduce the attack surface as much as possible by simply disabling, firewalling and physically restricting everything possible. In many cases like this, you could probably get away with absolutely minimalist control systems run on microcontrollers and similar with monitoring only over an isolated unidirectional interface (think fiber optic connection with no physical receiver on the other side).


The whole area is heavily, heavily reactionary and slow moving. They're on embedded XP because that's the closest they can get given the software platforms they're dependent on.

You're right that locked down embedded industrial (Linux) PCs are the best option, but your control platform has to run on them...


I suspect the actual cause is similar to the fuel station hacks from a couple of years ago [0], where industrial control systems have been 'upgraded' to run over the internet.

[0] https://www.theregister.co.uk/2015/02/11/anonymous_hacks_fue...


IT still hasn't made it into higher management, especially in the public sector, which even privatized utilities resemble. Unfortunately this means things like security come last, when they really ought to be part of your architectural design.

We recently bought a management software for our translators, which somehow made it through all the business and management layers revolving around public contracts without anyone questioning the fact that none of it was encrypted. Meaning anyone snooping on our network could get anything from private data to system logins with absolutely no effort.

Things are getting better, but IT is still a subsection of the economy department in a lot of places, and a lot of execs still think it's magic. Couple this with most developers and entrepreneurs being hackers who want to toy around with cool world changing features, and, no one is left to worry about security.


> Rather than use a unsecured raspberry pi3 with it's wifi left on, why not have a closed system specifically built instead.

Security through obscurity. Just because a system is closed doesn't make it safer.

In fact, generally the opposite. Look at the security fiasco over in medical device land.


This is coming from the perspective of someone who is an expert in software already, all this stuff looks like a trivial side project, right?

Imagine this in different contexts though. Why go to IKEA for furniture when you can just build your own of higher quality in your garage shop? Or why bother going to a mechanic when you can just rebuild your car's engine yourself at home?

The fact is, of these three examples the software one is actually the most unrealistic. Having someone on staff with software expertise is a hard problem, and an expensive one too. If you don't already have a group of folks with software expertise on staff then hiring for it becomes a massively difficult problem. This is why there's still so much business in the build-for-hire software biz. Most companies in the world who need software based solutions are not themselves software companies. They need to use objective measures to determine the quality of the companies they farm out these projects to as well as the software that results.

Additionally, software built on commodity systems (like Windows XP) is often a better choice for these companies because it means there's a much larger group of folks they can hire if they need to make changes or perform service on the system in the future (which is inevitable). As much as a custom solution built on a microcontroller or small linux based embedded system might be technically superior, cheaper, and more robust, it might not be a sustainable solution for a given company.


Weird name collision with the Crash Override Network and Zoe Quinn's book.

I'm curious about the provenance of the name, as the article seems to suggest the security researchers provided the name.

[Edit]: I show my cultural ignorance -- it appears both are likely a reference to Hackers, based on the responses below.


Maybe a reference to the protagonist from Hackers: http://www.imdb.com/title/tt0113243/


I immediately thought of Dade "Zero Cool" Murphy and Acid Burn. And Angelina Jolie...


Depends on how many systems it crashed, I would say
