Comment 2WPZ Re: I Understand

Story

Hackers destroy blast furnace in German steel mill

I Understand (Score: 1)

by venkman@pipedot.org on 2015-01-13 04:12 (#2WPT)

I understand how these control systems end up connected to the Internet. A few years ago in my process engineering job, I had the ability to VPN in and access our plant's control system. When someone calls at 2 in the morning, you don't want to come in to work to troubleshoot.

Re: I Understand (Score: 1)

by tanuki64@pipedot.org on 2015-01-13 09:14 (#2WPW)

You understand? I don't. Yes, it is understandable that no one wants to come to work at 2am to troubleshoot. But you also mentioned one solution: VPN. It is (or should be) a well-known fact that embedded devices and industrial systems often suck at security. But this does not matter if they are isolated behind a proper firewall/gateway. It may not be possible to upgrade the machinery, but the access to and from those systems should be under total control of the operating company.

Re: I Understand (Score: 1)

by evilviper@pipedot.org on 2015-01-13 21:49 (#2WPZ)

You didn't read the article. The SCADA systems were on a different, firewall-controlled network. That is not nearly enough to keep attackers out, for many reasons. The article explains the only sure way is an air gap... With ANY internet access at all, no matter how indirect, compromise is possible. An extreme example might be a DNS exploit, where any system on the control network only tried resolving a host name... Commands can similarly be relayed and data proxied over DNS.

Actually, I'd say an air gap is overrated though... The JC Penney breach wasn't over the internet, but instead required physical proximity as they broke in over the WiFi network. Similarly, critical control systems need to be hardened against someone connecting a device with remote access capabilities... That could be a small WiFi router hidden somewhere, a cell phone connected to the network, a dial-up modem connected to a router, etc. Any one of those leaves an air-gapped network open to exploitation from outside attackers. You could insert a WiFi chip into a non-threatening looking USB mouse, and just leave it some place such a thing might have been accidentally dropped, and watch as it eventually gets connected, giving you a backdoor to an air-gapped network.

And don't forget Stuxnet... Completely air-gapped network, with tremendous physical security and paranoia. Still got penetrated by a worm on a USB thumb drive... which is how air-gapped networks get updates into their networks.

There simply is no easy answer to the problem.
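A defender's view of the DNS relay mentioned in the comment above, as an added example that is not part of the original thread: it checks resolver query logs from a control network against an allowlist and flags clients sending many distinct high-entropy labels under one domain. The log format, the `plant.example` allowlist and the thresholds are assumptions, and the sample lines are constructed.

```python
import math
from collections import Counter, defaultdict

# Constructed sample: "<time> <client-ip> <query-name> <qtype>" (not a real capture).
SAMPLE_LOG = """\
02:00:01 10.20.0.5 ntp.plant.example A
02:00:02 10.20.0.5 historian.plant.example A
02:00:03 10.20.0.9 mzxw6ytboi4dqnrv.t.updates.example TXT
02:00:04 10.20.0.9 gezdgnbvgy3tqojq.t.updates.example TXT
02:00:05 10.20.0.9 onxw2zlomvzxgidb.t.updates.example TXT
02:00:06 10.20.0.9 nfzsa5dimuqgk3tf.t.updates.example TXT
02:00:07 10.20.0.7 www.vendor.example A
"""

# Assumption: the only names the control network legitimately resolves.
ALLOWED_SUFFIXES = ("plant.example",)

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def base_domain(qname):
    # Naive: last two labels. A real deployment would use the Public Suffix List.
    return ".".join(qname.split(".")[-2:])

def analyse(log_text, min_unique=3, min_entropy=3.0):
    """Return (off_allowlist, tunnel_suspects) from DNS query log lines."""
    off_allowlist = set()
    leftmost = defaultdict(set)  # (client, base domain) -> distinct leftmost labels
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        client, qname = parts[1], parts[2].rstrip(".").lower()
        if not any(qname == s or qname.endswith("." + s) for s in ALLOWED_SUFFIXES):
            off_allowlist.add((client, qname))
        leftmost[(client, base_domain(qname))].add(qname.split(".")[0])
    suspects = {}
    for key, labels in leftmost.items():
        mean_h = sum(entropy(label) for label in labels) / len(labels)
        # Many distinct, high-entropy labels under one domain suggests encoded data.
        if len(labels) >= min_unique and mean_h >= min_entropy:
            suspects[key] = (len(labels), round(mean_h, 2))
    return off_allowlist, suspects
```

On a control network the allowlist result is usually the stronger signal, since the set of names such hosts should resolve is small and stable; the entropy check catches relaying through a domain that happens to be permitted.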
