I Understand (Score: 1) by venkman@pipedot.org on 2015-01-13 04:12 (#2WPT)

I understand how these control systems end up connected to the Internet. A few years ago in my process engineering job, I had the ability to VPN in and access our plant's control system. When someone calls at 2 in the morning, you don't want to come in to work to troubleshoot.

Re: I Understand (Score: 1) by tanuki64@pipedot.org on 2015-01-13 09:14 (#2WPW)

You understand? I don't. Yes, it is understandable that no one wants to come to work at 2am to troubleshoot. But you also mentioned one solution: VPN. It is (or should be) a well known fact that embedded devices and industrial systems often suck at security. But this does not matter, if they are isolated behind a proper firewall/gateway. It may not be possible to upgrade the machinery, but the access to and from those systems should be under total control of the operating company.

Re: I Understand (Score: 1) by evilviper@pipedot.org on 2015-01-13 21:49 (#2WPZ)

You didn't read the article. The SCADA systems were on a different, firewall controlled network. That is not nearly enough to keep attackers out, for many reasons. The article explains the only sure way is an air gap... With ANY internet access at all, no matter how indirect, compromise is possible. An extreme example might be a DNS exploit, where any system on the control network only tried resolving a host name... Commands can similarly be relayed and data proxied over DNS.

Actually, I'd say an air gap is overrated though... The JC Penny breach wasn't over the internet, but instead required physical proximity as they broke in over the WiFi network. Similarly, critical control systems need to be hardened against someone connecting a device with remote access capabilities... That could be a small WiFi router hidden somewhere, a cell phone connected to the network, a dial-up modem connected to a router, etc. Any one of those leaves an air-gapped network open to exploitation from outside attackers. You could insert a WiFi chip into a non-threatening looking USB mouse, and just leave it some place such a thing might have been accidentally dropped, and watch as it eventually gets connected, giving you a backdoor to an air-gapped network.

And don't forget Stuxnet... Completely air-gapped network, with tremendous physical security and paranoia. Still got penetrated by a worm on a USB thumb drive... which is how air-gapped networks get updates into their networks. There simply is no easy answer to the problem.

Re: I Understand (Score: 2, Interesting) by tanuki64@pipedot.org on 2015-01-13 22:58 (#2WQ0)

> You didn't read the article. The SCADA systems were on a different, firewall controlled network. That is not nearly enough to keep attackers out, for many reasons.

Oh yes, I know the reasons. At the very beginning of my career I worked for almost a year as system administrator for a small company. My first task? Make our net secure. We need a firewall. I did it. And then the complaints started:

"I can't do this, I can't do that. I NEED ftp, I NEED telnet.. no, ssh and scp is not enough (I don't know how it works, I don't want to learn anything new).
But...
No 'but'. You are only admin, I am very important person... Open the ports for me or go job hunting.

That's what I did.... both. No 'or'. The company does not exist anymore.

So yes, security is never 100% free. You say one possible attack vector is a USB drive? I know a company where all USB ports were glued shut. A few 'experts' opened their machines to circumvent this useless chicanery with USB boards. Hey, the sys admins are paranoid a**holes with a god complex. Security is important, but not when it interferes with real work... and who can work without music from his personal mp3 collection on USB?

Of course I cannot say for sure that something like this happened in this steel mill, but I would not be surprised a bit. For years now, the most important attack vector isn't the hard- and software anymore, but the wetware.

Re: I Understand (Score: 1) by evilviper@pipedot.org on 2015-01-14 02:30 (#2WQ3)

> I know a company where all USB ports were glued shut. A few 'experts' opened their machines to circumvent this useless chicanery

They didn't do a very good job then. Computers are easy enough to padlock. Besides, you're obviously not talking about a secure network.

And there's nothing special about USB... ANY WAY you get data into a secure network, from the un-secured rest of the world, is an attack surface. DVD-Rs are just as vulnerable as USB thumb drives. Glue shut all the ports you want, and you'll still need to exchange data, and however you do that will leave you open to attack.
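evilviper's point that commands and data can be relayed over DNS is the one part of this thread a defender can act on directly: even a control network that only reaches a recursive resolver has an outbound channel, and the resolver's query log is where that channel shows up. The script below is an added example written for this page, not code from the thread or from pipedot. It runs simple tunnelling heuristics over a constructed sample of resolver log lines (the "<timestamp> <client-ip> <qtype> <qname>" format, the domain names, the client addresses and every threshold are assumptions made for the example, not values from the article): long, high-entropy subdomain prefixes, bulky record types such as TXT, and a rapid churn of distinct prefixes under one base domain, which is what a DNS covert channel looks like from the resolver's side.

```python
import math
from collections import defaultdict

# Constructed resolver-log sample for this example (not taken from the page).
# Assumed line format: "<timestamp> <client-ip> <qtype> <qname>"
SAMPLE_LOG = """\
2015-01-13T02:01:05 10.20.30.11 A hmi-update.vendor-example.com
2015-01-13T02:01:06 10.20.30.11 A ntp.vendor-example.com
2015-01-13T02:01:09 10.20.30.11 AAAA hmi-update.vendor-example.com
2015-01-13T02:01:07 10.20.30.44 TXT 4a6f686e2d446f65a3b4d2f9e1c7a5b3.c2.exfil-example.net
2015-01-13T02:01:08 10.20.30.44 TXT 7b2f3e1a9c4d8e0f1122334455667788.c3.exfil-example.net
2015-01-13T02:01:10 10.20.30.44 TXT 9d8c7b6a5f4e3d2c1b0a998877665544.c4.exfil-example.net
2015-01-13T02:01:11 10.20.30.44 TXT 0f1e2d3c4b5a69788796a5b4c3d2e1f0.c5.exfil-example.net
"""

# Tunable thresholds (hypothetical starting points chosen for this example).
LONG_PREFIX = 30          # chars of subdomain prefix typical of an encoded payload
MIN_ENTROPY_LEN = 16      # only judge entropy on prefixes long enough to be meaningful
HIGH_ENTROPY = 3.0        # bits/char; hex or base32 payloads sit near or above this
BULKY_QTYPES = {"TXT", "NULL"}
MAX_UNIQUE_PREFIXES = 4   # distinct prefixes per base domain before it looks like a channel
FLAG_SCORE = 3


def shannon_entropy(text: str) -> float:
    """Shannon entropy in bits per character (0.0 for the empty string)."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())


def parse_line(line: str) -> dict:
    """Split one log line into its fields; qname is lower-cased with any trailing dot removed."""
    ts, client, qtype, qname = line.split()
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_name(qname: str):
    """Return (prefix, base_domain). The base domain is approximated as the last two
    labels; a real deployment would consult the public-suffix list instead."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def score_query(rec: dict) -> int:
    """Per-query suspicion score from prefix length, prefix entropy and record type."""
    prefix, _ = split_name(rec["qname"])
    body = prefix.replace(".", "")
    score = 0
    if len(prefix) >= LONG_PREFIX:
        score += 2
    if len(body) >= MIN_ENTROPY_LEN and shannon_entropy(body) >= HIGH_ENTROPY:
        score += 2
    if rec["qtype"] in BULKY_QTYPES:
        score += 1
    return score


def analyze(log_text: str) -> dict:
    """Aggregate per base domain: clients seen, distinct prefixes, best per-query score,
    and a flag when either the score or the prefix churn crosses its threshold."""
    domains = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        prefix, base = split_name(rec["qname"])
        entry = domains.setdefault(base, {"clients": set(), "prefixes": set(), "max_score": 0})
        entry["clients"].add(rec["client"])
        entry["prefixes"].add(prefix)
        entry["max_score"] = max(entry["max_score"], score_query(rec))
    for entry in domains.values():
        entry["unique_prefixes"] = len(entry["prefixes"])
        entry["flagged"] = (entry["max_score"] >= FLAG_SCORE
                            or entry["unique_prefixes"] >= MAX_UNIQUE_PREFIXES)
    return domains


def flagged_domains(log_text: str) -> list:
    """Sorted list of base domains that deserve a human look."""
    return sorted(d for d, e in analyze(log_text).items() if e["flagged"])


if __name__ == "__main__":
    for base, entry in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{base:22s} clients={len(entry['clients'])} "
              f"prefixes={entry['unique_prefixes']} max_score={entry['max_score']} "
              f"flagged={entry['flagged']}")
```

On the sample, vendor-example.com stays quiet (short, human-readable prefixes, A/AAAA records) while exfil-example.net trips both the per-query score and the prefix-churn rule. The thresholds are deliberately crude: in a real control network the better tuning is usually a strict allowlist of the handful of names the plant's systems legitimately resolve, with everything else logged and alerted on, because the volume of legitimate DNS from SCADA hosts is small enough to make that workable.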