Discussion on:

23
Comments

This article is like calling 911 with a fire warning but giving no location.

I have no doubt that it is important and something should be done. But what and by whom? No symptoms are given that would allow anyone to detect an infection. No indication of the severity of damage one might expect is given. Worst of all, there is no indication of remedial actions that should or can be taken.

Don't ring my fire alarm if you don't have something specific in mind that I should do.

WDM
Where's the Fire?
spage@... Updated - 21st Jul 2010
Understandably this is an issue, but to whom? The article fails to connect the story to the everyman corporate and small business CIO/IT Director.

I feel for the manufacturing field, but is this a RED ALERT scenario for the rest of us?
While this will not apply to the majority of IT personnel, it serves as a good awareness of what is happening in the other sectors, especially since the "brain" behind a SCADA system is a computer.

It might not affect us as IT jockeys per se; however, its use in controlling water treatment plants, sewerage systems, electrical power transmission and large communication systems makes it important for us to at least know something about it.
Besides the SCADA system, I see problems coming on the horizon with BACnet, ZigBee, and all these SMART Meters all the power companies are installing. Imagine, someone can shut down your business' HVAC, power, and even other SMART devices.
Exactly right
jereg 22nd Jul 2010
I share your concerns. Anything attached to a network is a potential target. While I like the idea of instant data collection, the downside is too great.

I don't want anything in my home except my PC connected to the outside.
I agree...
Ole88 26th Jul 2010
I agree with your statement primarily because I support SCADA systems that cover a municipal collection system, distribution system, two wastewater treatment plants and a water filtration plant. If the SCADA system goes down at one of them there could be sewer spills (leading to a very sick public), water hammers (blow the top right off your sink), improper chemical levels that could damage the environment or poison unsuspecting people - and the list goes on.

Just because you don't work with it doesn't mean you shouldn't pay attention. I am not an Oracle DBA (nor do I want to be), but I still pass information on about patches or bugs I get information on to our Oracle DBAs. Why? Because I believe that we all should help each other and at least be aware of what is going on. The minute you turn a blind eye on something or think it can't affect you - it will.
I work for a public water supply (PSD). We have Siemens equipment in the plant, and from one end of the system to the other. Lots of it on the INTERNET as a comm. link. Used to control chemical feed pumps, monitor water quality at remote system sites, etc. etc..... I won't go into any more detail. I'm sure you can see the potential for a large number of people. As a SCADA field tech let me invite you to go to the kitchen, run out a glass of water and really think about this while you drink it.
Did it taste a little different this time??

Our company producing paper is controlled by SCADA systems, from the electrical energy supply (utility and own generators), through wood processing machines (chippers) and the whole production line, to the waste and water treatment plants. With very little effort (in software) you can destroy the whole mill: exceed some parameters (pressure or something else), let it explode and rip some equipment carrying strong chemicals (for example HCl = hydrochloric acid). That, carried by wind and/or water, will kill the local population...

In case of emergency ALL personnel including contractors have gas masks. Mine is in the drawer below the computer here. It is only to escape. Many windsocks around indicate the direction to choose. In the town people don't have all of that. They don't have to have computers to be affected. OS is also irrelevant...
Everyday IT
taylorstan@... 22nd Jul 2010
It's not about the system or sector that STUXNET is attacking. It's about the concept that an undetectable piece of malware is attacking a network or system that no one probably worried about. I doubt there is NORTON A/V that you run on this system. So think about your own network. What non-Microsoft, non-mainstream systems do you deploy? How about that new car you bought with built-in Bluetooth technology? Your kid d/l's a file on their iPod and links it to the car stereo. Then when the file is accessed, a code is sent to the car's computer via the link between them for speed volume control. By the way, that code was to disable the brakes and increase the throttle. Is this likely? No, but possible. We forget that although some devices may not be directly connected to the internet, they are connected to a network, or become connected at some point. The bad guys understand this and are finding ways to infect these systems that we thought were "secure". That is Everyday IT as you put it.
Stuxnet
iamsource Updated - 21st Jul 2010

TrojanDropper:Win32/Stuxnet.A

Aliases

VirTool:WinNT/Rootkitdrv.HK (other)
Trojan horse SHeur3.XLI (AVG)
Sus/UnkPack-C (Sophos)
Rootkit.TmpHider (other)

Alert Level: Severe

Summary

TrojanDropper:Win32/Stuxnet.A is a trojan that drops and installs other Stuxnet components detected as Trojan:WinNT/Stuxnet.A and Trojan:WinNT/Stuxnet.B. It also injects code into certain processes. The injected code contains links to certain football betting websites.

Symptoms

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    system folder\mrxcls.sys
    system folder\mrxnet.sys

  • The presence of the following registry keys:
    HKLM\SYSTEM\CurrentControlSet\Services\MRxCls
    HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

Trojan:WinNT/Stuxnet.B

Aliases

VirTool:WinNT/Rootkitdrv.HK (Microsoft)
Win32/Rootkit.Agent.NTK (ESET)

Alert Level: Severe

Summary

Trojan:WinNT/Stuxnet.B is a trojan component that loads other malware and is installed by TrojanDropper:Win32/Stuxnet.A.

Symptoms

The following system changes may indicate the presence of this malware:

  • The presence of the following files:
    system folder\mrxnet.sys

  • The presence of the following registry keys:
    HKLM\SYSTEM\CurrentControlSet\Services\MRxNet

Is this specific enough for you?


It even gets more specific, see here:

Details from Microsoft

Microsoft Malware Protection Center
The Stuxnet Sting

http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx

and here

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Trojan%3AWinNT%2FStuxnet.B

and here

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=TrojanDropper%3AWin32%2FStuxnet.A&ThreatID=-2147331492


Also look at this article:

http://www.eweek.com/c/a/Security/Stuxnet-Malware-Still-Exploiting-Microsoft-Windows-Security-Hole-166909/
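As an added example (not code from the thread or from Microsoft's encyclopedia), the following Python turns the two indicator sets quoted above into a host check: it reports which detection (the Stuxnet.A dropper, or Stuxnet.B alone) a snapshot of the system folder and the Services registry key matches. It assumes Microsoft's "system folder" means %SystemRoot%\System32 and that the live collector is run on Windows; the sample snapshot in the block is constructed.

```python
import os
import sys

# Indicator sets quoted in the comment above. The Stuxnet.A dropper installs both
# drivers; Stuxnet.B on its own shows only the MRxNet driver and service key.
INDICATORS = {
    "TrojanDropper:Win32/Stuxnet.A": {"files": {"mrxcls.sys", "mrxnet.sys"},
                                      "services": {"MRxCls", "MRxNet"}},
    "Trojan:WinNT/Stuxnet.B": {"files": {"mrxnet.sys"}, "services": {"MRxNet"}},
}


def match_indicators(files_present, services_present):
    """Return {detection: sorted indicators} for each detection whose file AND
    service indicators are all present (case-insensitive, as NTFS/registry are)."""
    files = {f.lower() for f in files_present}
    services = {s.lower() for s in services_present}
    hits = {}
    for name, ind in INDICATORS.items():
        need_files = {f.lower() for f in ind["files"]}
        need_svcs = {s.lower() for s in ind["services"]}
        if need_files <= files and need_svcs <= services:
            hits[name] = sorted(need_files | need_svcs)
    return hits


def collect_windows_snapshot():
    """Enumerate the system folder (assumed %SystemRoot%\\System32) and the
    Services registry key on a Windows host; empty sets elsewhere."""
    if sys.platform != "win32":
        return set(), set()
    import winreg  # stdlib, Windows only
    sysdir = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "System32")
    files = set(os.listdir(sysdir))
    services = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Services") as key:
        i = 0
        while True:
            try:
                services.add(winreg.EnumKey(key, i))
            except OSError:  # EnumKey raises when subkeys run out
                break
            i += 1
    return files, services


if __name__ == "__main__":
    # Constructed sample: a host showing only the MRxNet driver and service.
    print(match_indicators({"ntoskrnl.exe", "MRxNet.sys"}, {"Tcpip", "mrxnet"}))
```

On a Windows host, `match_indicators(*collect_windows_snapshot())` runs the same check against the live system folder and Services key.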
manually deleted!
paslot 21st Jul 2010
Can this worm be manually deleted from the system file where it's created?
Fire Alarm
knowlengr 21st Jul 2010
Complaint ack'd. However, since the alarm went out last week in numerous places, my focus wasn't to repeat it here. The links given accomplish that. Cheers
Really?
seanferd 21st Jul 2010
Do you use SCADA systems? Check them out. Click the links. Read the magazine. Use a search engine.

Oh, and FIRE!
http://www.darkreading.com/vulnerability_management/security/app-security/showArticle.jhtml?articleID=226100011

That will give you something else to complain about.
http://gspp.berkeley.edu/iths/Tsang_SCADA%20Attacks.pdf

http://www.scribd.com/doc/11531054/1052-Hacking-Scada

Note the 3K explosion, "the most monumental non-nuclear explosion"; below is a detailed link for it:

http://www.builderau.com.au/architect/work/soa/US-software-blew-up-Russian-gas-pipeline-/0,339024596,320283135,00.htm


I am an automation engineer. I never considered being a web developer or a DB admin because I like controlling hardware and seeing something physically happen because of your code.

Several years ago, some robots in our plant started working slowly. We found that it was caused by a worm spreading over the company's network and consuming huge bandwidth. It took more than several hours to fix it.

Probably, hackers of the future will be involved in SCADA attacks more than deleting data or abusing web pages.

Someone could get injured or even die in the case of SCADA attacks, so I believe that securing SCADA is more critical than securing ordinary IT systems.
Useful links
knowlengr 22nd Jul 2010
Interesting stories. I hadn't seen these reports.

Interesting article. A few days ago I was shocked when I found out that a lot of power plants in my country still keep their 70s dinosaurs in working order. I understand them now. A properly set-up obsolete mainframe is way better than running a plant by hand if SCADA viruses start spreading and making real damage.

We have industrial espionage now. How far away are viruses which will actually attempt to sabotage industrial complexes, especially in most critical moments?
Cost
wdewey@... 22nd Jul 2010
Life cycle for SCADA equipment is usually 15 to 20 years instead of 5 years for typical IT equipment. It's expensive and risky to upgrade control systems.

Bill
Dark Reading reports today on misconfigured VxWorks devices that include ". . . VoIP equipment and switches, DSL concentrators, industrial automation systems for SCADA environments, and Fibre Channel switches."

http://bit.ly/dosxEl

Only he can tell us truly scary stories about malware. Maybe he can teach this young buck a thing or two. Just playin'! ROFL!! But damn!! The threat was hard to figure out from this Jar Jar Binks style rant. Writing is just like speaking; YOU HAVE TO DELIVER or your audience gets hella-bored QUICK! Something to grow on.

VeriSign's Tim Callan just wrote a blog post on this issue: Code signing certificates used in repeat attacks

https://blogs.verisign.com/ssl-blog/2010/07/code_signing_certificates_used.php
Two more exploits have been detected that target the same vulnerability as Stuxnet: Dulkis-A and Chymine. http://bit.ly/biVrxn.
In the olden days...
jkameleon@... Updated - 27th Sep 2010
I used to work in industrial automation some 20 years ago. Back then, PCs were considered totally unreliable, justifiably so. The typical PC running Windows 3.x behaved pretty much like a typical malware-infected PC of today: slow and crashable. That's why PCs were used mostly for display and data logging, while critical processing was done by microcontrollers and PLCs. When critical commands had to be entered via display, keyboard & mouse, dedicated computers were used.

In any case, PLCs & microcontrollers were programmed not to trust the SCADA entirely, to reject commands which could cause direct damage. As a matter of fact, all computers were considered a bit unreliable, including PLCs. Consequently, electromechanical failsafes were placed wherever possible. It was nearly impossible to cause serious damage to a well-designed system via SCADA alone.

I sure hope the same philosophy still holds today. Especially in that Iranian nuclear power plant Stuxnet is allegedly targeting.

Here's a brief review of what Stuxnet, Duqu, and Flame are designed to do:

http://dougvitale.wordpress.com/2012/11/08/hardcore-malware-stuxnet-duqu-and-flame/

I think they are going to be using more Linux in Iran from now on.