SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems since Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If malware can do that, similar malware can do other damage as well.

Attacks against SCADA systems can have very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News from around one month ago reported that a SCADA hack shut down a US water plant on 8 November 2011. This hacking attack at a US water plant has been credited to an unknown attacker (the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. Once again, this caused security experts to question the security of SCADA systems.

The article Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System quotes him: “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site. On the other hand, federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What the truth is in this case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers, according to which Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. The ISO-TSAP protocol is functioning to specifications; however, authentication is not performed, nor are payloads encrypted or obfuscated.
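The replay weakness described above comes from frames that carry neither authentication nor a freshness value. The following added example (not code from the original post, and not the ISO-TSAP or S7 wire format) contrasts a receiver that accepts any frame with one that requires an HMAC tag and a strictly increasing counter; the frame layout, class names, key and command string are assumptions made for the illustration.

```python
import hashlib
import hmac
import struct

TAG_LEN = hashlib.sha256().digest_size  # 32-byte HMAC-SHA256 tag
HDR_LEN = 8                             # 64-bit big-endian message counter


class LegacyController:
    """Toy receiver with no authentication and no freshness check."""

    def __init__(self):
        self.applied = []

    def receive(self, frame: bytes) -> bool:
        # Any frame seen on the wire once can be sent again and is applied again.
        self.applied.append(frame)
        return True


def seal(key: bytes, counter: int, payload: bytes) -> bytes:
    """Build counter || payload || HMAC(key, counter || payload)."""
    header = struct.pack(">Q", counter)
    tag = hmac.new(key, header + payload, hashlib.sha256).digest()
    return header + payload + tag


class AuthenticatedController:
    """Toy receiver that checks integrity (HMAC) and freshness (counter)."""

    def __init__(self, key: bytes):
        self._key = key
        self._last_counter = 0
        self.applied = []

    def receive(self, frame: bytes) -> bool:
        if len(frame) < HDR_LEN + TAG_LEN:
            return False                      # too short to hold header and tag
        body, tag = frame[:-TAG_LEN], frame[-TAG_LEN:]
        expected = hmac.new(self._key, body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                      # forged or modified frame
        (counter,) = struct.unpack(">Q", body[:HDR_LEN])
        if counter <= self._last_counter:
            return False                      # replay of an already accepted frame
        self._last_counter = counter
        self.applied.append(body[HDR_LEN:])
        return True


def demo() -> dict:
    key = bytes(range(32))                    # constructed demo key
    command = b"SET pump1 speed=40"           # constructed payload

    legacy = LegacyController()
    legacy_first = legacy.receive(command)
    legacy_replay = legacy.receive(command)   # same bytes, accepted again

    hardened = AuthenticatedController(key)
    frame = seal(key, 1, command)
    # Same header and tag, different payload: the tag no longer matches.
    tampered = frame[:HDR_LEN] + b"SET pump1 speed=99" + frame[-TAG_LEN:]
    return {
        "legacy_first": legacy_first,
        "legacy_replay": legacy_replay,
        "hardened_first": hardened.receive(frame),
        "hardened_replay": hardened.receive(frame),
        "hardened_tampered": hardened.receive(tampered),
        "hardened_next": hardened.receive(seal(key, 2, command)),
        "applied": len(hardened.applied),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The tag and counter give integrity and freshness only; the payload is still sent in the clear, so confidentiality needs encryption on top, and the counter has to survive restarts of the receiver.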

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks, you are quite safe. For the most part SCADA systems are not necessarily designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this you put in a pathway where someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols through unsafe networks (public telephone network, cellular network, radio waves, even the Internet).

For a long time there has been the belief that SCADA systems have the benefit of security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Nowadays you can find many tools on the Internet to work with standard SCADA protocols (for example, Wireshark can be used to decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand the situation where they are accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article tells that nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run a very old operating system version. Windows is a very commonly used operating system in SCADA applications, because only a few SCADA packages support operating systems other than Windows. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe create new risks, caused by the fact that anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. The security researchers managed to break the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems and the open network was VLAN and NAT based filters.


  1. Security trends for 2013 « Tomi Engdahl’s ePanorama blog says:

    [...] SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA devices. Good idea to test your devices against it. [...]

  2. Danial Putz says:

    I think it’s better not to provide social security number. Do they called you ans ID?

  3. Tomi Engdahl says:

    CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk

    A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    “They told me that this presentation was unsuitable for being public,” Filiol said in an email.

    Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.

    “With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.

    Filiol said his research is now classified.

  4. Tomi Engdahl says:

    Lack of US Cybersecurity Across the Electric Grid

    “Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center’s Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector.”

    “Cyber attacks could come from a variety of sources, and ‘a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.’ “

  5. Tomi Engdahl says:

    A new organization for cybersecurity across the electric grid

    Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector.

    A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.

    It is probably impossible to protect the electric grid from all cyber attacks, particularly given the rapid pace at which cyber threats evolve. Therefore, industry and policymakers must consider how to most effectively manage the risks, taking steps to reduce the likelihood of cyber attacks and to limit the impacts of a successful attack.

    Beyond mandatory standards. In many ways, the electric power sector is in a stronger position than other critical infrastructure sectors to address cyber threats, because it already has mandatory, federally enforceable standards: The North American Electric Reliability Corporation, with oversight from the Federal Energy Regulatory Commission, develops and enforces standards that apply to the bulk power system (generally, generation and transmission), and the Nuclear Regulatory Commission develops and enforces standards for nuclear power plants. However, while these standards provide a useful baseline level of cybersecurity, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. Furthermore, focus on compliance with standards may draw attention and resources away from comprehensive security.

  6. Jayne says:

    I appreciate, lead to I discovered just what I was having a
    look for. You have ended my 4 day lengthy hunt!

    God Bless you man. Have a nice day. Bye

  8. Tomi Engdahl says:

    Machine safety labeling standards can lower manufacturing risk

    Creating effective product safety labels can dramatically reduce accidents and improve safety communication while poorly designed product safety labels can increase the dangers and hazards for both the worker and the company, according to safety standards.

    If your company manufactures machinery which has potential hazards associated with its transportation, installation, use, maintenance, decommissioning, and/or disposal, you most likely have a very strong need to create effective product safety labels. This task must be done right. Simply put, the stakes are too high for this job to be done incorrectly-people’s lives and your company’s financial well-being are on the line. Based on standards committee experiences over the past 25 years, safety labels can do one of two things:

    If properly designed, they can dramatically reduce accidents. This improves a machine or other product’s overall safety record and adds to a company’s bottom line by reducing product liability litigation and insurance costs.
    If poorly designed, needed safety communication does not take place and this can lead to accidents that cause injuries. When such accidents happen, companies spend hundreds of thousands (if not millions) of dollars settling or fighting lawsuits because their products lacked “adequate warnings.”

    Tool number one: The standards
    Tool number two: Risk assessment
    Tool number three: Global warnings that use symbols
    Lower risk, save lives, avoid litigation

  9. Tomi Engdahl says:

    Trojan variant making big attack push
    A wave of attacks pushing a new variant of Pushdo Trojan compromised more than 11,000 systems in just 24 hours.

    Indian PCs lead in terms of attacks, but systems in the UK, France and the U.S. have also suffered hits, according to security software firm Bitdefender. As one case in point, the Romanian firm said 77 machines suffered infection in the UK via the botnet in 24 hours, with more than 11,000 infections reported worldwide in the same period. Other countries heavily affected by the Pushdo variant include Vietnam and Turkey.

    The Pushdo Trojan also distributed secondary malware strains such as ZeuS and SpyEye, but over the years its main use has been for spam distribution.

  11. b&b vaticano says:

    Appreciating the hard work you put into your site and detailed information you present. It’s great to come across a blog every once in a while that isn’t the same old rehashed information. Wonderful read! I’ve saved your site and I’m adding your RSS feeds to my Google account.

  12. Ongoing says:

    Hi, I believe your web site may be having internet browser compatibility problems.
    Whenever I look at your blog in Safari, it looks
    fine however when opening in Internet Explorer, it’s got some overlapping issues.
    I simply wanted to provide you with a quick heads up!
    Aside from that, excellent blog!

    • Tomi Engdahl says:

      What is your specific problem with IE and which version do you have this?
      I have tested my site with IE and I have not seen any issues on using the site with it.

  13. Tomi Engdahl says:

    Serious Vulnerabilities Found in Schneider Electric’s ProClima Solution

    The ProClima configuration utility developed by Schneider Electric is affected by several command injection vulnerabilities, the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) reported on Tuesday.

    ProClima is a thermal management software used in sectors such as energy, commercial facilities, and critical manufacturing, mainly in the United States and Europe. The solution processes thermal data, such as temperature and humidity, in order to define the right thermal management choice (ventilation, control, heating and cooling functions) for installed equipment.

    The security holes, which according to Schneider Electric are ActiveX Control vulnerabilities, were discovered by researchers Ariele Caltabiano, Andrea Micalizzi, and Brian Gorenc, and reported through HP’s Zero Day Initiative (ZDI). Successful exploitation could allow a remote attacker to execute arbitrary code.

    The vulnerabilities can be exploited even by an attacker with a low skill level. However, ICS-CERT says there’s no evidence that they are being exploited in the wild.

    Since Schneider Electric’s products are widely deployed, they are targeted by many researchers who specialize in ICS security.

  14. Tomi Engdahl says:

    Vulnerabilities Found in Schneider Electric SCADA Product Line

    A total of three security holes have been identified in Schneider Electric’s StruxureWare SCADA Expert ClearSCADA products, ICS-CERT reported this week.

    Schneider Electric SCADA Expert ClearSCADA solutions are Web-based systems deployed in industries such as energy, water and commercial facilities, mainly in the United States and Europe.

    According to security advisories published by ICS-CERT and Schneider Electric, the flaws include an authentication bypass issue, a weak hashing algorithm and a cross-site scripting (XSS) vulnerability. Independent security researcher Aditya Sood, who has been credited for identifying two of the vulnerabilities, clarified for Kaspersky’s Threat Post that he actually reported a cross-site reference forgery (CSRF) flaw, not an XSS vulnerability.

    By leveraging this vulnerability (CVE-2014-5411), an attacker could remotely shut down the ClearSCADA server by tricking a victim with system administrator privileges logged in via the WebX client interface to unknowingly execute arbitrary code, the vendor said.

  15. Tomi Engdahl says:

    Computer intrusion inflicts massive damage on German steel factory
    Blast furnace can’t be properly shut down after attackers take control of network.

    A German steel factory suffered significant damage after attackers gained unauthorized access to computerized systems that help control its blast furnace, according to a report published Friday by IDG News.

    The attackers took control of the factory’s production network through a spear phishing campaign, IDG said, citing a report published Wednesday by the German government’s Federal Office for Information Security. Once the attackers compromised the network, individual components or possibly entire systems failed. IDG reporter Loek Essers wrote:

    Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,”

    The incident is notable because it’s one of the few computer intrusions to cause physical damage. The Stuxnet worm that targeted Iran’s uranium enrichment program has been dubbed the world’s first digital weapon, destroying an estimated 1,000 centrifuges. Last week, Bloomberg News reported that a fiery blast in 2008 that hit a Turkish oil pipeline was the result of hacking, although it’s not clear if the attackers relied on physical access to computerized controllers to pull it off. The suspected sabotage of a Siberian pipeline in 1982 is believed to have used a logic bomb. Critics have long argued that much of the world’s factories and critical infrastructure aren’t properly protected against hackers.

  16. Tomi Engdahl says:

    Cyberattack on German steel factory causes ‘massive damage’

    A German steel factory suffered massive damage after hackers managed to access production networks, allowing them to tamper with the controls of a blast furnace, the government said in its annual IT security report.

    The report, published Wednesday by the Federal Office for Information Security (BSI), revealed one of the rare instances in which a digital attack actually caused physical damage.

    Due to these failures, one of the plant’s blast furnaces could not be shut down in a controlled manner, which resulted in “massive damage to plant,” the BSI said, describing the technical skills of the attacker as “very advanced.”

    The attack involved the compromise of a variety of different internal systems and industrial components

    The hack sounds similar to attacks involving the Stuxnet worm.

  17. Tomi Engdahl says:

    Iranian hackers compromised airlines, airports, critical infrastructure companies

    For the past two years, a team of Iranian hackers has compromised computers and networks belonging to over 50 organizations from 16 countries, including airlines, defense contractors, universities, military installations, hospitals, airports, telecommunications firms, government agencies, and energy and gas companies.

    The attacks have collectively been dubbed Operation Cleaver after a string found in various malware tools used by the hacker group, which is believed to operate primarily out of Tehran.

    “We discovered over 50 victims in our investigation, distributed around the globe,” said researchers from IT security firm Cylance in an extensive report released Tuesday. “Ten of these victims are headquartered in the US and include a major airline, a medical university, an energy company specializing in natural gas production, an automobile manufacturer, a large defense contractor, and a major military installation.”

    The attackers used publicly available attack tools and exploits, as well as specialized malware programs they created themselves.

  18. Tomi Engdahl says:

    No evidence of such sabotage by the group exists so far, but Cylance believes this could be the campaign’s end goal, as retaliation by Iran for the Stuxnet, Duqu and Flame malware attacks. Stuxnet, which is viewed as the world’s first cyberweapon, is believed to have been created by the U.S. and Israel to sabotage Iran’s uranium enrichment efforts and set back its nuclear program.


  19. Tomi Engdahl says:

    US Gas Stations Exposed to Cyberattacks: Researchers

    Malicious actors could theoretically shut down more than 5,300 gas stations in the United States because the automatic tank gauges (ATGs) used to monitor fuel tanks are easily accessible via the Internet.

    ATGs are electronic devices that monitor fuel level, temperature, and other parameters in a tank. The devices alert operators in case there is a problem with the tank, such as a fuel leak.

    “Many ATGs can be programmed and monitored through a built-in serial port, a plug-in serial port, a fax/modem, or a TCP/IP circuit board. In order to monitor these systems remotely, many operators use a TCP/IP card or a third-party serial port server to map the ATG serial interface to an internet-facing TCP port. The most common configuration is to map these to TCP port 10001,” Rapid7’s HD Moore noted in a blog post.

    Based on an Internet-wide scan targeting the TCP port 10001, Rapid7 has determined that roughly 5,800 ATGs are accessible via the Internet and without a password to protect them against unauthorized access.

    According to Moore, malicious hackers who have access to the serial interface of an ATG can spoof reported fuel levels, generate false alarms, and perform other actions that could lead to the gas station being shut down.

    The Internet of Gas Station Tank Gauges

    How serious is this?

    ATGs are designed to detect leaks and other problems with fuel tanks. In our opinion, remote access to the control port of an ATG could provide an attacker with the ability to reconfigure alarm thresholds, reset the system, and otherwise disrupt the operation of the fuel tank. An attack may be able to prevent the use of the fuel tank entirely by changing access settings and simulating false conditions, triggering a manual shutdown. Theoretically, an attacker could shut down over 5,300 fueling stations in the United States with little effort.

    What can be done to mitigate or remediate?

    Operators should consider using a VPN gateway or other dedicated hardware interface to connect their ATGs with their monitoring service. Less-secure alternatives include applying source IP address filters or setting a password on each serial port.
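One way to check the source IP filter option mentioned above: the following added example (not from Rapid7 or the original comment) evaluates a first-match filter list and reports which IPv4 sources can still reach TCP port 10001. The rule syntax, function names and addresses are constructed for the illustration.

```python
import ipaddress
from typing import Iterable, List, NamedTuple

ANY = ipaddress.ip_network("0.0.0.0/0")


class Rule(NamedTuple):
    action: str                     # "allow" or "deny"
    src: ipaddress.IPv4Network      # source range the rule matches
    dport: int                      # destination TCP port


def parse_rule(line: str) -> Rule:
    """Parse a constructed rule line: '<allow|deny> <cidr|any> <dport>'."""
    action, src, dport = line.split()
    if action not in ("allow", "deny"):
        raise ValueError(f"unknown action: {action}")
    net = ANY if src == "any" else ipaddress.ip_network(src)
    return Rule(action, net, int(dport))


def _intersect(nets, net):
    """Parts of `nets` that lie inside `net` (CIDR blocks nest or are disjoint)."""
    out = []
    for n in nets:
        if n.subnet_of(net):
            out.append(n)
        elif net.subnet_of(n):
            out.append(net)
    return out


def _subtract(nets, net):
    """Parts of `nets` that lie outside `net`."""
    out = []
    for n in nets:
        if n.subnet_of(net):
            continue
        if net.subnet_of(n):
            out.extend(n.address_exclude(net))
        else:
            out.append(n)
    return out


def exposed_sources(rule_lines: Iterable[str], port: int = 10001,
                    allowlist: Iterable[str] = (),
                    default: str = "deny") -> List[str]:
    """Return the source ranges outside `allowlist` that can reach `port`.

    Rules are evaluated top to bottom; the first rule matching a source wins,
    and `default` applies to sources no rule matched.
    """
    remaining = [ANY]               # sources not yet matched by any rule
    accepted = []                   # sources that end up allowed
    for rule in map(parse_rule, rule_lines):
        if rule.dport != port:
            continue
        if rule.action == "allow":
            accepted.extend(_intersect(remaining, rule.src))
        remaining = _subtract(remaining, rule.src)
    if default == "allow":
        accepted.extend(remaining)
    for entry in allowlist:
        accepted = _subtract(accepted, ipaddress.ip_network(entry))
    return [str(n) for n in ipaddress.collapse_addresses(accepted)]


# Constructed example: 198.51.100.10 stands for the monitoring service.
MONITOR = ["198.51.100.10/32"]
WEAK = ["allow 198.51.100.10/32 10001", "allow any 10001"]
FILTERED = ["allow 198.51.100.10/32 10001", "deny any 10001"]

if __name__ == "__main__":
    print("weak rule set exposes", len(exposed_sources(WEAK, allowlist=MONITOR)), "ranges")
    print("filtered rule set exposes", exposed_sources(FILTERED, allowlist=MONITOR))
```

An empty result means only the allowlisted monitoring addresses can reach the port; the check covers IPv4 source filtering only and says nothing about the serial port password or a VPN in front of the device.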

  20. Tomi Engdahl says:

    New Technology Detects Cyberattacks By Power Consumption

    Startup’s “power fingerprinting” approach catches stealthy malware within milliseconds in DOE test.

    A security startup launching early next week uses trends in power consumption activity, rather than standard malware detection, to spot cyberattacks against power and manufacturing plants. The technology successfully spotted Stuxnet in an experimental network before the malware went into action.

    PFP Cybersecurity, which officially launches on Monday and was originally funded by DARPA, the Defense Department, and the Department of Homeland Security, basically establishes the baseline power consumption of ICS/SCADA equipment such as programmable logic controllers (PLCs), supervisory relays, or other devices and issues an alert when power consumption or RF radiation changes outside of their baseline usage occur. Such changes could be due to malware, as well as to hardware or system failures, for instance.

    Joe Cordaro, advisory engineer with SRNL, says the PFP system right away found small changes to the code on the PLC while it was dormant.

  21. Tomi Engdahl says:

    Siemens sighs: SCADA bugs abound
    Wimax network kit vulnerable

    Another security advisory covering Siemens industrial kit has reached the public, this time covering wireless industrial networking hardware.

    ICS-CERT advises that the Ruggedcom range of 802.16e (Wimax, for those with long memories) switches from the company carries a range of vulnerabilities that let attackers scam admin privileges for themselves.

    Products impacted are in the company’s WIN 51xx, WIN 52xx, WIN 70xx and WIN 72xx series. These are Wimax base stations designed for harsh environment deployments.

    The ICS-CERT note puts the kit in a wide range of industries worldwide, including chemical, communications, critical manufacturing, dams, defence, energy, food and agriculture, government facilities, transportation systems, and water and wastewater systems.

    Siemens is asking customers to get in touch (online support request) to get a firmware update.

  22. Tomi Engdahl says:

    Connecting buildings via the Internet of Things
    The Internet of Things offers engineers ripe opportunities to take the lead with clients.

    The Internet of Things (IoT) is not aspirational technology. It’s here. It’s not a question of “if,” but of “how much” and “how fast.” And what it means to consulting engineers day to day. The answer could be: “A lot.”

    The reason is that IoT is taking by storm many of the technologies engineers include when designing, specifying, and building projects: building and industrial automation systems, backup power, lighting, asset management, and testing and measurement.

    A number of prestigious organizations already have weighed in on IoT:

    Gartner projects there will be about 25 billion connected devices by the end of this decade
    McKinsey Global Institute has reported that IoT could potentially generate an economic impact of $2.7 trillion to $6.2 trillion annually by 2025
    International Data Corp. (IDC) estimated that organizations spent $113 billion worldwide in 2013 on relevant information management, access, and analysis technologies and services.

    The industrial version of IoT (IIoT) makes a good business case for consulting engineering clients. It also is good business for engineering firms to be their clients’ IIoT go-to source of expertise.

    Specifying, designing, and building IIoT capabilities require skillsets already offered by engineering firms: deep understanding of facility spaces and the knowledge to connect legacy systems with new technology. That makes IIoT a low-hanging fruit. The opportunities to enable clients to achieve higher efficiencies and reliability by better managing, controlling, maintaining, diagnosing issues, and optimizing their facilities are ripe.

    The overall business case for consulting engineers lies in the compelling insights produced when big data are analyzed quickly. Such insights empower clients to know what’s happening 24/7. Call it heightened situational awareness or contextual insight in real time.

    Specifying, designing, and building IIoT capabilities into critical power management systems need to accommodate such requirements as power demand, integration, lifecycle value, and security considerations.

    Improving efficiency and reliability, for example, can be accomplished with more data points and faster response times, which are at the heart of IIoT.

    The variety of data often has to be combined from many sources that will almost always have different structures and meet various standards.

    For critical systems, such as backup power, data is streamed in real time at speeds measured in milliseconds. It’s monitored, stored, and if it signals out-of-parameter operating conditions, displayed graphically and perhaps annunciated.

    For IIoT, cluster management is a group of sensing devices on related equipment. A prime example is the coexistence of devices for building management systems, supervisory control and data acquisition, data center infrastructure management, and critical power management systems. The devices have local intelligence and compatible, two-way communication pathways, and, ideally, streamlined network topology protocols that eliminate repetitive wrapping and unwrapping of data.

    Such clusters integrate legacy equipment and new technologies into an interoperable, distributed ecosystem that can be fairly autonomous and remotely controlled. A top 10 global banking firm, for example, monitors and controls a critical power management system more than 900 miles from the firm’s control center. Near-term, it plans to manage such systems globally.

  23. Tomi Engdahl says:

    7 things control engineers should know about management

    How to communicate effectively with management and accelerate your career: Engineers should know these 7 things about management today. Don’t wait for others to delegate the needed resources or complain that they haven’t. Leadership can be innate, earned, learned, or situational, but knowing these strategies and tactics and reviewing these examples can help you succeed.

  24. Tomi Engdahl says:

    Moving to the cloud with mobility technology

    Human machine interface (HMI) applications and industry are connecting to the rapidly expanding cloud to cut costs, speed implementation, and provide worldwide access to data. To assist, use these simple series of steps to set up, operate, and maintain a safe and secure cloud-based data distribution system to improve efficiency through mobility.

    Accessing manufacturing and other industrial data in the cloud via mobile devices such as smartphones, tablets, and laptops provides many benefits, but security must be carefully considered. Although the cloud’s enabling technologies have been around for quite some time and are proven in use, particularly in the commercial sector, many in the industrial world have questions and concerns when it comes to using the cloud. To assist, use these simple series of steps to set up, operate, and maintain a safe and secure cloud-based data distribution system.

    Mobile technology and the cloud can provide instant access to production and process data while adhering to security policies, and can be implemented by users with limited experience.

    Cloud technology can be thought of as many redundant and physically separate central repositories of data, some free and some provided as a service. These repositories can be off-site, as with a public or hybrid cloud, or on-premise, as with a private cloud. Explanations here will focus on public cloud implementations, by far the lowest-cost solution among cloud technologies, and much less expensive than purchasing, implementing, and maintaining similar computing infrastructure on premise.

    Perhaps a firm’s biggest fear when it comes to implementing the cloud and mobility is loss of control. If a server or other IT hardware owned and maintained by a firm fails, action can be taken internally to correct the problem. In the cloud, the firm, or more precisely its IT department, doesn’t have the same level of visibility and control. However, there are ways to make the cloud more resilient, as high availability and redundancy are achievable but must be planned.

    If one cloud service provider goes down, a second one can be kept ready, with the speed of transition depending on the criticality of the firm’s business. For the quickest switchover, data should be sent from the HMI to the two cloud service providers simultaneously. This is the most expensive solution. A lower cost alternative is uploading data to a second provider only after the primary provider experiences an outage. The speed of recovery in this case will depend on just how long it takes the HMIs to upload data to the second provider.

  25. Tomi Engdahl says:

    Toward simpler and faster control system implementations

    Control system hardware and architectures will look much different going forward: Less customized, more automated.

  26. Tomi Engdahl says:

    The role of industrial networks in energy usage

    Energy costs big dollars for manufacturers, and most plants don’t know where energy is used, said Eric Scott of Molex Inc. Industrial network groups are working on interfaces to help. See the video.

    In today’s world energy costs big dollars for manufacturers and the fact is most plants don’t know where their energy is being used. To help with this problem the industrial network communities are providing common interfaces to gather and control energy in the industrial space. This presentation will focus on aspects of energy where it relates to industrial automation and some of the challenges companies face. It will also cover an upcoming initiative for interfacing to the Smart Grid for demand response requests.

  27. Tomi Engdahl says:

    Embedded server software development kit is Embedded OPC server compliant

    Version 2.0 of Matrikon OPC’s Embedded Server Software Development Kit (SDK) has been certified to be compliant with the Embedded OPC Server profile and is configurable and scalable from microcontrollers to high-end embedded systems.

  28. Tomi Engdahl says:

    Distributed power control

    Results from distributed power control include integrating power users with power suppliers with Smart Grid technologies and storing energy for peak load shifting, and evening the load from renewable (non-baseload) power sources.

  29. Tomi Engdahl says:

    A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever

    Amid all the noise the Sony hack generated over the holidays, a far more troubling cyber attack was largely lost in the chaos. Unless you follow security news closely, you likely missed it.

    I’m referring to the revelation, in a German report released just before Christmas (.pdf), that hackers had struck an unnamed steel mill in Germany. They did so by manipulating and disrupting control systems to such a degree that a blast furnace could not be properly shut down, resulting in “massive”—though unspecified—damage.

    This is only the second confirmed case in which a wholly digital attack caused physical destruction of equipment. The first case, of course, was Stuxnet

    It’s not clear when the attack in Germany took place. The report, issued by Germany’s Federal Office for Information Security (or BSI), indicates the attackers gained access to the steel mill through the plant’s business network, then successively worked their way into production networks to access systems controlling plant equipment. The attackers infiltrated the corporate network using a spear-phishing attack

    Once the attackers got a foothold on one system, they were able to explore the company’s networks, eventually compromising a “multitude” of systems, including industrial components on the production network.

    “Failures accumulated in individual control components or entire systems,” the report notes. As a result, the plant was “unable to shut down a blast furnace in a regulated manner” which resulted in “massive damage to the system.”

    “The know-how of the attacker was very pronounced not only in conventional IT security but extended to detailed knowledge of applied industrial controls and production processes,” the report says.

    The report doesn’t name the plant or indicate when the breach first occurred or how long the hackers were in the network before the destruction occurred.

    The report also illustrates the need for strict separation between business and production networks to keep hackers from leaping from one network to another and remotely accessing critical systems over the internet. Although a network can only be considered truly air-gapped if it’s not connected to the internet and is not connected to other systems that are connected to the internet, many companies believe that a software firewall separating the business and production network is sufficient to stop hackers from making that leap. But experts warn that a software firewall can be misconfigured or contain security holes that allow hackers to break through or bypass them nonetheless.

  30. Tomi Engdahl says:

    The industrial PLC market actually collapsed in 2012, when economic uncertainty froze investments in production facilities. Now the market has returned to a growth path. The logic modules, however, need to become smaller and more efficient for the investment to justify itself.

    The research institute Frost & Sullivan predicts that PLCs worth 14.6 billion dollars will be sold in 2018. This covers services, software and hardware solutions, of which the so-called micro-size range of modules in particular is increasing.

    Frost & Sullivan names security as one of the key features of new logic control systems. Mill networks are no longer separate from the Internet, so they must be protected with the same seriousness and care as other business networks.


  31. Tomi Engdahl says:

    Schneider Electric Fixes Vulnerabilities in HMI Products

    Schneider Electric has released software updates to address several vulnerabilities affecting the Wonderware InTouch Machine Edition 2014 and InduSoft Web Studio product lines.

    Wonderware InTouch Machine Edition is designed for the development of secure, intuitive and highly maintainable human-machine interface (HMI) applications for embedded devices, intelligent machines, and industrial panel computers. InduSoft Web Studio is a development and runtime software that is used to create supervisory control and data acquisition (SCADA) HMI applications, overall equipment effectiveness (OEE) interfaces, and dashboards.

    According to ICS-CERT, the vulnerabilities can be exploited from an adjacent network.

    Organizations are advised to update their installations as soon as possible, especially since even an attacker with low skill can exploit the vulnerabilities, and ICS-CERT says public exploits for these flaws might exist.

  32. Tomi Engdahl says:

    Siemens Patches DoS, Other Vulnerabilities in SIMATIC HMI Products

    Researchers have identified three vulnerabilities in Siemens’ SIMATIC HMI devices. The German engineering giant has started releasing software updates to address the security holes in affected products.

    The most severe of the issues is a resource exhaustion vulnerability (CVE-2015-2822) that can be leveraged by an attacker positioned between the HMI panel and a programmable logic controller (PLC) to cause a denial-of-service (DoS) condition in the HMI panel. The flaw can be exploited by sending specially crafted packets on TCP port 102, ICS-CERT and Siemens explained in advisories.

    The fact that a malicious actor can launch this kind of man-in-the-middle (MitM) attack by positioning himself on the network path between a PLC and its communication partner is a separate vulnerability that has been assigned the CVE identifier CVE-2015-1601. An attacker can leverage this vulnerability to intercept or modify industrial communications, Siemens said.

  33. Tomi Engdahl says:

    US government report: planes with avionics and passengers on same network could theoretically be vulnerable to hackers

    GAO: Newer aircraft vulnerable to hacking

    Washington (CNN) Hundreds of planes flying commercially today could be vulnerable to having their onboard computers hacked and remotely taken over by someone using the plane’s passenger Wi-Fi network, or even by someone on the ground, according to a new report from the Government Accountability Office.

    One of the authors of the report, Gerald Dillingham, told CNN the planes include the Boeing 787 Dreamliner, the Airbus A350 and A380 aircraft, and all have advanced cockpits that are wired into the same Wi-Fi system used by passengers.

    “Modern communications technologies, including IP connectivity, are increasingly used in aircraft systems, creating the possibility that unauthorized individuals might access and compromise aircraft avionics systems,” according to the report, which is based on interviews with cybersecurity and aviation experts.

    The government investigators who wrote the report say it is theoretically possible for someone with just a laptop to:

    – Commandeer the aircraft

    – Put a virus into flight control computers

    – Jeopardize the safety of the flight by taking control of computers

    – Take over the warning systems or even navigation systems

    Dillingham says although modern aircraft could be vulnerable, there are a number of redundancy mechanisms built into the plane systems that could allow a pilot to correct a problem.

    The report explains that as the air traffic control system is upgraded to use Internet-based technology on both the ground and in planes, avionics could be compromised. Older plane systems aren’t highly Internet-based, so the risk for aircraft 20 years and older is less.

    Commercial pilot John Barton told CNN, “We’ve had hackers get into the Pentagon, so getting into an airplane computer system I would think is probably quite easy at this point.”

    Experts told investigators, “If the cabin systems connect to the cockpit avionics systems and use the same networking platform, in this case IP, a user could subvert the firewall and access the cockpit avionics system from the cabin.”

    He says that the Federal Aviation Administration “must focus on aircraft certification standards that would prevent a terrorist with a laptop in the cabin or on the ground from taking control of an airplane through the passenger Wi-Fi system. That’s a serious vulnerability.”

    Washington went on to say “It is also important to note that the FAA had already initiated a comprehensive program to improve the cybersecurity defenses of the NAS (National Airspace System) infrastructure, as well as other FAA mission-critical systems. We are significantly increasing our collaboration and coordination with cyber intelligence and security organizations across the federal government and in the private sector.”

    “The Dreamliner and the A350 were actually designed to have the technology in it going forward to be able to have remote control intervention between the pilot and the ground or if an emergency were to happen in the air,” Barton said. But he quickly added, “It’s going to take a long time before we get to the point where that technology is safe and secure.”

    Boeing said it is committed to designing secure aircraft.

    “Boeing airplanes have more than one navigational system available to pilots,”

  34. Tomi Engdahl says:

    Your city’s not smart if it’s vulnerable says hacker
    Major vendors block hackers from testing insecure IoT kit

    “Real world hacker” Cesar Cerrudo has blasted vendors, saying they’re stopping security researchers from testing smart city systems, and as a result they’re being sold with dangerous unchecked vulnerabilities.

    The warning will be detailed at RSA San Francisco this week, and comes a year after the IOActive chief technology officer found some 200,000 vulnerable traffic control sensors active in cities like Washington DC, London, and Melbourne.

    Vendors don’t want their kit tested, Cerrudo said, although there are now 25 major cities across the world taking the lead in deployment, such as New York, Berlin, and Sydney.

    In An Emerging US (and World) Threat: Cities Wide Open to Cyber Attacks (pdf), the hacker warns that attack surfaces in smart city technology are plentiful given its complexity and integration with legacy systems, and says the woeful security shortfalls with internet-of-things devices are creeping into city tech.

    “In our research at IOActive Labs, we constantly find very vulnerable technology being used … for critical infrastructure without any security testing,” Cerrudo says.

    “Technology vendors impede security research: New systems and devices used by smart cities are difficult to acquire by the security research community – most are expensive and are usually only sold to governments or specific companies, making it difficult for systems to be rigorously tested.”

    He added that “a simple problem can have a large impact due to interdependencies and associated chain reactions [which] highlights the need for threat modelling.”

  35. Tomi Engdahl says:

    Rail signal upgrade ‘could be hacked to cause crashes’

    A hi-tech signalling system that will eventually control all of Britain’s trains could potentially be hacked to cause a serious crash, according to a scientist who advises the government.

    Prof David Stupples told the BBC that plans to replace ageing signal lights with new computers could leave the rail network exposed to cyber-attacks.

    UK tests of the European Rail Traffic Management System are under way.

    Network Rail, which is in charge of the upgrade, acknowledges the threat.

    “We know that the risk [of a cyber-attack] will increase as we continue to roll out digital technology across the network,” a spokesman told the BBC.

    “We work closely with government, the security services, our partners and suppliers in the rail industry and external cybersecurity specialists to understand the threat to our systems and make sure we have the right controls in place.”

    Once the ERTMS is up and running, computers will dictate critical safety information including how fast the trains should go and how long they will take to stop.

    “Certain ministers know this is absolutely possible and they are worried about it. Safeguards are going in, in secret, but it’s always possible to get around them.”

    “The weakness is getting malware into the system by employees. Either because they are dissatisfied or being bribed or coerced,” he explained.

    Independent security expert Graham Cluley agreed that the sector could be vulnerable.

    “Seeing as we have seen nuclear enrichment facilities targeted with state-sponsored malware attacks and ‘massive damage’ done to a German steelworks, you have to ask yourself whether it is likely that a train signal system would be any better defended?” he asked.

    “The most obvious danger is going to be human.”

  36. Tomi Engdahl says:

    Companies collaborate to provide cyber security solutions for oil plants

    Yokogawa and Cisco are collaborating to deliver Shell’s SecurePlant initiative. SecurePlant is a security management solution for plant control systems. This is scheduled to be implemented over the next three years at around 50 Shell plants globally.

    Industrial producers around the world face a wide range of operational challenges in areas such as cybersecurity that pose a pervasive threat to safety and availability. Most companies with global operations, however, still take a relatively simplistic plant-by-plant approach, such as implementing operating system security patches and anti-virus pattern file updates. As a result, security levels tend to vary at each plant and there is a lack of standardization.

    Yokogawa and Cisco collaborated on the design of the SecurePlant service with the aim of standardizing security practices at Shell plants.

  37. Tomi Engdahl says:

    ICS cyber insecurity: Not if, but when

    Think Again: A major cyber security incident will happen to industrial control systems (ICS): not if, but when. Are you and your coworkers ready? Is your organization ready? Do you have the technologies, processes, and procedures ready at every level?

    Hackers are knocking at the door daily of facilities with industrial control systems, whether you choose to acknowledge it or not. When someone lets them in, how will you and your organization, customers, partners, and supply chain respond?

    Some experts equate today’s cyber security maturity level to where plant floor safety was before OSHA. Ignoring risk will NOT make it go away. Get cyber security help, make multi-layered plans and policies for defense in depth, invest in technologies to promote defense by design, talk about it with employees, and encourage them to talk among themselves.

    Stephen Biller, PhD, chief manufacturing scientist, GE, talking about Internet of Things (IoT) and cyber security, said, “Companies don’t have a choice. They have to invest in IoT; otherwise, they will be out of business. Doing nothing is a much higher risk. Cyber security has to be at the highest level.”

    Many cyber security technologies are available. To name a few discussed at ARC Forum:

    Cisco, Shell, and Yokogawa announced a collaborative effort to provide cyber security solutions for about 50 Shell facilities.
    Bedrock Automation showed a defense by design automation system, with hardened backplane, I/O modules, power supplies, and programmable logic controller (PLC).
    Skkynet introduced its Secure Cloud Service to enable bidirectional supervisory control, integration, and sharing of data with multiple users, and real-time access to selected data sets in a web browser. That service can securely handle more than 50,000 data changes per second, per client.

    But think again if you consider technology investments enough.

    Vulnerability assessment: Never?!

    Despite all the discussion and education, it doesn’t seem like we’re ready for cyber security threats. A recent poll at asked, “When is the last time your organization performed any type of a cyber security vulnerability assessment?” About half (as of Feb. 21) said, “Within past 6 months,” but a stunning one-third said, “Never,” 10% said, “Within the past 2 years,” and 6% said, “Within the past year.”

  38. Tomi Engdahl says:

    Industry information security, the next forefront?

    Facing the increasingly severe information security issue of industrial control systems, the Chinese government has established a “Central Network Security and Informatization Leading Group” led by President Xi Jinping to raise network security to the national strategic level. The industrial information security market expects accelerated growth in the future, according to Control Engineering China.

  39. Tomi Engdahl says:

    DoE releases guidance for cyber security framework

    In developing this guidance, the Energy Department collaborated with private sector stakeholders through the Electricity Subsector Coordinating Council and the Oil & Natural Gas Subsector Coordinating Council.

    The Cybersecurity Framework consists of standards, guidelines, and practices to promote the protection of critical infrastructure and was developed in response to Executive Order 13636 “Improving Critical Infrastructure Cybersecurity” through collaboration between industry and government.

    Framework for Improving
    Critical Infrastructure Cybersecurity

  40. Tomi Engdahl says:

    Advance network security, support system monitoring

    Cyber security: Applications can improve power reliability and reduce energy costs by advancing network security and supporting system monitoring. Allowing network access raises cyber security concerns. Five defense-in-depth measures can help.

    “Defense in depth” is a strategy to establish variable barriers across multiple levels in the organization to secure the ICS. These barriers include electronic countermeasures such as:

    1. Establish firewalls to add stringent and multifaceted rules for communication between various network segments and zones in the ICS network.
    2. Create demilitarized zones from the established firewall by grouping critical components and isolating them from the traditional business IT network.
    3. Deploy intrusion detection and prevention systems that focus on identifying possible incidents in an ICS network.
    4. Establish well-documented and continuously reviewed policies, procedures, standards, and guidelines regarding ICS network security.
    5. Implement continuous assessment and security training to ensure the security of the ICS and the safety of the people who depend on it.
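An added illustration, not taken from the quoted articles: measures 1 to 3 above, the business/production separation stressed in the steel mill report (comment 29) and the TCP port 102 exposure in the Siemens advisory (comment 32) can all be checked against observed traffic. The zone names, subnets, allowed conduits (including the OPC UA port 4840 path), the log format and the flow records are constructed assumptions.

```python
"""Audit flow records against a zone/conduit policy (added example)."""
import ipaddress
from typing import NamedTuple

# Assumed zone layout: business IT, an industrial DMZ, and the control network.
ZONES = {
    "business": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "control": ipaddress.ip_network("10.30.0.0/24"),
}

# Allowed conduits: (source zone, destination zone, destination TCP port).
# Business hosts only reach the DMZ; only the DMZ reaches the control zone.
CONDUITS = {
    ("business", "dmz", 443),
    ("dmz", "control", 4840),      # assumed data-collection path
    ("control", "control", 102),   # PLC/HMI traffic stays inside the zone
}

# Control-zone hosts expected to talk to PLCs on TCP/102 (assumed HMIs).
PORT_102_PEERS = {"10.30.0.10", "10.30.0.11"}

# Constructed flow records in the form "src -> dst:port".
SAMPLE_FLOWS = [
    "# constructed sample data",
    "10.10.4.25 -> 10.20.0.5:443",
    "10.20.0.5 -> 10.30.0.50:4840",
    "10.30.0.10 -> 10.30.0.50:102",
    "10.10.4.25 -> 10.30.0.50:102",
    "10.30.0.77 -> 10.30.0.50:102",
    "203.0.113.9 -> 10.30.0.50:102",
    "10.10.4.25 -> 10.20.0.5:3389",
]


class Flow(NamedTuple):
    src: str
    dst: str
    dport: int


def zone_of(addr):
    """Return the zone name for an IPv4 address, or 'external'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line):
    """Parse one 'src -> dst:port' record (IPv4 only)."""
    src, _, rest = line.partition(" -> ")
    dst, _, port = rest.rpartition(":")
    return Flow(src.strip(), dst.strip(), int(port))


def audit(lines):
    """Return (reason, Flow) pairs for every record that breaks the policy."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        flow = parse_flow(line)
        src_zone, dst_zone = zone_of(flow.src), zone_of(flow.dst)
        if (src_zone, dst_zone, flow.dport) not in CONDUITS:
            if dst_zone == "control" and src_zone != "control":
                # Traffic entered the control zone without an allowed conduit.
                reason = "zone-bypass"
            else:
                reason = "unlisted-conduit"
            findings.append((reason, flow))
        elif flow.dport == 102 and flow.src not in PORT_102_PEERS:
            # Inside the zone, but not one of the expected PLC partners.
            findings.append(("unexpected-102-peer", flow))
    return findings


if __name__ == "__main__":
    for reason, flow in audit(SAMPLE_FLOWS):
        print(f"{reason:20} {flow.src} -> {flow.dst}:{flow.dport}")
```

A finding of `zone-bypass` means the firewall or DMZ between business and production is not doing what the policy says; `unexpected-102-peer` is the case an intrusion detection rule inside the control zone should alert on.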

  41. Tomi Engdahl says:

    Security in automation: Smartphone might be the greatest threat

    Smartphones have made access to information easy and thus increase security risk for critical information. It requires constant and holistic attention to understand the patterns of attacks and raise awareness with organizations.

    Attack precedents and patterns

    A certain pattern can be identified from both of these attacks, which are quite similar in execution. For example, in case of the Dragonfly, Symantec outlines three phases of the attack:

    1. “The first phase of Dragonfly’s attacks consisted of the group sending malware in phishing emails to personnel in target firms.
    2. In the second phase, the group added watering hole attacks to its offensive, compromising websites likely to be visited by those working in the energy sector in order to redirect them to websites hosting an exploit kit. The exploit kit in turn delivered malware to the victim’s computer.
    3. The third phase of the campaign was the Trojanizing of legitimate software bundles belonging to three different ICS equipment manufacturers.”

    Guy walks into his workplace—with a smartphone!

    The diagram outlines one of the many attack scenarios where a smartphone infected by a dedicated hacker can cause damage to the enterprise systems. Courtesy: Intech Process Automation

    And amidst this chaos, imagine an oil and gas (or for that matter, any industrial) employee walking into his workplace with a smartphone in his hand!

    One can’t deny the utility of these marvels of technology. Smartphones have become prolific in industrial enterprises, and with the constant flow of data, staying up to date with critical information has become significant. With the advent of emerging mega-trends in the industry like industrial Internet, digital oilfield, and Internet of Things (IoT), more and more data is being generated and floated by instruments rather than people. Solutions providers have now begun to furnish customized mobile applications that give instant access to energy, production, and related critical information and analytics where real-time and historical data, KPIs, alarms, trends, scorecards, and GEO SCADA visualization is made available on almost all platforms.

    So in essence, smartphones are no different from the personal computer, and that magnifies the threat in comparison to a PC. All the work-related tasks that you can perform on a PC can be performed easily on a smartphone. There is no difference between the two for the user. And there is no difference between the two for the attacker. The higher frequency of accessing and sending information from a smartphone (as compared to a PC), and the disregard for security measures on the smartphone from the user as well as the enterprise, makes the smartphone an ideal target for the attackers to infiltrate your enterprise and threaten your systems.

    To ensure better security, adopt a strategy composed of the following key elements:

    1. The right policies: Ask yourself whether your organization has the right policy (or a policy at all) that provides guidelines to employees about smartphone usage. Are your employees aware of the threat to their smartphones and, consequently, to your enterprise’s systems?
    2. The right plans: What is your strategy to implement the policy and ensure that the implementation is consistent throughout? Is your smartphone security plan designed to protect and support the technologies of today and the future?
    3. The right products: Do you have the right products to implement your smartphone security plan? Can they provide the desired level of security, performance, and quality of service that you desire?
    4. The right processes: How will you manage your smartphone security infrastructure and ensure constant monitoring, testing, and adaptation?
    5. The right people: Do you have the right people who have the skill set that forms a strategic fit between your policies and plans and your products and processes?

    Smartphone security remains a tricky issue for organizations. Attackers can only be battled by instigating an organization-wide cultural drive that promotes smartphone security consciousness, responsibility, and responsiveness. It requires constant and holistic attention because hackers are relentlessly following where the money and information are.

  42. Tomi Engdahl says:

    Smart grid security WORSE than we thought
    OSGP’s DIY MAC is a JOKE

    Don’t try crypto at home, kids: the Open Smart Grid Protocol project rolled its own crypto and ended up with something horribly insecure.

    This paper at the International Association for Cryptologic Research explains big issues with the OSGP crypto protocol deployed in as many as four million smart meters and devices.

    The digest has a bunch of flaws, they write:

    Zero-byte message padding “results in messages with any number of trailing zeroes sharing the same tag”; and
    The relationship between the OMA digest’s state and the message is fully reversible.

    The upshot is that the OMA digest is “extremely weak, and cannot be assumed to provide any authenticity guarantee whatsoever”.

    One attack needed just 13 queries to an OMA oracle to recover the 96-bit secret key; “a more sophisticated version breaks the OMA digest with only 4 queries and a time complexity of about 2^25 simple operations”.

    Dumb Crypto in Smart Grids:
    Practical Cryptanalysis of the Open Smart Grid Protocol
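An added illustration of the first flaw quoted above, zero-byte padding that lets messages differing only in trailing zeroes share a tag. The toy chained MAC below is a constructed stand-in and is not the OMA digest; the key, block size and message are assumptions. It sets the ambiguous padding beside an unambiguous one and beside standard HMAC-SHA256.

```python
"""Why zero-byte padding breaks a MAC, with a toy construction (added example)."""
import hashlib
import hmac

BLOCK = 8  # toy block size in bytes (assumption for the demo)
DEMO_KEY = bytes(range(12))   # constructed 96-bit key
DEMO_MSG = b"SET LOAD=50"     # constructed 11-byte message


def _chain(key, padded):
    """Toy block-chained MAC over already padded input (not OMA, not for real use)."""
    state = hmac.new(key, b"init", hashlib.sha256).digest()[:BLOCK]
    for i in range(0, len(padded), BLOCK):
        block = padded[i:i + BLOCK]
        state = hmac.new(key, state + block, hashlib.sha256).digest()[:BLOCK]
    return state


def zero_pad(msg):
    """Ambiguous: b'A' and b'A\\x00' pad to the same bytes."""
    return msg + bytes(-len(msg) % BLOCK)


def marker_pad(msg):
    """Unambiguous: a 0x80 marker records where the message ended."""
    padded = msg + b"\x80"
    return padded + bytes(-len(padded) % BLOCK)


def tag_zero_pad(key, msg):
    return _chain(key, zero_pad(msg))


def tag_marker_pad(key, msg):
    return _chain(key, marker_pad(msg))


def tag_hmac(key, msg):
    """Vetted construction from the standard library; no hand-rolled padding."""
    return hmac.new(key, msg, hashlib.sha256).digest()


def colliding_extensions(tag_fn, key, msg, max_zeros):
    """Return every n <= max_zeros for which msg + n zero bytes has msg's tag."""
    base = tag_fn(key, msg)
    return [
        n for n in range(1, max_zeros + 1)
        if hmac.compare_digest(base, tag_fn(key, msg + bytes(n)))
    ]


def demo():
    """Count colliding trailing-zero extensions for each tagging function."""
    return {
        name: colliding_extensions(fn, DEMO_KEY, DEMO_MSG, 8)
        for name, fn in (
            ("zero_pad", tag_zero_pad),
            ("marker_pad", tag_marker_pad),
            ("hmac_sha256", tag_hmac),
        )
    }


if __name__ == "__main__":
    for name, zeros in demo().items():
        print(f"{name:12} colliding extensions: {zeros}")
```

In this toy the collisions stop at the block boundary (five zero bytes for the 11-byte message); a receiver that accepts such a tag cannot tell which of the colliding messages was actually authenticated.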

  43. Tomi Engdahl says:

    EtherCAT Linking Factory to Office

    In the industrial market, one of the key applications for the Internet of Things (IoT) is to provide information on factory operation to the back office. Doing so requires a bridge between the networks running the factory machinery and the IT networks in the office. The EtherCAT Technology Group and the OPC Foundation are working together to develop standards for building such a bridge in next-generation factories utilizing industrial IoT.

    The OPC Foundation has created the OPC Unified Architecture (OPC-UA), a platform-independent, service-oriented infrastructure model that facilitates communications of information and control among operations such as field devices, manufacturing execution systems, and enterprise resource planning systems. The EtherCAT Technology Group (ETG) supports the EtherCAT real-time industrial Ethernet, providing conformance and interoperability testing and certification. Together, the two aim to provide industrial users with consistent communications across all levels of a manufacturing enterprise, from factory to cloud, using Internet technologies. The groups have agreed to develop a common definition of open interfaces bridging the two approaches.

    OPC’s choice of EtherCAT as the field network for its industrial IoT framework mirrors a growing interest in the bus for next-generation industrial network systems. For instance, both Microchip and Infineon have recently introduced new products supporting EtherCAT. Microchip released the LAN9252 3-port EtherCAT slave controller with integrated PHY. Infineon released the XMC4800, a Cortex M-based microcontroller with integrated EtherCAT node.

  44. Tomi Engdahl says:

    Industrial Ethernet: From the Front Office to the Factory Floor

    Ethernet networks traditionally connect our workplace environments where laptops and mobile devices are the primary communication tools. Now, Ethernet networks are expanding beyond the office to connect to major monitoring and control systems used in the manufacturing space. Ethernet is an obvious solution for industrial automation applications in part because it is a mature, highly affordable technology. This modern communications capability makes on the fly adjustments to production more than just a futuristic fantasy.

    One of the “big picture” business benefits of industrial Ethernet often touted by analysts and vendors is rapid response—both to market demand and to problems happening during production runs. How might rapid response affect the future of manufacturing?

    The rapid transmission of information over TCP/IP from the front office to the factory has the potential to revolutionize the ways in which products get made. Interoperability between product design, workflow systems, and the machines that make and assemble goods will decrease time-to-market. That same capability will increase the number of product variations possible in a manufacturing plant.

    When seconds equal big savings or losses

    The office network and the industrial Ethernet network may transmit data similarly, but a key difference is in the priority of response times. The stakes are much higher when an automated alert that something is amiss on the factory floor is delayed, compared to the consequences of an email’s showing up after a lag of a few seconds. Out on the line, a missed message may throw off a precisely synchronized, rapid-fire process, resulting in raw material waste or even a complete line stoppage. For this reason, data transfer performance is a critical concern for anyone relying on industrial Ethernet for remote monitoring of manufacturing equipment.

    A number of tactics and techniques can make a big difference for industrial automation. For example, network segmentation designed to keep communications efficient helps. Use of subnets within the corporate network makes it possible to ensure communications are as fast as possible. This also reduces the possibility of network traffic collisions, an otherwise common issue for lags in data packet delivery on Ethernet networks.

  45. Tomi Engdahl says:

    I Told You SSO

    Last month the French TV network, TV5Monde, had 11 of its stations’ signals disrupted by an Islamist group. Its websites and social media pages were also defaced, but the biggest immediate impact was loss of advertising revenue during the blackout.

    And what security failure led to this embarrassing and costly security breach? One source reported that the network’s highest-level password was “azerty12345,” the French-keyboard equivalent of “qwerty12345”, making it easy for attackers to guess.

    But this story gets better (or worse, depending on your perspective). While reporting on their own incident, they actually filmed a staffer in their offices with user names and passwords written down and visible in the background. Then they aired that footage for all the world to see.

    It’s the security equivalent of an “own goal” in soccer.

    Passwords on Paper

    Not just a French problem

    Lest you think that this form of security self-sabotage is uniquely Gallic, last week, a BBC documentary inadvertently exposed passwords used at a British rail network’s control center.

    How do we stop handing attackers our credentials?

    One way would be to stop allowing TV crews to film inside of private areas. Human nature being what it is, though, we will likely continue to want to show off our offices and control centers.

    Clearly, an obvious solution is that users should be dissuaded from displaying their credentials on stickers, banners, white boards and sticky notes as well. But putting the responsibility entirely on users is a fool’s errand.

    Whose responsibility is it?

    We like to say that security is everyone’s responsibility, and there is truth to that. Users are understandably at an impasse, though, when we ask them to use unique, complex passwords for every application, and to rotate them every 90 days without repetition. This makes for good security policy, while boosting the sales of Post-It Notes – in reality, this is security-driven self-sabotage.

    Security teams must bear equal, if not more responsibility, for reducing the risk of credential fatigue leading to inadvertent exposure.

    Reducing reliance on passwords

    It should be no surprise that single sign-on (SSO) is an important part of reducing this risk, given the maturity of SSO technology. SSO reduces the number of unique passwords that users have to remember, implements far more complex passwords than users typically employ and rotates them automatically according to policy.

  46. Tomi Engdahl says:

    Software Glitch Caused Crash of Airbus A400M Military Transport Aircraft

    A software glitch caused the crash of an Airbus A400M military transport aircraft, claims German newspaper Der Spiegel.

    Airbus orders checks on A400M engine system after crash

    Airbus (AIR.PA) on Tuesday ordered engine software checks on the A400M military aircraft following the first crash of Europe’s new troop and cargo carrier.

    The request comes after data compiled by the planemaker after the fatal May 9 accident pointed to a possible anomaly in a system running the plane’s turboprop engines.

    Two people familiar with the matter said the investigation was expected to focus on possible flaws in the way the system had been installed, rather than a design problem.

    Airbus said it had issued an alert asking air forces to examine the plane’s ‘Electronic Control Unit’.

    The unit controls the powerplants and is part of a suite of software systems that process commands and monitor the performance of the West’s largest turboprop engines.

    Problems in certifying the complex engine software, which originally fell under the responsibility of MTU, made headlines in 2009 when they were partially blamed for costly delays. But the plane has also faced a litany of other technical problems from refueling to cargo loading.

    The engines and software of the crashed plane were delivered in February after passing factory inspections.

  47. Tomi Engdahl says:

    If you cannot afford an Einstein to protect the network, try a canary

    By using what is known as a “canary,” companies can take an active defense against cyber attackers. The canary will alert IT when there have been changes to the system and actions can be taken to shore up the system and block the attackers. The time between system compromise and detection is more than seven months, too long to know that the manufacturing IT system has been hacked.

  48. Tomi Engdahl says:

    Is It Possible for Passengers to Hack Commercial Aircraft?

    When security researcher Chris Roberts was removed from a United flight last month after tweeting a joke about hacking the plane’s inflight entertainment system, the security community was aghast at the FBI’s over-reaction and United’s decision to ban him from a subsequent flight.

    But with publication of an FBI affidavit this month asserting that Roberts admitted to hacking a plane inflight, causing it to veer slightly off course, reaction in the community swiftly shifted. Wrath that had been directed at the FBI was now directed at Roberts.

    How could a professional security researcher put passengers at risk by doing a live and unauthorized pen-test of a plane’s network while in the air?

    “While these systems receive [plane] position data and have communication links, the design isolates them from the other systems on airplanes performing critical and essential functions,” Boeing said in a statement.

    The statement seemed a contradiction in terms, though. Were the avionics and infotainment networks connected by communication links or were they isolated? And if connected, how could Boeing be certain a hacker couldn’t leap from the entertainment system to the avionics system and manipulate controls? After all, a report released last month by the Government Accountability Office raised this very concern, as did an FAA document issued to Boeing in 2008.

    According to the affidavit, Roberts was able to issue a “climb command”, which “caused one of the airplane engines to climb resulting in a lateral or sideways movement of the plane.”

    Whether it’s possible to create this condition by issuing a command from a passenger seat is a different matter, however. Soucie and others who WIRED spoke to agree with Boeing that this isn’t possible. But unlike Boeing, they provided clearer details explaining why.

    “The auto-throttle wants to keep the engines together. It does not want to split the engines,” he says. “The only command [available] is to drive them together, not to drive them apart.”

    The only way someone could hack the system to throttle one engine would be if they were able to gain access to the box housing the system and reprogram the software for the throttles. “But you can’t just reprogram a box. There are all sorts of interlocks to make sure that software can’t change inflight,”

    So if Roberts wasn’t able to alter the thrust of an engine, would he have at least been able to access the avionics system to do other things? Soucie and Lemme say no.

    In-Flight Entertainment Systems

    According to the FBI affidavit, Roberts got access to the thrust-management system through the in-flight entertainment system. The affidavit indicates that he found vulnerabilities in two models of IFE made by Panasonic and Thales, a French electronics firm that makes a variety of components and security products for the defense and aerospace industries and others.

    On at least 15 different flights, Roberts evidently compromised IFE systems by obtaining physical access through the Seat Electronic Box, or SEB, installed beneath passenger seats. After removing the cover to the SEB by “wiggling and Squeezing the box,” the affidavit says Roberts took a Cat6 ethernet cable with a modified plug on the end and attached it to the box and his laptop.

    A connection between the avionics system and the IFE does exist. But there’s a caveat.

    Soucie and Lemme say the connection allows for one-way data communication only. The systems are connected through an ARINC 429 data bus that feeds information from the avionics to the IFE about the plane’s latitude, longitude and speed.

    “On every airplane it’s done a little differently and is done in a proprietary way,” Lemme says. But in each case, the ARINC 429 is an output-only hub that allows data to flow out from the avionics system but not back to it, he says.

    But WIRED was able to find a document online (.pdf), which indicates that Boeing’s line of 777 planes use ARINC 629 buses. These buses are designed for two-way communication.

    It’s unclear, however, if these are used only for communication between critical components within the avionics system, or if they are also used for communication between the avionics and non-critical systems like the IFE. Boeing did not respond to a request for comment.

    “The data exchanges are pre-programmed as a part of their system requirements—each transmitter and receiver is programmed for specific data to be provided at a specific rate,” Lemme says. “Each receiver is checking that the data is being received when it should be received, and that it is receiving valid data.”

    The big question in this case would be whether the restrictions programmed into the avionics software were properly coded to reject the communication.

    “People suggest that it’s possible there’s unintended ways of using that interface if it wasn’t [implemented] 100 percent [correctly] and they left some gaps. But I don’t believe these gaps exist,”

    Lemme says there may be some aircraft that now use ethernet connections in place of ARINC 429 buses to transmit data from the avionics to the entertainment system. But in a design like that, he says, there would be a box sitting between the avionics system and the in-flight system to securely convey information to the latter without allowing a connection back to the avionics from the IFE.

    During an interview with WIRED in April, Roberts said he found vulnerabilities that allowed him to jump from the satellite communication system (SATCOM) to the inflight entertainment and cabin-management systems.

    The FBI affidavit doesn’t address the SATCOM system, but Lemme says Roberts would not be able to access the avionics in this way, either.

    A Teller of Tales?

    All of this appears to add up to the conclusion that there’s no way Roberts could have hacked the thrust controls of a plane and manipulated the aircraft, either through the IFE, the SATCOM or anything else. But then how to explain the FBI affidavit?

    Roberts told WIRED after the affidavit came out that the FBI took what he said out of context
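
The receiver-side checks described in the comment above (specific data, at a specific rate, validated on receipt), sketched as an added example that is not part of the original comment or of any avionics vendor's code. It assumes the common 32-bit ARINC 429 word layout with odd parity and BNR status codes; the schedule, label values and rates are constructed for illustration.

```python
from dataclasses import dataclass

# Assumed word layout (bit 1 = least significant bit of the integer):
# bits 1-8 label, 9-10 SDI, 11-29 data, 30-31 SSM, bit 32 odd parity.
SSM_NORMAL = 0b11  # BNR "normal operation"

@dataclass
class Slot:
    period_ms: float     # rate the transmitter is programmed to send at
    tolerance_ms: float  # allowed jitter around that rate

# Constructed receive schedule: only these labels are expected on the bus.
SCHEDULE = {0o310: Slot(200, 50), 0o311: Slot(200, 50), 0o312: Slot(100, 25)}

def make_word(label, data, ssm=SSM_NORMAL, sdi=0):
    """Build a word for the demo, setting bit 32 so the count of 1s is odd."""
    w = (label & 0xFF) | ((sdi & 3) << 8) | ((data & 0x7FFFF) << 10) | ((ssm & 3) << 29)
    if bin(w).count("1") % 2 == 0:
        w |= 1 << 31
    return w

class Receiver:
    def __init__(self, schedule):
        self.schedule = schedule
        self.last_seen = {}  # label -> time of last accepted word

    def accept(self, word, t_ms):
        """Return 'accept' or a reject reason for one received word."""
        if bin(word & 0xFFFFFFFF).count("1") % 2 != 1:
            return "reject: parity"
        label = word & 0xFF
        slot = self.schedule.get(label)
        if slot is None:
            return "reject: unscheduled label"
        if (word >> 29) & 3 != SSM_NORMAL:
            return "reject: ssm"
        prev = self.last_seen.get(label)
        if prev is not None:
            gap = t_ms - prev
            if gap < slot.period_ms - slot.tolerance_ms:
                return "reject: early"   # extra word between scheduled ones
            if gap > slot.period_ms + slot.tolerance_ms:
                self.last_seen[label] = t_ms  # resynchronise after a dropout
                return "reject: late"
        self.last_seen[label] = t_ms
        return "accept"

    def stale(self, now_ms):
        """Labels whose data has not arrived when it should have."""
        return sorted(l for l, s in self.schedule.items()
                      if now_ms - self.last_seen.get(l, float("-inf"))
                      > s.period_ms + s.tolerance_ms)
```
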

  49. Tomi Engdahl says:

    Joseph Menn / Reuters:
    Sources: US tried deploying Stuxnet-style virus against North Korea five years ago to destroy equipment, but the campaign failed — Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources — The United States tried to deploy a version of the Stuxnet computer virus …

    Exclusive: U.S. tried Stuxnet-style campaign against North Korea but failed – sources

    The United States tried to deploy a version of the Stuxnet computer virus to attack North Korea’s nuclear weapons program five years ago but ultimately failed, according to people familiar with the covert campaign.

    The operation began in tandem with the now-famous Stuxnet attack that sabotaged Iran’s nuclear program in 2009 and 2010 by destroying a thousand or more centrifuges that were enriching uranium. Reuters and others have reported that the Iran attack was a joint effort by U.S. and Israeli forces.

