pa2a.org


NSA Director: China can damage US power grid
#11
One of the country's major power interconnects happens to be my customer. I have a lot of energy generators as customers, so I do see things since my software runs inside these places.

SCADA boxes are a smorgasbord of different things in them, these days some cheap micro linux or QNX is quite common for the OS, and they don't really close down the interfaces as streaker said.

The more up-level stuff though has control systems that are on older, less "talky" technologies, with PLBs that are proprietary and the PLB has dumbed down inputs and outputs. There is still a lot of old shitty RS-232 and RS-485 stuff out there, usually connected to some "smarter" piece of equipment that's actually on an IP LAN.

Within this particular realm is a lot of the oversight the Department Of Energy does that you don't get to see. Getting to touch (software-wise, as in being able to interface to the mfg's software) the PLCs giving sensor data for the turbines and coolant pumps of a nuclear reactor is just about as easy as getting high levels of DoD clearance.

Unfortunately in this industry, a lot of this stuff is basically protected by some private or publicly-held company and the only real security is the secrecy policies adhered to by that vendor's employees COMBINED with the expectation of similar secrecy of their own customers. Your average nuke plant for instance wouldn't really just let any Tom, Dick or Hacker walk on-prem and plug into the closed LAN nearest the reactor house where the sensor shit feeds into the control room and over to the on-prem datacenter for telemetry. Failure to do network audits, though, often reveals that someone has opened the control center LAN up to the plant's general-employee LAN. These facilities are also very loath to upgrade their software because there is risk of software bugs compromising systems, so it's even more important to keep the networks this equipment is on locked down and inaccessible with no Internet; so you have two problems---you're secure in one way because your equipment can't talk to the outside, but then it's super-insecure because loads of vulnerabilities continue to be found every day and you haven't upgraded and patched the software to keep up with the security flaws that have been found... so now the risk of someone running a patch cable across a data center and letting the closed-loop network reach the outside carries far worse consequences.


There have been enough failings of microcontroller security, and the infamous centrifuge sabotage incident involving Siemens controllers has made controller boxen and cards a permanent feature of security cons and BlackHat.

Also: The NSA invests heavily in researching vulnerabilities in this space.



If any of y'all do sec-cons; I usually go to them. Most of the big ones are held in Vegas, so if anybody wants to head out and shoot FA with me or jump off the Stratosphere Tower, just holla.
#12
ArcticSplash;157360 Wrote: There have been enough failings of microcontroller security, and the infamous centrifuge sabotage incident involving Siemens controllers has made controller boxen and cards a permanent feature of security cons and BlackHat.

I was at a SCADA conference in DC a few years ago; there was a guy there from Siemens, I know this because he started every sentence with "I work for Siemens". Anyway, he said that it was very common, when Siemens' engineers/contractors were installing the larger switch gear, for them to order a telephone line for a direct connection to the gear.

Many times, the company having the gear installed didn't know the line was installed because it was just done by the contractor, and with companies many times having dozens of phone lines, one being added to their bill didn't really raise any curiosity. What he told us is that these lines, when dialed into with a modem, opened a Telnet session to the switch with no authentication.

It wouldn't take much for someone to wardial a bunch of numbers and see what they're hitting. Apparently the Telnet connection allowed for total control of the switch gear. Makes you wonder how many of those phone lines are still connected and no one is aware of them or the danger they're in by having them.
#13
streaker69;157361 Wrote:
ArcticSplash;157360 Wrote: There have been enough failings of microcontroller security, and the infamous centrifuge sabotage incident involving Siemens controllers has made controller boxen and cards a permanent feature of security cons and BlackHat.

I was at a SCADA conference in DC a few years ago; there was a guy there from Siemens, I know this because he started every sentence with "I work for Siemens". Anyway, he said that it was very common, when Siemens' engineers/contractors were installing the larger switch gear, for them to order a telephone line for a direct connection to the gear.

Many times, the company having the gear installed didn't know the line was installed because it was just done by the contractor, and with companies many times having dozens of phone lines, one being added to their bill didn't really raise any curiosity. What he told us is that these lines, when dialed into with a modem, opened a Telnet session to the switch with no authentication.

It wouldn't take much for someone to wardial a bunch of numbers and see what they're hitting. Apparently the Telnet connection allowed for total control of the switch gear. Makes you wonder how many of those phone lines are still connected and no one is aware of them or the danger they're in by having them.


All Cisco equipment for the longest time also had the RS-232 on the front or the back and a dumb contractor would see a modem lying around and plug it into the switch while hooking up the cabling after the runs were fed into the room.

Isolating machines in a giant org is hard and it's a big time-wasting machine. I feel sorry for network engineers who have to employ MAC-to-port policies [where you have to set up the switches to raise an alarm if the MAC address connected to a switch port ever changes]. DOD office networks are like that.

IBM for the longest time on SNA networks and on early MUX Token Ring systems had that policy on by default--thinking nobody would ever want to unplug equipment from the network drop and plug in something else. Your helpdesk gets plagued with calls from people who have moved their PC or phone without authorization, plugged it into another drop and then wonder why it doesn't work, and it's set off alarms on the network monitoring. The steps to obtain the MAC serial on the equipment are too hard for a user to do--so you always have to have warm bodies around to send out to the user to hunt the MAC, retag equipment, then go change the switch they left and the switch they arrived at and enter in all the changes.


I worked at a place that was like that. 4 people put food on the table for their families just doing that crap for a 1.4mm sqft complex with 9,000 workstations.
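The MAC-to-port policy described in post #13 (alarm when the MAC seen on a port differs from the one it was tagged with) is easy to express as a baseline-versus-snapshot audit. The following is an added example, not code from the thread or from any switch vendor; the two-column "port mac" dump format, the port names and the MAC addresses are all constructed for the demonstration, and it also tells a "moved" device (a MAC that is authorised elsewhere, the helpdesk case the post describes) apart from an unknown one.

```python
"""Port-security audit: alarm on any port whose MAC differs from the baseline."""
from typing import Dict, List, Tuple

# Constructed baseline: the MAC each port was tagged with at install time.
BASELINE_TEXT = """\
Gi1/0/1 00:1a:2b:3c:4d:01
Gi1/0/2 00:1a:2b:3c:4d:02
Gi1/0/3 00:1a:2b:3c:4d:03
"""

# Constructed later snapshot: the PC from port 2 was moved to port 3 without
# authorisation, and a device nobody tagged appeared on port 2.
SNAPSHOT_TEXT = """\
Gi1/0/1 00:1A:2B:3C:4D:01
Gi1/0/2 de:ad:be:ef:00:01
Gi1/0/3 00:1a:2b:3c:4d:02
"""

def parse_mac_table(text: str) -> Dict[str, str]:
    """Parse 'port mac' lines into {port: mac}, normalising MAC case."""
    table: Dict[str, str] = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 2:
            continue  # skip blank or malformed lines rather than crash
        port, mac = parts
        table[port] = mac.lower()
    return table

def audit_ports(baseline: Dict[str, str],
                snapshot: Dict[str, str]) -> List[Tuple[str, str, str, str]]:
    """Return (port, expected_mac, seen_mac, verdict) for every changed port.

    verdict is 'moved' when the seen MAC is authorised on some other port
    (a user dragged their PC to a different drop), otherwise 'unknown'.
    """
    authorised = {mac: port for port, mac in baseline.items()}
    alarms = []
    for port, expected in baseline.items():
        seen = snapshot.get(port)
        if seen is None or seen == expected:
            continue  # port empty or unchanged: nothing to raise
        verdict = "moved" if seen in authorised else "unknown"
        alarms.append((port, expected, seen, verdict))
    return alarms

if __name__ == "__main__":
    for alarm in audit_ports(parse_mac_table(BASELINE_TEXT),
                             parse_mac_table(SNAPSHOT_TEXT)):
        print("ALARM port=%s expected=%s seen=%s (%s)" % alarm)
```

A real deployment would feed the snapshot from the switch's own MAC table (for example via SNMP or a scheduled CLI dump) and treat "unknown" alarms on control-network ports as incidents rather than helpdesk tickets.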
#14
What a lot of people that have never even heard of SCADA before don't realize is that you just don't replace these systems easily. For older plants that are still using ModBus+ gear you're just not pulling out the PLCs and dropping in ABs. There's a shitton of other work involved in doing that. Companies and utilities that installed SCADA systems intended them to be in constant operation for 30+ years. The backbone of the systems isn't just replaced the same way your desktop PC is. Pulling out PLCs and updating the HMIs to reflect the changes in hardware can cost hundreds of thousands.

Most of the time it's just easier to do whatever external measures you can to protect these vulnerable systems, and limit physical access to them.
#15
streaker69;157361 Wrote:
ArcticSplash;157360 Wrote: There have been enough failings of microcontroller security, and the infamous centrifuge sabotage incident involving Siemens controllers has made controller boxen and cards a permanent feature of security cons and BlackHat.

I was at a SCADA conference in DC a few years ago; there was a guy there from Siemens, I know this because he started every sentence with "I work for Siemens". Anyway, he said that it was very common, when Siemens' engineers/contractors were installing the larger switch gear, for them to order a telephone line for a direct connection to the gear.

Many times, the company having the gear installed didn't know the line was installed because it was just done by the contractor, and with companies many times having dozens of phone lines, one being added to their bill didn't really raise any curiosity. What he told us is that these lines, when dialed into with a modem, opened a Telnet session to the switch with no authentication.

It wouldn't take much for someone to wardial a bunch of numbers and see what they're hitting. Apparently the Telnet connection allowed for total control of the switch gear. Makes you wonder how many of those phone lines are still connected and no one is aware of them or the danger they're in by having them.

LOL modems, how 1980s. I may have to retract my previous statement.

[Image: 2ii9zie.jpg]

I remember when just the sight of one of these 9600 bit per second babies would double me over in shuddering nerdgasms. The AT command set was like my native tongue. I wonder if I still remember my old BBS passwords?
Ammunition, it's the new lead bullion. Buy it cheap and stack it deep.
#16
Rik Bitter;157365 Wrote:
streaker69;157361 Wrote: I was at a SCADA conference in DC a few years ago; there was a guy there from Siemens, I know this because he started every sentence with "I work for Siemens". Anyway, he said that it was very common, when Siemens' engineers/contractors were installing the larger switch gear, for them to order a telephone line for a direct connection to the gear.

Many times, the company having the gear installed didn't know the line was installed because it was just done by the contractor, and with companies many times having dozens of phone lines, one being added to their bill didn't really raise any curiosity. What he told us is that these lines, when dialed into with a modem, opened a Telnet session to the switch with no authentication.

It wouldn't take much for someone to wardial a bunch of numbers and see what they're hitting. Apparently the Telnet connection allowed for total control of the switch gear. Makes you wonder how many of those phone lines are still connected and no one is aware of them or the danger they're in by having them.

LOL modems, how 1980s. I may have to retract my previous statement.

[Image: 2ii9zie.jpg]

I remember when just the sight of one of these 9600 bit per second babies would double me over in shuddering nerdgasms. The AT command set was like my native tongue. I wonder if I still remember my old BBS passwords?

The reason this was done with the switchgear was so that Siemens' engineers could dial in and troubleshoot the gear if need be. But apparently it was common practice not to tell them that it was there, or if they did tell them, no one really thought through the danger of having an open Telnet session connected to a modem, because no one wardials anymore.