Forgot your password?
typodupeerror
Government Security Your Rights Online

Support Forums Reveal SCADA Infections 66

Posted by samzenpus
from the patient-zero dept.
chicksdaddy writes "We hear a lot about vulnerabilities in industrial control system (ICS) software. But what about real evidence of compromised SCADA and industrial control systems? According to security researcher Michael Toecker, a consultant at the firm Digital Bond, the evidence for infected systems with links to industrial automation and control systems is right under our eyes: buried in public support forums. Toecker audited support sites like bleepingcomputer.com, picking through data dumps from free malware scanning tools like HijackThis and DDS. He found scans of infected systems that were running specialized ICS software like Schweitzer Engineering Labs (SEL) AcSELerator Software and GE Power's EnerVista Software (used to configure GE electric power protection products). The infected end user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure. 'With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,' Toecker wrote."
This discussion has been archived. No new comments can be posted.

Support Forums Reveal SCADA Infections

Comments Filter:
  • wtf... (Score:3, Insightful)

    by Anonymous Coward on Sunday November 11, 2012 @04:29PM (#41951555)

    Why are you people posting about your nuclear power plant problems online?

  • Re:wtf... (Score:2, Insightful)

    by girlintraining (1395911) on Sunday November 11, 2012 @04:39PM (#41951629)

    What do all the blinking red light mean?

    Nothing, unless you've tried turning it off and then back on again. In which case, it means I have to refer you to second level support.

  • Re:wtf... (Score:2, Insightful)

    by Anonymous Coward on Sunday November 11, 2012 @04:42PM (#41951645)

    ICS controls more then just Nuclear Plants. They control a wide range of industry machinery. Think how windows is to desktop, ICS is to the "professional" industry that involves complex machines.

  • Re:I'm confused.. (Score:5, Insightful)

    by Gorobei (127755) on Sunday November 11, 2012 @05:23PM (#41951827)

    Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet?? Are they complete morons? Why would they be able to keep their jobs? Are they all idiot sons of rich people and therefore can't be fired or something? I don't get it? What am I missing?

    How many millions of dollars a year do you want to spend to maintain that isolation? You can do it, it's just really expensive.

    1. Lock down/destroy all wireless comm on all hardware
    2. Make entire network visible - all cable runs visible in clear conduits.
    3. No software installs without full audit (sorry, no commercial installs allowed, no audit software allowed on the gold network)
    4. Destroy all hardware leaving the building (and yes, that includes guests' cellphones.)
    5. No windows, line of sight, radio leakage, etc.
    6. Fab your own chips. Even a 555 timer can hold a rogue 8086.
    7. No interns. Assume every Chinese grad is a malware vector (and everyone else, too.)
    8. Assume you still have a 1 bit per second channel to the outside world (power draw, sound, etc.)

  • Re:I'm confused.. (Score:5, Insightful)

    by fuzzyfuzzyfungus (1223518) on Sunday November 11, 2012 @05:29PM (#41951863) Journal

    My impression is that there are two basic schools of problem:

    1. The SCADA-related stuff is, in fact, properly air-gapped. Then the contractor who has to update the firmware on widget Z shows up and plugs in or a stupid and/or malicious insider manages to find a working USB port.

    2. You install a fancy Supervisory Control and Data Acquisition system. Your Boss says "WTF, why can't I supervise and manage from the comfort of my iPad like in the vendor demo?" You proceed to punch one or more holes in your precious security.

  • Re:I'm confused.. (Score:4, Insightful)

    by Gorobei (127755) on Sunday November 11, 2012 @06:33PM (#41952273)

    Why would anyone responsible for these computers (running devices whose operation is dangerous to human life) ever connect them to the internet??

    How many millions of dollars a year do you want to spend to maintain that isolation? [proceeds to list a lot of stuff that goes WAY beyond the requirement of "don't connect it to the internet"]

    What the fuck did I just read?

    Something about actual security issues (like what the article was about,) rather than "system ok, internet link bad, idiot sons of rich people" post.

  • Similar situation. (Score:4, Insightful)

    by khasim (1285) <brandioch.conner@gmail.com> on Sunday November 11, 2012 @06:50PM (#41952371)

    The only thing I could do was to log all the traffic to/from those boxes and save it in case anything happened in the future.

    I blame whomever negotiated those contracts. There is no reason why those machines cannot be firewalled at the very least.

As far as we know, our computer has never had an undetected error. -- Weisert

Working...