Forgot your password?
typodupeerror
Government Security Your Rights Online

Support Forums Reveal SCADA Infections 66

Posted by samzenpus
from the patient-zero dept.
chicksdaddy writes "We hear a lot about vulnerabilities in industrial control system (ICS) software. But what about real evidence of compromised SCADA and industrial control systems? According to security researcher Michael Toecker, a consultant at the firm Digital Bond, the evidence for infected systems with links to industrial automation and control systems is right under our eyes: buried in public support forums. Toecker audited support sites like bleepingcomputer.com, picking through data dumps from free malware scanning tools like HijackThis and DDS. He found scans of infected systems that were running specialized ICS software like Schweitzer Engineering Labs (SEL) AcSELerator Software and GE Power's EnerVista Software (used to configure GE electric power protection products). The infected end user systems could be the pathway to compromising critical infrastructure, including electrical infrastructure. 'With access to a protection relay through a laptop, a malicious program could alter settings in the configuration file, inject bad data designed to halt the relay, or even send commands directly to the relay when a connection was made,' Toecker wrote."
This discussion has been archived. No new comments can be posted.

Support Forums Reveal SCADA Infections

Comments Filter:
  • wtf... (Score:3, Insightful)

    by Anonymous Coward on Sunday November 11, 2012 @04:29PM (#41951555)

    Why are you people posting about your nuclear power plant problems online?

    • Re:wtf... (Score:5, Funny)

      by gnarfel (1135055) <anthony.j.fiumara@gmail.com> on Sunday November 11, 2012 @04:31PM (#41951571) Homepage
      'Updated ReactorCoreSafety to 8.34, can't access admin interface. Anyone else having this problem?'
      • by PPH (736903)
        Don't know about that one. What do all the blinking red light mean?
        • Re: (Score:2, Insightful)

          What do all the blinking red light mean?

          Nothing, unless you've tried turning it off and then back on again. In which case, it means I have to refer you to second level support.

          • Just reboot three times.

            If that doesn't help, reinstall the operating system.

            Where did you say you were calling from again?

            • Oh, you've hooked our hardware up to somebody else's hardware? That light means there is a problem with the other hardware.

              We'll have to charge you for this support call and recommend you call the other manufacturer.

          • by sr180 (700526)

            Second level support here. It means the Radiation Beam has been erroneously set to full power.

            (Unfortunately if you think this is a joke, google the Therac 25 accident. This should be compulsory study for all programmers and software engineers.)

        • do they still blink even after you've given the box a fonzie?

      • Core Meltdown Simulation in progress Mr. Simpson.

    • Re: (Score:2, Insightful)

      by Anonymous Coward

      ICS controls more then just Nuclear Plants. They control a wide range of industry machinery. Think how windows is to desktop, ICS is to the "professional" industry that involves complex machines.

  • ... where they take you through the seven stages of grief? Twelve steps to living a sober life?

    Will we have to go up in front of a group and say, "Hi. My name is PPH and I plugged a thumb drive into my SCADA controller. I've been doing Windows for years and I guess it just caught up with me one day."

    • "Hi. My name is PPH and I plugged a thumb drive into my SCADA controller. I've been doing Windows for years and I guess it just caught up with me one day."

      "Hi, PPH. This is the support group for information security professionals." (lights go out) "Alright guys, group therapy time has been rescheduled in favor of physical therapy. GET HIM!"

  • by TheGratefulNet (143330) on Sunday November 11, 2012 @04:45PM (#41951653)

    if you keep picking on the SCADA, it will never heal!

    of course it gets infected.

  • by juventasone (517959) on Sunday November 11, 2012 @06:12PM (#41952165)

    I'm a sysadmin for a small municipal office with a SCADA system. I manage every computer except the one used for SCADA, which is the responsibility of the vendor. Their only concern is that the computer stays unmodified from their "standard" set up, but it still requires unrestricted Internet access. This means:

    *Windows XP SP2
    *Automatic Updates turned off
    *No third-party software (ex: antivirus)
    *No domain/group policy
    *Symantec pcAnywhere 11 host (this is the version Symantec admited to being breached and to stop using)

    As the sysadmin I can stick it on a VLAN to keep it away from the computers I'm responsible for, but other than that, my hands are tied.

    • Similar situation. (Score:4, Insightful)

      by khasim (1285) <brandioch.conner@gmail.com> on Sunday November 11, 2012 @06:50PM (#41952371)

      The only thing I could do was to log all the traffic to/from those boxes and save it in case anything happened in the future.

      I blame whomever negotiated those contracts. There is no reason why those machines cannot be firewalled at the very least.

      • by aaarrrgggh (9205)

        Agree. Bad contract setup and irresponsible vendor. You can have it done better, although that doesn't provide much for guarantees. At least a certificate-based VPN...

        • How retarded promotional videos like this [youtube.com] geared towards PHBs. The marketing and sales people do not want certificates and security as it would make their products look bad and hard to setup.

          Easy access and PHB approved so the IT is ordered to do it or find another job. When shit hits the fan you just fire the IT guy.

      • I think if government (ie: DHS in the US) really wants to secure SCADA without overhauling it, they should require and provide site-to-site VPN routers with Internet traffic blocked minus a few things. Just plug them into a modem or switch and 99% of the problem is taken care of. I think it would cost pennies compared to things like the backscatter scanners.

    • Re: (Score:3, Informative)

      by Billly Gates (198444)

      As the sysadmin I can stick it on a VLAN to keep it away from the computers I'm responsible for, but other than that, my hands are tied.

      Until your boss calls and asks why can't he view setup on his phone from the internet like was shown in the promotion video? Please unblock internet access. ... then an employee who is trying to get around the facebook firewalling software uses it to browse the internet. Oh, yeah fun times.

    • Holy mother of god.
      • by Anonymous Coward

        Not to surprising. BTW it worse than that.

        These systems were *never* designed with security in mind. They were designed to talk to each other and quickly and then get out of the way. The protocols used do not even have a concept of it. In many cases you are lucky they talk to each other at all.

        Then you had a handful of manufactures trying to corner the 'security' (which was a pathetic joke). Which means at a time when it should have been getting traction on 'how to talk to each other securely'. You ha

    • by myxiplx (906307)

      We had a company with those requirements and we refused point blank to allow it Internet access. We allowed them a one day trial to prove it was secure and of course it was riddled with viruses within hours. We then forced them to wipe and reinstall it, and plugged it in to our isolated production network.

      The guys designing and working with these systems haven't the first clue about IT, let alone security.

    • by symbolset (646467) *
      You're already PWNed. Exposed to the real Internet that rig has a lifespan of three minutes.
  • by Anonymous Coward

    I, along with many others at my company, have Quickset loaded on our laptops. It's just configuration software that you use to prepare protective relays (and could use to communicate with them). I suppose the database on it could be hacked (it's a secured pgsql database, but that security can easily be overridden if you know what you're doing). It is *not* a SCADA package. It's on every relay tech's laptop, along with many engineers. I'd not be surprised to see virii on computers with Quickset on it at all,

  • by Anonymous Coward on Sunday November 11, 2012 @08:14PM (#41952863)

    I can tell you that none of the protective relays I've installed, the engineers involved didn't care one bit for security and all the SEL relays, Square D SEPAM relays, GE Relays, they are all installed with the default password with full access to anyone that has a RS-232 or Modbus cable. None of these relays are set correctly and barely anyone knows what setups to use on them. If someone really wanted to create a disaster, these relays are wide open, and someone with a laptop can easily just make a quick script to upload malicious settings and code to these relays very easily and quickly. The ones that are networked via status updates are even worse. As for SCADA systems, the majority of them are running Windows XP with no updates on, no antivirus, no anything and have full unrestricted access to the internet with full access to the PLC's on machines. These vulnerabilities have been known for YEARS by many installers, so I really don't find this article that surprising.

    • by Anonymous Coward

      If someone has access to the RS232 port on the relay, you have MUCH bigger problems. Heck, they can remove the six screws and set the 'no password' jumper on an SEL relay and not worry about passwords at all.

      Once physical security is compromised, electronic security is worthless. Hit the bus diff lockout switch and the station will clear anyway...

    • by Anonymous Coward

      I currently take care of one the largest SCADA/DCS/PLC systems. I have had numberous discussions about security but our policy seems to be security through obscurity.
      Later

    • by thegarbz (1787294)

      Modbus cable? What kind of security are you dealing with here? From what I can gather the only time someone will be able to start messing with this stuff is if they are there, standing right in front of the relay. At this point all bets are off. There are many thousands of things someone could do at a plant to wreak havoc even once you have passworded your modbus interface, and many of them are far less technical than modifying a protective scheme so why bother.

      If this is your only remaining concern I would

  • 'First I got infected by "malware protection designed to protect" and "windows xp recovery" I used rkill to fix this. But now any google search gets redirected and I hear commercials even with no browser open. The TDSSKiller won't run even when is renamed. And SAS or malware bytes won't detect anything.' link [bleepingcomputer.com]
  • Organizations that use SCADA and/or distributed controls, typically the manufacturing and raw materials sectors but also public utilities, very seldom maintain complete on-site in-house support for said systems or their industrial sub-components (proprietary machine programs, frequently written in Step 7 or ControlLogix but locked down by the machine vendor). Neither are most maintenance budgets able to afford frequent on-site vendor visits.

    That means off-site tech support, and therefore internet access.

    Air

Put no trust in cryptic comments.

Working...