January 12, 2014

Fun times for industry - SCADA

I am fascinated by SCADA systems. Supervisory Control And Data Acquisition -- these are the computers, programs and hardware that control major industrial entities: steel mills, petroleum refineries, manufacturing lines, power generation and transmission. The backbone of industry. There has been a long history of them being horribly insecure against outside hacking. When the first IBM PCs were integrated into these systems, there was never any intention to connect them to the outside world, so security was never an issue. The core protocols and libraries were developed during this time, and when these systems were later connected to the internet, security holes were discovered that allowed outside hackers to alter or completely shut down these factories. Not good. Needless to say, there has been a major push to fix this over the last twenty years, but things still come back to bite us. From Australian IT News:
Hackers gain 'full control' of critical SCADA systems
Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.

The vulnerabilities were discovered by Russian researchers who over the last year probed popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.
Some details:
The researchers published an updated version of a password-cracking tool that targeted the vulnerability in Siemens PLC S-300 devices as part of the SCADA Strangelove project at the Chaos Communications Conference in Berlin.

They also published a cheat sheet to help researchers identify nearly 600 ICS, PLC and SCADA systems.

SCADA Strangelove had identified more than 150 zero day vulnerabilities of varying degrees of severity affecting ICSes, PLCs and SCADA systems. Of those, 31 percent were less severe cross site scripting vulnerabilities and five percent were dangerous remote code execution holes.
And it's not just the big guys:
But it wasn't just industrial systems that were affected; the researchers found some 60,000 ICS devices -- many of which were home systems -- exposed to the public internet and at risk of attack.
Is everybody happy happy happy?

Posted by DaveH at January 12, 2014 11:25 AM