24 comments

[ 3.2 ms ] story [ 44.7 ms ] thread
Weird name collision with the Crash Override Network and Zoe Quinn's book.

I'm curious about the provenance of the name, as the article seems to suggest the security researchers provided the name.

[Edit]: I show my cultural ignorance -- it appears both are likely a reference to Hackers, based on the responses below.

I immediately thought of Dade "Zero Cool" Murphy and Acid Burn. And Angelina Jolie...
Depends on how many systems it crashed, I would say
A "developer" who calls messing around with a WSWYG html editor "game development" decides to crib an iconic name from the hacker ethos. Of course there will be collisions.
Control systems are so ridiculously insecure given what they do. I was lucky enough to attend a DHS control systems security summit at INL way back in 2006 (or 2007 I can't remember). They had a huge lab full of various PLCs, etc, and a bunch of surprisingly smart folks working on pen-testing them. But still, it's a decade later and we don't seem to have made much progress.
It's a decade later and the new secure versions still havent been installed in Ukrainian power stations...
Are you just assuming new secure versions exist that could be used? I work with industrial control but mainly Rockwell not siemens and I don't know of any PLC communication protocol that supports any kind of encryption but I want to hear about any options that do exist.
> But still, it's a decade later and we don't seem to have made much progress.

Despite all the "IIoT" buzzwords their marketing may spout, industrial vendors operate a decade behind the software curve at best. Arcane proprietary stacks running atop XP, CE, ActiveX, and various flavors of DOS are still getting deployed in new industrial installations...often supported by vendors staffed by a hundred salescritters to every engineer, if they're lucky enough to have any staff remaining that wrote or understand the original product in the first place.

It's filled with dozens of mini-Oracles, each with licensing more insane than the next because your typical integrator will either run for the hills at the first sign of anything that isn't ladder logic or spew forth spaghetti garbage that makes INTERCAL look like the most pretentiously elegant Lisp. When you're the lone programmer on the team that even knows what Git is, you start to realize why nobody ever got fired for just buying Rockwell.

This is correct. The ActiveX is very, very real.
Ahh, the painful memories of writing the SCADA control software. In VBScript. The old system was running on VMS. The new system could be accessed via ActiveX control in an IE page.

At least the plant network was sufficiently airgapped.

> At least the plant network was sufficiently airgapped.

The Iranians thought that as well.

>bunch of surprisingly smart folks working on pen-testing them.

of course, you need those to implement stuxnet. I recommend "Zero Days" (2016)

As the grugq has pointed out, incentives are not currently aligned properly to produce secure industrial systems:

"Firstly, a lot of infrastructure and data is in civilian hands. The people and organizations responsible for securing things are not the ones responsible for retaliating against attacks. They can’t do it anyway because they lack the resources, capability, and legal authority to do so.

As for investing in securing their systems, there is no regulatory requirement to do so. Indeed, for a board of directors, I’ve seen it suggested that they have a fiduciary duty to shareholders not to bear the cost burden of securing critical national infrastructure. It’s not their business to directly bear the costs of defending the nation, that’s what the nation state is for in the first place!"

https://medium.com/@thegrugq/idle-thoughts-on-cyber-82170b2b...

Do these infrastructures really need the level of hardware they seem to use?

Rather than use a unsecured raspberry pi3 with it's wifi left on, why not have a closed system specifically built instead. Something not casually running embedded Windows XP, rather maybe a barebones OS written in assembly with minimal networking functionality on minimal hardware.

Building on commodity hardware is cheap, easy, quick to develop and often more stable and secure. Going fully custom results in more custom components which are often less tested and less audited than their commodity counterparts. Yes, it sounds like they'll be "simple" but it rarely is so - especially when your boss or sales team asks why you don't have IP-based monitoring.

The best bet in my opinion is to use commodity stuff but reduce the attack surface as much as possible by simply disabling, firewalling and physically restricting everything possible. In many cases like this, you could probably get away with absolutely minimalist control systems run on microcontrollers and similar with monitoring only over an isolated unidirectional interface (think fiber optic connection with no physical receiver on the other side).

The whole area is heavily, heavily reactionary and slow moving. They're on embedded XP because that's the closest they can get given the software platforms they're dependent on.

You're right that locked down embedded industrial (Linux) PCs are the best option, but your control platform has to run on them...

This is coming from the perspective of someone who is an expert in software already, all this stuff looks like a trivial side project, right?

Imagine this in different contexts though. Why go to IKEA for furniture when you can just build your own of higher quality in your garage shop? Or why bother going to a mechanic when you can just rebuild your car's engine yourself at home?

The fact is, of these three examples the software one is actually the most unrealistic. Having someone on staff with software expertise is a hard problem, and an expensive one too. If you don't already have a group of folks with software expertise on staff then hiring for it becomes a massively difficult problem. This is why there's still so much business in the build-for-hire software biz. Most companies in the world who need software based solutions are not themselves software companies. They need to use objective measures to determine the quality of the companies they farm out these projects to as well as the software that results.

Additionally, software built on commodity systems (like Windows XP) is often a better choice for these companies because it means there's a much larger group of folks they can hire if they need to make changes or perform service on the system in the future (which is inevitable). As much as a custom solution built on a microcontroller or small linux based embedded system might be technically superior, cheaper, and more robust, it might not be a sustainable solution for a given company.

> Rather than use a unsecured raspberry pi3 with it's wifi left on, why not have a closed system specifically built instead.

Security through obscurity. Just because a system is closed doesn't make it safer.

In fact, generally the opposite. Look at the security fiasco over in medical device land.

IT still hasn't made it into higher management, especially in the public sector which even privatized utilities resemble. Unfortunately this means things like security comes last, when they really ought to be part of your architectural design.

We recently bought a manegement software for our translators, which somehow made it through all the business and management layers revolving public contracts without anyone questioning the fact that none of it was encrypted. Meaning anyone snooping on our network could get anything from private data to system logins with absolutely no effort.

Things are getting better, but IT is still a subsection of the economy department in a lot of places, and a lot of execs still think it's magic. Couple this with most developers and entrepreneurs being hackers who want to toy around with cool world changing features, and, no one is left to worry about security.

(comment deleted)