That barrier should be much higher for networking devices imho; aviation, container ships, cruise ships, healthcare controller systems, utility controller systems, factory controller systems, parts of banking, parts of payments, all of these And More should not be connected to the internet for their critical operations.
I did a project for an 'embedded' controller software house a long time ago and asked why they used Windows (which was just quite hackable at the time and I wouldn't use it today for critical operations but that might just be because it used to be so bad at a time when I mostly used Solaris which was unbreakable compared) and why it was connected to the internet; answer was obvious; software for Win was easier to outsource to far away countries (in NL you find great engineers but costly and you cannot fire them easily; this company traded quality to be able to do it cheap and be able to do it project basis) and networking because it's too expensive to go to the client and update the software manually. So it was just always connected. The first versions where directly on the internet, the latter versions via a gateway computer but it was both pretty easy to get into. Cannot imagine other reasons to have it open from the outside besides that? Just convenience of maintenance.
For industrial machines it's also becoming common to have them networked and open so that you can gather data about everything. Watch the temperatures of the injection molding machine and how long it's taking to do it's job. If things change then you know that parts need replacing or it's getting ready to fail. This lets you do more runs, faster, without having to take down for maintenance at intervals rather than when it's needed. That both increases reliability (early failures can be caught) and how much you can produce before needing to take it offline (since you can go longer knowing the machine is performing identically).
Ofcourse, and that's a good thing, but networked doesn't have to be the internet. Why have that connected to the internet? And not some setup where it is physically or at least reasonably physically seperated. Those values would also be fine on the LAN. Not networked is safer than networked, but connecting them to the actual internet (via usually not more than some basic router) is the other extreme.
My thoughts exactly. Just use an IPsec VPN through to the monitoring centre if it must be monitored. No need to have listening ports on the Internet. It's not exactly network engineering black magic. I imagine what happened is that it was compromised by phishing on an unprotected host. In that case the control systems should be air-gapped from Joe Blog's in accounting PC.
Definitely agree, I've never understood why so many seem to end up connected to the internet at large, or through some easy to pass through gap. Even before Stuxnet it never quite made sense, and post stuxnet it's hard to argue that it's not negligent to have a setup like that. The only thing I can assume is that because having it as a separate lan that's not routed to the internet (arguments about vlans being sufficient, etc are a different discussion) would cost more in both hardware and maintenance.
> When will people learn that industrial control systems can't ever be safely connected to the internet.
When a disaster happens.
Politics as usual, and it's not the politicians fault (who are mostly limited by the whims of public opinion), but that there won't be enough political momentum for action until there's a disaster. The fault, like most things in politics, is of human nature.
It's unnatural for large groups of people to be motivated to take serious preventive action against something that has never happened before and has been up to then only a theoretical concern for experts.
The problem is that these systems produce business data that has to be a analyzed and used (think maintenance planning). So it must at least make it somehow to the office network. This is where the issue finds its root because once you create this link, it becomes indirectly possible to reach the Internet much more easily.
The article confirmed my suspicion from the headline, that this was a "failsafe" and on some level at least working as intended. I'm sure there are lots of lessons to learn here, but at least one to be reinforced is the concept and proper implementation of defensive failsafes is critical to overall system safety.
Perhaps it's slightly better than the plant keeping running with incorrect parameters, but not by much. This approach just leads to DoS for industrial equipment.
Indeed. There are 3 criteria studied to classify cyber threats: Confidentiality, Integrity, Availability. While it is possible, an integrity attack on safety related systems is very difficult to achieve, while an availability attack is much easier to obtain due to the failsafe nature of such systems. It is totally not better. Worse. If you shutdown power & light of a city, you can probably hurt or kill even more people than by making the plant work improperly.
I would bet that running a power plant in wrong ways could cause worse harm in several ways:
Damaging the plant equipment such that repair takes a long time. Depending on the control systems available, something like turning off coolant circulation, and running the engine at high load could cause problems quickly.
Running the equipment to provide out of spec output which could damage things outside the plant. Possibly transmission lines or other outside equipment or equipment at other plants. Maybe increasing output voltage could ruin outside equipment, and altering output frequency could cause problems with other plants that try to be in frequency lock.
These sorts of things could be much worse than an unscheduled outage; in many locations the local power grid spans many power plants and can absorb the loss of one plant, and if not, the local grid is probably fairly unreliable, and critical loads have local generation available.
Many things shouldn't accept inbound connections, but outbound is really useful. A manufacturer being able to collect data from devices to monitor their health means they can have an engineer onside before a problem takes the equipment down, and the manufacturer is able to learn what happens in the lead up to certain problems, and so on.
Most modern industrial equipment has this sort of telemetry data collection. You don't hear about hacks very often. A lot of manufacturers seem to do a pretty good job of security (or of covering up hacks).
Telemetry is encrypted end-to-end, using proprietary stacks, networks and protocols. Very hard to exploit. Not impossible but would require a lot of insider knowledge to make it practical.
Yeah, outbound connections should be fine. Monitoring data, heartbeats or alerts especially. It's not too hard to encrypt it securely. And even if it's leaked, it shouldn't be too critical in general. The sink of this data should be a regular server, so you can secure and update it properly.
I am ready to bet that this was not supposed to be connected to Internet, but it was just more convenient to use this « workstation » for multiple use, and so hook it up to the company office network and automation network. Cyber security is mostly a matter of policy and control, rather than technical issues.
Control systems are built for safety, not security. This means that they are built with the assumption that random equipment failure happens and has to be caught. There is no regard for security aspects. In particular, there are typically no safeguards against deliberate malicious intent. For example, in common field buses, once it is confirmed that a message transmission was free of errors, the message itself is typically taken at face value and acted upon. There is no way to verify sender identity.
The only purpose of a SIS in a CPS (Cyber Physical System) is to take over and bring the plant/processes down safely when things go wrong but before they get out of control.
So it seems it did its job here. The big question is how the malware got onto the engineering workstation to begin with. These are usually very segmented (firewalls, data diodes, etc.)
27 comments
[ 3.9 ms ] story [ 74.8 ms ] threadI did a project for an 'embedded' controller software house a long time ago and asked why they used Windows (which was just quite hackable at the time and I wouldn't use it today for critical operations but that might just be because it used to be so bad at a time when I mostly used Solaris which was unbreakable compared) and why it was connected to the internet; answer was obvious; software for Win was easier to outsource to far away countries (in NL you find great engineers but costly and you cannot fire them easily; this company traded quality to be able to do it cheap and be able to do it project basis) and networking because it's too expensive to go to the client and update the software manually. So it was just always connected. The first versions where directly on the internet, the latter versions via a gateway computer but it was both pretty easy to get into. Cannot imagine other reasons to have it open from the outside besides that? Just convenience of maintenance.
When a disaster happens.
Politics as usual, and it's not the politicians fault (who are mostly limited by the whims of public opinion), but that there won't be enough political momentum for action until there's a disaster. The fault, like most things in politics, is of human nature.
It's unnatural for large groups of people to be motivated to take serious preventive action against something that has never happened before and has been up to then only a theoretical concern for experts.
Security education and practices need to be taken more seriously by executives.
Damaging the plant equipment such that repair takes a long time. Depending on the control systems available, something like turning off coolant circulation, and running the engine at high load could cause problems quickly.
Running the equipment to provide out of spec output which could damage things outside the plant. Possibly transmission lines or other outside equipment or equipment at other plants. Maybe increasing output voltage could ruin outside equipment, and altering output frequency could cause problems with other plants that try to be in frequency lock.
These sorts of things could be much worse than an unscheduled outage; in many locations the local power grid spans many power plants and can absorb the loss of one plant, and if not, the local grid is probably fairly unreliable, and critical loads have local generation available.
Maybe things shouldn't be able to be accessed from the internet...
Most modern industrial equipment has this sort of telemetry data collection. You don't hear about hacks very often. A lot of manufacturers seem to do a pretty good job of security (or of covering up hacks).
[1] https://en.wikipedia.org/wiki/Stuxnet
So it seems it did its job here. The big question is how the malware got onto the engineering workstation to begin with. These are usually very segmented (firewalls, data diodes, etc.)