Friday, October 21, 2011

Full of Sound and Fury...

Symantec has released a report on the new 'hot malware' Duqu (read the PDF analysis here), which according to Symantec is the child of Stuxnet, the big bad malware that shivered the timbers of SCADA systems everywhere. McAfee, Symantec's leading rival, differs from them on a few points. You can read McAfee's explanation of the Duqu malware here.

Regardless of its true intent (or whose analysis you want to follow), the fact of the matter is this: the thing that worries people most about Stuxnet, and now possibly Duqu, is that SCADA systems are really no more secure than they were when Stuxnet first kept us awake at night.

According to the article, SCADA comprises two kinds of systems: Human Machine Interfaces (HMI) and Programmable Logic Controllers (PLC). Most of the exploits we have seen in public are the ones that target the HMI; however, the real bump-in-the-night vulnerabilities are still in the PLC. These systems will keep running (vulnerable) for years before they get upgraded, and even when they do get upgraded there is no 'security baked in'....

From the article:

Stuxnet showed how programmable logic controllers could be overwritten to send commands that caused equipment to fail, he said. Despite that warning, little has changed. "Prior to Stuxnet there were zero programs for securing PLCs. To this day there are no programs for securing PLCs," Weiss said. [...] In many cases anyone with logical access to a control system can upload firmware on it without authentication, he said. Passwords are often hardcoded into systems, many have administrative backdoors, and very basic buffer overflow errors.

So, half the time I feel like we are always playing catch-up; we need to get to the ROOT of the problem and figure out how to fix it. If we keep doing what we are doing, we will always be reactive.

I am not saying I know how to fix the problem, but I am sure there are some super smart people who have the ability to bring the deal makers together to make a decision... do we really want the electricity or water systems to go down?


Think of it like this: if you have an infected computer, do you only fix that one, or do you check your entire system to ensure you're completely protected? Do you only secure your outer perimeter and leave your OSes completely vulnerable?

In other fun news, I am hoping to make a couple of videos about Volatility, just to show how powerful memory forensics can be. I did a first run today; I would not put you guys through that torture ('Now just hit enter and ... oh, that didn't work'). Stay tuned!
