
Topic: virus/trojan malware usb transport.

robtillaart

Quote
Internet has no business in nuclear reactor control rooms.

Did you check Homer Simpson? ;)

More serious, I think you mean:
The computers in the control room controlling the nuclear reactor should never be connected to the Internet.
There may be additional computers for communication, documentation, simulation, etc.
Rob Tillaart

Nederlandse sectie - http://arduino.cc/forum/index.php/board,77.0.html -
(Please do not PM for private consultancy)

wizdum


Quote from: wizdum

And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.  


That reads as the words of some spokesman of Microsoft trying to convince the world to buy their latest products (over and over and over again).
Unpatched computers are no problem whatsoever and are more or less standard in SCADA systems that are not connected to anything other than the internal network.
That means no internet connection whatsoever.
Internet has no business in nuclear reactor control rooms.
Patching systems that are part of critical (nuclear) processes is something that has to be tested extensively before applying that patch.
You won't be able to do that every "patch tuesday".
So if the base is stable, and you have no external (network) connections, why would you need to patch/update when you don't know what that will do to stability?
If you do need to backup or update/restore the SCADA application, you should use media that is only used for that goal and that is loaded from a system that meets the same conditions or is up to date.



I have no love for MS, so take that crap elsewhere. One of the early patches for Windows XP removed the USB Autorun "Feature". So yes, a Patch Tuesday patch would have prevented that. There are more complex auto-execution hacks, but they still require the user to run them manually (and hopefully people working in these places know not to run random .exe files they find on a thumb drive in the parking lot). Windows XP is 12 years old. Is 12 years enough time to "test extensively before applying that patch"? As I said in my previous post, these systems were never supposed to be online in the first place, but they are placed on the public network to make users happy. The problem is threefold: lazy sysadmins, cheap upper management, and outdated software. Obviously jumping on the RTM version of Windows 8.1 is a bad idea, but how about trying an OS that was created in THIS decade? Or better yet, get rid of Windows entirely and use a stripped down variant of Linux with no GUI or USB support.
"Anyone who isn't confused really doesn't understand the situation."

Electronic props for Airsoft, paintball, and laser tag -> www.nightscapetech.com
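The post above turns on the old autorun.inf mechanism: a text file on removable media that told Windows what to launch. A defender inventorying USB sticks that reach an isolated network can at least flag media carrying auto-execute directives. The following is an added example, not code from the thread or from any vendor; the autorun.inf sample is constructed, and the directive names it looks for (`open`, `shellexecute`, `shell\<verb>\command`) are the ones the historical autorun.inf format used.

```python
"""Inspect an autorun.inf from removable media for auto-execute directives.

Added example (not from the forum thread). The sample autorun.inf text below is
constructed for illustration.
"""
import configparser
import re

# Directives that launch a program when the medium is inserted or opened.
AUTO_EXEC_KEYS = {"open", "shellexecute"}
# shell\<verb>\command=... registers a program behind an Explorer context-menu verb.
SHELL_COMMAND_RE = re.compile(r"^shell\\[^\\]+\\command$", re.IGNORECASE)


def autorun_findings(inf_text: str) -> list:
    """Return (key, value) pairs under [autorun] that would launch an executable.

    Harmless keys such as label= and icon= are ignored.
    """
    # strict=False tolerates duplicate keys, which hand-written .inf files often have.
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    parser.optionxform = str  # keep key case as written for the report
    parser.read_string(inf_text)
    findings = []
    for section in parser.sections():
        if section.lower() != "autorun":
            continue
        for key, value in parser.items(section):
            if key.lower() in AUTO_EXEC_KEYS or SHELL_COMMAND_RE.match(key):
                findings.append((key, value))
    return findings


# Constructed sample: looks like a photo stick but carries two launch directives.
SAMPLE_AUTORUN_INF = """\
[autorun]
label=Holiday photos
icon=photos.ico
open=setup.exe
shell\\open\\command=setup.exe /s
"""

if __name__ == "__main__":
    for key, value in autorun_findings(SAMPLE_AUTORUN_INF):
        print(f"auto-execute directive: {key}={value}")
```

On a live system the text would come from reading `autorun.inf` at the root of the mounted medium; the check is only a triage aid, since, as the post notes, later auto-execution tricks do not rely on this file at all.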

AWOL

#7
Aug 21, 2013, 06:12 pm Last Edit: Aug 21, 2013, 06:19 pm by AWOL Reason: 1
Quote
these infected sticks are starting to see code to communicate and upload to microcontrollers PLCs in one example infecting via the stick inside a nuclear station uranium enrichment plant where it dpread [sic] machine to machine looking for hardware controllers then speeding up the servos gas centrifuges or slowing thrm[sic] down to destroy rods/ disrupt yield i think...

Close, but no cigar.
(old news, BTW)

The stuxnet dossier is a good read.
"Pete, it's a fool looks for logic in the chambers of the human heart." Ulysses Everett McGill.
Do not send technical questions via personal messaging - they will be ignored.

Osgeld


And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.  :smiley-eek:


I have dozens of PLCs under my control at work, none of them require attachment to a PC, and when they do it's typically via a GPIO interface (ISA PCI USB whatever) sending single bits on single channels

not saying that machines don't use direct computer connections over some bus, but it's typically a very simple bus, much like an arduino ... so unless you're saving raw data from a plc, packing it up and running it as a windows exe, it's not that big of a deal

wizdum

#9
Aug 22, 2013, 06:17 pm Last Edit: Aug 22, 2013, 06:20 pm by wizdum Reason: 1


And those PLCs were usually plugged into computers running unpatched or pirated versions of Windows XP.  :smiley-eek:


I have dozens of PLCs under my control at work, none of them require attachment to a PC, and when they do it's typically via a GPIO interface (ISA PCI USB whatever) sending single bits on single channels

not saying that machines don't use direct computer connections over some bus, but it's typically a very simple bus, much like an arduino ... so unless you're saving raw data from a plc, packing it up and running it as a windows exe, it's not that big of a deal


I'm not sure how these were interfaced with a Windows PC, but they were able to change some of the instructions for the PLCs from the Windows environment. Wikipedia says they used this: http://en.wikipedia.org/wiki/WinCC.
Quote
Stuxnet installs malware into memory block DB890 of the PLC that monitors the Profibus messaging bus of the system.[40] When certain criteria are met, it periodically modifies the frequency to 1410 Hz and then to 2 Hz and then to 1064 Hz, and thus affects the operation of the connected motors by changing their rotational speed.[46] It also installs a rootkit - the first such documented case on this platform - that hides the malware on the system and masks the changes in rotational speed from monitoring systems.

http://en.wikipedia.org/wiki/Stuxnet

The other kinds of SCADA "vulnerabilities" are, as you say, not a big deal. The one that comes to mind is a nuclear power plant in France. The system is on the internet, and you can access it remotely using default telnet credentials. The only thing it gets you is a page of statistics. You can see their total power output, output per reactor, temperatures, stuff like that.
"Anyone who isn't confused really doesn't understand the situation."

Electronic props for Airsoft, paintball, and laser tag -> www.nightscapetech.com
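The Wikipedia passage quoted above makes a point worth drawing out for defenders: the rootkit masked the speed changes from the monitoring system, so any check that trusts only what the HMI reports would see nothing. A monitor that compares the reported value against an independent sensor, and also checks it against the physically expected band, catches both the out-of-band values and the disagreement. The block below is an added example, not from the thread or from any vendor; the readings, the expected band and the tolerance are constructed for illustration, and the 1410/2/1064 Hz figures simply echo the quoted numbers.

```python
"""Out-of-band sanity check on a drive frequency reported by monitoring software.

Added example, not from the thread. Assumes two independent readings per
interval: what the monitoring/HMI software reports and what a separate
tachometer measures. All values below are constructed.
"""
from dataclasses import dataclass


@dataclass
class Reading:
    t: int              # seconds since start (constructed timestamps)
    reported_hz: float  # frequency shown by the monitoring system
    measured_hz: float  # frequency from an independent sensor


def check_readings(readings, band=(800.0, 1200.0), tolerance_hz=20.0):
    """Return alert strings for readings outside the expected band or where
    the reported and independently measured values disagree.

    band and tolerance_hz are assumed plant parameters, not real figures.
    """
    lo, hi = band
    alerts = []
    for r in readings:
        # Check the physical reality, not the software's story about it.
        if not lo <= r.measured_hz <= hi:
            alerts.append(
                f"t={r.t}: measured {r.measured_hz:.0f} Hz outside band {lo:.0f}-{hi:.0f} Hz")
        # A reported value that stays flat while the sensor moves is the tell
        # for masked changes.
        if abs(r.measured_hz - r.reported_hz) > tolerance_hz:
            alerts.append(
                f"t={r.t}: reported {r.reported_hz:.0f} Hz disagrees with measured {r.measured_hz:.0f} Hz")
    return alerts


# Constructed telemetry: the HMI keeps reporting 1000 Hz while the drive actually
# steps through the quoted 1410 Hz, 2 Hz and 1064 Hz before returning to normal.
SAMPLE_READINGS = [
    Reading(0, 1000, 1001),
    Reading(60, 1000, 1410),
    Reading(120, 1000, 2),
    Reading(180, 1000, 1064),
    Reading(240, 1000, 999),
]

if __name__ == "__main__":
    for line in check_readings(SAMPLE_READINGS):
        print(line)
```

The 1064 Hz reading is the instructive case: it sits inside the expected band, so a band check alone stays silent, and only the comparison with the independent sensor reports it.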
