Army Rumour Service


Cyber attack 'collateral damage'

Why not use one laptop for program development and uploading it to the customer system, and another one for e-mail and admin jobs? Just like separating admin and operational functions in an organisation, or separating power and signal cables, or using only sterile equipment in an operating theatre...

That would be logical but IT departments don't get a budget for giving developers extra equipment

And management's idea of what Agile is in practice makes a swiss cheese out of security with it
 
Maybe the source was on a repository on the likes of Github, if the virus got onto the software for the control system and he pushed an update it wouldn't be hard for it to spread
It wasn't. Nobody in industrial controls was using a work flow involving anything like that, and the Siemens S7 software wasn't really designed to be able to do text oriented merges. In fact the actual vulnerability was due to the STEP-7 system being built around a database, which was used as a totally different approach to having multiple people working on the same system simultaneously. Siemens has a tendency to re-invent the wheel in the form of tesseracts.
 
Why not use one laptop for program development and uploading it to the customer system, and another one for e-mail and admin jobs? Just like separating admin and operational functions in an organisation, or separating power and signal cables, or using only sterile equipment in an operating theatre...
At the time almost nobody in the industry was taking security as being an issue they needed to deal with. And if you were working for a large company there's no way you would be allowed to have separate PCs for "security reasons". It would be against company policy.

Shortly before Stuxnet was deployed the Americans had been going around the American utility industry hyperventilating about "security vulnerabilities", but nobody could get a clear answer out of them as to what it was they were concerned about. They even set up a demonstrator using a diesel generator which they proceeded to wreck in front of witnesses by "cyber" means, but wouldn't give any details.

Then Stuxnet hit the news, and then everybody in the industry finally figured out what it was the Americans were talking about.

The Americans have a sort of pattern they follow. If they are hyperventilating about someone else having the capability of "something bad", chances are they are doing it themselves to someone already.

Critical infrastructure industries, however, won't do anything about security voluntarily themselves. It has no immediate payoff and so doesn't improve the bottom line (and therefore the executive bonuses) this quarter, while it imposes costs. There are some regulatory efforts to impose legal requirements on industry, but it's mostly just a box ticking exercise.

Control system vendors are largely still selling software systems that were developed in the 1990s or early 2000s with updates to keep them running, and have no interest in actually creating systems that are secure by design. I have a background working in this field, and the technology there tends to be 10 to 20 years behind what you see in the IT industry, and heavily based around proprietary systems where each vendor's primary concern is about customer lock-in. The people using the kit and writing the programs are generally domain experts on the manufacturing processes, not security, and would really struggle to configure a system that had to be secure by design unless that was the vendor's default (which it generally isn't).
 
All of which begs the question:- What did hospitals do before computers were ever invented?.. It beggars belief that a hospital cannot save a life without electronics.
More people died you ******* idiot.
 

A.N.Other

Old-Salt
That would be logical but IT departments don't get a budget for giving developers extra equipment

And management's idea of what Agile is in practice makes a swiss cheese out of security with it
Also the dev laptop would also need updates. The dev says "New version of {name of tool here} offers more functionality! Just imagine what we can do with it!". Dev lead ok's an update and it's connected to the network just long enough to install the new version and a virus.

Nothing is really secure unless the device is installed from virgin oem media, never updated, usb/wifi/Bluetooth/ports disabled and kept and used in a faraday cage with monitored/cleaned power supply by people who are 1001% trustworthy in an all angle cctv monitored room.

Even then I'd have my doubts.
 
That's not very secure, about 30 years ago something strange was going on at work that we weren't told about.

One guy replaced the ribbons in the secretary's typewriter and opened the used one up. It was like a transfer film and where the character had been typed there was clear film. Simple matter to see exactly what had been typed.

So called ‘one time’ ribbons introduced by IBM. They were a polymer tape and as you say, easy to read the used tape.
 

Bob65

War Hero
Why not use one laptop for program development and uploading it to the customer system, and another one for e-mail and admin jobs? Just like separating admin and operational functions in an organisation, or separating power and signal cables, or using only sterile equipment in an operating theatre...

A previous employer did this: terminals on the VAX for programming work, PCs for email and word processing. Another gave me a Sun workstation for programming, and again a PC. This used to be quite normal and there's no reason it couldn't be again. But note that the purpose wasn't necessarily security: the PC was obviously handling sensitive material too. This was before access to the Internet became a 'uman right...

The biggest obstacle will be the developers themselves. I don't know if you have met many but typically they will demand admin rights on their PC and howl and whine to everyone who will listen that they are "crippled" without it. If they get those rights the first thing they will do is disable antivirus because it makes the machine fractionally slower. The next thing they will do is download random things from just about anywhere to "pimp" the appearance of their PC. The third thing is upload the code for whatever they are working on to Github (usually including config files with passwords in!). Basically they are the biggest vector for social engineering attacks and it's only getting worse.
 
Also the dev laptop would also need updates. The dev says "New version of {name of tool here} offers more functionality! Just imagine what we can do with it!". Dev lead ok's an update and it's connected to the network just long enough to install the new version and a virus.

Nothing is really secure unless the device is installed from virgin oem media, never updated, usb/wifi/Bluetooth/ports disabled and kept and used in a faraday cage with monitored/cleaned power supply by people who are 1001% trustworthy in an all angle cctv monitored room.

Even then I'd have my doubts.

There is usually no oversight on updates to developer tools, the cost of buying or upgrading software tools is what's noticed

At least they're getting better on how you connect to the network, stuff like Forticlient is better than nothing

And often if anything is web based you need to test on various devices, you do use automated online testing tools, but you also need to use real devices from up to date expensive ones to more middling ones that people will actually use, iPhone, Android, Surface, Kindle, and probably not for much longer Microsoft phones
 
Also the dev laptop would also need updates. The dev says "New version of {name of tool here} offers more functionality! Just imagine what we can do with it!". Dev lead ok's an update and it's connected to the network just long enough to install the new version and a virus.

Nothing is really secure unless the device is installed from virgin oem media, never updated, usb/wifi/Bluetooth/ports disabled and kept and used in a faraday cage with monitored/cleaned power supply by people who are 1001% trustworthy in an all angle cctv monitored room.

Even then I'd have my doubts.
Most industrial control systems are programmed in a completely different way than "conventional" computer programming. Here's a very simple example of "ladder logic" programming, which is used for more than 95% of industrial controls.



It basically emulates hard wired control diagrams which programmable systems replaced. It's a completely different world from programming PCs, web servers, or mobile phones, and the skills do not carry over from one to the other.

The programming software translates that into instructions for the PLC (programmable logic controller) and also downloads it into the PLC. It's also used to debug the program once it's loaded.

The software is proprietary to each vendor, who might even have different software for each product line. The big vendors charge eye watering prices for the software, and as a result it is copy protected. You have to go online to the Internet to register your software key, and also to download regular updates. You also need to pay a regular subscription fee to get access to the updates. If you don't update, then your software won't work with newer models of their kit, which can even just be minor updates. A dependence on regular updates over the Internet is part of their revenue model, at least for the major vendors.

The files containing the PLC programs are also big "binary blobs", not text files. You can't read the program on your PC without the proprietary programming software from that vendor. You could upload a PLC program to a code repository as an opaque "blob" of a file, but as it's not a text file it's not really meant to work with text oriented systems such as git.

The Stuxnet virus operated by taking over the programming software on a programmer's laptop and using it to download changes into the PLCs controlling the equipment the next time he connected to fix a bug or some other such thing.

So, analogies from experience programming with C or Python don't really translate across to how things are done in the industrial control world.
 

Yokel

LE
Most industrial control systems are programmed in a completely different way than "conventional" computer programming. Here's a very simple example of "ladder logic" programming, which is used for more than 95% of industrial controls.



It basically emulates hard wired control diagrams which programmable systems replaced. It's a completely different world from programming PCs, web servers, or mobile phones, and the skills do not carry over from one to the other.

The programming software translates that into instructions for the PLC (programmable logic controller) and also downloads it into the PLC. It's also used to debug the program once it's loaded.

The software is proprietary to each vendor, who might even have different software for each product line. The big vendors charge eye watering prices for the software, and as a result it is copy protected. You have to go online to the Internet to register your software key, and also to download regular updates. You also need to pay a regular subscription fee to get access to the updates. If you don't update, then your software won't work with newer models of their kit, which can even just be minor updates. A dependence on regular updates over the Internet is part of their revenue model, at least for the major vendors.

The files containing the PLC programs are also big "binary blobs", not text files. You can't read the program on your PC without the proprietary programming software from that vendor. You could upload a PLC program to a code repository as an opaque "blob" of a file, but as it's not a text file it's not really meant to work with text oriented systems such as git.

The Stuxnet virus operated by taking over the programming software on a programmer's laptop and using it to download changes into the PLCs controlling the equipment the next time he connected to fix a bug or some other such thing.

So, analogies from experience programming with C or Python don't really translate across to how things are done in the industrial control world.

There is a company near to me that produces bespoke industrial machinery - all driven by PLCs. The ladder diagrams look familiar. I have no direct experience but I understand that each command is pretty much a program in its own right.

Something I have encountered is Automated Test Equipment driven by Windows PCs that were also connected to the internet.
 
There is a company near to me that produces bespoke industrial machinery - all driven by PLCs. The ladder diagrams look familiar. I have no direct experience but I understand that each command is pretty much a program in its own right.

Something I have encountered is Automated Test Equipment driven by Windows PCs that were also connected to the internet.

Could be worse, the Insecure of Things (or IOT as it's known) is going to be the next big problem
 

Yokel

LE
Could be worse, the Insecure of Things (or IOT as it's known) is going to be the next big problem

Yes - why does anyone need their fridge to be connected to the internet? Will it have a camera so people can look at what colour the out of date cheese has turned? Why not connect the toilet? Or what about pets?

Imagine an internet connected cooker - or just a toaster or a kettle. Could they be turned on to cause a fire? When I was eleven my neighbours' toaster went wrong and started a fire.
 
For a picture of the potential for mayhem, you may be interested to follow developments in the Middle East.
A few months ago the extremist Islamist regime in Tehran attempted a cyber attack on civilian infrastructure in Israel, namely the water supply. It had the potential to cause mass poisoning by chlorine. Fortunately for the Iranians they failed and were shortly afterwards taught a lesson (allegedly) in a retaliatory exercise, which put one of their major ports out of action for a day, causing immense chaos.

However, do not allow this news to worry you about me, fellow Arrsers. As a pre-emptive measure I try to limit my ingestion to Earl Grey and Glenfarclas.

Allegedly? This quote from Times of Israel seems to be a bit more definite, and the style is amusing.
"It was small, very small — like a knock on the door," said one official. "Think of it [as] a gentle reminder. 'We know where you live.'"

Earl Grey? How very British old chap. Nice to see that you don't drink water, the stuff's dangerous, countless millions of damage world wide plus thousands of deaths every year.
 
Yes - why does anyone need their fridge to be connected to the internet? Will it have a camera so people can look at what colour the out of date cheese has turned? Why not connect the toilet? Or what about pets?

Imagine an internet connected cooker - or just a toaster or a kettle. Could they be turned on to cause a fire? When I was eleven my neighbours' toaster went wrong and started a fire.

Internet connected toilets are already a thing, they can take stool samples for medical analysis, do your shopping on the touch screen etc, load up some porn so you can **** on the bog etc

Internet pets, if you count internet connected collars with cameras to track the pet and show the same picture the pet can see, then yes it already exists

Internet connected kettles exist, the worst are the ones that are supposed to be normal kettles but contain wifi sniffers (Usually Chinese of course)

Not sure about toasters, but it's rather inevitable someone will make one if it doesn't already exist
 
There is a company near to me that produces bespoke industrial machinery - all driven by PLCs. The ladder diagrams look familiar. I have no direct experience but I understand that each command is pretty much a program in its own right.
The first rung (line) of the example program would translate into "conventional" programming as

Auto_Mode = (Auto_PB or Auto_Mode) and not Manl_PB

It's a simple seal-in circuit using boolean logic. From the labels I assume it's a push button circuit. Press the "auto" push button and a memory location becomes true. Press the "manual" push button and it turns off. You can do the exact same thing by wiring up a relay, which is where ladder logic programming came from.

Now emulate those relays in software and you have something much cheaper, more compact, and reliable. The programming software was designed to make it easy for someone who was used to doing it with actual relays to transition over to doing it in software. The convention has stuck, and now generations of people who've never done an actual relay circuit are emulating relays in PLCs.

Something I have encountered is Automated Test Equipment driven by Windows PCs that were also connected to the internet.
Automated test equipment tends to be different from the production equipment itself due to its different requirements. Labview is a popular proprietary platform, and also uses its own proprietary graphical programming language. I've done a number of automated test systems, but used C, Basic, and Python for them rather than Labview. One very common requirement is to log (store) the test results, and some customers will store offsite backups on an Internet accessible server, so the test system needs an Internet connection.


Companies are hooking their production lines up to the "cloud" via the Internet so they can monitor production performance and connect to their ERP systems without having their own servers. Everything that has a computer involved seems to be going "cloud" these days.
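The seal-in rung described in the post above, run through a few PLC scan cycles. This is an added example, not part of the original post: the tag names Auto_PB, Auto_Mode and Manl_PB come from the post, while the rung encoding, the helper names and the push-button sequence are assumptions constructed here.

```python
# Added example: a minimal ladder-rung evaluator and PLC scan loop.
# A rung is a series (AND) of groups; each group is a set of parallel (OR)
# contacts. A contact is (tag, normally_closed). This encoding is an
# assumption for illustration, not any vendor's file format.
SEAL_IN_RUNG = {
    "coil": "Auto_Mode",
    "series": [
        # Push button in parallel with the coil's own contact (the seal-in).
        [("Auto_PB", False), ("Auto_Mode", False)],
        # Normally-closed contact: pressing Manl_PB breaks the rung.
        [("Manl_PB", True)],
    ],
}

def contact_state(tags, tag, normally_closed):
    """Return True if current can flow through this contact."""
    value = tags.get(tag, False)
    return (not value) if normally_closed else value

def eval_rung(rung, tags):
    """Solve one rung: every series group needs at least one closed contact."""
    return all(
        any(contact_state(tags, tag, nc) for tag, nc in group)
        for group in rung["series"]
    )

def run_scans(rung, input_sequence):
    """Emulate the PLC scan: read inputs, solve logic, write the coil."""
    tags = {rung["coil"]: False}   # coil memory persists between scans
    history = []
    for inputs in input_sequence:
        tags.update(inputs)                          # input scan
        tags[rung["coil"]] = eval_rung(rung, tags)   # logic solve + output
        history.append(tags[rung["coil"]])
    return history

# Constructed push-button sequence, one dict per scan cycle.
SCANS = [
    {"Auto_PB": False, "Manl_PB": False},  # idle
    {"Auto_PB": True,  "Manl_PB": False},  # auto button pressed
    {"Auto_PB": False, "Manl_PB": False},  # released: rung seals itself in
    {"Auto_PB": False, "Manl_PB": True},   # manual button pressed
    {"Auto_PB": False, "Manl_PB": False},  # released: stays off
    {"Auto_PB": True,  "Manl_PB": True},   # both pressed: manual wins
]

def demo():
    return run_scans(SEAL_IN_RUNG, SCANS)

if __name__ == "__main__":
    for scan, (inputs, coil) in enumerate(zip(SCANS, demo())):
        print(scan, inputs, "Auto_Mode =", coil)
```
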
 
Everything that has a computer involved seems to be going "cloud" these days.

Which really is just abstracting the responsibility and the risk for devops somewhere else rather than getting rid of problems

Cloud computing still has to involve real servers somewhere, but at least it gives people a warm and fuzzy feeling that everything is safe because it's in the cloud
 

Yokel

LE
Which really is just abstracting the responsibility and the risk for devops somewhere else rather than getting rid of problems

Cloud computing still has to involve real servers somewhere, but at least it gives people a warm and fuzzy feeling that everything is safe because it's in the cloud

I wonder if it is like people who think that cyber threats mean that the physical security of their own equipment and the telecommunications infrastructure does not need to be worried about.

Incidentally, my father's laptop has not been booting up. He took it to a computer shop where the bloke reckoned it had been hacked.
 
Yes - why does anyone need their fridge to be connected to the internet? Will it have a camera so people can look at what colour the out of date cheese has turned? Why not connect the toilet? Or what about pets?

Imagine an internet connected cooker - or just a toaster or a kettle. Could they be turned on to cause a fire? When I was eleven my neighbours' toaster went wrong and started a fire.

For surfing Arrse, obviously :)



In fairness, we bought this fridge on Black Friday, and the smart panel was essentially free. We wouldn't have chosen it, if we had to pay for it. It does have its uses though, like a timer app, and it shows the time and weather forecast on its screen saver. It does indeed have a camera inside, and you can look at the inside from the supermarket if you really wanted to. I've never done it, not sure if the wife has. I like it.
 

MoleBath

LE
Kit Reviewer
Book Reviewer
The choirmaster has lost an irreplaceable collection of young hitler youth boys photographs in lederhosen photographs to cyber attack
 
