Results 1 to 5 of 5
  1. #1
    Join Date
    Oct 2003
    Location
    Minnesota
    Posts
    1,377

    Something to think about ....

    As we connect ever more equipment to networks in general and to the internet specifically. And link ever more and more controls to front ends that use commonly known and understood protocols, commands, etc.

    The below links refer to problems with SCADA systems. But the same principles and ideas can be applied to other open control protocols and frameworks for which there is plentiful documentation and real equipment that can be purchased by anyone for the purposes of testing, learning, and so forth.

    Wallstreet Journal article:
    Electricity Grid in U.S. Penetrated By Spies

    WASHINGTON -- Cyberspies have penetrated the U.S. electrical grid and left behind software programs that could be used to disrupt the system, according to current and former national-security officials.

    http://online.wsj.com/article/ SB123914805204099085.html


    "Zombies ahead!" sign says something about SCADA security

    http://blogs.zdnet.com/security/?p=2452


    Experts hack power grid in no time
    Basic social engineering and browser exploits expose electric production and distribution network

    http://www.networkworld.com/news/200...ower-grid.html


    C4-Security is an industry association which concerns itself with Scada security issues. Here is a list of some real incidences they've got on record:

    http://www.c4-security.com/index-5.html


    I'm guessing that there is a very good reason that one of our larger and more security conscious customers does not allow any PC that is connected to their intranet or to the Internet in general, to be also connected to their controls network.
    A site where I stash some stuff that might be interesting to some folks.
    http://cid-0554c074ec47c396.office.l...e.aspx/.Public

  2. #2
    Join Date
    May 2002
    Posts
    9,564
    Add your unsecure iPhone to the list.

    I think it's interesting they had this sci-fi show that had this spaceship that survives because it wasn't networked.

    Many people now are installing their own networks within buildings. That way they control their points of access and the building owner writes this off as an entry to their system.

    It mostly comes down to access and access points. I guy infiltrating your building has to both see and access your comm to get in and start doing work. Or, that guy needs to get into a PC or embedded controller having access. I think guys and engineers requiring all the tools be bundled with the controlling device may want to rethink things a bit. If I can hack into an embedded box with it's associated work tool in it that may create a problem.

    I think most guys are not even employing simple things. Passwords are all defaulted and computer updates are automatic rather than controlled and monitored.

  3. #3
    Join Date
    Apr 2007
    Location
    San Diego, CA
    Posts
    1,330
    Quote Originally Posted by sysint View Post
    If I can hack into an embedded box with it's associated work tool in it that may create a problem.
    I can blank your admin password in a non syskey partitioned Windows box by just having physical access to it, and then it won't matter what tool you're running. But I can't do the same to an embedded box running Qnx.

  4. #4
    Join Date
    May 2002
    Posts
    9,564
    Digo - You are a very sharp guy... and reader. How does it do with DoS?

  5. #5
    Join Date
    Apr 2007
    Location
    San Diego, CA
    Posts
    1,330
    Well thank you sys, I know you meant that as a compliment.
    Are you talking about this DoS vulnerability?
    http://www.ca.com/us/securityadvisor....aspx?id=28331

    That's from 5 years ago, so you're a little bit behind the curve on that one.
    Fast forward to 2009, I've got a T-box here running QNX 6.3.2
    By the next release, we'll probably move to 6.4.0, which has been certified to the stringent security requirements of the Common Criteria ISO/IEC 15408 Evaluation Assurance Level 4+ (EAL 4+).

    source: http://www.qnx.com/news/pr_3361_1.html

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •  
Comfortech Show Promo Image

Related Forums

Plumbing Talks | Contractor Magazine
Forums | Electrical Construction & Maintenance (EC&M) Magazine
Comfortech365 Virtual Event