Category Archives: Energy

SCADA exploits released: Siemens SIMATIC

Every time I hear people tell me how it would take a nation state budget with an army of trained cyber warriors to design and infiltrate systems I wonder where they get their data from. Billy Rios has been kind enough to argue against this not only in theory but by demonstrating just how easy it was for him to find vulnerabilities in the Siemens SIMATIC system. Now he has released exploit details.

Nothing sophisticated here:

If a user changes their password to a new password that includes a special character, the password may automatically be reset to “100”. Yes, you read that correctly… if a user has any special characters in their password, it may be reset to “100”. You can read about these awesome design decisions (and many others) in the Siemens user manuals.

And again:

For those non-techies reading this… what can someone do with this non-existent bug? They can use this to gain remote access to a SIMATIC HMI which runs various control systems and critical infrastructure around the world… aka they can take over a control system without knowing the username or password. No need to worry though, as there are “no open issues regarding authentication bypass bugs at Siemens.”

In his presentations he has pointed out that evaluation of the exploits is easy from the comfort of one’s own bedroom. In his latest post he also points to some (perhaps illegal) remote test options.

I’ve found MANY of these services listening on the Internet… in fact you can find a couple here: http://www.shodanhq.com/search?q=simatic+HMI
https://www.google.com/?#q=%22SIMATIC+HMI+Miniweb+on%22

A major tenet of my argument at the Dr. Stuxlove presentation was that we can do ourselves a serious disservice in risk management by overestimating the sophistication and talent of our adversaries. If the level of knowledge required to exploit a system is low then vendors will be under far more pressure to patch and fix.
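To show what "the level of knowledge required to exploit a system is low" means in concrete terms, here is an added example (not code from the original post, not Billy Rios's code, and not Siemens' code; it says nothing about how the SIMATIC HMI is actually implemented) of the class of defect the quoted passage describes: a password-change handler whose input filter "recovers" from unexpected characters by storing a fixed default instead of failing the change. The character whitelist, the fallback value `"100"`, and the `regression_check` acceptance test are all constructed for this illustration. The hardened variant beside it treats anything it cannot accept as an error that leaves the stored credential untouched.

```python
"""Illustration of the failure mode quoted above: a password-change routine
whose input filter 'recovers' from characters it did not expect by storing a
fixed default instead of failing the change. Hypothetical code written for
this page; it is not Siemens' code and says nothing about how the SIMATIC
HMI is actually implemented."""

import hashlib
import hmac
import os
import string

ALLOWED = set(string.ascii_letters + string.digits)
FALLBACK = "100"  # constructed stand-in for the silent default the post describes
SALT_LEN = 16


def _hash(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2; the bug being illustrated is independent of the hashing."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def _store(store: dict, user: str, password: str) -> None:
    salt = os.urandom(SALT_LEN)
    store[user] = salt + _hash(password, salt)


def verify(store: dict, user: str, password: str) -> bool:
    """Constant-time comparison of the candidate against the stored digest."""
    rec = store.get(user)
    if rec is None:
        return False
    salt, digest = rec[:SALT_LEN], rec[SALT_LEN:]
    return hmac.compare_digest(digest, _hash(password, salt))


def change_password_unsafe(store: dict, user: str, new_password: str) -> str:
    """Vulnerable pattern: a character outside ALLOWED is treated as bad input,
    and instead of rejecting the request the handler substitutes FALLBACK and
    stores that. Returns the value that was actually stored."""
    if any(ch not in ALLOWED for ch in new_password):
        new_password = FALLBACK
    _store(store, user, new_password)
    return new_password


def change_password_hardened(store: dict, user: str, new_password: str) -> None:
    """Hardened pattern: anything the system cannot accept is an error that
    leaves the stored credential untouched. Special characters are fine,
    because the value is only ever hashed, never interpreted."""
    if len(new_password) < 8:
        raise ValueError("password rejected: too short")
    if not new_password.isprintable():
        raise ValueError("password rejected: control characters")
    _store(store, user, new_password)


def regression_check() -> dict:
    """The acceptance test an operator would want: after a change to a
    password containing a special character, the intended password must
    authenticate and the default must not."""
    intended = "S3cure!pass"  # constructed sample containing a special character
    out = {}

    unsafe = {}
    change_password_unsafe(unsafe, "operator", intended)
    out["unsafe_default_authenticates"] = verify(unsafe, "operator", FALLBACK)
    out["unsafe_intended_authenticates"] = verify(unsafe, "operator", intended)

    hard = {}
    change_password_hardened(hard, "operator", intended)
    out["hardened_default_authenticates"] = verify(hard, "operator", FALLBACK)
    out["hardened_intended_authenticates"] = verify(hard, "operator", intended)

    # A rejected change must fail loudly and leave the old credential in place.
    try:
        change_password_hardened(hard, "operator", "bad\x00value1")
        out["hardened_rejects_bad_input"] = False
    except ValueError:
        out["hardened_rejects_bad_input"] = verify(hard, "operator", intended)
    return out


if __name__ == "__main__":
    for name, result in regression_check().items():
        print(f"{name}: {result}")
```

The point of `regression_check` is that it is a test any product team could have run before shipping: it needs no knowledge of the attacker, only of the documented behaviour, which is the author's argument about sophistication in a nutshell.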

Another interesting way of looking at this is to review the schism of resources in the security industry; there is a natural tension between remediation and investigation. Those monitoring for attacks may emphasize the presence of highly sophisticated adversaries because there is a direct link to their funding. If you put them into a complete risk equation and point out that vulnerabilities are easily fixed, they will tell you that you just don’t understand how smart the people are that you are up against. Don’t be tempted to give them more money right away. That is the point at which you should ask them to “define sophisticated”, which really means explain the details of the vulnerabilities and the cost of remediation.

True security is to live a vulnerable lifestyle. When someone says driving a car safely is so sophisticated that you should spend millions on detection and investigation funds, you might be in a position to respond that wearing a seatbelt and installing airbags, brakes and suspension will work just fine for your risk management program. That is to say, there is a balance of investment, and overestimating the sophistication of threats may lead to less risk reduction than spending on innovation around reducing vulnerabilities.

Of course manufacturers first have to acknowledge that their emperor is naked — vulnerabilities are real.

For all the other vendors out there, please use this as a lesson on how NOT to treat security researchers who have been freely providing you security advice and have been quietly sitting for half a year on remote authentication bypasses for your products.

Since Siemens has “no open issues regarding authentication bypass bugs”, I guess it’s OK to talk about the issues we reported in May. Either that or Siemens just blatantly lied to the press about the existence of security issues that could be used to damage critical infrastructure…. but Siemens wouldn’t lie… so I guess there is no authentication bypass.

Siemens has faced embarrassing public exposure of security issues in the past, including public disclosure of easy exploits, and has released advisories in response, so it will be interesting to watch how this episode plays out.

Billy Rios is thus doing a great service by pointing our attention to something Americans should already be very familiar with. A Siemens SIMATIC is Unsafe at any speed: there are Designed-In Dangers in critical infrastructure systems.

People’s Gas Breach not Infinite

According to the latest reports from the Chicago area, a contractor who breached an energy company was unable to steal infinity.

It’s still bad news for the “finite” number of records he did access.

Peoples Gas and sister utility North Shore Gas have notified an undisclosed number of customers of the possible theft and potential use of personal information about them by a contract worker.

[…]

They said, though, that the number is “finite and very small.” The companies said they had no information to indicate that the number of customers affected by the possible identity theft would grow.

The contracted employee has been fired and is “subject to criminal investigation and prosecution,” the companies said.

Never mind the X-men. A cartoon comes to mind with an evil character who has the amazing ability to steal an infinite amount of data. Oh no! It’s…it’s…SAN Man! Egress man?

50km wireless link for Farallon Islands

I thought I wrote about this before but it doesn’t seem to show up anywhere. Tim Pozar gave an excellent presentation on how he and Matt Peterson built a wireless link from San Francisco to the Farallon Islands.

WMV and PDF available from NANOG49

The presentation will cover the requirements for a very limited budget and power consumption, issues of remote deployments, long distance microwave links over the ocean, and sensitivity to the largest breeding colony in the contiguous United States.

Additional network topics will be the requirement to support various services on the island via VLANs, fiber deployment to overcome distance and lightning, RF path calculations, “tuning” of the radio modulation schemes to provide the best up-time, and remote support of a location that may only be accessible once a month.
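The "RF path calculations" mentioned in the abstract are the kind of thing a first-pass design of an over-water link starts from. The following is an added example for this page, not the presenters' own calculations: the 50 km distance comes from the post, while the 5.8 GHz band, the antenna gains, transmit power, miscellaneous cable loss and receiver sensitivity are assumed values chosen for illustration. It computes free-space path loss, the first Fresnel zone radius and the earth-bulge clearance at mid-path, and turns them into a fade margin.

```python
"""Back-of-the-envelope RF path calculation for a long over-water link like
the one in the talk above. Added example for this page, not the presenters'
own numbers. Only the 50 km distance is taken from the post; frequency,
gains, power, losses and sensitivity are assumed for illustration."""

import math

C = 299_792_458.0  # speed of light, m/s


def free_space_path_loss_db(distance_m: float, freq_hz: float) -> float:
    """Free-space path loss 20*log10(4*pi*d/lambda), in dB."""
    wavelength = C / freq_hz
    return 20 * math.log10(4 * math.pi * distance_m / wavelength)


def fresnel_radius_m(d1_m: float, d2_m: float, freq_hz: float, zone: int = 1) -> float:
    """Radius of the n-th Fresnel zone at a point d1 from one end and d2 from
    the other. Rule of thumb: keep 60% of the first zone clear of obstacles,
    which over water means clear of the sea surface and the earth's curvature."""
    wavelength = C / freq_hz
    return math.sqrt(zone * wavelength * d1_m * d2_m / (d1_m + d2_m))


def earth_bulge_m(d1_m: float, d2_m: float, k: float = 4 / 3) -> float:
    """Height of the earth's curvature above the straight chord between the
    two ends, at a point d1/d2 from them, using the usual k=4/3 effective
    earth radius to account for standard atmospheric refraction."""
    effective_radius = 6_371_000.0 * k
    return d1_m * d2_m / (2 * effective_radius)


def link_budget(distance_m: float, freq_hz: float, tx_dbm: float,
                tx_gain_dbi: float, rx_gain_dbi: float,
                misc_loss_db: float, rx_sens_dbm: float) -> dict:
    """Received level, fade margin and mid-path clearance for one hop."""
    fspl = free_space_path_loss_db(distance_m, freq_hz)
    rx_dbm = tx_dbm + tx_gain_dbi + rx_gain_dbi - misc_loss_db - fspl
    mid = distance_m / 2
    f1 = fresnel_radius_m(mid, mid, freq_hz)
    bulge = earth_bulge_m(mid, mid)
    return {
        "fspl_db": fspl,
        "rx_dbm": rx_dbm,
        "fade_margin_db": rx_dbm - rx_sens_dbm,
        "fresnel1_mid_m": f1,
        "fresnel_60pct_m": 0.6 * f1,
        "earth_bulge_mid_m": bulge,
        # Height the line of sight must have above the chord at mid-path.
        "required_mid_clearance_m": bulge + 0.6 * f1,
    }


if __name__ == "__main__":
    # Assumed parameters: 5.8 GHz, 23 dBm radio, 30 dBi dishes at both ends,
    # 3 dB of cable and connector loss, -80 dBm receiver sensitivity.
    result = link_budget(50_000, 5.8e9, 23, 30, 30, 3, -80)
    for key, value in result.items():
        print(f"{key:>26}: {value:8.2f}")
```

With those assumptions the path loss is about 141.7 dB, the first Fresnel zone is about 25 m wide at mid-path, and the earth bulges roughly 37 m above the chord between the endpoints, so the antennas have to be sited high enough that the line of sight sits more than 50 m above that chord at the middle of the hop; the 18 dB fade margin is what is left to absorb rain, ducting and sea-surface reflections.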


Sailing around the Farallon Islands: Photo by me

Funnel Triples Wind Turbine Output

It has a fancy name (the Wind Lens) and design, but as you can tell from the photo it is a simple innovation based on a reverse funnel effect. Cleantechnica reports:

The Wind Lens works by creating an area of low pressure behind the turbine that essentially sucks the wind through the turbine, increasing effective wind speed. As wind power is proportional to the wind speed cubed, the wind lens changes the fluid dynamics around the turbine to increase its power.

Can we expect to see datacenters designed around turbines in the near future? Both new power and cooling solutions may be found by engineers trying to harness the wind. I envision a tunnel that flows through a datacenter to power turbines yet also pulls heat out and away.

I’ve already written about the overproduction of power from wind turbines in Germany that has forced them to export energy to their neighbors.

Now the Japanese appear ready to take the issue even further by dropping the cost of wind energy below nuclear energy and forcing a giant shift in risk calculations.

Imagine: no more dirty coal power, no more mining deaths, no more nuclear disasters, no more polluted aquifers as a result of fracking.

Fair enough, but don’t forget to imagine instead some new risks such as climbing up giant turbines to service them, the impact on weather and wildlife