4 thoughts on “Malware”

  1. For the last year, I have been working with embedded industrial control systems and was surprised to find that most such systems run on an embedded version of Windows XP or Windows 7. This version of Windows is stripped of bloatware, but it seems to be, in most all respects, the same Windows that runs on any desktop or laptop system from 10 to 15 years ago. I understand the desire to use the Windows platform for ease of development (most of these systems were programmed in C#), but Windows is notoriously a very soft target for security threats. Also, running on relatively low-end CPUs, there isn’t much performance overhead to run resource-heavy anti-virus or other security software. So such embedded systems seem to run without anything.

    Most industrial systems seem to just be protected at the perimeter with firewalls, but once that layer is penetrated either via technical or social hacking, the systems seem to be very vulnerable. Perhaps even more vulnerable than typical home networks which are running much more modern versions of Windows with anti-virus software.

    The scenario of the virus traveling from system to system in an industrial network, as described in the article, seems completely plausible.

    1. I ran a Fortune 50 advanced control group for a number of years. Know the guys who created Triconex well… they eventually formed a really cool company called Wonderware. All were eventually sold to Schneider, who are also very good people. Unfortunately, some industrial control solutions don’t even port to newer machines. No matter how much you want to update them. The best protection is to isolate controls from data interfaces from IT with VERY strong protection at the very limited gateways. You can read but not write. Everything is push upward. You allow access to the control and data interface sections from rigid and paranoid structures. Limited access. No USB ports, no mounted CD/DVD drives. No access to IT nets or internet. ZERO. STRICT control with strict enforcement. No calling in from home. No use of engineering-specific machines for email or web or open ports. None. Fanatical and continuous deep background checks on all who have access, regular drug tests… and that’s a very small list. Companies with dangerous or valuable processes must maintain a sacrificial copy of all process controls, designed to test new software under the tightest challenges, and with a white hat team challenging it as well to find holes. Every machine needs to perform byte for byte comparisons of each other’s programming and firmware. ANY disagreement is an emergency. It’s an insane world and I am glad I retired from it.
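The byte-for-byte cross-check the reply above calls for, as an added example that is not part of the thread and not any vendor's tooling: a small Python script that hashes each controller's program or firmware image, compares the peers against each other, identifies the majority copy and the outliers, and reports the offset of the first differing byte so an engineer knows where to look. The controller names and image bytes are constructed for the example; in practice the images would come from each controller's configuration export or memory read-back.

```python
import hashlib
from collections import Counter
from typing import Dict, Optional

# Constructed sample: the program image each controller reports.
# plc-03 differs from its peers by a single byte near the end.
SAMPLE_IMAGES = {
    "plc-01": b"\x01\x02\x03" * 64,
    "plc-02": b"\x01\x02\x03" * 64,
    "plc-03": b"\x01\x02\x03" * 63 + b"\x01\x02\x04",
    "plc-04": b"\x01\x02\x03" * 64,
}


def digest(image: bytes) -> str:
    """SHA-256 over the whole image; equal digests imply byte-identical images."""
    return hashlib.sha256(image).hexdigest()


def first_diff_offset(a: bytes, b: bytes) -> Optional[int]:
    """Offset of the first byte where a and b differ, or None if identical.
    A length mismatch with a common prefix counts as a difference at the
    end of the shorter image."""
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return i
    return None if len(a) == len(b) else min(len(a), len(b))


def compare_peers(images: Dict[str, bytes]) -> dict:
    """Compare every controller's image against its peers.

    Returns a dict with:
      consistent        True only when all images are identical
      emergency         True on ANY disagreement (the reply's rule)
      majority_digest   digest held by a strict majority, or None if no
                        strict majority exists (then nothing is trusted)
      outliers          controllers whose image differs from the majority
      first_difference  {controller: byte offset} versus the majority copy
    """
    digests = {name: digest(img) for name, img in images.items()}
    counts = Counter(digests.values())
    majority_digest, majority_n = counts.most_common(1)[0]

    # Without a strict majority there is no trustworthy reference copy.
    if majority_n * 2 <= len(images):
        majority_digest = None

    reference = next(
        (img for n, img in images.items() if digests[n] == majority_digest), None
    )
    outliers = sorted(n for n in images if digests[n] != majority_digest)

    first_difference = {}
    if reference is not None:
        for n in outliers:
            first_difference[n] = first_diff_offset(reference, images[n])

    return {
        "consistent": len(counts) == 1,
        "emergency": len(counts) != 1,
        "majority_digest": majority_digest,
        "outliers": outliers,
        "first_difference": first_difference,
    }


if __name__ == "__main__":
    report = compare_peers(SAMPLE_IMAGES)
    if report["emergency"]:
        print("EMERGENCY: controller images disagree")
        for name in report["outliers"]:
            offset = report["first_difference"].get(name)
            print(f"  {name}: first differing byte at offset {offset}")
    else:
        print("all controller images identical")
```

The majority rule only decides which copy to diff against for reporting; the alert condition itself is any disagreement at all, matching the reply's "ANY disagreement is an emergency". With two controllers, or an even split, there is no majority and every copy is listed as an outlier, which is the conservative outcome.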

  2. When the Iranian nuclear weapon infrastructure was penetrated by Western intelligence agencies and computer viruses unleashed, it was only a matter of time before the same thing happened here. Frankly, I’m surprised it took this long.

    Another aspect of this is that it is likely that peer powers (China and Russia) have a supply of such hacks in the wings waiting for an appropriate moment to be released.

  3. Don’t be Stephen Green, Rand.

    This is not “The Internet Of Things”.

    This is a control system on an internal, private network, not using the Internet (as such), directly.

    Reading the article, it looks like they had to get through the company’s IT department, through a bad firewall to the operations network and then subvert an on-network workstation, to get to the controller. Which they then specifically targeted.

    That’s exactly the kind of attack that’s most difficult to stop – a multi-year effort aimed at subverting one specific company and one specific system.

    This is not “lulz our IoT device just opens up a control port with a default password” or “what even is TLS who cares?!” carelessness.
