Proof-of-concept ransomware locks up the PLCs that control power plants


#1

Originally published at: http://boingboing.net/2017/02/14/proof-of-concept-ransomware-lo.html


#2

That backup generator is looking like a better idea every day.


#3

I’ve worked in three different power plants (consulting from corporate) and toured through a dozen or so. Their control systems are thoroughly and carefully isolated from the vast wasteland of the internet. Anyone who operates differently deserves the consequences, IMO.


#4

Unfortunately, their customers have no way of knowing which camp their supplier falls in; and arguably don’t deserve them.

Asking my utility to let me audit their systems to my satisfaction might be worth it for the response; but only because it’d be humorous; not because it’d be ‘sure, go ahead’.


#5

That’s what regulators are for. I’d be shocked if, at least in the developed world, this was not a strict requirement.


#6

I have seen similar equipment that is thoroughly isolated from the internet, yet ‘phones home’ to the vendor (a major vendor of power equipment, one of the biggest). In other words, no incoming traffic allowed other than established connections, which are allowed only to the vendor.

If I understand this exploit correctly, the malware would first attack a poorly-secured device, then travel back to the vendor, then to the ‘thoroughly isolated’ devices. So no matter how careful you are, you’re only as secure as the most poorly secured device made by this vendor.


#7

Sorry, but it’s already been pretty conclusively shown that MANY power plants are almost completely unsecured, as well as other important systems: https://www.wired.com/2013/11/internet-exposed/

Yes, the corporations involved deserve some misfortune, but do their customers?


#8

Hopefully. Regulatory capture can be a hell of a drug; but hopefully boring legacy industries are worse at it than the synthetic-derivative slingers on Wall Street.


#9

Non-default passwords, like door keys, don’t keep intruders out. They keep lazy intruders out.


#10

Three sets of people are swearing a lot right now:

  • The Chinese and
  • Russian governments
    Who have active eWarfare capacity, and just lost one of their exploits to use in conflict against us. And…
  • Our governments, who either didn’t notice and are scrambling, or (more likely) just lost one of _their_tools against the above.

#11

And the better your password, the larger the “lazy” set becomes. Sorry, that’s not an argument.


#12

neither is that, but neither is this.


#13

Excuse me? Noting a “counterpoint” isn’t even remotely close to an actual counterpoint is invalid how, exactly?
I’ll wait.


#14

Not counterpointing, not arguing. Thank you again for the getting hit on the head lesson!


#15

LOL
I notice you forgot to include your own post in that list, silly. Whatever.


#16

So what you notice when confronted with your rudeness (sorry, but is massively disingenuous, yes,but means no, and those who use those aren’t interesting to me) is how rude, or silly, I am for mentioning it.

This isn’t an argument. This is documentation. Have a good day. Be less boring and I’ll see you there.


#17

This topic was automatically closed after 5 days. New replies are no longer allowed.