The Salivating Press

Back in September 2010 Ralph Langner had hard evidence that the Stuxnet code was fingerprinting and attacking a specific process in a PLC. After Ralph announced his findings, and we blogged on them extensively, it was weeks before it got seriously picked up in the automation press and about a month before it started hitting the mainstream press.

A year later the press is salivating for a “SCADA Hack” with two great examples in recent months. Duqu got immediate and massive coverage even though there has been no evidence it is more than a Remote Access Trojan that happened to reuse some of the Stuxnet code. This factor warranted the initial attention, but it is still being treated by many as Stuxnet II for no apparent technical reason related to ICS.

Last week we had the Springfield Water System Hack making it high up on the Drudge Report and all over the mainstream press. This is a minor hack of a small system. It appears to have caused a pump to burn out. To date the rumor mill indicates it was some compromised passwords, poor network segmentation and classic ICS lack of authentication that allowed the attacker to control the process. Nothing particularly noteworthy there.

All this is not to criticize the press coverage, in the water system hack case. The press will decide what their readers are interested in, and Ralph commented in one of our podcasts this summer that one of his biggest surprises was how interested the general public was in the Stuxnet story.

It does show that at least for a while the public is hungry for stories on SCADA hacks and SCADA vulnerabilities. This should lead to more attacks, perhaps of this rather benign nature, as people love attention. And it could actually lead to some progress on some long ignored basic security issues.


1 comment to The Salivating Press

  • Eh… I guess that was Sep 2010…

    One more thing, the automation press has managed to keep silent on the Stuxnet exploits while occasionally talking about Stuxnet as a game changer and celebrating a company that is in a complete state of denial about its vulnerabilities as leading the pack in terms of ICS security. Besides, I agree with Dale that it is difficult to understand the fuss around Duqu and the water facility hack when all of Stuxnet’s vulnerabilities are still there, with exploit code in the wild, and an ICS-CERT that officially says it doesn’t intend to do anything about it. It would be very easy to demonstrate, for example, a generic exploit implementation of the process image overwrite done by Stuxnet (who knows, time permitting I might do it at S4). It’s not rocket science, and it’s not even fumbling around with a buffer overflow that might be fixed in the next release by the vendor. It’s simple, straightforward, and reliable. It’s exploiting a classic design flaw because an input process image should never have been read/write in the first place, but certainly read-only. Who cares? The vendor doesn’t. ICS-CERT doesn’t. The automation press doesn’t. I do.
