Tag: security incidents

MELTDOWN-SPECTRE: THE MESS CONTINUES

The fallout from the Meltdown and Spectre CPU bugs rolls on. There’s a lot of reading on this topic, but here are some of the bullets you need to know:

  • According to one experienced tester, the Meltdown patches “introduce the largest kernel performance regressions I’ve ever seen.”
  • The early patches might be causing more harm than good … and it’s not just the performance hit. As noted by Security Week, “Both microcode and software updates designed to address the Spectre and Meltdown vulnerabilities have turned out to be buggy, often making systems unbootable or causing them to reboot more frequently.” Major software vendors including Microsoft stopped the patches due to instability.
  • The flaws can be exploited by JavaScript in a Web browser … and proofs of concept are already floating around in the wild, according to ZDNet.
  • Intel is coming out with a new set of patches that supposedly avoid the reboots and other problems noted earlier. But considering Intel’s history of attempting to spin its way out of this PR mess and releasing half-baked fixes, I would take the news with a grain of salt.
  • Long-term, the entire world has a big security problem on its hands that won’t be fixed until silicon platforms are rearchitected AND older systems are patched or replaced. This could take years.

If you’re trying to play catch-up with these flaws, the best place to start is this page created by security researchers, which includes links to advisories and patches put out by major vendors.

Reaction to Triconex breach: “We have to isolate safety from all other systems”

In the wake of a serious security breach involving Schneider Electric’s Triconex industrial safety system at a “critical infrastructure” facility overseas, Priority Payload Report talked with Joe Weiss, managing partner of Applied Control Solutions and the author of Protecting Industrial Control Systems from Electronic Threats. Weiss has decades of experience in the energy industry and serves on the ISA99 committee of the International Society of Automation.

PPR: Why is the incident involving Schneider Electric’s Triconex safety system such a big deal?

Weiss: Triconex and Siemens have a large segment of the safety systems worldwide and Triconex also happens to be used in many U.S. nuclear power plants as Triconex has been certified by NRC for nuclear safety applications. Schneider for years has said you can’t hack Triconex because it’s triple-redundant. Triple-redundant improves reliability but does not address cyber security.

PPR: What is a typical industrial scenario that would require the triple-redundant PLC?

Weiss: In a refinery, you would use this to make sure that the safety valves would open if the pressure got too high, so a pipe doesn’t burst. Safety systems are used to make sure that you don’t have a pipe break, or a valve releasing toxic chemicals, prevent trains from crashing, etc.

PPR: So this isn’t about IT security, but facility integrity and human life at risk.

Weiss: Safety systems are to protect facility integrity and human life, not for data.

PPR: We don’t know all of the details of the incident, but is this a situation in which air-gapping that particular PLC could have prevented the breach?

Weiss: We have to isolate or air gap safety from all other systems. Today, non-nuclear safety standards allow safety to talk to non-safety. Nuclear does not allow safety systems to mix with non-safety. The nuclear plant approach must be extended to non-nuclear safety systems.

PPR: If a manager or engineer at a power plant came to you and said, ‘I just heard about this incident involving Triconex, which we have implemented in our facilities. What should I be doing now?’

Weiss: The very first thing is to make sure safety doesn’t touch non-safety, including basic process control systems, much less the business network.

PPR: So other than nuclear, there are no requirements to have this kind of separation.

Weiss: No, that’s part of what we’re going to have to address in the new ISA Level 0, Level 1 Task Force.

Weiss has also blogged about the Triconex events and associated safety issues in “Implications of the Triconex safety system hack – Stuxnet part 2?”