Stuxnet. SCADA. And The Fact That 747s Are Giant Flying Unix Hosts.

OK. After looking at a lot of different hierarchies for SCADA systems I see that they are going to seldom be out of the box packages and will have to be custom done for each site (I guess; given the complexity).

I found a really good schematic that shows that the master is also a complex of machines and software and really not one thing. Just like aaa2500 is saying ( I hope I got this now)...

Originally posted by camaro68ss
sweet, so hackers can upload vireses into planes and now crash them into buildings remotely? Whos side are we on anyways?

was there the ability to do this September 11, 2001? not jumping to any conclusions but merely throwing it into the mix.

stuxnet was purpose made to derail irans nuclear program.

ars covered it thoroughly

it caused the centrifuges used in the manufacture of enriched uranium to temporarily run faster than they should, a change small enough to evade detection, but still ruin the result.

it targeted specific types of centrifuges used in iranian plants, and iirc they werent connected to the internet for obvious security reasons, therefore someone inside infected the system.

its a very small market for these centrifuges, and of course joe shmoe hacker cant buy one to look for exploits, because of that specificity and the inside knowledge required to compromise it, its most likely that one of our own intelligence agencies created it, perhaps in concert with israel.

so theres that.

Remember when you were learning about data processing in school, and had trouble understanding that the term 'CPU' could refer to both a processor in a computer OR a whole computer OR a computing department in an organisation, depending on the level of abstraction? SCADA systems and subsystems are similar.

It seems to me that the HIM must be running a host OS that the SCADA software runs on. Have I got that straight? Or is the HIM talking to yet another machine?

The master is the system that does the hard work of collecting the data and evaluating it and pulling in more data and putting out the proper reaction to that data.

HMI can refer to either software running on the master(the SCADA software running as one process on the Master and the HMI running as another process, both processes running on an OS) or a separate dedicated computer.

And if engineers are getting this stuff on their cell phones are they logging on to a website that displays the HMI? Or what?

That's one way. Another could be an app for the cell phone, with a secure persistent connection to the network.

OK. After looking at a lot of different hierarchies for SCADA systems I see that they are going to seldom be out of the box packages and will have to be custom done for each site (I guess; given the complexity).

...Or be made from different out of the box systems connected together. Hardware from A, a real-time OS from B, Router and network from C, RTU's from D, sensors from E, actuators from F, software from G, all put together by H in a timely manner.

I found a really good schematic that shows that the master is also a complex of machines and software and really not one thing. Just like aaa2500 is saying ( I hope I got this now)...

Yes, on different levels of complexity, the Master can be a simple controller or a massively multiprocessing, distributed system.

But remember. A SCADA system can range from a simple system controlling production in a small workshop, to massive distributed systems controlling many different sites. Even systems of systems if you want to go there.

Originally posted by Nobama
reply to post by Frater210

 

Everything has it's traces from UNIX, it paved the way for multitasking and server hosts, and almost every server runs a variant of it (mainly Linux), but I don't see 747s being giant Unix hosts just for the fact that it would be far cheaper to have servers running on the ground.

oh and I have a copy of Stuxnet on a VMware OS that is used to test computer infections, and Stuxnet is not FUD and most scanners detect it now, so it would be pointless to use.

Also Stuxnet attacks windows based computers which is based on DOS, not Unix

edit on 27-9-2011 by Nobama because: (no reason given)

Finally,
Some sanity.

reply to post by Ahmose

Finally, Some sanity.

I loved this post simply because it is funny to me to think of all the really talented computer folks on the forum that all must be bruised pretty badly from doing multiple double face palms.

C'mon! it can't be that bad. I think I finally got it.

From member: Nobama:
oh and I have a copy of Stuxnet on a VMware OS that is used to test computer infections, and Stuxnet is not FUD and most scanners detect it now, so it would be pointless to use.

So does the guy who produced the video from InfoSecInstitute at the bottom of the previous page. My point is not that Stuxnet is of any great danger. I just wanted to point out the ubiquity of these systems and that Stuxnet may be prototypical.

reply to post by aaa2500

Yes, on different levels of complexity, the Master can be a simple controller or a massively multiprocessing, distributed system. But remember. A SCADA system can range from a simple system controlling production in a small workshop, to massive distributed systems controlling many different sites.

Even systems of systems if you want to go there.

Thank you for all of your kind help. Although I am a late comer to all of this and my educational focus is a little diffuse I really have a deep interest in systems theory and discovering all this SCADA stuff is like finding heaven. I am in the wrong line of work.

I was fortunate enough to work for 2 years as a support technician for networked digital operating room imaging and capture systems. This is commonly referred to as PACS. It has its similarities but these SCADA rigs are much more complex.

So I think I am beginning to get it. It is an abstraction on a basic theme for SCADA application. It changes as needed. Would I be wrong in surmising that these are presently the mother of all systems?

Originally posted by grey580
reply to post by Frater210

 

I don't know how much UNIX is used through a 747 so I'll have to defer that part to someone else.

Nil, nada, nothing, because the B747 is not fly by wire/computer.

Even the B777 that is fly by wire must be on the ground engines off, parking brake on before any changes or reconfig can be done to any of the onboard systems.

The only access is in the electronic bay below and behind the flightdeck.

Forget wlan, ip and irq, realtime industrial computers just doesn't work that way.

reply to post by Ivar_Karlsen

Even the B777 must be on the ground engines off, parking brake on before any changes or reconfig can be done to any of the onboard systems.

I am not trying to be contentious but after all we have been through trying to clear this up I just wanted to point out that this actually contradicts, in a way, what the original article author reported...

From OP Page 1...

For those who do not know, 747's are big flying Unix hosts.

At the time, the engine management system on this particular airline was Solaris based (Ed: definitely Unix). The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this.

The engineers could actually access the engine management system of a 747 in route. If issues are noted, they can re-tune the engine in air.

www.infosecisland.com...

The only access is in the electronic bay below and behind the flightdeck.

Sop it sounds to me as though you are mistaken here. Things may be different on the B777 but it sounds like the 747 is accessible in the manner described in the OP. In fact, that is what we are seeing in the video of the Qantas airline, the downlink from the systems on the plane.

Forget wlan, ip and irq, realtime industrial computers just doesn't work that way.

Then how do they work, if you please? I have it on good report that these systems actually are used, even when the bird is in flight, to schedule maintenance ad service, and also to prioritize service, as everything does not have to be done immediately and this helps to keep the schedule tight.

Thanks for coming by to help us figure this whole thing out.

By the way, to everyone still tagging along with this thread.

Not a single one of the aircraft that were used in the attacks of 9/11 were 747s.

So I would love it if we could get way far away from this fly by wire and terrorist stuff.

I had only hoped to discuss the omnipresence of Unix and it's accessibility.

Thanks, folks.

Originally posted by Frater210but after all we have been through trying to clear this up

.



Looks like the only thing you haven't done is listening to people with actual knowledge of aviation and aircraft systems.

Yeah system data and engine trend monitoring data can be sent to the company almost real time via satcom and whf/uhf, but that's a one way street. There is no way any one can communicate with the aircrafts systems outstside the cockpit.

This thread is at the same level as most 9/11 threads.

reply to post by C46driver


Why are you even suggesting that it is an 9/11 thread?

It has been repeated on this thread by myself at least twice and probably three times that it is downlink only.

Aviation professionals have been consulted.

I know it is a lot and that it is a challenging read, but give it a try, especially before posting nonsense.

Now. As for the article that prompted me to post this thread; you have seen the man's credentials and he is saying that in his experience, mechanics are able to tune the damn 747 whilst in flight. Via SCADA that is running on Solaris. If you have a problem with it take it up with him.

Before you have a knee jerk reaction like that at least read the page that you have posted on. I have put a post up which states what you have missed: none of the aircraft used in the 9/11 terrorist attacks were 747s. This thread is about 747s that have Unix hosts. Not 757s or 767s.

Why are you so anxious to make sure your post connects all of this to 9/11?




OK. You must be a retired aviation pro that now pushes a C-46 Commando for kicks or something. Have you flown commercial airlines? If so please share what you know. No need to be cryptic.

reply to post by Frater210

.

Why are you even suggesting that it is an 9/11 thread?

I'm not. What i'm saying is that this thread is at the same level as most 9/11 threads.

I know it is a lot and that it is a challenging read, but give it a try, especially before posting nonsense.

I've red it all.

Now. As for the article that prompted me to post this thread; you have seen the man's credentials and he is saying that in his experience, mechanics are able to tune the damn 747 whilst in flight. Via SCADA that is running on Solaris.

He's either misinformed or simply not telling the truth.
The FADEC's/EEC's used on the B747 NG uses industrial standard read only software required for transport category aviation safety critical systems. It's sertification requirement. What he's claiming is not possible.

This thread is about 747s that have Unix hosts. Not 757s or 767s

The system design and philosophy of the B747 NG is the same as on the other Boeings, the difference is weight, size, number of engines/systems.

OK. You must be a retired aviation pro that now pushes a C-46 Commando for kicks or something. Have you flown commercial airlines? If so please share what you know

I currently fly the B747-400 as a captain, i am however rated on several other Boeings and the C46.


End of discussion for me.

Look folks,

I was brought up to be a good, patriotic, American citizen and I love our brave pilots as much as the next guy. Probably more.

But I can't be held responsible for the fact that after all these years, all of us may not be fully aware of the extensibility and accessibility of the computer systems that help manage these aircraft.

I am beginning to realize that it may be news to some of us. I am sorry if the news comes as a shock, but saying that Craig Wright is outright lying about this is misguided and a little obstinate. Why would he lie? One member suggested that he is only providing proof of concept but it sounds like if the system had been updated he would have gotten even further than the error message he got.

So I apologize that Mr. Wright used a 747 for the target his pen-testing lab. I am sorry this is bugging some of you. But now we are at the point where industry professionals are just pulling up short and calling him a liar.

Why has this thread about Unix drawn so much heat from the 9/11 people?

Thanks again for everyone being here and helping out.

EDIT:

This adds nothing to the discussion and only serves to knock the goal post back another hundred yards or so.

OK. That is me being stupid again. It adds everything to the discussion. Please understand that I am a little bit harried due to this thread. I am as sensitive as the next person and I feel as though I have been dragged from pillar to post. Which is awesome because I am learning and feeling really challenged. Thank you all.

Listen. This is an open forum for discussion. I am sorry I am chasing people off.

If we all hunker down I think that we can make this the final word on SCADA and airplanes.

Please, C46driver, don't go. I apologize for being an ass. Let's all try to get to the bottom of it.


There is obviously only one thing I can do. I am going to contact Craig Wright directly, ask him to at least read this forum, and give me his feedback. I doubt he will log on, but in the past when I have done this, people are usually kind enough to read the thread and help out via email.

I will get back as soon as I can to let you all know if he responds.

Meanwhile, while we are waiting to see if I can contact Mr. Wright, here is a link to his own blog as well as another snippet of his own OP (so to speak)...

A recent "Fact Check" by Scot Terban requires some fact checking.

In his post, he basically shows that he has no idea how many SCADA systems are online.

Scot stated "How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t",

well this is a flaw and error of epic magnitude. The fact is, nearly everything is connected now. In 2000 I contracted to the Sydney Olympic authority. To make the Olympics run smoothly, they NSW government officials decided to connect control systems into a central head-quarters. We linked:

Traffic systems
Rail systems
Water systems
Power systems
Emergency response systems / Police
Sewerage systems

That was only the tip of the iceberg.

The rail systems had been connected to report on rail movements. They used a Java class file that was set to read the signals devices. The class was not protected, but the read only status was considered sufficient (despite protests to the contrary). The control class file was easy to reverse engineer and it was simple to toggle the controls in order to make it into a system that could send signals as well as report them.

When I noted that I could reverse engineer the class file, the comment was "not everyone has your skills Craig, we do not think others can do this". Yet it is simple to reverse engineer a Java class file.


gse-compliance.blogspot.com...

I am not trying to throw this in anyone's face, but please, honestly; he's misinformed? he's not telling the truth?

Hello, ATS.

Dr.. Craig S. White, the gentleman who has written the original article, was kind enough to take the time to respond to my email. I would like to just go ahead and let you see the correspondence for yourselves...

Hi, Mr. Wright. My name is Frater210.

I belong to a discussion forum called ATS (Above Top Secret) and I started a thread there with the hopes of discussing your discoveries, in particular, and Unix and SCADA in general. Well, things have flown off the tracks a bit with the discussion.

I should let you know that I am not a computer professional. I have a strong 2 year old interest in Linux and I am learning the command line. The closest I have ever been to working in the industry is a two year stint as on-site technical support for surgical image-capture systems. All of that to say that I am just a big fan of these systems and I only have a rudimentary understanding of SCADA.

So, what has happened is that we have professionals from all walks of life on our forum, and two or three of the older wiser aviation heads (they are actually pilots of 747s and such) swear that what you are claiming cannot be done. Some have gone so far as to pull up short and say that you are either misinformed or lying. I know that is not the case.

The entire point of the thread was to discuss the ubiquity and accessibility of these SCADA systems that are running on Unix based platforms but the whole thing went immediately into the gutter with people correlating your work with the possibility of taking the planes over ala 9/11 conspiracy theory.

So I was wondering if you would not mind looking over the thread and maybe give me some feedback that I can use to help clear this all up. I find it interesting that people can be told about how this can make our municipal utilities less secure and they forget it by morning, but since 9/11, if aircraft are brought in to the mix people just lose the ability to reason.

I hope that you are not put off by the general subject matter at ATS. The membership there really is made up of some good hearts and minds and your input would be greatly appreciated. Here is the link: www.abovetopsecret.com...

Sincerely, Frater210.

...

And now, Dr. Wright's email response regarding this thread...

Hello Frater210,

I give you permission to take what you want (in context) from this email and post it.

I am actually amazed just how little people knew and how much misunderstanding there is. A security person at Boeing is BCC’d on this, but that is as far as I will note. He will receive far more than you and I hope that you understand that.

“What we see in the video is downlink only.”

There is no such thing as “download only”. This is a one way filter at a firewall. TCP requires that a connection is 2-way. Basically, it does mean that a user cannot start a session. I have been doing this line of work for over 2 decades and I have remained technical the entire time. I have a few “real world” clients as I believe that maintaining an applied focus is important.

That said, my main roles are: · GICSR Evangelising security and promoting communication between the US and Au government agencies (The Internet is global) · CSU Teaching and research.

As for self-promotion, this can be argued, but what matters is what is coming from that. I am promoting training and awareness sessions and applied research within government and critical infrastructure. Not that it should matter, but I am not making money from this. Yes, I am promoting my training within government, but not as I want to have them hand me more money, but as I have a target to have people I train, train others and the goal is to have at least 20,000 people trained in security within the decade.

The Boeing systems use a combination of systems. The controllers are actually a series of single board computers. Not only Unix hosts, but all of the following:

· Embedded Linux,
· QNX O/S
· RT-Linux,
· VxWorks 5.5,
· Windows CE 5.0.

You cannot fly a plane in air from the ground. You can crash systems at best and this is something that is around as difficult making another Stuxnet.

If people think I will be giving details outside of contacts with Boeing, they are crazy.

Crashing critical systems more than 30-45 mins from an airport (such as over the Pacific) is a problem. Without the flight-critical systems, a flight is at extreme risk.

A pilot cannot fly a 747 without computers. The hydraulic controls are computerised and the stick goes by signal and is not a direct connection to the ailerons as with a Cessna.

The electronic processing units for the EFBs and the cockpit display use 1,000Base-SX networks. Individual electronics units are formed from a pair of systems that are logically partitioned. In some, the systems are comprised of Part 25-certifiable Linux O/S (Level D) and a Windows 2000 system running from a 40GB HDD. These are small and fast as the O/S is cut to only run a selected number of executables.

Basically, you need to simultaneously compromise separate systems to take over and “fly” a 747. On top of that there are many other things you need to do. This is beyond the scope of reality. Crashing systems is difficult, remote controlling them is science fiction.

Many of these systems are secured well, but like all things it comes to people. I do not have an issue with airline security, I fly and they do hire people like myself to test new systems. They also take security seriously.
An aircraft is one of the better run and secured systems we have, but even here we need to take care.

The issues I noted have been fixed. I only use old analogies when I write as I am not stupid enough to mention things that I know will be compromised.

I am surprised how this has turned into a 9/11 argument and more.

The Boeing and other airline guys actually take all of this seriously. The airlines are the best run control systems and I fly as I am happy with what they do. Is anything perfect, no. The point is that we need to maintain vigilance in all we do or we will have issues.

Regards,

Dr. Craig Wright GSE GSM LLM

While very little is technically incorrect in the OP, the juxtaposition of material serves to mislead rather than inform.

The fact that controllers in any system are accessible (and re-configurable) over ordinary communication channels is not reasonable cause for concern. Such channels are unlikely to be significantly secured except through obscurity. It is feasible that a controller could be compromised given the right combination of software and knowledge of the system. However, directly accessing the controller would require inside information or a huge investment of time reverse-engineering the running system. Additionally, the intruder would have to be physically present on the aircraft (and as long as you're already on the plane, there are less complex ways to take control of it).

Removing the attacker from the plane requires that the cited NAT be bypassed. NATs are quite simple: an external point of access forwards data to an internal computer. This forwarding is governed by existing connections, rules set up based on protocol information or forwarded to a default host that takes care of manipulating and forwarding data to an inaccessible internal computer. This reduces an attacker's potential access to either finding a glaring configuration fault to access the controllers or having any communication routed through (and authenticated by) a central computer. NAT configurations are very simple, and an omission will be blatantly obvious (notably, an omission will prevent access, not allow it). Even semi-modern computers have built-in authentication and access control which is harder to disable than to properly configure. Link protocol (telnet was cited) is largely irrelevant, since unless a potential attacker has the capacity to access the link itself (requiring physical access or astonishingly expensive equipment with inside information), there's no way to intercept or falsify data to gain access.

The bottom line is that an attack is technically possible: given enough information about the system and enough access to it, it's possible to break it.

In order to accomplish an attack like this; one would have to spend several years in college, get a job at Boeing, familiarize themselves with the software in use, then take their laptop and tool-bag onto the plane, physically gain access to the controllers, and attempt to control the plane from inside a closet.