
Comment: Re:What took them so long? (Score 1) 212

by omglolbah (#48648417) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

Virtually all oil and gas rigs in the North Sea are connected (through firewalls of course) to the corporate office network.

Most of them are now moving to "Integrated Operations" which is a buzzword they came up with for "remote control room and maintenance" where the network is extended to vendor locations so that we do not have to send people out to the rig to look at stuff. We just call the rig and ask them to open the 'gate' so to speak and we get full raw network access to the secure network from a dedicated switch at our offices.
This is of course all tunneled across the internet... *sigh*

It is going to go horribly wrong at some point, I just hope I am on-shore when it happens.....

Comment: Re: What took them so long? (Score 1) 212

by omglolbah (#48648393) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

A safety valve -should- go into a safe position when power is lost. Virtually all such valves will be hydraulic anyway (at least in the oil/gas business where I work) and can be operated manually with stored pressure.
The issue in the case of the steel plant is knowing what a 'safe' state is for the valves. That requires a proper consequence analysis with a resulting "cause and effect" matrix for executing safe shutdown. It is tedious as fuck, and expensive as all hell, but mostly worth it. Alas people tend to overestimate the rarity of such events and go for the "save us a bit of money now" solution :(

Comment: Re:What took them so long? (Score 1) 212

by omglolbah (#48648337) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

With sufficiently 'annoying' security practices, people stop following them.

We were issued password-protected USB sticks for secure use at work, and a month later we got ones without passwords. Why?
People found the encrypted and protected sticks "too cumbersome" and just went out and bought a cheap 16 gig stick for themselves....

I bet the procedures will not be properly followed until one of the oil rigs gets taken down. It pains me to know the issues and have zero ways to affect it....

Comment: Re:What took them so long? (Score 1) 212

by omglolbah (#48648309) Attached to: Cyberattack On German Steel Factory Causes 'Massive Damage'

Except things that we regularly bring to oil rigs and plug into the 'secure' side of the network:
.xlsx and .docx files containing installation instructions and checklists
.pdf files with 'red markups' of changed logic
.exe files fetched from manufacturer websites with firmware upgrades
A ton of files in proprietary file formats we have no actual way to check the contents of other than trusting the software which created the files.

We essentially have to trust that McAfee and MS endpoint protection will keep stuff out... (office net scans with endpoint, secure side with McAfee)

It is far far faaaar from perfect, and the staff there make it less so by putting USB sticks on their KVM boxes so every time they hop from office->secure and back they re-mount the drives automatically... it is cringeworthy for sure, but nobody sees the issue, or they plain don't care.
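The comment above describes the file types that get carried onto the 'secure' side (Office documents, PDFs, firmware .exe files, proprietary formats) and the fact that the only gate is endpoint AV. As an added example, not code from the original comment or from any vendor, the script below shows the kind of pre-transfer triage a practitioner can run on a staging host: it inspects Office files as the zip containers they are (looking for vbaProject.bin, embedded OLE objects and external relationship targets), flags active-content tokens in PDFs, and only allows an .exe whose SHA-256 matches a digest from a vendor allowlist. The allowlist, tag names and every sample file are constructed in memory; the format names and zip member names are the standard OOXML ones, everything else is an assumption for the demonstration.

```python
"""Pre-transfer triage for files carried onto an isolated control network.

Added example for illustration; it is not code from the original comment or
from any vendor. The hash allowlist and every sample file below are constructed
in memory so the script runs offline.
"""
import hashlib
import io
import re
import zipfile

OOXML_EXTS = {"docx", "xlsx", "pptx"}
MACRO_EXTS = {"docm", "xlsm", "pptm"}
# Active-content tokens in a PDF. Naive: tokens inside compressed object streams
# are not seen, so a clean result here means "nothing obvious", not "safe".
PDF_ACTIVE = re.compile(rb"/(JavaScript|JS|Launch|OpenAction|EmbeddedFile|AA)\b")


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ooxml_indicators(data: bytes) -> set:
    """Look inside an OOXML container (a zip) for members that carry code or links."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            found = set()
            for name in zf.namelist():
                low = name.lower()
                if low.endswith("vbaproject.bin"):          # VBA macro storage
                    found.add("vba-macro")
                if "/embeddings/" in low:                   # embedded OLE objects
                    found.add("embedded-object")
                if low.endswith(".rels") and b'targetmode="external"' in zf.read(name).lower():
                    found.add("external-link")
            return found
    except zipfile.BadZipFile:
        return {"not-a-zip"}                                # extension says Office, content does not


def pdf_indicators(data: bytes) -> set:
    return {"pdf-" + m.decode().lower() for m in PDF_ACTIVE.findall(data)}


def classify(filename: str, data: bytes, allowlist: dict) -> dict:
    """Return {'verdict': allow|block|review, 'reasons': [...], 'sha256': ...}."""
    ext = filename.rsplit(".", 1)[-1].lower()
    reasons = set()
    verdict = "allow"
    if ext in OOXML_EXTS:
        reasons |= ooxml_indicators(data)
    elif ext in MACRO_EXTS:
        reasons.add("macro-enabled-format")
    elif ext == "pdf":
        if not data.startswith(b"%PDF"):
            reasons.add("magic-mismatch")
        else:
            reasons |= pdf_indicators(data)
    elif ext == "exe":
        if not data.startswith(b"MZ"):
            reasons.add("magic-mismatch")
        elif filename not in allowlist:
            reasons.add("not-in-allowlist")
        elif allowlist[filename] != sha256_hex(data):
            reasons.add("hash-mismatch")
    else:
        verdict = "review"          # proprietary format: nothing to inspect, needs a human decision
        reasons.add("uninspectable-format")
    if reasons and verdict == "allow":
        verdict = "block"
    return {"verdict": verdict, "reasons": sorted(reasons), "sha256": sha256_hex(data)}


def _ooxml(extra=None) -> bytes:
    """Build a minimal OOXML-shaped zip (constructed sample, not a real document)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/_rels/document.xml.rels", "<Relationships/>")
        for name, body in (extra or {}).items():
            zf.writestr(name, body)
    return buf.getvalue()


# Constructed samples.
SAMPLE_DOCX_PLAIN = _ooxml()
SAMPLE_DOCX_MACRO = _ooxml({"word/vbaProject.bin": b"\xd0\xcf\x11\xe0 stub"})
SAMPLE_PDF_CLEAN = b"%PDF-1.4\n1 0 obj << /Type /Catalog >> endobj\n%%EOF\n"
SAMPLE_PDF_JS = (b"%PDF-1.4\n1 0 obj << /Type /Catalog /OpenAction 2 0 R >> endobj\n"
                 b"2 0 obj << /S /JavaScript /JS (app.alert(1)) >> endobj\n%%EOF\n")
VENDOR_FIRMWARE = b"MZ" + b"\x90" * 64 + b"constructed firmware image"
TAMPERED_FIRMWARE = VENDOR_FIRMWARE[:-1] + b"!"
# Constructed allowlist; in practice the digest comes from the vendor's signed release notes.
FIRMWARE_ALLOWLIST = {"ctrl-fw-4.2.1.exe": sha256_hex(VENDOR_FIRMWARE)}

if __name__ == "__main__":
    for name, blob in [("checklist.docx", SAMPLE_DOCX_PLAIN), ("checklist.docx", SAMPLE_DOCX_MACRO),
                       ("markup.pdf", SAMPLE_PDF_JS), ("ctrl-fw-4.2.1.exe", TAMPERED_FIRMWARE),
                       ("logic.proj", b"\x00\x01")]:
        r = classify(name, blob, FIRMWARE_ALLOWLIST)
        print(f"{name:20} {r['verdict']:6} {r['reasons']}")
```

The point of the allowlist branch is that the hash has to come from somewhere other than the same download page the .exe came from, otherwise a compromised vendor site hands you both. The "review" verdict is the honest answer for the proprietary formats the comment mentions: the script cannot inspect them, so it says so instead of passing them as clean.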

Comment: Re:fire them (Score 5, Interesting) 110

by omglolbah (#48626803) Attached to: Hackers Compromise ICANN, Access Zone File Data System

We have a document control system at work, it has grown to such a degree that adding a document is a 3 day process involving a document controller and various other tasks. If the document does not fit a corporate template it may get rejected.

At that point people tend to go "fuck it" and just send around work copies until it is finalized and THEN go through the hassle.

It is unfortunate, but I've seen it happen in two different companies so far... both multinational, both ignoring their own procedures for sensitive data.

Comment: Re:Shocking (Score 1) 224

by omglolbah (#48462401) Attached to: Top Counter-Strike Players Embroiled In Hacking Scandal

Valve has done a huge job in getting rid of those sorts of hacks. But this is and has always been a big arms race.

VAC did defeat most of this crud for quite a while, but there will always be people willing to create new hacks as long as there is money or 'lulz' involved.

Best we can really do is be vigilant and weed out those who ruin the game for the rest. Be it with hacks or just general asshatesque behavior.

Comment: Re:Various hacking tools? (Score 4, Informative) 224

by omglolbah (#48459543) Attached to: Top Counter-Strike Players Embroiled In Hacking Scandal

Wall-hacking and tracking stuff mostly. Since your client knows the location of all the players for the purpose of generating 3d sound etc you can extract that info. These hacks were distributed through steam workshop due to a flaw in that system, and were thought to be hidden from VAC.. until the bans hit ;)

Comment: Re:Automated test in is a minimum (Score 5, Interesting) 152

by omglolbah (#47817511) Attached to: Can ISO 29119 Software Testing "Standard" Really Be a Standard?

You would love the control system software we use at work... (world leading platform for the industry).

No revision control. You have 'current' revision. That is it.

Integrated code editor that has no syntax highlighting.

Patches to the system will break components that are not considered 'core'. Which forces updates of ALL components in the system. This has led to bugs persisting at sites for years with no patch because nobody wants to fix bugs when it costs tens of millions of dollars to do so.

No automatic testing. Of anything. When we update a component everything has to be tested manually. Someone will sit for 2 weeks and check every state of GUI symbols for the whole HMI. Oh joy...

If you change ANYTHING in code, you can no longer connect to controllers to view live data. You need to do a download to the controller with the code changes before live data can be observed. This means that as soon as you make changes, you lose the ability to view the old code running. There is no way to have both an 'online-capable' version of the code and a changed codebase in the same control system. We operate two separate virtual environments and switch VLANs or just move a cat6 when testing...

This is for oil rig control systems. There is no automated testing of any kind, even for critical emergency shutdown systems. Every test is done manually.
The ESD systems are usually a complex matrix of causes and effects with hundreds of inputs, hundreds of outputs... This is all tested manually as the software does not support any reasonable simulation of the controller input/output systems.

Enjoy that little gem.
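The comments above describe an ESD system as a cause-and-effect matrix with hundreds of inputs and outputs, verified by hand because the platform offers no simulation, and earlier in the thread the point that a safety valve should go to its safe position on loss of power. As an added example, not code from the original comments or from any control system vendor, the script below shows what a table-driven check of such a matrix looks like when the controller logic can be driven from a test harness: every single cause, every pair of causes, the no-cause case and the power-loss case are compared against the matrix, and each discrepancy is reported by cause and effect tag. The matrix, the tag names and the logic under test are all constructed for the demonstration; a real matrix would be exported from the consequence analysis.

```python
"""Table-driven verification of an ESD cause-and-effect (C&E) matrix.

Added example, not code from the original comments or from any control
system vendor. The matrix, tag names and the logic under test are constructed
for illustration; a real matrix would be exported from the safety analysis.
"""
from itertools import combinations

# Constructed C&E matrix: cause tag -> effects that must go to their safe state.
CE_MATRIX = {
    "PT-101-HH": {"XV-101", "XV-102"},                                   # separator high-high pressure
    "LT-201-HH": {"XV-201", "P-201"},                                    # tank high-high level
    "FIRE-ZONE-3": {"XV-101", "XV-102", "XV-201", "P-201", "ESD-VENT"},  # fire detection in zone 3
    "MANUAL-ESD": {"XV-101", "XV-102", "XV-201", "P-201", "ESD-VENT"},   # pushbutton
}


def make_logic(matrix):
    """Stand-in for the controller application: evaluates causes, honours de-energize-to-trip."""
    all_effects = set().union(*matrix.values())

    def logic(active_causes, power_ok=True):
        if not power_ok:            # output power lost: every de-energize-to-trip output is safe
            return set(all_effects)
        tripped = set()
        for cause in active_causes:
            tripped |= matrix.get(cause, set())
        return tripped

    return logic


def verify_matrix(logic, matrix, max_combo=2):
    """Check every cause and every combination up to max_combo against the matrix.

    Returns a list of discrepancies; an empty list is a pass. With hundreds of
    causes the combination count grows fast, so max_combo is kept small; the
    full set of single causes is what must always be covered.
    """
    problems = []
    all_effects = set().union(*matrix.values())
    if logic(set()) != set():
        problems.append("effects tripped with no cause active")
    if logic(set(), power_ok=False) != all_effects:
        problems.append("loss of output power did not drive every effect safe")
    for k in range(1, max_combo + 1):
        for combo in combinations(sorted(matrix), k):
            expected = set().union(*(matrix[c] for c in combo))
            actual = logic(set(combo))
            label = "+".join(combo)
            if expected - actual:
                problems.append(f"{label}: effects not tripped {sorted(expected - actual)}")
            if actual - expected:
                problems.append(f"{label}: spurious trips {sorted(actual - expected)}")
    return problems


# Constructed faults for the demonstration.
BUGGY_MATRIX = {**CE_MATRIX, "FIRE-ZONE-3": {"XV-101", "XV-102", "XV-201", "P-201"}}  # vent wiring missed


def stuck_logic(active_causes, power_ok=True):
    """Controller whose outputs do not go safe on power loss (energize-to-trip mistake)."""
    return make_logic(CE_MATRIX)(active_causes)


if __name__ == "__main__":
    for name, logic in [("reference", make_logic(CE_MATRIX)), ("missing vent", make_logic(BUGGY_MATRIX)),
                        ("not fail-safe", stuck_logic)]:
        problems = verify_matrix(logic, CE_MATRIX)
        print(f"{name:14} {'PASS' if not problems else 'FAIL'}")
        for p in problems:
            print("   ", p)
```

Two design points: the "spurious trips" check matters as much as the missing ones, because an effect that trips when its cause is not in the matrix is an unplanned shutdown, and the power-loss case is checked explicitly rather than assumed, since that is the property the earlier comment relies on a safety valve having.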
