Category Archives: Control Systems

Industrial and other control systems

Your Air Safety Is Dependent on Windows 3.1 – And Vacuum Tubes

As if Paris didn’t have enough problems, Paris’ Orly Airport had to close briefly last week because a Windows 3.1 system that sends Runway Visual Range information to pilots failed. Windows 3.1 dates back to 1992. The French air traffic control union said that Paris airports use systems running 4 operating systems, including Windows 3.1 and XP, all of which are between 10 and 20 years old. The system should be upgraded anywhere between 2017 and 2021, depending on who you talk to.

But don’t beat up the French too much.  Until the late 1990s or early 2000s, the FAA was still using systems running with VACUUM TUBES.  Seriously.  For a while, the U.S. Government was the largest user of vacuum tubes, which had to be specially made for them.

And many of you probably remember last year when a mentally ill technician attempted suicide after setting fire to an Air Route Traffic Control Center outside Chicago.  Air traffic around the country was screwed up for weeks.

Fundamentally, there is a lot of critical infrastructure in the U.S. and around the world that is older than most of the readers of this blog. Software that is 20, 30 or even 40 years old is not likely to be as secure, reliable or robust as software built today. However, whether it is inside power plants, trains, or air traffic control systems, it is what we have.

From a hacker standpoint, that is a dream.  Much of the software was designed and built pre-Internet, but much of it is connected to the Internet anyway.  Which is why Admiral Rogers, head of the NSA, told Congress recently that he is convinced that there are several countries that have the ability to take out pieces of our critical infrastructure.  Several today.  Probably more soon.

Unfortunately, there is so much of it and the critical points are almost all under private ownership.  Nationwide, we are talking hundreds of thousands of pieces of infrastructure – drinking water, gas, electric, waste water, etc.

Unless we get serious about upgrading it, some hacker is going to get there first. That is not a very exciting thought.

Information for this post came from Ars Technica, Baseline and Wired.

Drug Infusion Pump Vulnerable To Hackers

Wired reported that some Hospira drug infusion pumps are vulnerable to a number of attacks. The article also says that Hospira was not receptive to the news when told of the problem and it took DHS a year to issue an alert – only after someone made the facts public. In fact, Hospira initially refused to fix the vulnerabilities and would not test other pumps to see if they had the same problems.

The researcher was told that the pumps are undergoing re-certification by the FDA since the fix requires a core change to the firmware.  Hospira is now saying that the pump is not being re-certified.  They said that there are already protections in place, but would not say what those protections are.  Somehow, I am more trusting of the researcher.  The Wired article can be found here.

Some details about the vulnerabilities – you can read a lot more in the Wired article.

The pumps are loaded with libraries for each drug. The library tells the pump what the allowed dosages are for the drug, so that if a nurse prescribes a dosage that could kill the patient, the pump will alert. These libraries, however, are not authenticated, and the pump does not authenticate who is sending it an update – any device on the hospital network could send an update.

There is also no way for the practitioner to see what limits are in the actual pump, so there is no easy way to see if the pump has been hacked.
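As an added illustration (not Hospira's code and not from the Wired article), this sketch shows the two checks the pumps are described as lacking: the pump rejects a library update that fails authentication or is not newer than the current one, and it exposes a short fingerprint of the loaded limits that staff could compare with the pharmacy's copy. The JSON library format, the `Pump` class, the drug name and limits, and the key are all constructed for the example; HMAC from the Python standard library stands in for the public-key signature a real device would more likely use.

```python
import hashlib
import hmac
import json

# Constructed demo key. A real device would hold a per-device key (or a
# vendor public key) in protected storage, never hard-coded in firmware.
DEVICE_KEY = b"constructed-demo-key-not-for-production"


def canonical(library: dict) -> bytes:
    """Serialize deterministically so sender and pump MAC the same bytes."""
    return json.dumps(library, sort_keys=True, separators=(",", ":")).encode()


def sign_library(library: dict, key: bytes) -> str:
    return hmac.new(key, canonical(library), hashlib.sha256).hexdigest()


def fingerprint(library: dict) -> str:
    """Short digest of the loaded limits, suitable for showing on a display."""
    return hashlib.sha256(canonical(library)).hexdigest()[:12]


class Pump:
    def __init__(self, key: bytes):
        self._key = key
        self.library = None
        self.version = 0

    def apply_update(self, library: dict, tag: str) -> str:
        expected = sign_library(library, self._key)
        if not hmac.compare_digest(expected.encode(), tag.encode()):
            return "rejected: bad authentication tag"
        version = library.get("version")
        if not isinstance(version, int) or version <= self.version:
            return "rejected: version not newer (possible rollback)"
        self.library, self.version = library, version
        return "accepted: " + fingerprint(library)


# Constructed sample libraries; the drug name and limits are illustrative only.
GOOD = {"version": 2, "drugs": {"drug-a": {"max_ml_per_hr": 50}}}
TAMPERED = {"version": 3, "drugs": {"drug-a": {"max_ml_per_hr": 5000}}}
```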

The server software can also send firmware updates to the pump, and the server software is no more secure than the pump. Some userids and passwords are stored in clear text and cryptographic keys are hard coded. SQL database passwords are also hardcoded and stored in the clear. This, along with other vulnerabilities, would allow a hacker to take over the server.

Apparently Hospira thinks that stonewalling is the best defense.  It will work until someone dies.  It is unfortunate that things work that way.  Unfortunately, it would likely cost Hospira a lot of money to fix the tens of thousands of pumps out there, as well as the server software and get it all certified.

In the meantime, it appears that the FDA is on the side of the manufacturer – the best we got from them was a memo – after a year and after the flaws were publicly disclosed by someone else.

Do you see anything wrong here?