Securing Industrial Controllers
Monday, October 17, 2016 @ 01:10 PM gHale
By David Meltzer
Risks to the control levels of industrial networks have been on the rise – and yet many are not aware of the many vulnerabilities and weaknesses these environments have.
Today we are looking at the importance of securing industrial controllers in an industrial control system (ICS) operations environment (also referred to as OT by some) to reduce risk. We look at a simple, 1-2-3 approach to industrial cyber security to help answer the question of how should companies be thinking about the different steps to take when working toward improving the security of these highly specialized environments.
Let’s clarify what we mean by industrial controllers. In a typical industrial environment, there will be the physical systems – things like robots, sensors, pumps, actuators, and motors to name a few.
As these are the systems that actually interact with the physical world, when it comes to the priorities of cyber security in these environments – first safety and then availability — these are ultimately the systems we need to protect. However, something like a motor is not often going to be a system that can or will be directly attacked or exploited.
Instead, these physical systems connect back to a type of specialized computer that actually controls it. It is these specialized computers that make the bridge between controlling the physical systems and receiving programming or instructions from a network. These are the industrial controllers, and they are the systems targeted to create physical damage or disrupt a revenue generating industrial process in cyber attacks. Industrial controllers come in different varieties, but you will hear terms such as PLC (programmable logic controllers) and DCS (distributed control systems) used commonly to refer to different types of these.
Common Attack Methods
There are a few different attack vectors we worry about when it comes to industrial controllers.
Denial-of-Service (DoS): The first and simplest would be a DoS attack. By overwhelming a system with a large number of frames in network traffic, or malformed packets that create load on a system, it may be possible to create latency and downtime on a controller, which could interrupt physical systems. There may be some physical processes where disruption could create damage. Although safety is potentially a concern here, the reality is most safety systems have been built to handle these situations — a well-designed safety environment would not compromise safety by an increase in latency or lack of availability of a single controller.
ICS Misconfigurations and Vulnerabilities: Another attack vector is to exploit vulnerabilities or misconfigurations in the controller. By attacking a vulnerability that has not been patched with upgraded firmware, a malicious attacker could potentially disrupt, gain access to, or take over control of a system. Similarly, although modern controllers have added security features like authentication and logging, if these are not setup properly those checks and balances may be disabled and allow an attacker to easily modify the system without detection.
“During cyber security assessments,” Tony Gore, chief executive at Red Trident said, “We find that there has to be a pivot point the attacker has gained access to. Taking advantage of weak configurations or known and exploitable vulnerabilities is one of the easiest ways to gain access to engineering workstations, HMIs, servers, third parties and other systems. Another is through stolen credentials, jointly shared credentials, or a lack of authentication methods.
“Once unrestricted access is gained at Level 2 devices, this becomes the adversary’s pivot point. We don’t always see PLCs directly connected to the Internet, but will use Shodan to see what shows up for our customer’s Internet-facing systems. It’s always a surprise.”
Malware, USBs, and Firmware: A third and most dangerous attack would be uploading a malicious program to the controller, overwriting the valid program that already existed on it. On some controllers, physical access to the device can end up used to accomplish this (i.e. plugging a USB drive into it or making a serial connection), and on more modern ones, programs are uploaded across the network – requiring various forms of authentication, which is often not setup at time of PLC deployment.
Older networked controllers may have no authentication at all required, a major issue, while newer ones almost certainly will. Even with proper authentication, a malicious insider, such as a disgruntled employee or a consultant, or an outside attacker who has stolen credentials (ie the password to the system) can go make these changes.
Additional ICS Attack Vectors: Additional vectors of attack can exist in the form of trusted computer systems operating on levels inside the ICS environment that have unrestricted and unmonitored access to various levels of the control environment. Malicious programs have been used in industrial attacks to create subtle or not so subtle changes to physical processes, causing physical damage. Almost equally damaging are pivot points and attackers’ toolkits modifying set points in a non-monitored and poorly engineered security architecture. This allows for ample time of reconnaissance as well as the trial and error to successfully compromise but ultimately maliciously modify the environment.
David Meltzer is chief research officer at Tripwire. Click here to view David’s full blog.