Posts Tagged ‘HMI’
Tuesday, January 13, 2015 @ 09:01 AM gHale
Financial malware is hitting ICS/SCADA networks looking like GE, Siemens, and Advantech HMI products.
These cyber attacks are attacking plant floor networks using banking Trojan malware posing as legitimate ICS software updates and files.
Kyle Wilhoit, senior threat researcher with Trend Micro, recently found 13 different types of crimeware versions disguised as human machine interface (HMI) products Siemens Simatic WinCC, GE Cimplicity, and Advantech device drivers and other files. The attacks appear to be coming from traditional cybercriminals rather than nation-state attackers, and are not using cyber espionage-type malware.
ICS/SCADA environment is aware of the potential for attacks from nation states, but now users must remain ultra vigilant because of the advanced sophistication of banking malware able to come in and actually steal.
ICS/SCADA systems remain low hanging fruit for bad guys. HMI machines remain Windows-based and either don’t run anti-malware software, or aren’t updated with the latest signatures.
Targeted attacks on critical infrastructure via Havex and BlackEnergy remain a threat, but the potential for crimeware-based attacks could end up being a big problem also.
HMI systems are highly sensitive, so a malware infection via a financial Trojan could bring down the system as well.
Wilhoit said in a published report he noticed a spike in attacks in October. The attacks originate as spear-phishing campaigns and drive-by downloads: When the victim visits the malicious link, the fake HMI product uploader, which is the Trojan, infects a computer.
Application whitelisting, keeping AV updated, and network security monitoring, are ways to defend against these attacks.
Wednesday, October 29, 2014 @ 06:10 PM gHale
A sophisticated malware campaign compromised numerous industrial control system (ICS) environments using a variant of the BlackEnergy malware, according to a report on ICS-CERT.
Analysis indicates this campaign has been ongoing since at least 2011. Multiple companies working with ICS-CERT identified the malware on Internet-connected human-machine interfaces (HMI).
Users of HMI products from various vendors ended up targeted in this campaign, including GE Cimplicity, Advantech/Broadwin WebAccess, and Siemens WinCC, according to ICS-CERT. It remains unknown whether other vendor’s products are also targets. ICS CERT is working with the involved vendors to evaluate this activity and also notify their users of the linkages to this campaign.
At this time, ICS-CERT has not identified any attempts to damage, modify, or otherwise disrupt the victim systems’ control processes.
ICS-CERT has not been able to verify if the intruders expanded access beyond the compromised HMI into the remainder of the underlying control system. However, typical malware deployments have included modules that search out any network-connected file shares and removable media for additional lateral movement within the affected environment. The malware is highly modular and not all functionality deploys.
In addition, public reports reference a BlackEnergy-based campaign against a variety of overseas targets leveraging vulnerability CVE-2014-4114 (affecting Microsoft Windows and Windows Server 2008 and 2012). ICS-CERT has not observed the use of this vulnerability to target control system environments. However, analysis of the technical findings in the two report shows linkages in the shared command and control infrastructure between the campaigns, suggesting both are part of a broader campaign by the same threat actor.
ICS-CERT analysis identified the probable initial infection vector for systems running GE’s Cimplicity HMI with a direct connection to the Internet. Analysis of victim system artifacts has determined attackers have been exploiting a vulnerability in GE’s Cimplicity HMI product since at least January 2012. The vulnerability, CVE-2014-0751, was published in ICS CERT advisory ICSA-14-023-01 on January 23. Guidance for remediation published to the GE IP portal in December 2013. GE has also released a statement about this campaign on the GE security web site.
Using this vulnerability, attackers were able to have the HMI server execute a malicious .cim file [Cimplicity screen file] hosted on an attacker-controlled server.
ICS-CERT has analyzed two different .cim files used in this campaign: devlist.cim and config.bak. Both files use scripts to ultimately install the BlackEnergy malware.
• devlist.cim: This file uses an embedded script executed as soon as the file opens using the Screen Open event. The obfuscated script downloads the file “newsfeed.xml” from the same remote server, which it saves in the Cimplicity directory using the name <41 character string>.wsf. The name ends up randomly generated using upper and lower case letters, numbers, and hyphens. The .wsf script then executes using the Windows command-based script host (cscript.exe). The new script downloads the file “category.xml,” which it saves in the Cimplicity directory using the name “CimWrapPNPS.exe.” CimWrapPNPS.exe is a BlackEnergy installer that deletes itself once the malware installs.
• config.bak: This file uses a script that executes when the file opens using the OnOpenExecCommand event. The script downloads a BlackEnergy installer from a remote server, names it “CimCMSafegs.exe,” copies it into the Cimplicity directory, and then executes it. The CimCMSafegs.exe file is a BlackEnergy installer that deletes itself after the malware installs.
Analysis suggests the attackers likely used automated tools to discover and compromise vulnerable systems.
ICS-CERT fears any companies running Cimplicity since 2012 with their HMI directly connected to the Internet could suffer from the BlackEnergy malware. ICS-CERT recommended companies use the indicators and Yara signature in this alert to check their systems.
Resident in the same folder hosting the Cimplicity .cim files referenced above was a file with the name “CCProjectMgrStubEx.dll.” While this file is not part of the WinCC product, it uses a name that is similar to legitimate WinCC files. Given the use of filenames matching legitimate Cimplicity files to exploit Cimplicity systems, the presence of this file alongside other BlackEnergy campaign files suggests that WinCC could potentially also be a target.
A number of the victims associated with this campaign were running the Advantech/BroadWin WebAccess software with a direct Internet connection. ICS-CERT has not yet identified the initial infection vector for victims running this platform but it could also be a target.
ICS-CERT produced a Yara signature to aid in identifying if the malware files are present on a given system. This signature is “as is” and has not undergone full testing for all variations or environments. Any positive or suspected findings should be immediately report to ICS CERT for further analysis and correlation.
YARA is a pattern-matching tool used to by computer security researchers and companies to help identify malware. You can find usage help and download links on the main Yara page.
Wednesday, July 23, 2014 @ 01:07 PM gHale
Omron Corp. mitigated the multiple vulnerabilities in the NS series of human-machine interface (HMI) terminals, according to a report on ICS-CERT.
These vulnerabilities, discovered by researcher Joel Sevilleja Febrer of S2 Grupo, are remotely exploitable.
The following Omron Corporation products suffer from the issues:
• NS15 Version 8.1xx – 8.68x,
• NS12 Version 8.1xx – 8.68x,
• NS10 Version 8.1xx – 8.68x,
• NS8 Version 8.1xx – 8.68x, and
• NS5 Version 8.1xx – 8.68x.
Successful exploitation of these vulnerabilities could allow an attacker to modify device configuration and expose sensitive information.
Omron Corporation is an international company headquartered in Kyoto, Japan.
The affected products are NS series HMI terminals. The NS series HMI terminals have a global marketing channel, however, Omron said the vulnerabilities only affect their overseas market. The NS series HMI terminals see action across several sectors including critical manufacturing and healthcare and public health.
One of the vulnerabilities is cross-site request forgery where the web application receives a request from a client without adequately verifying the request ended up intentionally sent. This could allow an attacker to execute commands thereby compromising the system and enabling modifications to the system’s configuration.
CVE-2014-2369 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.6.
There is a cross-site scripting issue where the web application stores untrusted data that can end up read back into the application and included in dynamic content.
CVE-2014-2370 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.0.
While no known public exploits specifically target these vulnerabilities, an attacker with a high to moderate skill would be able to exploit these vulnerabilities.
Omron Corporation produced update, Version 8.69x for Japan and Version 8.7x for other countries, that mitigates the vulnerabilities. The updates for the NS series of HMI terminals can be downloaded at the following locations:
Wednesday, May 21, 2014 @ 06:05 PM gHale
By Gregory Hale
More data is coming in to operators every day and that can be a good thing if the flood of information is understandable and in the right context.
“Big Data is no good if it is not the right data at the right time,” said Amy Ericson, U.S. Country president for energy and transportation solutions provider Alstom during her talk at the PAS Technology Conference 2014 in Houston. “How do you visualize the data that is coming in?
Along those lines, Alstom and PAS inked a deal where Alstom will distribute the PAS PowerGraphiX software.
“We are looking at PowerGraphiX to bring consistency to the industry,” Ericson said.
PowerGraphiX is a set of predesigned graphic templates, object libraries and best-practice guidelines for the design and implementation of operator interfaces at power generation plants. The goal is the make graphics easier to read and understand compared to the hodgepodge of inconsistent offerings out now.
Initially, the software came about because Southern Company Services, Inc. had a vision of consistent HMIs and improved situational awareness in control rooms across the operating fleet. PAS is now making the product commercially available for all utilities.
The Alstom pact was not the only partnership unveiled at the conference as PAS inked an agreement with security provider,Tripwire.
The agreement is part of the Tripwire NERC Alliance Network Program designed to bring collaboration on critical infrastructure compliance and security solutions to help companies efficiently and effectively achieve the complicated NERC CIP compliance.
The integration between the PAS Integrity Software Suite and Tripwire NERC Solution Suite will provide uses with automation software that drastically reduces the time and resources required to collect audit evidence. The goal is the bring a consistent approach to the management and maintenance of secure configurations across a wide range of devices including Industrial Control Systems (ICS), SCADA, Microsoft Windows and Windows Servers.
“Automating the collection of configuration information for all critical assets in energy organizations saves precious resources, improves compliance, reduces human error and, in addition, dramatically reduces cyber security risks,” said Mark Carrigan, vice president of technology at PAS.
Energy organizations must gather, analyze, prioritize and document a large amount of vulnerability and network data in order to protect their most critical assets and meet compliance requirements. The integration of PAS’ Integrity Software Suite and Tripwire’s NERC Solution Suite provides customers with:
• A single process that enables continuous monitoring and rapidly captures detailed status information across a wide range of critical cyber assets, from computer systems and network devices to badge entry systems and SCADA devices.
• Audit-ready reports and dashboards grouped via a flexible and extensible classification system.
• Automated assessment and aggregation of security data alerts that assist in detecting potential security breaches or configuration modifications that affect compliance status.
Wednesday, April 16, 2014 @ 10:04 AM gHale
Progea created a new version that mitigates an information disclosure vulnerability in the Movicon application, according to a report on ICS-CERT.
Celil Ünüver of SignalSEC Ltd., the researcher that discovered the remotely exploitable vulnerability, tested the new version to validate it resolves the issue.
Progea Movicon 11.4 prior to Build 1150 suffers from the issue.
The service of the software allows download and upload of files. Some opcode functions could end up triggered remotely to release limited information such as OS version information.
Progea Srl is an Italian-based company.
The affected product, Progea Movicon 11, is an XML-based human-machine interface development system that includes drivers for programmable logic controllers (PLCs). Movicon provides OPC-based connectivity for data transfer, including OPC DA and OPC XML DA services. According to Progea, Movicon sees use across several critical infrastructure sectors including critical manufacturing, energy, and water and wastewater systems.
Progea said this primarily sees use in Europe, India, and the United States.
TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote unauthenticated user access to release OS version information. While this is a minor vulnerability, it represents a method for further network reconnaissance.
CVE-2014-0778 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
No known public exploits specifically target this vulnerability. However, an attacker with a moderate skill would be able to exploit this vulnerability.
Progea has updated and fixed the vulnerability in Movicon Version 11.4.1150. This is available as a download from the Progea Technical Support site.
Users must register on the Progea web site to download this new version.
Thursday, February 27, 2014 @ 02:02 PM gHale
Houston-based PAS Inc released its PowerGraphiX 2.0, a high performance human-machine interface (HMI) package for the power generation industry.
PowerGraphiX consists of predesigned graphic templates, object libraries and best-practice guidelines for the design and implementation of operator interfaces at power generation plants.
The view from the new product improves visual capabilities over the traditional HMI graphics.
The idea behind the software came from a request by Southern Company Services, Inc., which had a vision of consistent HMIs and improved situational awareness in control rooms across its operating fleet.
“Southern Company is committed to proprietary research and development in order to deliver solutions to our company and the industry,” said Harvey Ivey, Southern Company Manager of Instrumentation and Controls Design and Support. “This particular software was originally created to streamline information displayed in control rooms across our generating fleet, significantly improving operator effectiveness.”
The methodology behind developing PowerGraphiX came from the book “The High Performance HMI Handbook” written by PAS Founder and Chief Executive Eddie Habibi and Principal Consultant for High Performance HMI Bill Hollifield.
The book addresses the use of color, pattern recognition, standardization and other principles to transform data into actionable information, providing operators with a more holistic view of plant operating conditions.
This is one way of solving the issue of a less cluttered look for graphics that has been floating around the industry for years.
Wednesday, February 12, 2014 @ 09:02 AM gHale
By Ellen Fussell Policastro
When you think about the automation, asset reliability and mechanical reliability we’ve been investing in our plants for the past 40 years, it’s no wonder we’ve designed in some pretty amazing technologies to boost overall plant reliability.
While the mechanical side has seen an upturn, the human side of reliability needs some work. The human side of reliability was the subject of Tuesday’s PAS-sponsored webinar, “Prevent incidents by improving operator situation awareness.”
“Plants used to shut down once a year to replace a valve or change out a pump seal because they would break on a regular basis,” said Mark Carrigan, vice president of technology at PAS in Houston, Tex., who gave a detailed overview of the root of the problem and how his team is improving human machine interface (HMI) technologies to bring the human side of reliability up a few notches. “Now plants run from five to seven years without a scheduled shutdown because we don’t break things like we used to.”
While overall asset management has improved, and we’re doing a good job on mechanical reliability, challenges remain. “We’ve seen exponential growth in complexity and integration with all these systems in place at a typical facility— doing more with less,” he said. “In the past, a typical refinery plant or chemical plant would have a lot more people producing less product. But when we reduced staff, we realized we could make more product with less people.”
But here’s the problem: There’s still a lack of visibility about vulnerabilities within our systems. “We constantly have to ask ourselves whether we should be working during the startup. Are we doing things potentially unsafe and increasing risks? That’s hard to measure and understand.”
Another difficulty is transferring and maintaining knowledge. With more people retiring, there’s a greater gap in the workforce. How do you make sure all that operational knowledge in the next five years is transferred to the upcoming group of workers?
Not managing these situations well has led to unintended consequences, Carrigan said. “An alarm flood could take place, or equipment could shutdown with an improperly managed change.”
Carrigan offered a few examples of how this can happen, one of which involved testing shutdown systems (testing pressure and measuring safety systems) while the plant was running. Because the plant was running, “they bypassed the SIS system, everyone signed off, and they continued with the test. As a result, they increased pressure, and the interlocked tripped. The safety system was bypassed so it didn’t take action,” he said. The interlocked signal was seeing use within the integrated control system; consequently, valves closed, the system shutdown the plant, and the whole process caused an environmental incident. In this case, people made a change without understanding the consequences. “This is just one example of people not managing complex systems and understanding how the work they do can impact things,” he said.
Human Error, Airline Comparison
Within one graphic, Carrigan compared the rise and leveling off of safety within the automation control industry with that of the airline industry. “We can see a dramatic improvement in overall airline safety, but that improvement has leveled off over the past couple of decades. We can also see interesting trends. Those incidents attributed to human error have not seen nearly as much improvement,” he said.
While the airline and automation control industries are very different, they do have one thing in common — an operator sits in front of a screen, which conveys information about a process, and takes action to keep things on course.
“This type of reliability is hard for our industry,” he said. “But we can look at things, such as equivalent forced outage rate (EFOR) — the time the equipment is not operating as it is supposed to. There has also been an increase in reliability, which has flat-lined over the last several years. “We can see better improvement in mechanical reliability but not human reliability, he said. “This type of information is also less public for the oil and gas industry.”
Carrigan showed through an integrated platform demonstration how all these tools work together in a gas plant within a refinery—how operators and engineers can use an integrated platform to get information quickly to understand what’s taking place, which will allow them to make better and faster decisions.
His team built the example graphic in an HTML environment, so any system has the ability to integrate information from disparate sources. “As an operator, I have this alarm, and now I have to deal with it. So we want to deliver the information the operator needs. We’ve implemented this on many different kinds of control platforms. It’s easy to do. And it doesn’t impact your control network traffic at all,” he said. “By better designing the HMIs, I can help operators catch things while they are still small and help mitigate them. At a Level 3 graphic, you can see the trends — the bottom levels are going up and top levels are going down.”
The graphic allowed Carrigan to see more detail at the various pumps from the overhead and flow control and pressure controls. In his demo, he right-clicked on the alarm for a menu of available options to respond to it (inbound, loop sheets, control map, correlation matrix, and more). “I can see this is a process condition, so it doesn’t make sense to shelve the alarm. If I click on alarm details, I can get all the information I need to see the consequence of not responding is loss of controls,” he said. “So clearly, I need to respond. I can look at different potential causes. The controller is not in manual; it’s 100 percent open. That’s not what the problem can be. The next one is ‘valve stuck’ or ‘pump tripped.’ A bad instrument means I’m getting a bad reading. But that’s not the problem. Yet I do want to do further investigation on ‘valve stuck.’ But I need to understand more about operational limits. I’ve been told if I don’t respond, I’ll end up shutting the process down.”
After checking other options in the dropdown menu, Carrigan could see there was just a small amount of time before the process shut down. With each option, the operator can see more information. “I can also check the impact of making changes to the controller. I have pressure indicators, which let me see various outputs. So I know if I make a change, I will cause a problem to my APC application,” he said. “I have a complex loop, so I better be careful before making changes to the process controller. Next I need to know if there are any control problems with this loop or any performance problems, such as hysteresis.”
Finally, the operator can look at incident reports to discover whether he’s seen the same problem in the past. The incident report database ties everything back to the integrity database. “So we can bring those over to the platform as well,” he said. “We can see in June of last year there was an incident report of the very same thing — the controller was stuck. So we can put in a work order.”
All in all, systems are complex and interactive, and they come from so many different vendors, he said. “Perhaps with better HMI tools, there’s a chance to improve operational reliability so operators can get the information they need quickly — without having to look it up in five different places.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC. Her email is firstname.lastname@example.org.
Thursday, January 9, 2014 @ 03:01 PM gHale
Ecava Sdn Bhd created an update that mitigates the project directory information disclosure vulnerability in the IntegraXor application, according to a report from ICS-CERT.
Ecava Sdn Bhd IntegraXor – 4.1.4360 and earlier suffer from the remotely exploitable vulnerability. ICS-CERT received the report from the Zero Day Initiative (ZDI) who got the details from security researcher “Alphazorx aka technically.screwed.”
An attacker can use a crafted URL to download certain files in the project directory, compromising the confidentiality of the system.
Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava Sdn Bhd specializes in factory and process automation solutions.
The affected product, IntegraXor, is a suite of tools used to create and run a Web-based human machine interface (HMI) for a SCADA system. IntegraXor is in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
IntegraXor does not properly restrict access to files in the project directory. An attacker may use a specially crafted URL to download project backup files from the system project directory without any authentication.
CVE-2014-0752 is the case number assigned to the vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability, however, an attacker with a low skill would be able to exploit this vulnerability.
Ecava Sdn Bhd issued a notification that details this vulnerability and provides mitigations to its customers. Ecava Sdn Bhd recommends users download and install the update, IntegraXor SCADA Server 4.1.4369.
For additional information, click here to view Ecava’s vulnerability note.
Tuesday, January 7, 2014 @ 06:01 PM gHale
Advantech provided a free version upgrade that mitigates a Remote Procedure Call (RPC) vulnerability in the Advantech WebAccess and legacy BroadWin WebAccess software (WebAccess), according to a report on ICS-CERT.
This is a web browser based human-machine interface (HMI) product. The RPC vulnerability affects the WebAccess Network Service on Port 4592/TCP and allows remote code execution. Independent security researcher Rubén Santamarta found the vulnerability and released exploit code.
This vulnerability affects all versions of WebAccess prior to Version 7.1 2013.05.30, including all legacy versions of either Advantech WebAccess or BroadWin WebAccess.
The successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code.
Advantech/Broadwin WebAccess is a Web-based HMI product used in energy, manufacturing, and building automation systems. The installation base is across Asia; North, Central, and South America; North Africa; the Middle East; and Europe. WebAccess Client software is available for desktop computers and laptops running
Windows 2000, XP, Vista, Server 2003, Windows 7, and Windows 8. A thin-client interface is available for Windows CE and Windows Mobile 5.0.
The code injection vulnerability exploits an RPC vulnerability in WebAccess Network Service on 4592/TCP.
CVE-2011-4041 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.
An attacker can initiate this exploit from a remote machine without user interaction.
An exploit of this vulnerability went public and it requires a moderate level of skill to leverage it.
Advantech released a new version of WebAccess that mitigates this vulnerability. Users may upgrade to the latest version from any previous version of WebAccess at no charge. Download the latest version of WebAccess (V 7.1 2013.05.30) from the Advantech web site.
Advantech has also created the following site to share additional information about WebAccess.
Prior to the release of this new version, customers using WebAccess should refer to security considerations recommended by Advantech in the WebAccess Installation Manual.