Posts Tagged ‘HMI’
Wednesday, April 16, 2014 @ 10:04 AM gHale
Progea created a new version that mitigates an information disclosure vulnerability in the Movicon application, according to a report on ICS-CERT.
Celil Ünüver of SignalSEC Ltd., the researcher that discovered the remotely exploitable vulnerability, tested the new version to validate it resolves the issue.
Progea Movicon 11.4 prior to Build 1150 suffers from the issue.
The service of the software allows download and upload of files. Some opcode functions could end up triggered remotely to release limited information such as OS version information.
Progea Srl is an Italian-based company.
The affected product, Progea Movicon 11, is an XML-based human-machine interface development system that includes drivers for programmable logic controllers (PLCs). Movicon provides OPC-based connectivity for data transfer, including OPC DA and OPC XML DA services. According to Progea, Movicon sees use across several critical infrastructure sectors including critical manufacturing, energy, and water and wastewater systems.
Progea said this primarily sees use in Europe, India, and the United States.
TCPUploader module listens on Port 10651/TCP for incoming connections. Exploitation of this vulnerability could allow a remote unauthenticated user access to release OS version information. While this is a minor vulnerability, it represents a method for further network reconnaissance.
CVE-2014-0778 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
No known public exploits specifically target this vulnerability. However, an attacker with a moderate skill would be able to exploit this vulnerability.
Progea has updated and fixed the vulnerability in Movicon Version 11.4.1150. This is available as a download from the Progea Technical Support site.
Users must register on the Progea web site to download this new version.
Thursday, February 27, 2014 @ 02:02 PM gHale
Houston-based PAS Inc released its PowerGraphiX 2.0, a high performance human-machine interface (HMI) package for the power generation industry.
PowerGraphiX consists of predesigned graphic templates, object libraries and best-practice guidelines for the design and implementation of operator interfaces at power generation plants.
The view from the new product improves visual capabilities over the traditional HMI graphics.
The idea behind the software came from a request by Southern Company Services, Inc., which had a vision of consistent HMIs and improved situational awareness in control rooms across its operating fleet.
“Southern Company is committed to proprietary research and development in order to deliver solutions to our company and the industry,” said Harvey Ivey, Southern Company Manager of Instrumentation and Controls Design and Support. “This particular software was originally created to streamline information displayed in control rooms across our generating fleet, significantly improving operator effectiveness.”
The methodology behind developing PowerGraphiX came from the book “The High Performance HMI Handbook” written by PAS Founder and Chief Executive Eddie Habibi and Principal Consultant for High Performance HMI Bill Hollifield.
The book addresses the use of color, pattern recognition, standardization and other principles to transform data into actionable information, providing operators with a more holistic view of plant operating conditions.
This is one way of solving the issue of a less cluttered look for graphics that has been floating around the industry for years.
Wednesday, February 12, 2014 @ 09:02 AM gHale
By Ellen Fussell Policastro
When you think about the automation, asset reliability and mechanical reliability we’ve been investing in our plants for the past 40 years, it’s no wonder we’ve designed in some pretty amazing technologies to boost overall plant reliability.
While the mechanical side has seen an upturn, the human side of reliability needs some work. The human side of reliability was the subject of Tuesday’s PAS-sponsored webinar, “Prevent incidents by improving operator situation awareness.”
“Plants used to shut down once a year to replace a valve or change out a pump seal because they would break on a regular basis,” said Mark Carrigan, vice president of technology at PAS in Houston, Tex., who gave a detailed overview of the root of the problem and how his team is improving human machine interface (HMI) technologies to bring the human side of reliability up a few notches. “Now plants run from five to seven years without a scheduled shutdown because we don’t break things like we used to.”
While overall asset management has improved, and we’re doing a good job on mechanical reliability, challenges remain. “We’ve seen exponential growth in complexity and integration with all these systems in place at a typical facility— doing more with less,” he said. “In the past, a typical refinery plant or chemical plant would have a lot more people producing less product. But when we reduced staff, we realized we could make more product with less people.”
But here’s the problem: There’s still a lack of visibility about vulnerabilities within our systems. “We constantly have to ask ourselves whether we should be working during the startup. Are we doing things potentially unsafe and increasing risks? That’s hard to measure and understand.”
Another difficulty is transferring and maintaining knowledge. With more people retiring, there’s a greater gap in the workforce. How do you make sure all that operational knowledge in the next five years is transferred to the upcoming group of workers?
Not managing these situations well has led to unintended consequences, Carrigan said. “An alarm flood could take place, or equipment could shutdown with an improperly managed change.”
Carrigan offered a few examples of how this can happen, one of which involved testing shutdown systems (testing pressure and measuring safety systems) while the plant was running. Because the plant was running, “they bypassed the SIS system, everyone signed off, and they continued with the test. As a result, they increased pressure, and the interlocked tripped. The safety system was bypassed so it didn’t take action,” he said. The interlocked signal was seeing use within the integrated control system; consequently, valves closed, the system shutdown the plant, and the whole process caused an environmental incident. In this case, people made a change without understanding the consequences. “This is just one example of people not managing complex systems and understanding how the work they do can impact things,” he said.
Human Error, Airline Comparison
Within one graphic, Carrigan compared the rise and leveling off of safety within the automation control industry with that of the airline industry. “We can see a dramatic improvement in overall airline safety, but that improvement has leveled off over the past couple of decades. We can also see interesting trends. Those incidents attributed to human error have not seen nearly as much improvement,” he said.
While the airline and automation control industries are very different, they do have one thing in common — an operator sits in front of a screen, which conveys information about a process, and takes action to keep things on course.
“This type of reliability is hard for our industry,” he said. “But we can look at things, such as equivalent forced outage rate (EFOR) — the time the equipment is not operating as it is supposed to. There has also been an increase in reliability, which has flat-lined over the last several years. “We can see better improvement in mechanical reliability but not human reliability, he said. “This type of information is also less public for the oil and gas industry.”
Carrigan showed through an integrated platform demonstration how all these tools work together in a gas plant within a refinery—how operators and engineers can use an integrated platform to get information quickly to understand what’s taking place, which will allow them to make better and faster decisions.
His team built the example graphic in an HTML environment, so any system has the ability to integrate information from disparate sources. “As an operator, I have this alarm, and now I have to deal with it. So we want to deliver the information the operator needs. We’ve implemented this on many different kinds of control platforms. It’s easy to do. And it doesn’t impact your control network traffic at all,” he said. “By better designing the HMIs, I can help operators catch things while they are still small and help mitigate them. At a Level 3 graphic, you can see the trends — the bottom levels are going up and top levels are going down.”
The graphic allowed Carrigan to see more detail at the various pumps from the overhead and flow control and pressure controls. In his demo, he right-clicked on the alarm for a menu of available options to respond to it (inbound, loop sheets, control map, correlation matrix, and more). “I can see this is a process condition, so it doesn’t make sense to shelve the alarm. If I click on alarm details, I can get all the information I need to see the consequence of not responding is loss of controls,” he said. “So clearly, I need to respond. I can look at different potential causes. The controller is not in manual; it’s 100 percent open. That’s not what the problem can be. The next one is ‘valve stuck’ or ‘pump tripped.’ A bad instrument means I’m getting a bad reading. But that’s not the problem. Yet I do want to do further investigation on ‘valve stuck.’ But I need to understand more about operational limits. I’ve been told if I don’t respond, I’ll end up shutting the process down.”
After checking other options in the dropdown menu, Carrigan could see there was just a small amount of time before the process shut down. With each option, the operator can see more information. “I can also check the impact of making changes to the controller. I have pressure indicators, which let me see various outputs. So I know if I make a change, I will cause a problem to my APC application,” he said. “I have a complex loop, so I better be careful before making changes to the process controller. Next I need to know if there are any control problems with this loop or any performance problems, such as hysteresis.”
Finally, the operator can look at incident reports to discover whether he’s seen the same problem in the past. The incident report database ties everything back to the integrity database. “So we can bring those over to the platform as well,” he said. “We can see in June of last year there was an incident report of the very same thing — the controller was stuck. So we can put in a work order.”
All in all, systems are complex and interactive, and they come from so many different vendors, he said. “Perhaps with better HMI tools, there’s a chance to improve operational reliability so operators can get the information they need quickly — without having to look it up in five different places.”
Ellen Fussell Policastro is a freelance writer in Raleigh, NC. Her email is email@example.com.
Thursday, January 9, 2014 @ 03:01 PM gHale
Ecava Sdn Bhd created an update that mitigates the project directory information disclosure vulnerability in the IntegraXor application, according to a report from ICS-CERT.
Ecava Sdn Bhd IntegraXor – 4.1.4360 and earlier suffer from the remotely exploitable vulnerability. ICS-CERT received the report from the Zero Day Initiative (ZDI) who got the details from security researcher “Alphazorx aka technically.screwed.”
An attacker can use a crafted URL to download certain files in the project directory, compromising the confidentiality of the system.
Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava Sdn Bhd specializes in factory and process automation solutions.
The affected product, IntegraXor, is a suite of tools used to create and run a Web-based human machine interface (HMI) for a SCADA system. IntegraXor is in several areas of process control in 38 countries with the largest installation based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
IntegraXor does not properly restrict access to files in the project directory. An attacker may use a specially crafted URL to download project backup files from the system project directory without any authentication.
CVE-2014-0752 is the case number assigned to the vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability, however, an attacker with a low skill would be able to exploit this vulnerability.
Ecava Sdn Bhd issued a notification that details this vulnerability and provides mitigations to its customers. Ecava Sdn Bhd recommends users download and install the update, IntegraXor SCADA Server 4.1.4369.
For additional information, click here to view Ecava’s vulnerability note.
Tuesday, January 7, 2014 @ 06:01 PM gHale
Advantech provided a free version upgrade that mitigates a Remote Procedure Call (RPC) vulnerability in the Advantech WebAccess and legacy BroadWin WebAccess software (WebAccess), according to a report on ICS-CERT.
This is a web browser based human-machine interface (HMI) product. The RPC vulnerability affects the WebAccess Network Service on Port 4592/TCP and allows remote code execution. Independent security researcher Rubén Santamarta found the vulnerability and released exploit code.
This vulnerability affects all versions of WebAccess prior to Version 7.1 2013.05.30, including all legacy versions of either Advantech WebAccess or BroadWin WebAccess.
The successful exploit of this vulnerability could allow an attacker to remotely execute arbitrary code.
Advantech/Broadwin WebAccess is a Web-based HMI product used in energy, manufacturing, and building automation systems. The installation base is across Asia; North, Central, and South America; North Africa; the Middle East; and Europe. WebAccess Client software is available for desktop computers and laptops running
Windows 2000, XP, Vista, Server 2003, Windows 7, and Windows 8. A thin-client interface is available for Windows CE and Windows Mobile 5.0.
The code injection vulnerability exploits an RPC vulnerability in WebAccess Network Service on 4592/TCP.
CVE-2011-4041 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 10.
An attacker can initiate this exploit from a remote machine without user interaction.
An exploit of this vulnerability went public and it requires a moderate level of skill to leverage it.
Advantech released a new version of WebAccess that mitigates this vulnerability. Users may upgrade to the latest version from any previous version of WebAccess at no charge. Download the latest version of WebAccess (V 7.1 2013.05.30) from the Advantech web site.
Advantech has also created the following site to share additional information about WebAccess.
Prior to the release of this new version, customers using WebAccess should refer to security considerations recommended by Advantech in the WebAccess Installation Manual.
Wednesday, November 20, 2013 @ 06:11 PM gHale
Catapult Software created an update that fixes the improper input validation in its DNP3 Driver software, according to a report on ICS-CERT.
Adam Crain of Automatak and independent researcher Chris Sistrunk, who found the vulnerability, tested the updated software to validate that it resolves the vulnerability.
This driver sees use with General Electric (GE) Intelligent Platform’s Proficy iFIX and CIMPLICITY products.
The following Catapult Software product suffers from the remotely exploitable issue:
• Catapult Software DNP driver (“DNP”): Version 7.20.56
• Proficy human-machine interface/supervisory control and data acquisition (HMI/SCADA) – iFIX or CIMPLICITY servers with the vulnerable I/O Driver installed (this includes iFIX or CIMPLICITY installations that are part of Proficy Process Systems).
The use of this driver can cause the human-machine interface (HMI) to go into a denial-of-service (DoS) condition by sending a specially crafted transmission control protocol (TCP) packet from the outstation on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the outstation. The device must shut down and then restarted to recover from the DoS.
New Zealand-based Catapult Software specializes in SCADA/HMI software development. The affected product, DNP 3.0 driver, sees use with GE Intelligent Platforms’ iFIX and CIMPLICITY products, which are Web-based SCADA/HMI systems. According to Catapult Software, the driver and SCADA systems deploy across several sectors, including oil and gas, water and wastewater, and electric utilities.
As this vulnerability affects Internet Protocol-connected and Serial-connected devices, there are two CVSS scores.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop by sending a specifically crafted TCP packet, causing the process to crash.
CVE-2013-2811 is the number assigned to this vulnerability, which has a CVSS v2 base score of 7.1.
The Catapult Software DNP3 driver, used in the GE iFIX and CIMPLICITY products, does not validate input correctly. An attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition.
The following scoring is for serial-connected devices: CVE- 2013-2823 is the number assigned to this vulnerability, which has a CVSS v2 base score of 4.7.
No known public exploits specifically target this vulnerability and an attacker with a moderate skill would be able to exploit this vulnerability.
An updated driver is available from Catapult Software. Installing Version 7.20.60 (GE IP 7.20k) of the DNP driver or newer will address this issue. The driver is available for download by registering for support.
In addition, the driver update is also available from GE.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets to add an additional layer of protection.
Thursday, October 10, 2013 @ 04:10 PM gHale
Invensys created an update that mitigates the improper input validation vulnerability in the Wonderware InTouch human-machine interface (HMI), according to a report on ICS-CERT.
Independent researchers Timur Yunusov, Alexey Osipov, and Ilya Karpov of the Positive Technologies Research Team discovered the vulnerability in the Wonderware InTouch application. The Positive Technologies Research Team tested the update to validate that it resolves the vulnerability.
The following Invensys Wonderware products suffer from the version: InTouch HMI 2012 R2 and all previous versions.
Successful exploitation of this vulnerability could allow an attacker to affect the confidentiality and availability of the Invensys Wonderware InTouch.
Invensys is a global technology company that works with industrial, commercial, rail operators, and appliance operators, while operating in over 180 countries. Invensys develops software, systems, and equipment that enable users to monitor, automate, and control their processes.
The Invensys Wonderware InTouch HMI works across several sectors including critical manufacturing, energy, food and agriculture, chemical, and water and wastewater.
Wonderware InTouch HMI allows access to local resources (files and internal resources) via unsafe parsing of XML external entities. By using specially crafted XML files, an attacker can cause Wonderware InTouch HMI to send the contents of local or remote resources to the attacker’s server or cause a denial of service of the system.
CVE-2012-4709is the number assigned to this vulnerability, which has a CVSS v2 base score of 6.3.
This vulnerability is not remotely exploitable and needs user interaction for any kind of exploit. The exploit triggers when a local user runs the vulnerable application and loads the malformed XML files.
No known public exploits specifically target this vulnerability and an attacker with a low skill would be able to exploit this vulnerability.
Instructions and a link to the application update are on the Invensys download page.
Any machine running InTouch 2012 R2 or earlier versions suffers from the issue, according to Invensys. Users should install the update using instructions provided in the ReadMe file for the product and component installed. Invensys recommends users:
1. Read the installation instructions provided with the patch.
2. Shut down any of the affected software products.
3. Install the update.
4. Restart the software.
Friday, August 2, 2013 @ 03:08 PM gHale
By Gregory Hale
One of the many things Stuxnet taught the manufacturing automation world was operators cannot always believe what they see. That same axiom came true Thursday at Black Hat as researchers showed how easy it was to force a process out of control.
If you look at most standard DCS or SCADA networks, you can see the same type of basic design, but security still seems to be lacking, said Brian Meixell and Eric Forner, both researchers at Houston-based security provider Cimation during their session at the Black Hat conference in Las Vegas entitled, “Out of control: Demonstrating SCADA device exploitation.”
“Most firewalls are usually in place because a standard has told people to put them in, but they end up having an ‘anything can pass through.’ So there is no security there,” Meixell said.
That ends up being a very vital aspect as the two researchers were then able to demonstrate how they could work their way through a SCADA system without too much of a problem. “You don’t even have to go through the enterprise, you can just get to the system by going through a cell phone connection (in some cases),” Forner said.
But the way in to any system is through IP addresses found on the Internet, the researchers said.
One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol.
Modbus is an ancient protocol, you never know what you are actually driving,” Forner said.
They could talk about the problem all day, but the researchers showed the proof was in the pudding as they conducted a demonstration where a process was bringing water into a tank. There was a level transmitter that would shut the system down when the fluid reached a certain level, but when they issued a few commands to get into the system, the essentially owned the process.
When that happened all indicators showed the operator the tank was not at an overflow level and is actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.
“That could be oil or gas or some chemical leaking out of that tank,” Forner said.
“Because the operator saw something other than reality, when he goes to correct the problem, he may do something worse,” Meixell said.
“The operator is just doing what the PLC is telling him,” Forner said.
As an extra added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire.
These were not magic tricks to take over a system, it was two guys that knew about some of the ins and outs of a SCADA system making some solid basic moves.
That was an enlightening demo that showed just how fragile a system could be if the right layers of protection are not in play. Seeing is believing.
Wednesday, July 3, 2013 @ 09:07 AM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Heather MacKenzie
When engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore oil and gas networks need to use it if they want to be secure.
Let me give some context. You know the critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.
People like Dale Petersen and his Basecamp team have made an industry out of showing just how vulnerable these devices really are. Unfortunately these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission critical production systems to malware.
Given the 20-year lifecycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves the thousands of legacy platform control systems open to attack from even the most inexperienced hacker, who can then disable or destroy most industrial controllers.
Problem: No Granularity
The difficulty with legacy SCADA/ICS protocols is they have no granularity. To the average security device, a data read message looks exactly like a firmware update message.
Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming messages to pass through. This is a serious security issue.
You are faced with an impossible choice — keep the messages flowing that make the system run, but expose it to attacks, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.
What can an engineer do? There is a solution.
Deep Packet Inspection
The solution is to find a firewall that can dig deep into industrial protocols to understand the purpose of a message. This is beyond the capability of IT firewalls and is called Deep Packet Inspection.
Here’s how it works: After applying traditional firewall rules, the DPI firewall inspects the content of messages and applies more detailed rules. For example, it determines if a message is a read or a write message and then drops all write messages.
In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and users need to block them.
DPI in Need Now
Tofino’s Eric Byres said five years ago DPI would have been a “nice-to-have” capability. However, today’s generation of worms and advanced threats make it a “must-have” technology if you want a secure SCADA or ICS system.
The reason is that today’s malware designers and attackers know firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol like FTP will put the smart system administrator on his or her guard.
Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.
Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. The simple blocking of all Modbus traffic would impact production. Without deep packet inspection, (i.e. tools to inspect the contents of messages and block suspicious traffic), your hands would end up tied.
DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.
Certainly DPI is not a silver bullet for security – no technology is.
Heather MacKenzie is with Tofino Security, a Belden company. Click here to read the full version of the Practical SCADA Security blog.