Posts Tagged ‘SCADA’

Friday, August 22, 2014 @ 01:08 PM gHale

The move to using open standards such as Ethernet, TCP/IP, and web technologies in supervisory control and data acquisition (SCADA) and process control networks has begun to expose these systems to the same cyberattacks that have wreaked so much havoc on corporate information systems.

That is why aeSolutions is offering a course that provides a detailed look at how the ANSI/ISA99 standards can help protect your critical control systems. It also explores the procedural and technical differences between the security for traditional IT environments and those solutions appropriate for SCADA or plant floor environments. Cost of the course is $1,510.

This course is required for the ISA99/IEC 62443 Cybersecurity Fundamentals Specialist Certificate Program. You can register for the exam through ISA after completing the course.

Those who successfully complete this course and pass the exam receive the designation of ISA99/IEC 62443 Cybersecurity Fundamentals Specialist.

The course is Wednesday, September 17, at 8 a.m. to Thursday, September 18, at 4 p.m. at the JL Towers, 3800 Centerpoint Drive, Suite 620, Anchorage, AK 99503.

The course will allow you to:
• Discuss the principles behind creating an effective long-term security program
• Interpret the ANSI/ISA99 industrial security guidelines and apply them to your operation
• Define the basics of risk and vulnerability analysis methodologies
• Describe the principles of security policy development
• Explain the concepts of defense in depth and zone/conduit models of security
• Analyze the current trends in industrial security incidents and methods hackers use to attack a system
• Define the principles behind the key risk mitigation techniques, including anti-virus and patch management, firewalls, and virtual private networks

You will cover:
• Understanding the Current Industrial Security Environment: What is Electronic Security for Industrial Automation and Control Systems? | How IT and the Plant Floor are Different and How They are the Same
• How Cyberattacks Happen: Understanding the Threat Sources | The Steps to Successful Cyberattacks
• Creating A Security Program: Critical Factors for Success | Understanding the ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) – Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
• Risk Analysis: Business Rationale | Risk Identification, Classification, and Assessment | The DNSAM Methodology
• Addressing Risk with Security Policy, Organization, and Awareness: CSMS Scope | Organizational Security | Staff Training and Security Awareness
• Addressing Risk with Selected Security Counter Measures: Personnel Security | Physical and Environmental Security | Network Segmentation | Access Control
• Addressing Risk with Implementation Measures: Risk Management and Implementation | System Development and Maintenance | Information and Document Management
• Monitoring and Improving the CSMS: Compliance and Review | Improve and Maintain the CSMS

Classroom/Laboratory Exercises:
• Develop a business case for industrial security
• Conduct security threat analysis
• Investigate scanning and protocol analysis tools
• Apply basic security analysis tools and software

Includes ISA Standards:
ANSI/ISA-62443-1-1 (ANSI/ISA-99.00.01-2007) – Security for Industrial Automation and Control Systems Part 1: Terminology, Concepts & Models
ANSI/ISA-62443-2-1 (ANSI/ISA-99.02.01-2009) – Security for Industrial Automation and Control Systems: Establishing an Industrial Automation and Control Systems Security Program
ANSI/ISA-62443-3-3 – Security for industrial automation and control systems: System security requirements and security levels

For more information, contact Jodi Pietrowski at aeSolutions.

Tuesday, August 12, 2014 @ 01:08 PM gHale

The National Institute of Standards and Technology wants to create a test bed to examine industrial control systems for cyber security vulnerabilities.

Industrial control systems (ICS) or SCADA (Supervisory Control and Data Acquisition) systems operate critical infrastructure, such as dams, gas plants, petroleum refineries and chemical manufacturing plants.

Hackers can potentially wreak havoc with assaults on such systems. In late June, for example, a targeted malware attack on SCADA systems called Havex ended up discovered by the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) at the Department of Homeland Security (DHS) that could have allowed intruders to take over Internet-connected systems.

NIST is trying to get ahead of attackers by developing a simulation system that emulates the operations of specific industrial situations.

The simulation rack will provide NIST’s researchers the opportunity to probe systems for flaws and examine the efficacy of certain network security approaches, including deep packet inspection of network traffic, encryption, user authentication, and security software like anti-virus protection.

In a request for information, NIST is soliciting feedback from vendors interested in designing and building simulation racks of SCADA systems for testing purposes.

Wednesday, June 25, 2014 @ 01:06 PM gHale

A malware threat used in attacks against energy sector companies is now pointing toward organizations that use or develop industrial applications and machines.

During the spring, attackers began distributing new versions of a remote access Trojan (RAT) program called Havex by hacking into the websites of industrial control system (ICS) manufacturers and infiltrating their software downloads, said researchers from security firm F-Secure.

“Our research uncovered three software vendor sites that were compromised in this manner,” the F-Secure researchers said in a blog post. “The software installers available on the sites were Trojanized to include the Havex RAT. We suspect more similar cases exist but have not been identified yet.”

http://www.f-secure.com/weblog/archives/00002718.html

F-Secure did not name the affected vendors, but said that two of them develop ICS remote management software and the third supplies high-precision industrial cameras and related software. According to the security firm, the vendors are in Germany, Switzerland and Belgium.

The attackers modified the legitimate software installers to drop and execute an additional file on computers. The file is mbcheck.dll and is actually the Havex malware.

The new distribution technique was in addition to more traditional attacks like spam emails and Web-based exploits, and indicates those behind the operation are specifically interested in targeting organizations that use ICS and SCADA (supervisory control and data acquisition) applications.

In addition, there is a new malicious Havex component whose purpose is to scan local area networks for devices that respond to OPC requests. OPC is a communications standard that allows interaction between Windows-based SCADA applications and process control hardware.

The Havex component leverages the OPC standard to gather information about industrial control devices and then sends that information back to its command-and-control (C&C) server for the attackers to analyze, the F-Secure researchers said. “It appears that this component is used as a tool for intelligence gathering. So far, we have not seen any payloads that attempt to control the connected hardware.”

Further evidence of this operation’s goals comes from the identity of the victim organizations, which are in one way or another associated with industrial applications and machines.

“The majority of the victims are located in Europe, though at the time of writing at least one company in California was also observed sending data to the C&C servers,” the F-Secure researchers said. “Of the European-based organizations, two are major educational institutions in France that are known for technology-related research; two are German industrial application or machine producers; one is a French industrial machine producer; and one is a Russian construction company that appears to specialize in structural engineering.”

In a report released in January, security intelligence firm CrowdStrike associated the Havex RAT with targeted attacks against energy sector organizations that took place in September 2013 and ended up perpetrated by a group of attackers with links to the Russian Federation. The security firm dubbed the attack group “Energetic Bear” and said that its malicious campaigns go as far back as August 2012.

Tuesday, June 24, 2014 @ 05:06 PM gHale

By Gregory Hale
You are under attack and you don’t even know it.

That was the subject of a demonstration and talk Tuesday entitled “ICS Security Today Awareness and Practice” at the 2014 Siemens Automation Summit.

“We are trying to protect people, production, property, environment and the economy,” said Marc Ayala, senior technical advisor at security provider Cimation. He estimated how many people are qualified and actually know something about enterprise security; the number he came up with was 50,000 true experts. When it comes to Industrial Control System (ICS) or Supervisory Control and Data Acquisition (SCADA) security, Ayala said there were “500 people that know ICS security.”

The industries most likely targeted, Ayala said, were energy and transportation.

One of the first things a user needs to accomplish is to evaluate risk, said Eric Forner, ICS/SCADA security engineer at Cimation.

Threats are coming from hackers that could be conducting automated attacks, or from nation states that develop exploits and know how control systems work, Forner said. A third area is from internal attacks, “which is more of a threat than the other two.”

Another area that is a big attack area and has the potential to get bigger is social media attacks, Ayala said.

All you have to do is send a person a malicious email with an attachment from a person they may be familiar with and that person now becomes a victim.

“That is the pivot point where an attacker can then go in and start viewing the system,” Ayala said. “You have to be very careful with who you connect with.”

Keeping bad guys out of the system is vital as the demonstration by Forner proved.

In the demo, Forner was able to bypass a firewall and jump right into a system and take it over.

Most firewalls are usually in place because a standard has told people to put them in, but they end up having an “allow anything command,” Forner said.

That ends up being important as Forner was able to use various commands to work his way through a PLC without too much of a problem.

But the way in to any system is through IP addresses found on the Internet, the researchers said.

One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol.

“Port 502 is the Modbus TCP port and it is one of the top ports under attack,” Ayala said.

In the demo, there was a level transmitter that would shut the system down when the fluid reached a certain level, but when they issued a few commands to get into the system, they essentially owned the process.

When that happened, all indicators showed the operator the tank was not at an overflow level and was actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.

As an extra added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire.

Yes, this was a demo at a conference, but that could be a real life experience that could cause an incident.

“Cyber security in ICS/SCADA is a life safety issue and must be treated as such,” Ayala said. “Safety is everywhere and it is constant. With all our total interconnections, safety is all the time now.”

Wednesday, June 4, 2014 @ 07:06 PM gHale

By Gregory Hale
There are heavy challenges facing automation professionals in the years to come and cyber security ranks up there at the top.

“There are issues like skills availability, working in remote locations and cyber security,” said Vimal Kapur, the brand new president of Honeywell Process Solutions (HPS) during his keynote address Tuesday at the 2014 Honeywell Users Group in San Antonio, TX. “We can’t ignore (cyber security). It is an undesired event and we have to do something about it.”

Kapur, just named president of HPS in May, talked about trends and outlooks he sees in the industry. While newly named as president, Kapur has been with Honeywell for 25 years so he is very aware of industry nuances and trends.

One of the areas he wants to focus on is collaborating to ensure global coverage as the world markets emerge from long-standing recessions.

“China and the Americas continue to lead in capital spending, but Europe, Middle East and Asia (EMEA) and Asia Pacific are recovering,” he said.

Closer to home in North America, Kapur said natural gas is continuing its growth curve.

“The Americas oil and gas industries continue to dominate capital spending in the region, especially as they migrate to new natural gas sources,” said Kapur. “These changes have been having a profound impact for the past two or three years, and this trend is going to continue for several more years.”

He also pointed out how Honeywell will be able to leverage its capabilities in upstream oil and gas, midstream and downstream with new SCADA, RTU, DCS, safety, advanced and field instrumentation solutions.

Also understanding and designing the systems properly from the beginning is more vital now than it ever has been.

“Large capital expenditure projects are growing more complex, expensive and time-consuming. So instead of us coming in and adding automation and control at the end of a project before start-up, it’s becoming critical for us to execute automation and get it out of the critical path of these projects,” Kapur said.

Planning the project is one thing, but the next step is applying operational integrity and operational excellence.

“Being able to accomplish operational integrity means operating safely. Operational excellence means running a process more efficiently,” he said. “That all includes making people and assets safer, and running processes more reliably.”

One other trend Kapur discussed was cloud computing.

“Cloud computing in automation has huge potential,” Kapur said. “That is something that is happening now; not something that will happen in the future.”

Another trend is universality, Kapur said. By that he said there would be one universal device that handles multiple capabilities. A case in point is a smartphone that can handle computing, video, phone and general communications capabilities.

In the past one device could handle one function, but why not have one device that handles multiple functions.

He then translated that to the Honeywell environment where, in one case, he pointed to Universal IO which transformed from a single device to one that can handle multiple tasks.

Universal I/O and cloud computing capabilities form the core of the company’s Lean Execution of Automation Projects (LEAP) program for taking automation out of the critical path on customers’ projects.

The goal behind LEAP is to cut engineering time:

  • No repeat engineering
  • Drives efficiency
  • Lean execution
  • Standardized processes and tools

Monday, April 28, 2014 @ 10:04 AM gHale

There is a directory traversal vulnerability affecting the InduSoft Web Studio application, according to a report on ICS-CERT.

Successful exploitation of this remotely exploitable vulnerability could allow remote execution of arbitrary code. This vulnerability ended up reported by the Zero Day Initiative (ZDI) who received the initial dispatch from security researcher John Leitch.

Web Studio Version 7.1 suffers from the issue.

Successful exploitation of the reported vulnerability could allow an attacker to read files outside the web root and possibly perform arbitrary code execution. These actions can result in adverse application conditions and ultimately impact the production environment on which the supervisory control and data acquisition (SCADA) system works.

InduSoft Web Studio is a collection of automation tools to develop human-machine interfaces, SCADA systems, and embedded instrumentation systems.

InduSoft Web Studio often ends up integrated as a third-party component in other vendors’ products. According to Austin, TX-based InduSoft, Web Studio sees uses across several sectors including commercial facilities, critical manufacturing, energy, food and agriculture, healthcare and public health, and water and wastewater systems.

The NTWebServer (test web server installed with InduSoft Web Studio) contains a flaw that enables a malicious user to read files outside the web root. This can end up exploited to read APP files that may contain application passwords. It may be possible to achieve remote code execution by exfiltrating credentials for Web Studio itself, then using them to remotely administer the targeted instance to deploy attacker controlled server-side code.

CVE-2014-0780 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target this vulnerability. However, an attacker with a low skill would be able to exploit this vulnerability.

InduSoft did not intend for this web server to see action in real applications. It was a demonstration/training software (as stated in user manuals). They have created a mitigation for this vulnerability in InduSoft Web Studio v7.1+Service Pack 2+ Patch 4. Users may obtain this patch at the following location (you must log into your InduSoft account).

For more information, you can email InduSoft technical support.

Wednesday, April 23, 2014 @ 05:04 PM gHale

Revealing sensitive source code is a very difficult proposition for manufacturers and some new software may help alleviate that issue.

Belden Inc. released the Tofino Enforcer Software Development Kit (SDK), which allows third parties to create next generation security solutions using the company’s Deep Packet Inspection (DPI) technology.

Tofino Enforcer modules developed with the SDK protect supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols.

Using the toolkit, developers can design custom loadable security modules (LSMs) for the wide variety of SCADA and ICS protocols currently in use:
• For major automation vendors, the Tofino Enforcer SDK enables them to secure their proprietary protocols with DPI technology, without having to disclose sensitive internal information. Companies can create a custom solution, controlling their own development cycle and the management of future updates.
• System integrators can create custom DPI modules to secure unusual SCADA protocols or devices. Instead of starting from scratch, they can take advantage of DPI firewall technology in any scenario or application.

“Most major companies have proprietary network architectures, and for competitive reasons, they do not want to share things, like source code, publically. It’s been a concern of theirs for years,” said Frank Williams, senior product manager for security at Belden. “Now, with our SDK tool, they can address specific needs on their own timeframe — creating exactly what they need to protect their internal protocols.”

The Tofino Enforcer technology performs multi-level analysis and filtering of all SCADA messages. And unlike intrusion protection or detection (IPS/IDS) technologies, it offers very fast message forwarding for the time sensitive applications, like power distribution or manufacturing.

The combination of in-depth content inspection with fast packet processing allows owners of control and SCADA systems to regulate network traffic to a level of detail that has never before been possible. By using the Enforcer module for a particular SCADA protocol, engineers can block all attempts to write to a PLC or SCADA device, while still allowing access to data values over the network. The result is improved network reliability, availability, and security for any SCADA, process control or safety system.
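The read-only policy described above (let reads of data values through, block writes to the PLC), as an added example in Python; this is not Belden's or Tofino's code, and the Siemens summit talk earlier on this page names the same port 502 Modbus/TCP traffic. It parses the public Modbus/TCP MBAP header, decides per function code, and denies by default. The sample frames are constructed for this example, and the allow-list, the `allow_writes` switch and the function names are assumptions for illustration.

```python
"""Read-only Modbus/TCP request filter (added example, not Tofino SDK code)."""
import struct
from dataclasses import dataclass

MODBUS_TCP_PORT = 502  # the port the Siemens summit talk above calls out

# Function codes that only read data: the allow-list (assumed policy).
READ_ONLY_FUNCTIONS = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
}
# Codes that change PLC state; named so the verdict can say why it dropped them.
WRITE_FUNCTIONS = {
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    22: "Mask Write Register", 23: "Read/Write Multiple Registers",
}


@dataclass
class Verdict:
    allow: bool
    reason: str


def parse_mbap(frame: bytes):
    """Split a Modbus/TCP frame into (transaction_id, unit_id, function_code, data).

    MBAP header: transaction id (2), protocol id (2, always 0),
    length (2, = unit id + PDU bytes), unit id (1); the PDU starts with
    the function code.  Raises ValueError on anything malformed.
    """
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return tid, unit, frame[7], frame[8:]


def filter_request(frame: bytes, allow_writes: bool = False) -> Verdict:
    """Default-deny: only allow-listed read functions pass (writes only if enabled)."""
    try:
        _tid, unit, fc, _data = parse_mbap(frame)
    except ValueError as exc:
        return Verdict(False, f"malformed frame: {exc}")
    if fc & 0x80:  # exception bit set: never valid in a request
        return Verdict(False, f"fc 0x{fc:02x} has exception bit set")
    if fc in READ_ONLY_FUNCTIONS:
        return Verdict(True, f"fc {fc} {READ_ONLY_FUNCTIONS[fc]} to unit {unit}")
    if fc in WRITE_FUNCTIONS:
        return Verdict(allow_writes, f"fc {fc} {WRITE_FUNCTIONS[fc]} to unit {unit}")
    # Diagnostics (8), file record writes (21), vendor codes, ...: not on the list.
    return Verdict(False, f"fc {fc} not on allow-list")


def build_frame(tid: int, unit: int, fc: int, payload: bytes) -> bytes:
    """Build a well-formed request frame (used for the constructed samples)."""
    pdu = bytes([fc]) + payload
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


# Constructed sample requests (not captured traffic).
READ_HOLDING = build_frame(1, 1, 3, struct.pack(">HH", 0, 10))    # read 10 registers at 0
WRITE_COIL = build_frame(2, 1, 5, struct.pack(">HH", 1, 0xFF00))  # force coil 1 on
DIAGNOSTIC = build_frame(3, 1, 8, struct.pack(">HH", 1, 0))       # sub-function 1: restart comms
TRUNCATED = READ_HOLDING[:5]                                      # header cut short

if __name__ == "__main__":
    for name, frame in [("read", READ_HOLDING), ("write", WRITE_COIL),
                        ("diag", DIAGNOSTIC), ("short", TRUNCATED)]:
        v = filter_request(frame)
        print(f"{name:5} {'ALLOW' if v.allow else 'DROP '} {v.reason}")
```

The point of the default-deny branch is that diagnostics, file-record and vendor-specific codes are dropped even though they are not in the explicit write list; a read-only allow-list is narrower and safer than a write block-list.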

Key features:
• A common virtual machine (VM) development platform, with pre-configured layer 3 and layer 4 firewalls and logging systems.
• The ability to utilize Tofino Enforcer DPI technology that provides the fine-grained inspection of SCADA protocols necessary to secure industrial systems.
• Example source code — illustrating a Tofino Enforcer Module for a well-known protocol.
• Easy creation of additional LSMs.
• Easy-to-use debugging tools.

Wednesday, March 26, 2014 @ 01:03 PM gHale

“Attacks on control systems are on the rise.” But “budgets for cyber security in SCADA ICS environments remain very slim, and organizations continue to be dependent on limited resources and staffing to detect breaches and attacks,” said Matt Luallen, SANS Institute Analyst and author of a control system survey.

SANS released results of its 2014 Survey on control system security, in which 268 IT professionals answered questions about their overall risk awareness, trends in threats and breaches, and effective means to mitigate vulnerabilities with regard to supervisory control and data acquisition/industrial control system (SCADA/ICS).

In the year since SANS’ last survey on this topic, the number of entities with identified or suspected security breaches increased from 28 percent to almost 40 percent. Only 9 percent said they were sure they did not suffer a breach.

Organizations want to be able to protect their systems and assets, which include computer systems, networks, embedded controllers, control system communication protocols and various physical assets. Respondents also noted they strive to protect public safety; increase leadership risk awareness; and expand controls pertaining to asset identification, communication channels and centralized monitoring.

Still, quite a few organizations do not or cannot collect data from some of the most critical SCADA and ICS assets, and many depend on trained staff, not tools, to detect issues. The survey also found 16 percent of respondents have no process in place to detect vulnerabilities.

The survey did note a tighter merging of ICS security and IT security, which was once a huge barrier to overcome.

“Respondents indicated that ICS security is being performed by specialists reporting to both engineering and IT,” said Derek Harp, business operations lead for ICS programs at SANS. “This places a real priority on cross-departmental coordination, effectively bridging competencies and building (as well as assessing) skill in an organized manner.”

Tuesday, January 14, 2014 @ 03:01 PM gHale

Schneider Electric created a new version of its SCADA Expert ClearSCADA software that mitigates an uncontrolled resource consumption vulnerability, according to a report on ICS-CERT.

Adam Crain of Automatak, who discovered the problem along with independent researcher Chris Sistrunk, tested the new version to validate it resolves the remotely exploitable vulnerability.

The following Schneider Electric versions suffer from the issue:
• ClearSCADA 2010 R2 (Build 71.4165)
• ClearSCADA 2010 R2.1 (Build 71.4325)
• ClearSCADA 2010 R3 (Build 72.4560)
• ClearSCADA 2010 R3.1 (Build 72.4644)
• SCADA Expert ClearSCADA 2013 R1 (Build 73.4729)
• SCADA Expert ClearSCADA 2013 R1.1 (Build 73.4832)
• SCADA Expert ClearSCADA 2013 R1.1a (Build 73.4903)
• SCADA Expert ClearSCADA 2013 R1.2 (Build 73.4955)

Successful exploitation of this vulnerability may cause a denial of service (DoS) of the DNP3 process. Specially crafted, unsolicited frames may cause excessive event logging. This condition may slow driver operation and may lead to a DoS.

Schneider Electric is a France-based company that maintains offices in 190 countries worldwide.

ClearSCADA sees use across several sectors including energy and water and wastewater systems, according to Schneider Electric.

Specially crafted IP frames may cause DNP3Driver.exe to hang. If the DNP3 driver ends up flooded with frames containing multiple errors, an excessive number of event journal messages could end up logged, resulting in a starvation of resources, leading to a DoS attack. This condition cannot cause data corruption, crash the driver, or allow execution of arbitrary code but will affect operational response.

CVE-2013-6142 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.

No known public exploits specifically target this vulnerability. An attacker with a medium skill would be able to exploit this vulnerability.

Schneider Electric has fixed this issue in the latest released software version of SCADA Expert ClearSCADA 2013 R2.

ClearSCADA users should contact the local Schneider Electric office to obtain the latest software version for ClearSCADA; alternatively this new version is available for direct download from the Schneider Electric Web site. To upgrade, customers must complete and submit an online form.

Click here for general instructions on how to upgrade the ClearSCADA license.

Detailed instructions on how to upgrade a ClearSCADA installation are available.

Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The following guidelines are a starting point only in establishing an appropriate level of system security:
• Monitor DNP3 traffic and system Event Journal to detect excessive amounts of traffic/logging that may be representative of a fuzzing attack.
• Upgrade the ClearSCADA server to SCADA Expert ClearSCADA 2013 R2 or newer, or Service Packs released later than November 2013.
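The first guideline above (watch the Event Journal for excessive logging that may indicate a flood of malformed DNP3 frames) as an added detection example in Python; it is not Schneider Electric's code. The journal lines below are constructed for this example, and their layout (ISO timestamp, protocol, `source=` address, level, message), the 10-second window and the threshold of 20 errors are assumptions, not the real ClearSCADA Event Journal format or a vendor-recommended threshold.

```python
"""Flag outstations flooding the DNP3 driver with error events (added example)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample Event Journal lines; the format is an assumption for this
# example, not ClearSCADA's real journal layout.
NOISY = [f"2013-11-20T10:00:{i // 6:02d} DNP3 source=10.0.0.5 ERROR CRC mismatch in frame header"
         for i in range(30)]   # 30 errors in 5 seconds from one outstation
QUIET = [f"2013-11-20T10:00:{i:02d} DNP3 source=10.0.0.6 ERROR unsolicited response rejected"
         for i in range(5)]    # 5 errors in 5 seconds: normal background noise
INFO = ["2013-11-20T10:00:02 DNP3 source=10.0.0.6 INFO integrity poll complete"]
SAMPLE_JOURNAL = NOISY + QUIET + INFO


def parse_line(line: str):
    """Return (timestamp, source address, level, message) for one journal line."""
    ts, _proto, src, level, *msg = line.split()
    return datetime.fromisoformat(ts), src.split("=", 1)[1], level, " ".join(msg)


def detect_floods(lines, window=timedelta(seconds=10), threshold=20):
    """Return {source: time of first alert} for sources whose ERROR events reach
    `threshold` inside a sliding `window`.  Lines must be in journal (time) order
    per source; INFO and other levels are ignored."""
    recent = defaultdict(deque)   # per-source timestamps still inside the window
    alerts = {}
    for line in lines:
        ts, src, level, _msg = parse_line(line)
        if level != "ERROR":
            continue
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:   # expire events older than the window
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts
    return alerts


if __name__ == "__main__":
    for src, when in detect_floods(SAMPLE_JOURNAL).items():
        print(f"ALERT {when.isoformat()} {src}: DNP3 error flood, consider blocking at the firewall")
```

In practice the same counter is worth running on the firewall's DNP3 rule hits as well as on the journal, because a sustained flood slows the driver before the journal entries are written.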

Schneider Electric has also published security notification SEVD-2013-339-01.

The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an intrusion prevention system or firewall with DNP3-specific rule sets to add an additional layer of protection.

Thursday, January 9, 2014 @ 03:01 PM gHale

Ecava Sdn Bhd created an update that mitigates the project directory information disclosure vulnerability in the IntegraXor application, according to a report from ICS-CERT.

IntegraXor 4.1.4360 and earlier suffer from the remotely exploitable vulnerability. ICS-CERT received the report from the Zero Day Initiative (ZDI), which got the details from security researcher “Alphazorx aka technically.screwed.”

An attacker can use a crafted URL to download certain files in the project directory, compromising the confidentiality of the system.

Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava Sdn Bhd specializes in factory and process automation solutions.

The affected product, IntegraXor, is a suite of tools used to create and run a Web-based human machine interface (HMI) for a SCADA system. IntegraXor is used in several areas of process control in 38 countries, with the largest installations in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.

IntegraXor does not properly restrict access to files in the project directory. An attacker may use a specially crafted URL to download project backup files from the system project directory without any authentication.
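The InduSoft NTWebServer flaw earlier on this page (files read from outside the web root) and the IntegraXor flaw here (project backup files served without authentication) are both failures of the same request-path-to-file mapping. The following Python is an added example of a hardened mapping, not code from either vendor: decode once, reject traversal on the decoded form, then apply an access rule to the final path. The web root, the `project` directory name and the `authenticated` flag are assumptions for illustration.

```python
"""Hardened URL-path to file mapping (added example, not vendor code)."""
from pathlib import PurePosixPath
from urllib.parse import unquote

WEB_ROOT = PurePosixPath("/srv/hmi/web")   # hypothetical web root
PROJECT_DIR = WEB_ROOT / "project"          # hypothetical: holds .app / backup files


class Forbidden(Exception):
    """Request rejected; the caller should answer 403 (or 401) and log it."""


def _under(path: PurePosixPath, parent: PurePosixPath) -> bool:
    """True if `path` is `parent` or lies below it (pure path comparison)."""
    return path.parts[:len(parent.parts)] == parent.parts


def resolve_request(url_path: str, authenticated: bool = False,
                    root: PurePosixPath = WEB_ROOT,
                    protected: PurePosixPath = PROJECT_DIR) -> str:
    """Map a request path to a file under `root`, or raise Forbidden."""
    decoded = unquote(url_path)               # decode exactly once: %252e stays a literal '%2e'
    if "\x00" in decoded or "\\" in decoded:  # NUL truncation, Windows separators
        raise Forbidden("illegal characters in path")
    rel = PurePosixPath(decoded.lstrip("/"))  # PurePosixPath also collapses '.' and '//'
    if ".." in rel.parts:
        raise Forbidden("traversal component in path")
    target = root / rel
    if not _under(target, root):              # defensive; unreachable after the '..' check
        raise Forbidden("escaped web root")
    if _under(target, protected) and not authenticated:
        raise Forbidden("project directory requires authentication")
    return str(target)


def is_allowed(url_path: str, authenticated: bool = False) -> bool:
    """Convenience wrapper: True if the request would be served."""
    try:
        resolve_request(url_path, authenticated)
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    # Constructed requests; the first two are benign, the rest must be refused.
    for url, auth in [("/index.html", False), ("/project/plant.app", True),
                      ("/../../../etc/passwd", False), ("/%2e%2e/%2e%2e/secret", False),
                      ("/project/backup.bak", False), ("/project%2Fbackup.bak", False)]:
        try:
            print("SERVE", url, "->", resolve_request(url, auth))
        except Forbidden as why:
            print("DENY ", url, "->", why)
```

Note that the encoded separator case (`/project%2Fbackup.bak`) is caught only because the access rule runs on the decoded, normalized path rather than on the raw URL string; checks done on the raw string before decoding are what both flaws above bypass.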

CVE-2014-0752 is the case number assigned to the vulnerability, which has a CVSS v2 base score of 7.5.

No known public exploits specifically target this vulnerability, however, an attacker with a low skill would be able to exploit this vulnerability.

Ecava Sdn Bhd issued a notification that details this vulnerability and provides mitigations to its customers. Ecava Sdn Bhd recommends users download and install the update, IntegraXor SCADA Server 4.1.4369.

For additional information, click here to view Ecava’s vulnerability note.

 
 