Posts Tagged ‘SCADA’
Friday, November 8, 2013 @ 02:11 PM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for nine products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures on their way. Even the New York Times and Wired Magazine have picked up this story.
Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?
RELATED STORIES
Time to Fix SCADA Security/
SCADA, ICS Security: Face the Facts
More Than Discussion, Security is Vital
Securing SCADA: Compensating Controls
Vulnerabilities in All the Wrong Places
All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his AEGIS Project. The scary part is Adam’s tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.
This introduces a new world of attack possibilities against the power industry. Successfully attack an RTU in a substation and you might knock that station off line. Successfully attack a SCADA master and you can knock a whole system off line.
To make matters worse, these attacks work great over serial links, not just TCP/IP networks. Since NERC-CIP exempts serial communications from any security controls, the hundreds of millions of dollars the power industry has spent to date to secure the power grid could be for naught.
NERC-CIP Electronic Security Perimeter Full of Holes
Last week Darren Highfill posted a blog explaining that the situation is worse than many thought. The vulnerabilities in DNP3 masters don’t even require that the attacker climb a fence:
“The first place that most people have started talking about these [DNP3] devices is a substation. Too many engineers are searching for ways to make themselves feel better because there is a fence and/or a locked building keeping the bad guys out. Maybe even a camera, too… no half-way informed attacker is going to mess with a substation when they have much easier access to many more pad-mount and pole-mount devices in more remote and less noticeable locations. With no cameras.”
Darren has a valid point – DNP3 communication links run into millions of physically insecure pad and pole devices around the world. Get at just one of these and you can control a much larger power system.
Darren’s scenario completely defeats NERC-CIP’s vision of an Electronic Security Perimeter (ESP): A pull-up-the-drawbridge model where everything (and everyone) bad is kept out by a perfect electronic fortress. To be effective against these attacks, NERC’s ESP now has to include the entire country. Like other bastion models of security that I have discussed in the past, the ESP concept is fatally flawed.
A Serious Technical Error
Unfortunately, I believe Darren makes a serious technical error in his discussion, which I will discuss in my blog next week. In the meantime, consider the fact this is NOT just a DNP3 or a power industry problem. Any ICS protocol that uses a master/slave (aka client/server) polling scheme (i.e. 99 percent of them) will suffer from similar vulnerabilities in the masters (aka clients). This means that any industry that has remote assets in poorly secured locations could be vulnerable to Darren’s proposed “client-side” attacks.
Think about these types of attacks the next time you drive by a sewage lift pump box in a suburban neighborhood. Or when you see an oil well at the side of a prairie road. These are all potential backdoors into much larger critical infrastructures. All it will take is another well designed test tool to find those backdoors in the devices using other ICS protocols like Modbus, EtherNet/IP or PROFINET. That, plus a few people with malicious intent.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.
Monday, November 4, 2013 @ 09:11 AM gHale
Eric Byres, chief technology officer with Belden’s Tofino Security, will receive the 2013 International Society of Automation (ISA) Excellence in Leadership Award at a ceremony today in Nashville, TN.
In only its second year, this award recognizes an individual who has made significant contributions to the industry, including advancements in automation. “When considering nominations, we look for someone whose vision has fostered a paradigm shift, whose leadership has profoundly impacted the profession, and whose contributions have enhanced social value,” said Terrence G. Ives, ISA president. “This award is a way to express our appreciation for Eric’s outstanding achievements to the industry.”
RELATED STORIES
Big Boost in Cyber Investment
Energy Sector Attacks on Rise
DoE Awards to Boost Security Tools
Petrobras Moves to Hike Security
Byres received the ISA Fellow in 2009 for his outstanding achievements in science and engineering. Now, his ISA peers have elected to recognize him for his leadership in developing best practices in industrial cyber security.
“Eric brings a unique combination of deep technical knowledge, combined with practical field experience to his role at Belden,” said Dhrupad Trivedi, president of Belden’s Industrial IT business. “We’re extremely proud of his efforts and that he’s being recognized as a leader by his peers. He is a key driver of Belden’s security strategy, which is focused on the unique needs of our industrial customers.”
Byres’ vision centers around two key pillars to protecting SCADA (supervisory control and data acquisition) and industrial control systems: Robust security tailored for industrial requirements and simple deployment.
Byres’ innovative approach helped invent the Tofino Industrial Security Solution – a system that protects industrial networks from external threats and internal network incidents. Its plug-and-play design allows facilities to easily implement robust security without operational downtime. This approach is a foundational piece of Belden’s Industrial IT strategy.
Frost & Sullivan named Byres’ company – at the time known as Byres Security – the 2010 World Award Winner for Industrial Network Security Solutions. This honor marked recognition for the Tofino Industrial Security Solution as the product that best enhanced customer value in the industrial automation and electronics industries in 2010.
Byres chairs several groups that are working to establish industry standards (ISA99), assess current risks and develop a framework to protect facilities from cyber attacks. He also serves as one of the industry’s go-to subject matter expert.
Thursday, October 24, 2013 @ 04:10 PM gHale
The energy sector is at an elevated risk of brute force and malware/botnet attacks, a new report said.
“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director, security research with Alert Logic, which examined the rise of cyber attacks targeting the energy sector.
RELATED STORIES
DoE Awards to Boost Security Tools
Petrobras Moves to Hike Security
NIST Grants to Improve Security, Privacy
FBI: Public, Private Support can Defeat Threat
Just take a look: 67 percent of energy companies experiencing brute force attacks, compared to 34 percent of Alert Logic’s entire customer set. Attackers look for opportunistic points of vulnerability in networks housing confidential business information, according to the Alert Logic report. Breaches of geophysical data, in particular, intend to damage or destroy the data used in energy resource exploration. Brute force attacks also see use in stealing a company’s intellectual property for the purpose of industrial espionage.
Another point of attack: 61 percent of energy companies experienced malware/botnet infiltration attacks, versus 13 percent of entire customer set. These attacks seek access to physical infrastructure systems that control pipelines and other key energy plant operations. Alert Logic found technologies such as Supervisory Control and Data Acquisition (SCADA) systems are vulnerable to hacking, while the emerging business practices of BYOD and BYOA (bring your own applications) in the workplace can be carriers of viruses and other malware.
“Unlike an attack on an e-Commerce site or SaaS application provider, a malware infiltration attack on an energy company could grow to catastrophic proportions if hackers were able to block or flood the oil and gas pipeline infrastructure,” Coty said. “This industry doesn’t see the typical web application attacks. It experiences a greater magnitude of security threats that could have global repercussions for years to come.”
Monday, October 21, 2013 @ 06:10 PM gHale
There is an improper input validation vulnerability on numerous slave and/or master station software products that is not with the DNP3 stack but with the implementation.
DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common. It is for communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it sees use with the SCADA Master Stations (aka Control Centers), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs).
RELATED STORIES
Wonderware Fixes InTouch Vulnerability
Alstom Patches Software Vulnerability
Additional Patches for Rockwell
Philips Fixes Buffer Overflow
The research, conducted by Adam Crain of Automatak and independent researcher Chris Sistrunk, showed some implementations were third-party components in other software packages.
This vulnerability can end up exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).
Below is the noninclusive list of advisories that NCCIC/ICS-CERT created in conjunction with the vendors producing a patch or update to mitigate the reported vulnerability.
GE ICSA-13-297-02, Catapult Software ICSA-13-297-01, Alstom ICSA-13-282-01A, IOServer ICSA-13-161-01, IOServer ICSA-13-213-03, Kepware Technologies ICSA-13-226-01, MatrikonOPC ICSA-13-213-04A, Schweitzer Engineering Laboratories ICSA-13-219-01, Software Toolbox ICSA-13-234-02, SUBNET Solutions Inc. ICSA-13-252-01, and Triangle MicroWorks ICSA-13-240-01.
The outstation/slave can go into an infinite loop or Denial of Service (DoS) condition by sending a specially crafted TCP packet from the master station on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the master station. The device must shut down and then restart to reset the loop state.
The master station can go into an infinite loop by sending a specially crafted TCP packet from the outstation/slave on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the outstation. The device must shut down and then restarted to reset the loop state.
As this vulnerability affects Internet protocol-connected and serial-connected devices, there are two CVSS scores.
An attacker could cause the software to go into an infinite loop with a specifically crafted TCP packet, causing the process to crash. The system must restart manually to clear the condition. The following is for IP-connected devices: A CVSS v2 base score of 7.1.
For serial-connected devices, an attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition. The following is the CVSS v2 base score: 4.7.
The IP-based vulnerability is remotely exploitable, while the serial-based vulnerability is not. An attacker would need local access to the serial-based outstation.
An attacker with a moderate skill could craft an IP packet that would be able to exploit this vulnerability for an IP-based device.
An attacker with a high skill could exploit the serial-based vulnerability because physical access to the device or some amount of social engineering is required.
Because researchers identified this vulnerability with fuzzing tools, they said developers should use extensive negative testing during quality control of products. The researchers also suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
Monday, October 14, 2013 @ 05:10 PM gHale
The Transportation and water and waste water industry sectors endured large increases in the number of reported cyber security incidents in recent years; 160 percent and 60 percent respectively, a new report said.
One of the true barometers of the cyber health of the manufacturing automation industry, the Repository for Industrial Security Incidents (RISI) database published the 2013 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.
RELATED STORIES
Cost of Cyber Crime Skyrockets
Threats: Manufacturers use ‘Yesterday’s Technology’
Cost of Cyber Crime Skyrockets
Crime Snapshot: UK Saves a Billion
RISI is an industry-wide repository for collecting, analyzing and sharing information regarding cyber security incidents that directly affect industrial control and supervisory control and data acquisition (SCADA) systems. Industrial automation system suppliers, end-users and international government agencies and research institutes have relied on RISI since 2009 to provide them with insight into the trends affecting ICS security.
ICS and SCADA security have been serious concerns for more than a decade, but have come under increased scrutiny following the discovery of the Stuxnet virus in 2010, the Duqu virus in 2011 and the Shamoon virus in 2012. All of these viruses specifically targeted industrial control systems.
The 2013 Annual Report includes detailed analysis of the 240 incidents recorded in the RISI database ranging from 2001 through the end of 2012.
The analysis identifies where and when the incidents occurred while also identifying the types of incidents and the threat agents that executed them, including the methods and techniques used to gain entry. The financial and operational impacts on the “victims” also undergo analysis.
The report also includes detailed results and analysis from the second annual RISI Control System Security Benchmark Survey.
The survey data provides insight into the current state of control system security, especially when compared with the data regarding actual incidents.
In one case, RISI data indicates 33 percent of all ICS security incidents were the result of remote access. This data gain support with 48 percent of survey respondents reporting remote access to the controls systems ends up allowed at their facilities.
Friday, August 2, 2013 @ 03:08 PM gHale
By Gregory Hale
One of the many things Stuxnet taught the manufacturing automation world was operators cannot always believe what they see. That same axiom came true Thursday at Black Hat as researchers showed how easy it was to force a process out of control.
If you look at most standard DCS or SCADA networks, you can see the same type of basic design, but security still seems to be lacking, said Brian Meixell and Eric Forner, both researchers at Houston-based security provider Cimation during their session at the Black Hat conference in Las Vegas entitled, “Out of control: Demonstrating SCADA device exploitation.”
RELATED STORIES
Black Hat: Compromising Wireless Devices
Black Hat: ICS SCADA Honeypot Finds Threats
Black Hat: Weeding Out Insider Threats
Black Hat: NSA Know the Facts
“Most firewalls are usually in place because a standard has told people to put them in, but they end up having an ‘anything can pass through.’ So there is no security there,” Meixell said.
That ends up being a very vital aspect as the two researchers were then able to demonstrate how they could work their way through a SCADA system without too much of a problem. “You don’t even have to go through the enterprise, you can just get to the system by going through a cell phone connection (in some cases),” Forner said.
But the way in to any system is through IP addresses found on the Internet, the researchers said.
One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol.
Modbus is an ancient protocol, you never know what you are actually driving,” Forner said.
They could talk about the problem all day, but the researchers showed the proof was in the pudding as they conducted a demonstration where a process was bringing water into a tank. There was a level transmitter that would shut the system down when the fluid reached a certain level, but when they issued a few commands to get into the system, the essentially owned the process.
When that happened all indicators showed the operator the tank was not at an overflow level and is actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.
“That could be oil or gas or some chemical leaking out of that tank,” Forner said.
“Because the operator saw something other than reality, when he goes to correct the problem, he may do something worse,” Meixell said.
“The operator is just doing what the PLC is telling him,” Forner said.
As an extra added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire.
These were not magic tricks to take over a system, it was two guys that knew about some of the ins and outs of a SCADA system making some solid basic moves.
That was an enlightening demo that showed just how fragile a system could be if the right layers of protection are not in play. Seeing is believing.
Wednesday, July 17, 2013 @ 04:07 PM gHale
A maker of supervisory control and data acquisition (SCADA) equipment, IntegraXor, said it would implement a bug bounty program offering points redeemable for company services to researchers that disclose security vulnerabilities in the IGX SCADA system.
In most bug bounty programs, with Google being the best example, vendors pay researchers for responsibly disclosing bugs in their products. Most vendors offer monetary payments. Although Microsoft just revealed it would dole out six figures payouts for severe vulnerabilities. However, that is for a white hat endeavor. If a researcher wants to go over to the dark side, he or she can make much more cash on the private vulnerability sales marketplace.
RELATED STORIES
Browser Security Warnings Effective
Survey: Security Metrics Too Complicated
Cyber Report: Attackers on Network
SMBs Need Data Breach Awareness
SCADA machines play a central role in the maintenance of critical infrastructure systems.
In this case, IntegraXor is not offering money for vulnerability reports. It has set up a system where researchers earn points for disclosing vulnerabilities in the company’s IGX SCADA systems. More severe bugs warrant more points for the researcher that disclosed them. The company is calling the program “non-monetary,” but the points can end up exchanged for IntegraXor products and services and the company said the researcher can sell their points for whatever value they can attract on the open market. The company claims their lowest payout is roughly the equivalent of $149 and their highest payout is just short of $4000.
IntegraXor said researchers will end up disqualified for running vulnerability tests on live systems. In order to be eligible for a reward, researchers must download their own testing environment, which is available on IntegraXor’s website. The company will only accept “closed disclosures.” Third party disclosures do not qualify.
A study from the University of California Berkeley found bug bounties are actually saving tech firms money in the end. Their research focuses mostly on the fact it costs less to pay bounties than is it does to hire a full-time security researcher or two.
Wednesday, July 3, 2013 @ 09:07 AM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Heather MacKenzie
When engineers look at security, a topic they should know about is Deep Packet Inspection (DPI) and why offshore oil and gas networks need to use it if they want to be secure.
Let me give some context. You know the critical systems managing production and safety on offshore platforms are largely based on legacy SCADA and Industrial Control System (ICS) products and protocols. Many of these products are decades old and were never designed with security in mind.
RELATED STORIES
Right Tools will Secure Industrial Networks
SCADA, ICS Security: Face the Facts
More Than Discussion, Security is Vital
Securing SCADA: Compensating Controls
People like Dale Petersen and his Basecamp team have made an industry out of showing just how vulnerable these devices really are. Unfortunately these same systems are now connected to external systems using Ethernet and TCP/IP. That has been great for efficiency, but it exposes mission critical production systems to malware.
Given the 20-year lifecycle common for industrial systems, it will be many years before more secure SCADA and ICS devices and protocols are in widespread use. This leaves the thousands of legacy platform control systems open to attack from even the most inexperienced hacker, who can then disable or destroy most industrial controllers.
Problem: No Granularity
The difficulty with legacy SCADA/ICS protocols is they have no granularity. To the average security device, a data read message looks exactly like a firmware update message.
Thus if you allow data read messages from an HMI to a PLC to pass through a traditional firewall, you are also allowing programming messages to pass through. This is a serious security issue.
You are faced with an impossible choice — keep the messages flowing that make the system run, but expose it to attacks, or block everything out. Since shutting systems down is not an option, accepting high risk has been the course taken by many. In a post-Macondo (Deepwater Horizon) world, this is not acceptable.
What can an engineer do? There is a solution.
Deep Packet Inspection
The solution is to find a firewall that can dig deep into industrial protocols to understand the purpose of a message. This is beyond the capability of IT firewalls and is called Deep Packet Inspection.
Here’s how it works: After applying traditional firewall rules, the DPI firewall inspects the content of messages and applies more detailed rules. For example, it determines if a message is a read or a write message and then drops all write messages.
In addition, good DPI firewalls can also “sanity check” traffic for strangely formatted messages or unusual behaviors (such as 10,000 reply messages in response to a single request message). These sorts of abnormal messages can indicate traffic created by a hacker trying to crash a PLC and users need to block them.
DPI in Need Now
Tofino’s Eric Byres said five years ago DPI would have been a “nice-to-have” capability. However, today’s generation of worms and advanced threats make it a “must-have” technology if you want a secure SCADA or ICS system.
The reason is that today’s malware designers and attackers know firewalls and intrusion detection systems will spot the use of an unusual protocol instantly. They know if the protocols on a network are normally HTTP (i.e. web browsing), Modbus and MS-SQL (i.e. database queries) then the sudden appearance of a new protocol like FTP will put the smart system administrator on his or her guard.
Thus worm designers work to stay under the radar by hiding their network traffic inside protocols that are already common on the network they are attacking. For example, many worms now hide their outbound communications in what appear to be normal HTTP messages.
Even if you suspected something was wrong, you would be stuck if all you had was a normal firewall. The simple blocking of all Modbus traffic would impact production. Without deep packet inspection, (i.e. tools to inspect the contents of messages and block suspicious traffic), your hands would end up tied.
DPI technology is a very powerful tool in the security tool box. It allows the engineer to block the bad stuff, yet avoid needless impact on the control system. Without it, the designers of modern worms clearly have the upper hand.
Certainly DPI is not a silver bullet for security – no technology is.
Heather MacKenzie is with Tofino Security, a Belden company. Click here to read the full version of the Practical SCADA Security blog.