Posts Tagged ‘SCADA’
Tuesday, January 14, 2014 @ 03:01 PM gHale
Schneider Electric created a new version of its SCADA Expert ClearSCADA software that mitigates an uncontrolled resource consumption vulnerability, according to a report on ICS-CERT.
Adam Crain of Automatak, who discovered the problem along with independent researcher Chris Sistrunk, tested the new version to validate it resolves the remotely exploitable vulnerability.
The following Schneider Electric versions suffer from the issue:
• ClearSCADA 2010 R2 (Build 71.4165)
• ClearSCADA 2010 R2.1 (Build 71.4325)
• ClearSCADA 2010 R3 (Build 72.4560)
• ClearSCADA 2010 R3.1 (Build 72.4644)
• SCADA Expert ClearSCADA 2013 R1 (Build 73.4729)
• SCADA Expert ClearSCADA 2013 R1.1 (Build 73.4832)
• SCADA Expert ClearSCADA 2013 R1.1a (Build 73.4903)
• SCADA Expert ClearSCADA 2013 R1.2 (Build 73.4955)
Successful exploitation of this vulnerability may cause a denial of service (DoS) of the DNP3 process. Specially crafted, unsolicited frames may cause excessive event logging. This condition may slow driver operation and may lead to a DoS.
Schneider Electric is a France-based company that maintains offices in 190 countries worldwide.
ClearSCADA sees use across several sectors including energy and water and wastewater systems, according to Schneider Electric.
Specially crafted IP frames may cause DNP3Driver.exe to hang. If the DNP3 driver ends up flooded with frames containing multiple errors, an excessive number of event journal messages could end up logged, resulting in a starvation of resources, leading to a DoS attack. This condition cannot cause data corruption, crash the driver, or allow execution of arbitrary code but will affect operational response.
CVE-2013-6142 is the case number assigned to this vulnerability, which has a CVSS v2 base score of 4.3.
No known public exploits specifically target this vulnerability. An attacker with a medium skill would be able to exploit this vulnerability.
Schneider Electric has fixed this issue in the latest released software version of SCADA Expert ClearSCADA 2013 R2.
ClearSCADA users should contact the local Schneider Electric office to obtain the latest software version for ClearSCADA; alternatively this new version is available for direct download from the Schneider Electric Web site. To upgrade, customers must complete and submit an online form.
Click here for general instructions on how to upgrade the ClearSCADA license.
Detailed instructions on how to upgrade a ClearSCADA installation are available.
Schneider Electric advises all ClearSCADA users to take steps to secure the interfaces to the ClearSCADA system. The following guidelines are a starting point only in establishing an appropriate level of system security:
• Monitor DNP3 traffic and system Event Journal to detect excessive amounts of traffic/logging that may be representative of a fuzzing attack.
• Upgrade the ClearSCADA server to SCADA Expert ClearSCADA 2013 R2 or newer, or Service Packs released later than November 2013.
Schneider Electric has also published security notification SEVD-2013-339-01.
The researchers suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an intrusion prevention system or firewall with DNP3-specific rule sets to add an additional layer of protection.
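The first mitigation above is to watch the Event Journal for a burst of error events that a flood of malformed frames would produce. The following is an added example, not code from ICS-CERT or Schneider Electric: a sliding-window counter over constructed, ClearSCADA-like journal lines that flags any source logging error events faster than a chosen rate. The line format, field names, threshold and window are all assumptions.

```python
"""Added example: detect an event-journal flood from one DNP3 source.
Constructed sample lines; the format "<date> <time> DNP3Driver <level> src=<addr> <msg>"
is an assumption, not the real ClearSCADA journal layout."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
import re

# Constructed sample: a well-behaved outstation (10.1.1.20) logging an
# occasional error, and one source (10.1.1.99) producing an error every
# two seconds for a full minute, as a frame flood would.
SAMPLE_JOURNAL = "\n".join(
    ["2014-01-14 15:00:00 DNP3Driver WARN src=10.1.1.20 frame CRC error"]
    + [f"2014-01-14 15:00:{s:02d} DNP3Driver WARN src=10.1.1.99 frame CRC error"
       for s in range(0, 60, 2)]
    + ["2014-01-14 15:05:00 DNP3Driver WARN src=10.1.1.20 frame CRC error"]
)

LINE_RE = re.compile(r"^(\S+ \S+) DNP3Driver (\w+) src=(\S+) (.*)$")


def parse_line(line):
    """Return (timestamp, level, source, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
    return ts, m.group(2), m.group(3), m.group(4)


def find_floods(journal, threshold=20, window=timedelta(minutes=1)):
    """Scan journal lines (assumed in time order) and return
    {source: timestamp string at which it first reached `threshold`
    error-level events inside `window`}."""
    recent = defaultdict(deque)   # per-source timestamps inside the window
    alerts = {}
    for line in journal.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, level, src, _msg = parsed
        if level not in ("WARN", "ERROR"):
            continue
        q = recent[src]
        q.append(ts)
        # Drop events that have aged out of the window.
        while q and ts - q[0] > window:
            q.popleft()
        if len(q) >= threshold and src not in alerts:
            alerts[src] = ts.strftime("%Y-%m-%d %H:%M:%S")
    return alerts


if __name__ == "__main__":
    for src, when in find_floods(SAMPLE_JOURNAL).items():
        print(f"possible DNP3 frame flood from {src}, threshold reached at {when}")
```

The threshold should be tuned against a baseline of the site's normal error rate; a single CRC error per poll cycle from a noisy serial link is expected, twenty in a minute from one address is not.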
Thursday, January 9, 2014 @ 03:01 PM gHale
Ecava Sdn Bhd created an update that mitigates the project directory information disclosure vulnerability in the IntegraXor application, according to a report from ICS-CERT.
Ecava Sdn Bhd IntegraXor 4.1.4360 and earlier suffer from the remotely exploitable vulnerability. ICS-CERT received the report from the Zero Day Initiative (ZDI), which got the details from security researcher “Alphazorx aka technically.screwed.”
An attacker can use a crafted URL to download certain files in the project directory, compromising the confidentiality of the system.
Ecava Sdn Bhd is a Malaysia-based software development company that provides the IntegraXor SCADA product. Ecava Sdn Bhd specializes in factory and process automation solutions.
The affected product, IntegraXor, is a suite of tools used to create and run a Web-based human machine interface (HMI) for a SCADA system. IntegraXor sees use in several areas of process control in 38 countries, with the largest installations based in the United Kingdom, United States, Australia, Poland, Canada, and Estonia.
IntegraXor does not properly restrict access to files in the project directory. An attacker may use a specially crafted URL to download project backup files from the system project directory without any authentication.
CVE-2014-0752 is the case number assigned to the vulnerability, which has a CVSS v2 base score of 7.5.
No known public exploits specifically target this vulnerability; however, an attacker with a low skill would be able to exploit it.
Ecava Sdn Bhd issued a notification that details this vulnerability and provides mitigations to its customers. Ecava Sdn Bhd recommends users download and install the update, IntegraXor SCADA Server 4.1.4369.
For additional information, click here to view Ecava’s vulnerability note.
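The flaw described above is an access-control one: files in the project directory, backups included, could be fetched by URL with no authentication. The following is an added example, not Ecava's code, that puts the unrestricted pattern beside a hardened resolver which requires a session, confines resolution to the project directory and serves only an allowlist of HMI asset types. The directory layout, file names, extensions and the session flag are assumptions.

```python
"""Added example: serving files from an HMI project directory.
resolve_unrestricted() shows the weak pattern; resolve_restricted() the hardened one.
All paths and the allowlist are assumptions for illustration."""
from pathlib import Path
import tempfile

# Assumed set of asset types a Web HMI actually needs to hand to a browser.
ALLOWED_SUFFIXES = {".html", ".js", ".css", ".png", ".svg"}


def resolve_unrestricted(project_dir, url_path):
    """Weak pattern: anything under the project directory is served, backups
    and configuration included, and no authentication is consulted."""
    return Path(project_dir, url_path.lstrip("/"))


def resolve_restricted(project_dir, url_path, authenticated):
    """Return the file to serve, or None (caller answers 403/404)."""
    if not authenticated:
        return None
    root = Path(project_dir).resolve()
    candidate = (root / url_path.lstrip("/")).resolve()
    # Confine resolution to the project directory (rejects ../ escapes).
    if root not in candidate.parents:
        return None
    # Serve only HMI assets, never backups, databases or project config.
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES:
        return None
    if not candidate.is_file():
        return None
    return candidate


def demo():
    """Build a throwaway project directory and exercise both resolvers.
    Returns a dict of outcomes so the behaviour can be checked."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "index.html").write_text("<html></html>")
        (Path(d) / "project.bak").write_text("constructed backup contents")
        return {
            "unrestricted_serves_backup": resolve_unrestricted(d, "/project.bak").exists(),
            "restricted_backup": resolve_restricted(d, "/project.bak", True),
            "restricted_no_session": resolve_restricted(d, "/index.html", False),
            "restricted_asset_ok": resolve_restricted(d, "/index.html", True) is not None,
            "restricted_escape": resolve_restricted(d, "/../etc/passwd", True),
        }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Denying by suffix is a second line behind authentication, not a replacement for it: the point is that a backup file should not be reachable by URL even for a logged-in operator, because nothing in the HMI needs to fetch it.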
Wednesday, November 20, 2013 @ 10:11 AM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
Previously, we discussed how new vulnerabilities discovered in DNP3 SCADA masters are carving big holes in the NERC’s concept of the Electronic Security Perimeter (ESP).
Dale Peterson started the ball rolling in his blog “Why the Crain/Sistrunk Vulnerabilities are a Big Deal”. Then Darren Highfill posted a blog explaining the vulnerabilities don’t even require that the attacker climb a fence. DNP3 serial links connect millions of physically insecure pad and pole-mounted devices. Accessing just one of those devices opens the door to a system-wide attack. Since there is no way that every one of these devices can be inside the perimeter, the concept of NERC’s ESP is fatally flawed.
Darren is a great asset to the industry, as demonstrated by the careful analysis he has put into how an attacker might find a way in to a system via a remote pole or pad mounted device. But as I hinted last week, I think that Darren makes a technical error in his blog.
When I noticed it, I tried to post a comment on Darren’s site, but he had closed the blog to comments. So instead I decided to respond via our blog. Here is my comment to Darren:
“Great article. These are serious attack scenarios and the industry needs to deal with them immediately. To me, the key take-away is not that there are security issues in DNP3 Masters, but the fact that these types of attacks expose a problem in all ICS protocols.
“Now I disagree with your statement: “Put all the deep packet inspection on it you want – you won’t find a signature.” My experience is that Deep Packet Inspection (DPI) is a valid defense in these scenarios – in fact it may be one of the only.
“DPI firewalls don’t use signatures. Intrusion Detection Systems (IDS) like Snort might, but any good DPI firewall uses packet validity analysis that determines if a packet is malformed in any way. We call that “Sanity Checking” of the packet stream.
“For example, one of Adam Crain’s vulnerabilities occurs when a start value in the DNP3 message is greater than the corresponding end value. This tends to break applications, because it violates a common implicit assumption that the master has asked for at least one measurement. And that creates loops with a negative count.
“Now a good DNP3 implementation would ensure that end values in any message are always greater than the starting values, discarding messages that do not comply. But as Crain shows, we have some bad DNP3 implementations out in the real world. So we need either a patch or a compensating control.
“One solution is a good DNP3 DPI firewall. (Tofino Security doesn’t make a DPI firewall for DNP3 yet, but we are working on it.) Well designed, it would ensure that end values are greater than the starting values. If this isn’t the case, the firewall should drop the packet REGARDLESS of data content. Thus, no matter what the attacker puts in his/her payload, or how he/she tried to obfuscate it with techniques like NOP slides, the firewall’s checks will detect and block the attack. If the attacker uses a valid pair of values in the packet, then the exploit fails because the vulnerability requires the end value to be less than the start value to create the negative counter problem.
“Certainly DPI firewalls are not the silver bullet to fix all security issues. For example, if there is some sort of yet unknown vulnerability strategy based on some obscure combination of invalid fields that are not checked in a DPI implementation, then the attack might be successful. But the key point is the entire class of vulnerabilities has to be unsuspected. If the DPI firewall’s designers can even imagine that a vulnerability is possible, then hopefully they can design a check for that general class of attack. They definitely do not design for a specific instance or exploit signature like a traditional IDS would – that is a proven waste of time.
“So in closing, your scenario analysis is great work Darren. Just be careful when you say a technology will or won’t address the problem. Some times.
Good Test Tools
I would like to point out that the above is one reason that fuzzers like Adam’s are so useful. If Adam can think of a way to fuzz a packet, then DPI firewall designers can think of a way to detect and block that packet, regardless if a vulnerability has even been discovered. Think of it as security focused on vulnerability prevention rather than exploit detection.
So the fact is, unless we want to cut the communications between the Master and RTU, DPI firewalls are probably the industry’s only choice today. Either that, or end users could wait until every possible vulnerability in their SCADA products has been discovered by researchers like Adam and then fixed by the vendors. Given our progress so far, I am not counting on the second option.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.
Friday, November 8, 2013 @ 02:11 PM gHale
Editor’s Note: This is an excerpt from the Practical SCADA Security blog at Tofino Security.
By Eric Byres
If you have been following SCADA news in the last month, you might have noticed an avalanche of reports and blogs on new security vulnerabilities in power industry equipment. So far, vulnerability disclosures for nine products using the DNP3 protocol have been released by the ICS-CERT, with another 21 SCADA product disclosures on their way. Even the New York Times and Wired Magazine have picked up this story.
Now, more vulnerabilities in SCADA products is hardly news, so why all the fuss?
Vulnerabilities in All the Wrong Places
All 25 vulnerabilities have been discovered by just two researchers, Adam Crain and Chris Sistrunk, using an impressive new security test tool that Adam developed under his AEGIS Project. The scary part is Adam’s tool is finding these vulnerabilities in SCADA master stations, rather than just in the RTU and IED slave devices past tools have tested.
This introduces a new world of attack possibilities against the power industry. Successfully attack an RTU in a substation and you might knock that station off line. Successfully attack a SCADA master and you can knock a whole system off line.
To make matters worse, these attacks work great over serial links, not just TCP/IP networks. Since NERC-CIP exempts serial communications from any security controls, the hundreds of millions of dollars the power industry has spent to date to secure the power grid could be for naught.
NERC-CIP Electronic Security Perimeter Full of Holes
Last week Darren Highfill posted a blog explaining that the situation is worse than many thought. The vulnerabilities in DNP3 masters don’t even require that the attacker climb a fence:
“The first place that most people have started talking about these [DNP3] devices is a substation. Too many engineers are searching for ways to make themselves feel better because there is a fence and/or a locked building keeping the bad guys out. Maybe even a camera, too… no half-way informed attacker is going to mess with a substation when they have much easier access to many more pad-mount and pole-mount devices in more remote and less noticeable locations. With no cameras.”
Darren has a valid point – DNP3 communication links run into millions of physically insecure pad and pole devices around the world. Get at just one of these and you can control a much larger power system.
Darren’s scenario completely defeats NERC-CIP’s vision of an Electronic Security Perimeter (ESP): A pull-up-the-drawbridge model where everything (and everyone) bad is kept out by a perfect electronic fortress. To be effective against these attacks, NERC’s ESP now has to include the entire country. Like other bastion models of security that I have discussed in the past, the ESP concept is fatally flawed.
A Serious Technical Error
Unfortunately, I believe Darren makes a serious technical error in his discussion, which I will discuss in my blog next week. In the meantime, consider the fact this is NOT just a DNP3 or a power industry problem. Any ICS protocol that uses a master/slave (aka client/server) polling scheme (i.e. 99 percent of them) will suffer from similar vulnerabilities in the masters (aka clients). This means that any industry that has remote assets in poorly secured locations could be vulnerable to Darren’s proposed “client-side” attacks.
Think about these types of attacks the next time you drive by a sewage lift pump box in a suburban neighborhood. Or when you see an oil well at the side of a prairie road. These are all potential backdoors into much larger critical infrastructures. All it will take is another well designed test tool to find those backdoors in the devices using other ICS protocols like Modbus, EtherNet/IP or PROFINET. That, plus a few people with malicious intent.
Eric Byres is vice president and chief technology officer at Tofino Security. Click here to read the full version of the Practical SCADA Security blog.
Monday, November 4, 2013 @ 09:11 AM gHale
Eric Byres, chief technology officer with Belden’s Tofino Security, will receive the 2013 International Society of Automation (ISA) Excellence in Leadership Award at a ceremony today in Nashville, TN.
In only its second year, this award recognizes an individual who has made significant contributions to the industry, including advancements in automation. “When considering nominations, we look for someone whose vision has fostered a paradigm shift, whose leadership has profoundly impacted the profession, and whose contributions have enhanced social value,” said Terrence G. Ives, ISA president. “This award is a way to express our appreciation for Eric’s outstanding achievements to the industry.”
Byres received the ISA Fellow in 2009 for his outstanding achievements in science and engineering. Now, his ISA peers have elected to recognize him for his leadership in developing best practices in industrial cyber security.
“Eric brings a unique combination of deep technical knowledge, combined with practical field experience to his role at Belden,” said Dhrupad Trivedi, president of Belden’s Industrial IT business. “We’re extremely proud of his efforts and that he’s being recognized as a leader by his peers. He is a key driver of Belden’s security strategy, which is focused on the unique needs of our industrial customers.”
Byres’ vision centers around two key pillars to protecting SCADA (supervisory control and data acquisition) and industrial control systems: Robust security tailored for industrial requirements and simple deployment.
Byres’ innovative approach helped invent the Tofino Industrial Security Solution – a system that protects industrial networks from external threats and internal network incidents. Its plug-and-play design allows facilities to easily implement robust security without operational downtime. This approach is a foundational piece of Belden’s Industrial IT strategy.
Frost & Sullivan named Byres’ company – at the time known as Byres Security – the 2010 World Award Winner for Industrial Network Security Solutions. This honor marked recognition for the Tofino Industrial Security Solution as the product that best enhanced customer value in the industrial automation and electronics industries in 2010.
Byres chairs several groups that are working to establish industry standards (ISA99), assess current risks and develop a framework to protect facilities from cyber attacks. He also serves as one of the industry’s go-to subject matter experts.
Thursday, October 24, 2013 @ 04:10 PM gHale
The energy sector is at an elevated risk of brute force and malware/botnet attacks, a new report said.
“The energy sector is a big part of the global economy and therefore has extremely high-stakes security risks compared to other industries,” said Stephen Coty, director, security research with Alert Logic, which examined the rise of cyber attacks targeting the energy sector.
Just take a look: 67 percent of energy companies experiencing brute force attacks, compared to 34 percent of Alert Logic’s entire customer set. Attackers look for opportunistic points of vulnerability in networks housing confidential business information, according to the Alert Logic report. Breaches of geophysical data, in particular, intend to damage or destroy the data used in energy resource exploration. Brute force attacks also see use in stealing a company’s intellectual property for the purpose of industrial espionage.
Another point of attack: 61 percent of energy companies experienced malware/botnet infiltration attacks, versus 13 percent of entire customer set. These attacks seek access to physical infrastructure systems that control pipelines and other key energy plant operations. Alert Logic found technologies such as Supervisory Control and Data Acquisition (SCADA) systems are vulnerable to hacking, while the emerging business practices of BYOD and BYOA (bring your own applications) in the workplace can be carriers of viruses and other malware.
“Unlike an attack on an e-Commerce site or SaaS application provider, a malware infiltration attack on an energy company could grow to catastrophic proportions if hackers were able to block or flood the oil and gas pipeline infrastructure,” Coty said. “This industry doesn’t see the typical web application attacks. It experiences a greater magnitude of security threats that could have global repercussions for years to come.”
Monday, October 21, 2013 @ 06:10 PM gHale
There is an improper input validation vulnerability in numerous slave and/or master station software products; it lies not in the DNP3 protocol itself but in the individual implementations.
DNP3 (Distributed Network Protocol) is a set of communications protocols used between components in process automation systems. Its main use is in utilities such as electric and water companies. Usage in other industries is not common. It is for communications between various types of data acquisition and control equipment. It plays a crucial role in SCADA systems, where it sees use with the SCADA Master Stations (aka Control Centers), Remote Terminal Units (RTUs), and Intelligent Electronic Devices (IEDs).
The research, conducted by Adam Crain of Automatak and independent researcher Chris Sistrunk, showed some implementations were third-party components in other software packages.
This vulnerability can end up exploited remotely (over an IP-based implementation) as well as from the local system (through a serial-based implementation).
Below is the noninclusive list of advisories that NCCIC/ICS-CERT created in conjunction with the vendors producing a patch or update to mitigate the reported vulnerability.
GE ICSA-13-297-02, Catapult Software ICSA-13-297-01, Alstom ICSA-13-282-01A, IOServer ICSA-13-161-01, IOServer ICSA-13-213-03, Kepware Technologies ICSA-13-226-01, MatrikonOPC ICSA-13-213-04A, Schweitzer Engineering Laboratories ICSA-13-219-01, Software Toolbox ICSA-13-234-02, SUBNET Solutions Inc. ICSA-13-252-01, and Triangle MicroWorks ICSA-13-240-01.
The outstation/slave can be put into an infinite loop or Denial of Service (DoS) condition by a specially crafted TCP packet sent from the master station on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the master station. The device must shut down and then restart to reset the loop state.
The master station can be put into an infinite loop by a specially crafted TCP packet sent from the outstation/slave on an IP-based network. If the device connects via a serial connection, the same attack can occur with physical access to the outstation. The device must shut down and then restart to reset the loop state.
As this vulnerability affects Internet protocol-connected and serial-connected devices, there are two CVSS scores.
For IP-connected devices, an attacker could cause the software to go into an infinite loop with a specially crafted TCP packet, causing the process to crash. The system must restart manually to clear the condition. The CVSS v2 base score is 7.1.
For serial-connected devices, an attacker could cause the software to go into an infinite loop, causing the process to crash. The system must restart manually to clear the condition. The CVSS v2 base score is 4.7.
The IP-based vulnerability is remotely exploitable, while the serial-based vulnerability is not. An attacker would need local access to the serial-based outstation.
An attacker with a moderate skill could craft an IP packet that would be able to exploit this vulnerability for an IP-based device.
An attacker with a high skill could exploit the serial-based vulnerability because physical access to the device or some amount of social engineering is required.
Because researchers identified this vulnerability with fuzzing tools, they said developers should use extensive negative testing during quality control of products. The researchers also suggest blocking DNP3 traffic from traversing onto business or corporate networks through the use of an IPS or firewall with DNP3-specific rule sets.
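Two passages on this page call for the same illustration: Eric Byres’s comment in the November 20 post above, which argues that a DPI firewall can drop any DNP3 message whose range stop index is below its start index regardless of payload, and this advisory’s advice that developers run extensive negative tests. The block below is an added example, written here and not taken from ICS-CERT, Crain/Sistrunk, Tofino Security or any vendor. It parses a DNP3 application-layer object header (group, variation, qualifier, start/stop range), enforces the stop-not-below-start check, shows the unsigned wraparound an unchecked count calculation produces, and runs a small table of constructed negative-test cases. Only the 8-, 16- and 32-bit start/stop range codes (qualifier low nibble 0, 1, 2) are handled; the sample bytes are constructed.

```python
"""Added example: DNP3 object-header sanity check plus negative-test harness.
Handles only qualifier range codes 0x0/0x1/0x2 (start/stop index pairs, little-endian).
Sample byte strings are constructed for illustration."""
import struct

# DNP3 qualifier low nibble (range specifier code) -> index width in bytes
RANGE_WIDTH = {0x0: 1, 0x1: 2, 0x2: 4}
UNPACK_FMT = {1: "<BB", 2: "<HH", 4: "<II"}


class MalformedObjectHeader(ValueError):
    """Raised for any header a DPI filter or hardened stack should drop."""


def parse_object_header(buf, offset=0):
    """Parse one object header at `offset`; return (header_dict, next_offset)."""
    if len(buf) < offset + 3:
        raise MalformedObjectHeader("truncated object header")
    group, variation, qualifier = buf[offset], buf[offset + 1], buf[offset + 2]
    prefix_code, range_code = qualifier >> 4, qualifier & 0x0F
    if range_code not in RANGE_WIDTH:
        raise MalformedObjectHeader(f"range code 0x{range_code:x} not handled here")
    if prefix_code != 0:
        # Range codes 0-2 carry packed objects without an index prefix.
        raise MalformedObjectHeader("object prefix not valid with a start/stop range")
    width = RANGE_WIDTH[range_code]
    end = offset + 3 + 2 * width
    if len(buf) < end:
        raise MalformedObjectHeader("truncated range field")
    start, stop = struct.unpack_from(UNPACK_FMT[width], buf, offset + 3)
    # The check that matters: `stop - start + 1` is the point count a stack
    # iterates over. With stop < start it is negative, or wraps to a huge
    # unsigned value, which is the runaway-loop condition described above.
    if stop < start:
        raise MalformedObjectHeader(f"stop index {stop} below start index {start}")
    header = {"group": group, "variation": variation,
              "start": start, "stop": stop, "count": stop - start + 1}
    return header, end


def naive_count(start, stop, bits=16):
    """What an unchecked implementation with unsigned arithmetic computes."""
    return (stop - start + 1) % (1 << bits)


def run_negative_tests():
    """Constructed fuzz-style cases. Every malformed header must be rejected and
    the valid control case accepted; returns the names of cases that FAILED."""
    cases = {
        # group 1 var 2, 16-bit range, points 0..9: the valid control case
        "valid": (bytes([1, 2, 0x01]) + struct.pack("<HH", 0, 9), True),
        # stop below start, 16-bit and 8-bit forms
        "inverted_16": (bytes([1, 2, 0x01]) + struct.pack("<HH", 10, 0), False),
        "inverted_8": (bytes([30, 1, 0x00, 0xFF, 0x00]), False),
        # range field cut short
        "truncated": (bytes([1, 2, 0x01, 0x00]), False),
        # range code this parser does not accept
        "unhandled_range_code": (bytes([1, 2, 0x0F]), False),
    }
    failures = []
    for name, (raw, should_parse) in cases.items():
        try:
            parse_object_header(raw)
            parsed = True
        except MalformedObjectHeader:
            parsed = False
        if parsed != should_parse:
            failures.append(name)
    return failures


if __name__ == "__main__":
    print("negative-test failures:", run_negative_tests())
    print("unchecked count for start=10, stop=0:", naive_count(10, 0))
```

A production filter would also have to pass the other legitimate range codes (no-range, count-only and variable-length forms) rather than dropping them, and would repeat the same kind of consistency check on each; the point of the example is that the decision rests on structural validity, not on a signature of any particular exploit.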
Monday, October 14, 2013 @ 05:10 PM gHale
The transportation and water and wastewater industry sectors endured large increases in the number of reported cyber security incidents in recent years, 160 percent and 60 percent respectively, a new report said.
One of the true barometers of the cyber health of the manufacturing automation industry, the Repository for Industrial Security Incidents (RISI) database published the 2013 Annual Report on Cyber Security Incidents and Trends Affecting Industrial Control Systems.
RISI is an industry-wide repository for collecting, analyzing and sharing information regarding cyber security incidents that directly affect industrial control and supervisory control and data acquisition (SCADA) systems. Industrial automation system suppliers, end-users and international government agencies and research institutes have relied on RISI since 2009 to provide them with insight into the trends affecting ICS security.
ICS and SCADA security have been serious concerns for more than a decade, but have come under increased scrutiny following the discovery of the Stuxnet virus in 2010, the Duqu virus in 2011 and the Shamoon virus in 2012. All of these viruses specifically targeted industrial control systems.
The 2013 Annual Report includes detailed analysis of the 240 incidents recorded in the RISI database ranging from 2001 through the end of 2012.
The analysis identifies where and when the incidents occurred while also identifying the types of incidents and the threat agents that executed them, including the methods and techniques used to gain entry. The financial and operational impacts on the “victims” also undergo analysis.
The report also includes detailed results and analysis from the second annual RISI Control System Security Benchmark Survey.
The survey data provides insight into the current state of control system security, especially when compared with the data regarding actual incidents.
In one case, RISI data indicates 33 percent of all ICS security incidents were the result of remote access. This finding gains support from the survey, in which 48 percent of respondents reported that remote access to the control systems is allowed at their facilities.
Friday, August 2, 2013 @ 03:08 PM gHale
By Gregory Hale
One of the many things Stuxnet taught the manufacturing automation world was operators cannot always believe what they see. That same axiom came true Thursday at Black Hat as researchers showed how easy it was to force a process out of control.
If you look at most standard DCS or SCADA networks, you can see the same type of basic design, but security still seems to be lacking, said Brian Meixell and Eric Forner, both researchers at Houston-based security provider Cimation during their session at the Black Hat conference in Las Vegas entitled, “Out of control: Demonstrating SCADA device exploitation.”
“Most firewalls are usually in place because a standard has told people to put them in, but they end up having an ‘anything can pass through.’ So there is no security there,” Meixell said.
That ends up being a very vital aspect as the two researchers were then able to demonstrate how they could work their way through a SCADA system without too much of a problem. “You don’t even have to go through the enterprise, you can just get to the system by going through a cell phone connection (in some cases),” Forner said.
But the way in to any system is through IP addresses found on the Internet, the researchers said.
One of the problems, Forner said, was the industry’s reliance on incredibly old Modbus/TCP protocol.
“Modbus is an ancient protocol, you never know what you are actually driving,” Forner said.
They could talk about the problem all day, but the researchers showed the proof was in the pudding as they conducted a demonstration where a process was bringing water into a tank. There was a level transmitter that would shut the system down when the fluid reached a certain level, but when they issued a few commands to get into the system, they essentially owned the process.
When that happened, all indicators showed the operator the tank was not at an overflow level and was actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.
“That could be oil or gas or some chemical leaking out of that tank,” Forner said.
“Because the operator saw something other than reality, when he goes to correct the problem, he may do something worse,” Meixell said.
“The operator is just doing what the PLC is telling him,” Forner said.
As an added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire.
These were not magic tricks used to take over a system; it was two guys who knew some of the ins and outs of a SCADA system making some solid basic moves.
That was an enlightening demo that showed just how fragile a system could be if the right layers of protection are not in play. Seeing is believing.