Users Need to Push Security

Monday, December 19, 2011 @ 04:12 PM gHale


Editor’s Note: This is an excerpt from Eric Byres’ Practical SCADA Security blog at Tofino Security.

By Eric Byres

Earlier this month, Rubén Santamarta released details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module. These are serious vulnerabilities, involving hard-coded passwords that give an attacker complete access to the device.

“These accounts let a user do anything to the device — they all have the same privileges,” said security professional Reid Wightman. “By anything, I mean: you can upload a new firmware to the device and use the Ethernet module in a Modicon as a general-purpose computer. Want to run Linux on it? That’s possible. Want to install extra tasks in the vxWorks image to, say, randomly twiddle input and output data? Also possible. It takes time, but it isn’t rocket science.”


Leaving aside the technical issues involved and how to mitigate these vulnerabilities, there are a number of interesting lessons to take from this event.

First, this has been one SCADA/ICS vulnerability disclosure where all the parties involved seem to be doing their best with a bad situation. Santamarta did share this information in advance with the ICS-CERT and Schneider Electric, giving Schneider several months to produce patches.

“I would like to thank the ICS-CERT and the Schneider security team, they have taken these issues very seriously and are working on a patch,” Santamarta said. “During the process they have been keeping me updated on every decision/progress.”

When the ICS-CERT Alert was published last week, it included a list of other Schneider products that had the same vulnerability, but which Santamarta had not discovered. That is a nice bit of openness on Schneider’s part – something that has been lacking from previous disclosures we have seen.

Schneider produced patches for two of the vulnerabilities in several of the products very quickly. It might seem like creating a patch should be easy, but in the embedded controller world it isn’t. Responsible vendors have to follow extensive quality assurance processes to ensure that patches don’t impact all the existing products in the field, and that takes time. After all, security isn’t the only consideration for a PLC; safety and reliability matter just as much (if not more). If rushed patches make customers nervous about possible downtime, they just won’t install them. That defeats the whole purpose of patches in the first place.

I am disappointed Santamarta released this disclosure before all the patches were ready. I don’t know what his timeline is, but would another month have made any difference? And making a disclosure as serious as this one two weeks before the holiday season? Even if all the patches were ready, most companies would not install them until the new year. So all this will achieve is giving every bad guy in the world three weeks to penetrate their favorite critical infrastructure, knowing that it won’t be secure until 2012 at the earliest.

But what has me worried the most is not hearing from the end users. They seem to be silent. I hear lots of yelling from the security researcher community, but the users of PLCs have said nothing. They don’t seem to be demanding security in their RFPs and they haven’t called out to their suppliers. The engineering and design teams for any vendor can only spend time on the features that customers demand. Everything else is a “nice-to-have”.

It is time that the ICS/SCADA end users start to make their voices heard regarding security. Until they make security part of their buying decisions, we can’t expect secure control system products.

Eric Byres is chief technology officer at Byres Security. The full version of this post is available on the Practical SCADA Security blog.
