SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at the Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.
Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there are many news on Dugu worm.
News around one month ago told that SCADA hack shut down a US water plant at 8 November 2011. This hacking attack at a US water plant has been credited to an unknown attacker (handle “pr0f” took credit) who according to hacker sources managed to access a SCADA controller and take over systems. Once again caused security experts to question the security of SCADA systems. Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com. On the other hand Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What is the truth in this case it is hard to say.
What is known that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers according to Siemens industrial control systems are vulnerable to attack that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with the normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated.
White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.
Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long the the networks that run those protocols are kept physically separate from public network you are quite safe. For the most part SCADA systems are not necessarily designed to be connected to the internet, but engineers can put in workarounds for remote access. Anytime you do this you put in a pathway where someone can get in. And there are often case where remote devices are accessed using those non-secure protocols though unsafe networks (public telephone network, cellular network, radio waves, even Internet).
There has been long time the belief that SCADA systems have the benefit of security through the use of specialized protocols and proprietary interfaces (security through obscurity), networks are physically secured and disconnected from the Internet. Today those beliefs all do not hold anymore. There are nowadays you can find many tools on Internet to work with standard SCADA protocols (for example Wireshark can be used to decode several commonly used SCADA protocols).
The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can be withstand the situation they are accidentally connected to Internet (it will happen sooner or later). In addition to making SCADA system itself secure, you should separate it from Internet (no connection at all or very strictly configured series of firewalls). FACT CHECK: SCADA Systems Are Online Now article tells at nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.
Most of SCADA systems in use are are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system version. Windows is very commonly used operating systems on SCADA applications, because only few SCADA-packages support other than Windows operational systems. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminated some of the risk (and maybe created new risks caused by fact that anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.
I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.
FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story on Boeing 747 (For those who do not know, modern 747′s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 – VLANs. The security researchers managed to break the VLANs and access other systems (including Engine management systems). The issue here is that all that separated the engine control systems and the open network was VLAN and NAT based filters.
256 Comments
Tomi Engdahl says:
Siemens Patches Several Flaws in Teleprotection Devices
http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices
Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.
The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.
According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.
The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).
Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).
The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.
Tomi Engdahl says:
Industrial Cybersecurity Startup SCADAfence Secures $10 Million
http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million
Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round.
The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.
SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.
Tomi Engdahl says:
Jim Finkle / Reuters:
“Triton” malware, likely the work of a nation-state, found in Schneider Electric industrial safety systems often used in nuclear, oil and gas plants
Hackers halt plant operations in watershed cyber attack
https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271
Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.
FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).
Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.
Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.
Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant
“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”
The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.
EcoStruxure™ Triconex Safety Systems
https://www.schneider-electric.com/b2b/en/products/industrial-automation-control/triconex-safety-systems/