Miami, Florida - A no-holds barred presentation at the S4 Conference laid bare the woeful state of security for many industrial control systems that power the world’s critical infrastructure. Organizers have also cooperated with security scanning firms Rapid7 and Tenable to release modules for the Metasploit and Nessus products that can test for the discovered security holes.
The talk presented the findings of “Project Basecamp,” a volunteer-led security audit of leading programmable logic controllers (PLCs). The audit found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code.
Dale Peterson, CEO of SCADA security firm Digital Bond Project Basecamp to FireSheep, the browser plugin that laid bare vulnerable Web sessions. That demonstration , at the 2010 TorCon Conference, highlighted weaknesses in the security of Web sessions that had been discussed within security circles for years and made it easy for even non-technical users to hijack user sessions on Facebook, Gmail and Twitter.
“We were looking for a firesheep moment in PLC security,” Peterson told the audience of ICS security experts.
They got one. The project assembled some of the top ICS security researchers, including Dillon Beresford, an independent researcher who has uncovered security holes in Siemens Simatic systems, as well as Ruben Santamarta, an independent security researcher based in Europe, Reid Wightman, an ICS security consultant at Digital Bond, Jacob Kitchell of the firm Industrial Defender, as well as two researchers who chose to work anonymously.
The group tested PLC devices from a number of different vendors.
Programmable Logic Controllers are a kind of general purpose computing system that are used to control a wide range of mechanical systems – from water pumps to elevators to building ventilation systems. PLCs are designed for a wide variety of inputs and outputs and can operate in rugged environments. The Stuxnet worm, which targeted a uranium enrichment facility within Iran, was programmed to modify the behavior of PLCs manufactured by the German firm Siemens that were being used to operate highly sensitive centrifuges within the Iranian facility in Natanz.
The devices tested by the Basecamp Project included the D20 PLC by GE, The Modicon Quantum by Schneider Electric, Rockwell and Koyo Electronics. Each device was tested using a number of additional attack vectors. Researchers attempted to upload custom firmware or so-called “ladder logic” for the device, looked for back door accounts, weak authentication, undocumented features that could be exploited and fuzzed each device for vulnerable services.
The results were not encouraging.
“It’s a blood bath mostly,” said Wightman of Digital Bond. “Many of these devices lack basic security features.”
While the results of analysis of the various PLCs varied, the researchers found significant security issues with every system they tested, with some PLCs too brittle and insecure to even tolerate security scans and probing.
The D20 ME PLC by GE – a widely deployed industrial system – fared the worst. Wightman’s analysis of the device, which retails for around $15,000, revealed that the D20 relied on both hardware and firmware that was more than two decades old and was rife with hidden “back door” administrative accounts, remotely exploitable vulnerabilities and absent any security controls. Among other things, the D20 allows any attacker who knew the IP address of a device and the proper command to download the device’s configuration file. That file, in turn, can be used to obtain account usernames and passwords for accessing its administrative interface.
The D20 also fared poorly when it came to “fuzzing” – testing to uncover exploitable software vulnerabilities. Wightman found buffer overflow vulnerabilities associated with many of the services running on the D20. Attempts to scan the device using conventional tools, such as Nessus, caused the device to crash.
Those attempting to test the device should use “kid gloves,” he said, because the D20 was so prone to unexpected crashes.
Wightman called the results of the tests “shameful,” and that statements from GE suggest that fixes for any of the issues raised are unlikely, because of the age and fragility of the hardware used in the device.
GE wasn’t the only vendor whose products missed the mark. An analysis of the Koyo DirectLogic PLC revealed a weak, 8 byte password implementation and no password timeout to protect against brute force login attempts. Furthermore, an integrated Web server lacked any authentication protections at all, meaning that any user who could access the DirectLogic PLC could access the integrated Web server, modifying the IP address of the device, changing e-mail alert settings and so on.
The Modicon Quantum PLC turned up a raft of problems including serious buffer overflows in an embedded HTTP server and an FTP server buffer overflow that was documented a decade ago. The device was also rife with hardcoded backdoor administrative accounts – 12 in all.
To help push changes, the researchers also collaborated with security firms Rapid7 and Tenable to create modules to test for vulnerable PLCs.
Rapid7 on Thursday announced new modules targeting General Electric’s D20 PLCs. One would allow Metasploit Framework users to connect to the embedded TFTP server on the D20 and download the configuration file for the device, then parse the plaintext username and password values for the PLC users from it. A second module would demonstrate an asynchronous backdoor functionality in the D20 via the TFTP interface that would allow anyone who could connect to the TFTP server to issue a command by writing to a special location on the filesystem.
Tenable announced seven new plugin modules for its Nessus scanner for the GE D20, Schneider Modicon Quantum and SEL 2032 SCADA PLCs or controllers. Tenable said the new plugins will identify insecure PLC configurations that would allow an attacker to take control of a critical infrastructure such as the electric grid, an oil pipeline, a chemical manufacturing plant or water treatment plant.
The presentation received a rousing response from the audience, many of whom are industrial control security experts who have long warned, quietly, about the woeful state of software security in the industry. But not everyone was enthused. Kevin Hemsley of ICS-CERT questioned Peterson about the decision to go public with the Project’s findings before notifying vendors.
But organizers argued that most of the security problems they discovered were features and design flaws that have long been known to manufacturers, not hidden software vulnerabilities.
“We’re talking about backdoors and the TFTP service. A large percentage of these vulnerabilities the vendor already knows about and has chosen to live with, so this is not news to them,” said Peterson of Digitalbond.
The best way to avoid uncomfortable diclosures, he suggested, is to do a better job making secure products.
“The truth is that whoever finds the (security flaws) gets to decide what to do with them,” Peterson of Digital Bond responded. Peterson also took a jab at Siemens and the Department of Homeland Security for applying last minute pressure on security researcher Dillon Beresford to cancel a talk at TakeDownCon about a similar collection of undisclosed holes in Siemens PLC products. Beresford eventually gave the talk at the Black Hat Briefings. “We heard about DHS and Siemens visiting Dillon in Houston. Maybe we just wanted a Good night’s sleep,” said Peterson.
Hemsley of ICS-CERT said that vendors were notified of the Basecamp Project’s findings and that ICS-CERT and the vendors would be working on addressing the issue. While declining to comment specifically on the group’s work, Hemsley said that he was concerned that many of the flaws concerned hardware-based and design flaws that would be much more difficult to address than software based vulnerabilities.
“That’s my concern,” he said.