The media storm over the Stuxnet worm may have passed, but many of the software holes that were used by the worm remain unpatched and leave Siemens customers open to a wide range of potentially damaging cyber attacks, according to industrial control system expert Ralph Langner.
Writing on his personal blog, Langner said that critical vulnerabilities remain in Windows-based management applications and software used to directly manage industrial controllers by Siemens Inc., whose products were targeted by the Stuxnet worm.
Siemens did not immediately respond to a request for comment on Langner’s statement.
Langner, a principal and founder of Langner Communications GmbH is an independent expert on industrial control system security. He was among the first to connect the Stuxnet worm to an attack on uranium enrichment facilities within Iran. He was also among those who pinned responsibility for the attack on the United States and Israel.
Langner’s company sells security software and services to firms in the industrial control field. In the past, he has been critical of both the media coverage of the Stuxnet worm and of Siemens response to revelations that software vulnerabilities and other structural weaknesses in its products contributed to the creation of Stuxnet and the success of the attack.
Writing on his blog on Tuesday, Langner said that the media paid too much attention to the four, zero day Windows vulnerabilities that enabled the Stuxnet worm, but overlooked the other security holes used by the worm. Unlike the Windows vulnerabilities, which Microsoft quickly fixed, many of the holes in Siemens’ products remain unpatched, he contends.
Langner enumerates three types of exploits used by Stuxnet – only one category of which (Windows operating system exploits) have been closed. The other two are Windows applications exploits aimed at Siemens Siemens Simatic Manager and the Siemens WinCC SCADA application, and controller exploits aimed at Siemens S70-300 and 400 series controllers.
In the case of the Siemens Windows-based management software, attackers could use a combination of strategies to compromise these vulnerable components, including a hard coded password in the WinCC product that was leveraged by Stuxnet. Siemens famously advised customers not to change that password out of fear that doing so would disrupt communications between WinCC and its back end database. Langer says that Stuxnet combined the hard coded password backdoor with SQL injection attacks to compromise systems running WinCC. Without a software fix, other attackers could also follow in Stuxnet’s footsteps: hijacking a Siemens driver or tricking the software to run arbitrary code placed in engineering folders used by the products.
Even more serious are unpatched and exploitable vulnerabilities on the controllers themselves. Langner said this category of vulnerability “opens the door to extremely aggressive attacks that do not have to be nearly as surgical as it (sp) was seen in Stuxnet.”
Stuxnet has provided a model that less sophisticated hackers can copy in future attacks. Attackers could, for example, learn from Stuxnet which code to insert into the vulnerable controller to freeze it in its current operating state. Such an attack would be hard to detect and require little knowledge of how the Siemens S7 controllers actually work. Fixing the holes is also difficult, because they are considered “features” of the Siemens controllers, rather than security holes, Langner said.
Siemens customers have few choices to protect vulnerable installations. One is to use white listing technology to prevent unauthorized applications from running on the systems that are also running the Siemens software. However, firms using industrial control systems haven’t necessarily purchased white listing tools, and not all whitelisting products recognize and support the Siemens applications.
Beyond that, Langner said Siemens should update its industrial control products to recognize and support digitally signed code, preventing rogue attack code from being run by the devices.
Long overlooked by malicious hackers, firms managing critical infrastructure and the vendors that serve that market now find themselves in the cross hairs of security researchers, as well as sophisticated cybercriminal groups and nation-state sponsored hackers. Both have been buffeted by reports of serious security holes in recent years that revealed a laissez faire attitude towards IT security.
To that point, Langner said that even the patched Windows holes could be used to attack
Siemens customers. Exploits for those holes are now part of commonly
available penetration testing tools like Metasploit and Canvas, and its likely that some Siemens customers have applied the patches to vulnerable
systems. Siemens customers should be very concerned about attacks and warned against the complacency that might result from coverage of Stuxnet’s uniqueness and complexity.
“Operation Myrtus required one or two geniuses to design Stuxnet,” he warns. “Understanding and copying the design can be achieved by average engineers. Even worse, the design AND PRODUCTION process can be packaged into a software tool , enabling immoral idiots and geniuses alike to configure highly aggressive cyber weapons.”