Security researchers made good on a promise to release new exploits for programmable logic controllers (PLCs). The exploits include one targeting a flaw in the implementation of the EtherNet/IP (Industrial Protocol) used in many IP-enabled PLCs. The security hole, if left unaddressed, could enable a remote attacker to crash or unexpectedly reboot the devices, which are critical components of almost every industrial – and critical infrastructure installation.
The publication of new exploits is the second for Project Basecamp, a volunteer effort to call attention to the woeful state of security on many industrial control systems. It follows a release in January of exploits and automated testing tools for holes in products by GE and Schneider Electric, according to a post by Reid Wightman, a security researcher for the industrial consulting firm Digital Bond.
Along with the EtherNet/IP vulnerability, researchers disclosed vulnerabilities in
PLCs by leading industrial control vendors, including products from Rockwell Automation, Schneider, WAGO, Omron and others. They include hard coded administrative passwords in some versions of the Modicon Quantum PLC by Schneider Electric. Also, Koyo DirectLogic PLCs were found to be vulnerable to brute force password attacks because they lack a password lockout feature, Wightman wrote.
Two new modules for the penetration testing platform MetaSploit will automate tests for the vulnerabilities, according to Digital Bond. The EtherNet/IP vulnerability is the most serious and far reaching, said Dale Peterson, founder and CEO of Digital Bond.
“This is a case where the products that are affected are half insecure by design and half vulnerable,” Peterson said.
The vulnerability was found in the EtherNet/IP specification, which is managed by ODVA, an international association made up of the world’s leading industrial automation firms. As a result, the vulnerability affects any devices by those vendors which implements the ODVA standard for EtherNet/IP communications in its products. Wightman, writing for Digital Bond, said devices by Schneider Electric, WAGO, Omron, Opto 200, Phoenix Contact and ABB were found to be vulnerable, but the list of affected vendors and devices is likely much, much longer.
Using the exploit developed by Basecamp researchers, vulnerable PLCs can have their CPU stopped on command, have the Ethernet/IP controller disabled or be forced to reboot. Peterson said that commands causing PLCs to stop operating should have to be authenticated by the administrator before being executed, but that none of the vulnerable devices require that extra security step.
Firms in sectors ranging from manufacturing, to energy generation and distribution to water treatment are finding that industrial systems they long believed to be isolated from the public Internet are, in fact, accessible using tools like the Shodan search engine. Wightman, writing for Digital Bond, said that vulnerable systems by all three vendors mentioned in the latest release could be found using a search on the Shodan search engine.
Speaking with Threatpost, Peterson said that the fix for the EtherNet/IP vulnerability will be a long time coming, because it lies in the underlying specification for the protocol itself, not in any particular implementation of it.
“ODVA control that protocol, so Rockwell or other vendors can’t say ‘We’re going to ad security to the protocol.’ They have to raise a work item in ODVA and go through the whole process. And that hasn’t started yet.”
To compensate, Rockwell and other vendors will need to find ways to wrap the vulnerable protocol in an encrypted tunnel, and then push that change out to customers.
Peterson said he and the other Basecamp researchers continue to face backlash from vendors, customers and government officials over what many saw as a glaring example of irresponsible disclosure of security holes. Its an argument Peterson, Wightman and others reject. “Vendors have had forever-and-a-half in the world of computer security to respond,” Wightman wrote. Among other things, he noted that ‘major issues’ with the EtherNet/IP protocol have been known about by vendors and the U.S. Department of Homeland Security since at least 2009. Warnings about hard coded and back door accounts and weak password protections are even older, Wightman said, revealing that Basecamp researchers ignored a request by the U.S. Department of Homeland Security to hold off on releasing a module to exploit weak password protection in Koyo DirectLogic PLCs until the vendor had a chance to fix the flaw.
“Koyo has had three years to deal with existing problems, and have apparently done nothing to mitigate the oldest issue (unauthenticated/unsigned firmware upload), so I’m not sure that waiting is the Right Thing To Do. It certainly hasn’t worked so far.”
Peterson said he hopes that the revelations force vendors and the government to adopt a different attitude about disclosures: helping customers mitigate vulnerabilities rather than disparaging those who find them and providing guidance on what kinds of security features to demand of vendors.
“I’m a little disappointed that people are not upset that these devices are so insecure. There were a lot of people who said ‘Yeah we know that,’ but not too many people who stood up and said ‘This is terrible!’ and ‘We can’t live with this anymore,'” Peterson said.
Design flaws, not software coding errors are often the source of security problems in SCADA and ICS products, according to expert Ralph Langner of Langner Communications. Langner and other industrial control security experts have suggested that closer government oversight may be the only way to ensure better security for industrial control systems, given the failure of the market to address security weaknesses in products.
CORRECTION: An earlier version of this story incorrectly mentioned the EtherNet/IP (Internet Protocol). The story has been updated to refer to the correct name: EtherNet/IP (Industrial Protocol).