Mapping it out

In his presentation at S4, doctoral student Eireann Leverett presented his research showing how more than 10,000 Internet-accessible industrial control systems can be found online, including HVAC systems, building management systems, PLCs and other industrial systems. Here, Leverett shows a Google Map displaying the location of vulnerable ICS devices in North America.

More from Basecamp

The Project Basecamp presentation received a rousing response from the audience, many of whom are industrial control security experts who have long warned, quietly, about the woeful state of software security in the industry. But not everyone was enthused. Kevin Hemsley of ICS-CERT questioned Peterson about the decision to go public with the Project’s findings before notifying vendors. Here, Wightman presents his findings at S4.

Ladder logic

The devices tested by the Basecamp Project included the D20 PLC by GE, the Modicon Quantum by Schneider Electric, and devices from Rockwell and Koyo Electronics. Each device was tested using a number of additional attack vectors. Researchers attempted to upload custom firmware or so-called “ladder logic” to the device, looked for back door accounts, weak authentication and undocumented features that could be exploited, and fuzzed each device for vulnerable services. Here, a grid presents the results of the tests. A green check means the device passed the test.

(Not) making the grade

The researchers working on Project Basecamp found significant security issues with the programmable logic controllers (PLCs) they tested. Some PLCs were too brittle and insecure to even tolerate security scans and probing.

Security audits

A presentation on Project Basecamp was a highlight of the conference. The talk presented the findings of a volunteer-led security audit of leading programmable logic controllers (PLCs). The audit found that decrepit hardware, buggy software and pitiful or nonexistent security features make thousands of PLCs vulnerable to trivial attacks by external hackers that could cause PLC devices to crash or run malicious code. Here Reid Wightman of the firm Digital Bond shows a closeup of the Modicon Quantum PLC displaying a “fail” signal after researchers succeeded in crashing the device.

Examining Natanz

Langner was among the first independent researchers to argue that Stuxnet was designed to attack a specific target, namely the Iranian nuclear facility at Natanz. In recent weeks, his theory has been given a boost after the office of Iranian President Mahmoud Ahmadinejad issued publicity photos of the President’s visit to Natanz. Included in the photos, inadvertently, were shots of computer screens used to manage the centrifuges used for uranium enrichment.

Bits of code

Ralph Langner was a highlight of the S4 Conference, taking attendees through his detailed analysis of Stuxnet source code used to manipulate the Siemens 400 series programmable logic controllers (PLCs). This shows a snippet of the Stuxnet code on display during Langner’s talk.

Reading material

Stuxnet expert and industry gadfly Ralph Langner was in attendance at S4 this year, as he has been in past years. This year, however, Langner had a new book to promote: Robust Control System Networks – a kind of call to arms for the industrial control sector to respond to a ‘post Stuxnet’ world. Attendees got a free copy.

An exclusive gathering, the conference takes place in a single meeting room at Florida International University. Talks are short – most limited to around 30 minutes, with quite a few clocking in at around 15 minutes. The organizers also leave room for so-called unsolicited response sessions, where folks get up to pose questions to the group for debate. In all, it’s very collegial. This is a shot of the conference room at FIU during a presentation by Sean McBride of Critical Intelligence.
