An alert from the Department of Homeland Security late last week urges private- and public-sector industrial control system (ICS) owners to be proactive in auditing the security of their systems, particularly their authentication controls. The alert responds to growing concern over the number of exploit tools available online that target the ICS and SCADA systems responsible for running critical infrastructure, as well as an evolving interest from hacktivists who are using specialized search engines to find control systems reachable online.
“Asset owners should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities,” the alert cautioned.
DHS identified the ERIPP and SHODAN search engines as those being used to find Internet-facing ICS devices and management consoles. This, in combination with a high number of new exploit kits available since February, has DHS on edge regarding the safety of these systems.
“Asset owners are encouraged to query various search engines using the vendor product, model, and version of a device, to determine if their IP address block is found within the search results,” DHS advises. “If control systems devices are found using these tools, asset owners should take the necessary steps to remove these devices from direct or unsecured Internet access as soon as possible.”
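One way to act on this advice, as an added example that is not part of the DHS alert or the original article: take an export of search-engine hits for a vendor/product query and report which of them fall inside your own address blocks. The CSV column names, the address blocks (documentation ranges) and the product banners are constructed assumptions.

```python
import csv
import io
import ipaddress

# Constructed inventory: blocks the asset owner is responsible for
# (documentation ranges, not real assignments).
OWNED_BLOCKS = ["192.0.2.0/24", "198.51.100.64/26", "2001:db8:10::/48"]

# Constructed export of search-engine hits for a vendor/product/model query.
# Column names are an assumption; adapt them to the export you actually have.
SAMPLE_EXPORT = """ip,port,banner
192.0.2.17,44818,ExamplePLC model-A fw 1.2
203.0.113.9,44818,ExamplePLC model-A fw 1.2
198.51.100.70,80,ExampleHMI web console
198.51.100.130,80,ExampleHMI web console
2001:db8:10:4::21,502,ExamplePLC model-B
not-an-ip,502,corrupted row
"""

def find_exposed_assets(export_text, owned_blocks):
    """Return (exposed, rejected): hits inside owned blocks, and unparsable rows."""
    networks = [ipaddress.ip_network(b) for b in owned_blocks]
    exposed, rejected = [], []
    for row in csv.DictReader(io.StringIO(export_text)):
        try:
            addr = ipaddress.ip_address((row.get("ip") or "").strip())
            port = int(row.get("port") or "")
        except ValueError:
            rejected.append(row)  # keep bad rows for manual review, never drop silently
            continue
        # First owned block containing the address; IPv4/IPv6 mismatches never match.
        block = next((n for n in networks if addr in n), None)
        if block is not None:
            exposed.append({"ip": str(addr), "port": port,
                            "block": str(block), "banner": row.get("banner", "")})
    return exposed, rejected

def summarize_by_block(exposed):
    """Group exposed (ip, port) pairs by owning block for the remediation ticket."""
    summary = {}
    for hit in exposed:
        summary.setdefault(hit["block"], []).append((hit["ip"], hit["port"]))
    return summary

if __name__ == "__main__":
    hits, bad = find_exposed_assets(SAMPLE_EXPORT, OWNED_BLOCKS)
    for block, endpoints in summarize_by_block(hits).items():
        print(block, "->", endpoints)
    print("rows needing manual review:", len(bad))
```

Every address the script reports is a device to pull behind a firewall or VPN, as the alert recommends; rejected rows are kept so that a malformed export cannot hide a hit.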
On Valentine’s Day, exploit kits were made publicly available that target programmable logic controllers for industrial control systems from GE, Rockwell Automation, Schneider Electric and Koyo. Another exploit was built for the Ethernet/IP protocol used by a number of PLC vendors that could cause these systems to shut down.
“Easy access to free or low cost exploit tools has dramatically lowered the skill level required for novice hackers and has likewise reduced the development time for advanced attackers,” said DHS.
ICS owners should double-check device configurations and determine whether systems are reachable online. Many owners have Internet-accessible devices without knowing it, DHS said. DHS recommends owners isolate control system networks and devices behind firewalls and keep them separate from business networks. There should also be a VPN governing remote access to these systems. Default system accounts should be removed or renamed. Strong passwords and lockout policies should also be in place, DHS said.
All of this comes on the heels of the discovery of a backdoor in the CoDeSys ladder logic system used by 261 PLC manufacturers to execute ladder logic. Reid Wightman, a researcher with IOActive and a former engineer at Digital Bond, found the backdoor, which could give an outsider a command shell without the need for authentication. An attacker with such access could read or write files to the PLC, Digital Bond said.
The affected vendors have been notified, but according to the Digital Bond blog post, updated code that some vendors already have in place has not properly addressed the vulnerability.
“We are talking about 261 vendors with different OS and different versions of the runtime so it will take a while to work out of this insecure by design problem,” Digital Bond said.
The post adds that Digital Bond plans to add the code to Metasploit.
The generally poor state of SCADA and industrial control system security is no secret. The Stuxnet attack on Iranian uranium enrichment facilities thrust it into the open in 2010, and since then the cry to batten down these systems has only gotten louder.
Recently, SCADA product manufacturer Telvent disclosed its network had been attacked and hackers had altered files used on networks managing smart grid deployments. Schneider Electric, Telvent’s parent company, is one of the vendors actively being exploited by new malware, DHS said.
In July, Siemens announced it had patched vulnerabilities in its Simatic STEP 8 and PCS 7 software that could have allowed attackers to remotely launch code on compromised systems via a malicious DLL.
In February, researcher Terry McCorkle called the state of ICS security “laughable” during a presentation at the Kaspersky Lab Security Analyst Summit. He presented research he and Billy Rios of Google conducted. The goal was to find 100 bugs in 100 days; they instead found more than 1,000, 95 of them easily exploitable, including buffer overflow vulnerabilities, SQL injection flaws and other Web-based vulnerabilities primarily affecting Human Machine Interfaces that translate SCADA data into a visualization of a critical infrastructure.