A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations.
Researchers Adam Crain and Chris Sistrunk demonstrated several weaknesses in vendor implementations of the DNP3 communication protocol in a number of products during the S4 Conference last week. The flaws, many of which have been patched, demonstrate how an attacker could target a non-critical, serial-based piece of field equipment at an electrical substation and knock out visibility over all of a utility’s substations. The vulnerabilities in some DNP3 implementations could allow attacks against master control systems from a field device by sending a malicious frame, or message to the control system.
“What’s different about our research is that most have focused on actual field devices—devices in substations or devices on poles—and 50 percent of our testing was on the master systems, things that communicate to all of the field devices and bring that data back to the operations center,” Crain said. “The difference is, if you had access, here you could knock out visibility to a whole system, hundreds of substations, by affecting one or two servers that are monitoring all of that.”
An attacker would need to be targeting a particular utility and gain physical access to a substation in order to drop code on a serial-based field device. While regulations spelled out by the North American Electric Reliability Corp. (NERC) cover TCP/IP communication between devices, the same isn’t true for serial-based communication.
“Where serial lines come into a master station, for instance, they won’t have the same level of protection that a TCP/IP-based connection would have,” said Michael Toecker, an ICS security consultant and engineer at Digital Bond. “There’s a complete regulatory blind spot there in the current version of the NERC standards.”
Toecker said the current NERC standards were developed shortly after the 2003 blackout in parts of the United States and they haven’t been updated according to new threats and vulnerabilities since their full implementation in the 2006 timeframe. And until the Stuxnet attack in 2010, Toecker said, there had been a relative quiet period around electric utility security. Stuxnet, however, has sparked a renewed interest in critical infrastructure cybersecurity.
“I think Stuxnet proved that: 1) there was a case for going after industrial control systems; 2) there was an impact in going after industrial control systems; and 3) showed that the devices and protocols were a valid target,” Toecker said. “And that caused interest in the security research community and they found this place is rife with vulnerabilities, low-hanging fruit.”
Crain and Sistrunk hope their research, which stems from a fuzzing tool developed by Crain called Project Robus, will spark a renewed interest in updating this part of the NERC standards. Plenty of work has been done investigating SCADA and ICS vulnerabilities, including Project SHINE, which is an enumeration of vulnerable control system equipment exposed online and reachable using the Shodan search engine. Those projects, however, don’t necessarily focus on master control systems, rather they concentrate on smaller field devices that could have a Web-enabled interface that is protected with just a default or weak credential.
Some of the non-critical devices Crain and Sistrunk talked about at S4 rely largely on physical security to keep them safe, and are not covered by NERC regulations. Initiatives such as the Smart Grid are all about pushing intelligence away from substations and into areas where it may not be practical to have adequate physical security.
“No camera. No fence. Just a lock pick away from somebody getting at that cabinet and then affecting visibility for a huge subset of the distribution system,” Crain said.
DNP3 is the primary SCADA protocol used for electricity distribution in North America, Crain said. The majority of electric utilities use the protocol for some portion of their SCADA infrastructure, pulling measurements from field devices and the ability to send controls to the field, he said.
“As far as the digital controls on critical assets that communicate to random substations, if it’s done over IP, there’s capability there to put in place protections, things like deep packet inspection,” Toecker said. “The problem exists on the serial side; I’ve yet to see any technology that looks directly at the bare serial protocol and looks for these types of events. There are ways to re-architect systems to look at these things, I’m not sure everyone’s done it.”
Crain and Sistrunk’s research has resulted in 15 advisories being issued by the ICS-CERT, all around DNP3 and all found using Crain’s Project Robus fuzzer; the fuzzer will be released as open source, Crain said, and said that soon it will also be scanning for other protocols beyond DNP3.
“We have not found anything that would suggest there is anything wrong with the specification,” Crain said. “These are all bugs in implementations from various vendors. There were two vendors we tested out of the 30 products where we didn’t find any detectable vulnerabilities. So at this point, it’s possible to implement the standard without a security or robustness defect.”
In the meantime, Toecker said the industry is still in the beginning stages of creating a standard for serial-base network security for electric utilities. NERC, Toecker said, takes its direction from the Federal Energy Regulatory Commission (FERC), which has mandated discussions on the topic, but a new set of regs could be as far as a year away.
“We’re in the very beginning stages of addressing these concerns from FERC,” Toecker said. “Stay tuned.”