Siemens S7 programmable logic controllers, the same PLC family exploited by the Stuxnet malware, are in the crosshairs of a password-cracking tool that is capable of stealing credentials from industrial control systems.
PLCs are microprocessors that automate mechanical processes inside factories, including critical infrastructure utilities and manufacturers. The S7 protocol in question provides password-protected communication between engineering stations, SCADA systems, HMI interfaces and PLCs.
At the recent Digital Bond SCADA Security Scientific Symposium (S4), researchers at SCADA Strangelove presented a new offline brute-force password cracker for S7 PLCs, along with proof-of-concept code.
ICS-CERT issued an advisory warning organizations running the PLCs in question of the availability of the tool.
“A password can be obtained by offline password brute forcing the challenge-response data extracted from TCP/IP traffic file,” the ICS-CERT advisory said. “This report was released without coordination with either the vendor or ICS-CERT.”
ICS-CERT said it has notified Siemens of the vulnerability and asked it to verify the attack vector and recommend mitigations.
The tool, written in Python, requires an attacker to be on an adjacent network in order to capture TCP/IP traffic. “The possibility exists that this code may be modified to be used against other vendor products,” ICS-CERT said.
In the meantime, ICS-CERT recommends that operators isolate control systems from business networks, ensure they are not Internet-facing and, if remote access is required, install a VPN to provide a secure connection.
This is the latest public blow to the security of SCADA and ICS devices. ICS-CERT recently released a report with some details on malware infections at a pair of power plants. In both cases, USB drives were used as the attack vector to infect control systems with malware.
In one case, an IT staffer at the plant used an infected USB stick to back up control system configurations; the removable drive infected more than a dozen engineering workstations. In the other incident, ICS-CERT reported that 10 machines were infected with malware from a USB drive used during a software update. The infected USB drive delayed the plant restart by three weeks, ICS-CERT said.
Since Stuxnet, plenty of attention has been focused on the security of SCADA and industrial control systems. For example, researchers at InfraCritical were able to find thousands of Internet-facing devices linked to U.S. critical infrastructure by using specially crafted search terms for the Shodan search engine. Bob Radvanovsky and Jacob Brodsky wrote automated scripts for Shodan, a search engine specifically developed to find ICS and SCADA servers, routers and networking gear sitting on the Internet. With some help from the Department of Homeland Security, an initial list of 500,000 devices was pared down to 7,200, many of which required online logins protected by default or poorly crafted passwords.
“The biggest thing is we are trying to assign a number–a rough magnitude–to a problem plaguing the industry for some time now,” Radvanovsky told Threatpost. “Until you identify the scope of a problem, no one takes steps to change things.”