UPDATE: Project Basecamp, a volunteer effort to expose security holes in industrial control system software, unveiled new modules on Thursday to exploit holes in common programmable logic controllers (PLCs). The new exploits, which are being submitted to the Metasploit open platform, include one that carries out a Stuxnet-type attack on programmable logic controllers made by the firm Schneider Electric, according to information provided to Threatpost by Digital Bond, a private consulting firm that has sponsored the effort.
It was the third major release from researchers working for Project Basecamp and included three new modules for the Metasploit platform that can exploit vulnerable programmable logic controllers used in critical infrastructure deployments. The exploits rely on a mix of software vulnerabilities and insecure “features” of common programmable logic controllers, which serve a variety of purposes in industries as varied as power generation, water treatment, manufacturing and others.
“These modules make demonstrating the ease of compromise and potential catastrophic impact possible for owners/operators,” said Dale Peterson, founder and CEO of Digital Bond, in an e-mail.
The module affecting Schneider’s Modicon PLCs is of particular interest, he said. The module, which has been added to the Metasploit Framework, a free penetration testing tool that is owned and managed by the security firm Rapid7, is capable of uploading and downloading so-called “ladder logic” from Modicon PLCs.
Ladder logic is a programming language used to create software programs for PLCs that graphically represents a program based on the circuit diagrams of relay logic hardware. The Stuxnet worm, which attacked S7 model PLCs by Siemens, loaded ladder logic created by the worm’s authors to replace the existing logic on the S7 PLCs, which was used to control centrifuges for enriching uranium.
The new Basecamp module shows that downloading the ladder logic from the Modicon Quantum PLC is trivial, because the PLC does not require authentication.
“It is a bit baffling and a failure by all in the ICS community that 571 days have passed since Ralph Langner exposed the PLC attack nature of Stuxnet and there is still almost total inaction on the ladder logic upload/download authentication issue — and by extension the critical command authentication issue,” Peterson wrote on the Digital Bond Web site.
“Anyone with network access can do it,” Peterson said. “An owner/operator with a Modicon Quantum can have no assurance of the integrity of their SCADA or DCS.”
The new module includes a blank that will overwrite the PLC’s existing ladder logic as a proof of concept. In an actual attack, however, an attacker – probably with the assistance of a process engineer – would analyze the captured ladder logic, write a modification and then upload his rogue ladder logic to the compromised device, Peterson wrote in an e-mail.
Metasploit modules that work with industrial control systems are a relatively new addition to the framework, which was developed in 2003 as a free and open source tool for testing the security of remote systems.
“This module is a great way to show owner/operators that a Stuxnet-like attack is not that difficult,” Peterson wrote. “The only thing difficult about the Stuxnet modification of the PLC was (that) the ladder logic they developed to load into the S7 was quite sophisticated.”
Peterson said that many owner/operators of critical infrastructure that use PLCs have not held vendors’ feet to the fire on security.
“We remain baffled that post-Stuxnet owner/operators did not demand vendors address this problem. We can only assume that they do not understand the risk, and how easy it is to modify PLC programming. This is why we created this Metasploit module.”
Peterson said that the Metasploit module affecting Schneider’s PLC merely takes advantage of a feature of the product, and a lack of native security protections. “They are how it is suppose (sp) to work. There is nothing to disclose,” he told Threatpost. “It is insecure by design because they have chosen not to provide effective authentication of these very powerful commands.”
The prevalence of industrial control systems that are ‘insecure by design’ has been a focal point for security researchers in the wake of the Stuxnet worm, which used a hard-coded password in Siemens management software to compromise target systems. Siemens was put in the uncomfortable position of having to instruct customers not to change the password even as the Stuxnet worm spread, for fear of crippling the S7 management software.
Peterson said that he found it discouraging that, more than a year after Stuxnet was identified, there has been little movement to fix other insecure features in common industrial control platforms.
“Stuxnet should have been a clear example to Schneider of the danger of this,” he said.
The Project also released a module that can be used to stop a Modicon Quantum PLC from operating using a single packet sent to the device. A third module targets GE’s D20 PLC and takes advantage of a buffer overflow affecting the TFTP service on the D20. That hole was disclosed at the S4 Conference.
Project Basecamp was launched at the S4 Conference in Miami in January with exploit modules for PLCs by Schneider, GE, Rockwell and Koyo. Researchers followed that with a February 14th release of exploits for ICS software and hardware by Rockwell Automation, Schneider, WAGO, Omron and others.
The project has stirred controversy within the small world of industrial control sector software development, with vendors accusing the researchers of conducting irresponsible disclosure. Peterson said that neither Schneider nor GE had been contacted by Project Basecamp, but that both of the Modicon exploits merely took advantage of features of the products, while the GE vulnerability has been public for more than two months. “Schneider had no interest in talking to us about Basecamp,” he said of the Modicon exploits.