SAN JUAN, Puerto Rico – The world of SCADA and industrial control system vulnerabilities is starting to mirror that of IT security, not only in the demonstration and exploitation of zero-day vulnerabilities, but in the brokering of flaws and exploits between hackers and organizations interested in buying research.

Today at the Kaspersky Security Analyst Summit, two researchers known for finding more than 1,000 vulnerabilities in Internet-facing industrial control systems, demonstrated a zero-day in vendor Tridium’s Niagara Framework, which is used to run building maintenance systems including elevators, HVAC, video surveillance systems and more.

The vulnerability was reported by Cylance researchers Billy Rios and Terry McCorkle in January 2012 and has yet to be patched; Rios and McCorkle said they’ve been working with Tridium, which acknowledged the flaw in April. Tridium, the researchers said, is expected to release a fix soon.

No details were released on the vulnerability, but from the demonstration, they were able to get root access to the Tridium device. The key was the ability to access a file (config.bog) that holds all the configuration files for the Niagara device. They were able to access to the framework’s station, which is the interface admins interact with to manage whatever the device is running. From there, they exploit a privilege escalation bug in order to get access to the platform level of the device stack which runs on Java. Once there, an attacker is able to own and interact with the device.

“Once you own the platform, you own everything the whole stack down,” McCorkle said. “You can do what you want to the OS, communicate to devices hooked up to it, anything.”

SCADA and ICS vulnerabilities pose risks not only to critical infrastructure, but every day services. These proprietary systems were purpose-built and most were not meant to be connected to the Internet. Many, however, have administration consoles that are Internet-facing, and can be found using search engines such as Shodan which was built for the purpose of finding servers, network gear and more that are exposed online, usually with default, or weak authentication.

And much like how zero-days for Microsoft and Adobe products, for example, are sold exclusively to governments or large organizations by researchers or companies that act as vulnerability brokers, the same environment exists for SCADA and ICS bugs.

“I got done presenting at a conference in D.C. and folks from respectable organizations were asking us why we’re giving away free software quality assurance to vendors,” Rios said. “Essentially what they mean is ‘Why don’t you give that stuff to us for money?’ There’s that market and a lot of people don’t realize that exists. And then there’s the underground, the black market. If folks are so brazen to walk up to researchers and say ‘Hey sell us your research,’ there’s probably a lot of activity going on.”

Unlike enterprise IT security, for example, where there is awareness of the need for incident response and security monitoring, that same dynamic doesn’t exist for SCADA and ICS operators, who often view legitimate security researchers in a negative light.

“The folks in the IT security world, they’re pretty battle hardened right now,” Rios said. “They see the news of people getting owned and passwords being robbed, now there are solutions where you can get intelligence and guidance and software to address their needs. That’s huge for them. That doesn’t exist for ICS guys.”

Most operators are engineers and operate outside the security realm.

“That world was not built for them and it’s not easily accessible to them,” Rios said. “When they see folks bashing on a product, they think we’re the bad guy. That’s not the case.”

Rios and McCorkle said there were three major problems with the Niagara Framework they addressed with Tridium, namely weak encryption for sessions, user names and passwords stored in session cookies, and the config.bog file holding all configuration files. Also, Niagara’s user manual for the product essentially instructs users to connect the devices to the Internet; they found 21,000 Niagara devices online using Shodan, including a number of hospital networks, military installations, manufacturers and financial institutions.

“Lots of times, clients might not realize they’re running this; it could be managed by a third party for them,” McCorkle said. “Most of the time, it does end up on their network and if you can get on the device, you’re usually just one hop from the network.

“Take it off the Internet and make sure it’s protected, and monitor that traffic,” McCorkle added. “Finding these is trivial. You can do privilege escalation on them and elevate to local admin on the LAN and pivot from there.”

Categories: Critical Infrastructure