SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems since Stuxnet. Widely viewed at the time as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If malware can do that, other malware can be built to do something equally damaging elsewhere.

Attacks against SCADA systems can have very serious consequences. I think we have been quite lucky not to have seen a major disaster yet. Even though such attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

About a month ago news reports said that a SCADA hack had shut down a US water plant on 8 November 2011. That report concerned an Illinois-based water utility and a pump it used; federal officials later said there was no evidence to support the claim that hackers had destroyed the pump after gaining unauthorized access to the computer system used to operate its machinery, so what really happened in that case is hard to say. Separately, an attacker using the handle “pr0f” took credit for an intrusion into the Internet-facing SCADA system of a Texas town, and the resulting headline was Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote in a note on the file-sharing site pastebin.com. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done.” Together the two cases once again caused security experts to question the security of SCADA systems.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a widely used product family and has been the subject of several warnings from security researchers: Siemens industrial control systems have vulnerabilities that an attacker could use to cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to replay attacks that can interfere with normal operation. An attacker with access to the PLC or the automation network could intercept the PLC password and then make unauthorized changes to the PLC’s operation. The ISO-TSAP protocol is functioning to specification; the problem is that the specification performs no authentication and payloads are neither encrypted nor obfuscated, so whatever an engineering station sends to the PLC, password included, can be captured by anyone on the same network and sent again later.
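The replay weakness described above, as an added illustration (my code, not Siemens code and not the real S7 message format): the frames use the TPKT/COTP framing that ISO-TSAP (RFC 1006) runs on, but the “unlock” message that carries the password is a simplified stand-in for the real protection-level exchange. The first PLC model checks the password exactly as received, so a captured frame unlocks any PLC with the same password; the second binds the proof to a single-use nonce chosen by the PLC, so the same capture is useless against a new session.

```python
"""Replay against a cleartext password vs. a nonce-bound challenge.

Added illustration: TPKT/COTP framing per RFC 1006, but the "unlock"
message types 0x01/0x02 are hypothetical stand-ins, not the S7 protocol.
"""
import hashlib
import hmac
import os
import struct

COTP_DT = b"\x02\xf0\x80"  # COTP Data TPDU: LI=2, type 0xF0, EOT set, TPDU number 0


def tpkt_wrap(payload: bytes) -> bytes:
    """Wrap an application payload in COTP DT + TPKT (version 3, total length)."""
    body = COTP_DT + payload
    return struct.pack("!BBH", 3, 0, 4 + len(body)) + body


def tpkt_unwrap(frame: bytes) -> bytes:
    """Strip TPKT and COTP headers, checking the lengths they declare."""
    version, _reserved, length = struct.unpack("!BBH", frame[:4])
    if version != 3 or length != len(frame):
        raise ValueError("bad TPKT header")
    li = frame[4]                      # COTP length indicator: header bytes after LI
    if frame[5] != 0xF0:
        raise ValueError("not a COTP data TPDU")
    return frame[5 + li:]


class CleartextPLC:
    """Models the weakness: the password is compared as received, so any
    frame that once unlocked a PLC unlocks it (or a twin) again."""

    def __init__(self, password: bytes) -> None:
        self._password = password
        self.write_protected = True

    def handle(self, frame: bytes) -> bool:
        payload = tpkt_unwrap(frame)
        if payload[:1] != b"\x01":     # hypothetical "unlock with password" message
            return False
        if hmac.compare_digest(payload[1:], self._password):
            self.write_protected = False
            return True
        return False


def cleartext_unlock_frame(password: bytes) -> bytes:
    return tpkt_wrap(b"\x01" + password)


def sniffed_password(frame: bytes) -> bytes:
    """What a passive observer on the automation network learns from one frame."""
    return tpkt_unwrap(frame)[1:]


class ChallengePLC:
    """Replay-resistant variant: the client proves knowledge of the password
    over a fresh, single-use nonce that the PLC picked for this session."""

    def __init__(self, password: bytes) -> None:
        self._password = password
        self._nonce = None
        self.write_protected = True

    def challenge(self) -> bytes:
        self._nonce = os.urandom(16)
        return self._nonce

    def handle(self, frame: bytes) -> bool:
        payload = tpkt_unwrap(frame)
        if payload[:1] != b"\x02" or self._nonce is None:   # hypothetical "unlock proof"
            return False
        expected = hmac.new(self._password, self._nonce, hashlib.sha256).digest()
        self._nonce = None             # single use: another attempt needs a new challenge
        if hmac.compare_digest(payload[1:], expected):
            self.write_protected = False
            return True
        return False


def challenge_unlock_frame(password: bytes, nonce: bytes) -> bytes:
    return tpkt_wrap(b"\x02" + hmac.new(password, nonce, hashlib.sha256).digest())


def replay_against_cleartext(password: bytes = b"s3cret") -> tuple:
    """Legitimate unlock, then the captured frame replayed at a second PLC."""
    captured = cleartext_unlock_frame(password)
    legit_ok = CleartextPLC(password).handle(captured)
    replay_ok = CleartextPLC(password).handle(captured)  # attacker never knew the password
    return legit_ok, replay_ok


def replay_against_challenge(password: bytes = b"s3cret") -> tuple:
    """Same capture-and-replay against the nonce-bound exchange."""
    plc1 = ChallengePLC(password)
    captured = challenge_unlock_frame(password, plc1.challenge())
    legit_ok = plc1.handle(captured)
    plc2 = ChallengePLC(password)
    plc2.challenge()                   # a different nonce, so the old proof is worthless
    replay_ok = plc2.handle(captured)
    return legit_ok, replay_ok


if __name__ == "__main__":
    print("cleartext (legit, replay):", replay_against_cleartext())
    print("challenge (legit, replay):", replay_against_challenge())
```

The nonce removes only the replay property. Because the proof is an HMAC over a short password, an observer can still mount an offline dictionary attack on a captured proof, so this is not a substitute for proper key management or a protected transport; it isolates the one property the ICS-CERT warning is about.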

White Paper On Industrial Automation Security In Fieldbus And Field Device Level (from Vacon, Nixu and F-Secure) is an interesting white paper that gives a generic overview of security in industrial automation. It covers the security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies, discusses the challenges of data security in industrial automation, and describes the properties of industrial automation devices with a focus on security, tampering possibilities and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks you are reasonably safe. For the most part SCADA systems were not designed to be connected to the Internet, but engineers put in workarounds for remote access, and every such workaround is a pathway someone else can use to get in. There are also many cases where remote devices are reached over those insecure protocols across unsafe networks (the public telephone network, cellular networks, radio links, even the Internet).

For a long time there was a belief that SCADA systems benefited from security through the use of specialized protocols and proprietary interfaces (security through obscurity), and from networks that were physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Many tools for working with standard SCADA protocols are freely available on the Internet (for example, Wireshark can decode several commonly used SCADA protocols), so the protocols are obscure only to defenders who have not looked at them.

The move from proprietary technologies to more standardized and open solutions, together with the increasing number of connections between SCADA systems, office networks and the Internet, has made them more vulnerable to attack. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The article FACT CHECK: SCADA Systems Are Online Now says that nearly everything is connected now: nearly all SCADA systems are online. A simple NAT device in front of them is far from bulletproof access control; NAT hides addresses, it does not inspect what the connections it forwards actually do.
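A filter of the kind that strict separation calls for, as an added example (my code, not from the article or from any firewall product): it parses Modbus/TCP, drops frames that violate the protocol, and lets the office network read but never write, while only the HMI segment may change process state. The address plan, zones and sample frames are constructed. The conformance checks on quantities and byte counts are also what the “vulnerability filter” or virtual-patching approach discussed later in the comments amounts to in practice: the unpatched device never sees the malformed request.

```python
"""Zone-aware Modbus/TCP request filter (added example; constructed addresses and frames)."""
import struct
from ipaddress import ip_address, ip_network

# Constructed address plan: only the HMI segment may change process state.
ZONES = {
    "hmi": ip_network("10.10.1.0/24"),
    "office": ip_network("10.20.0.0/16"),
}
READ_FCS = {1, 2, 3, 4}            # read coils / discrete inputs / holding / input registers
WRITE_FCS = {5, 6, 15, 16}         # write single coil/register, multiple coils/registers
POLICY = {"hmi": READ_FCS | WRITE_FCS, "office": READ_FCS}
MAX_ADU = 260                      # Modbus/TCP application data unit limit


def check_pdu(fc: int, data: bytes) -> None:
    """Per-function sanity checks on the quantity and byte-count fields,
    the values that unpatched parsers tend to trust blindly."""
    if fc in (1, 2, 3, 4):
        if len(data) != 4:
            raise ValueError("read request must be start+quantity")
        _start, qty = struct.unpack("!HH", data)
        limit = 2000 if fc in (1, 2) else 125
        if not 1 <= qty <= limit:
            raise ValueError(f"fc {fc} quantity {qty} out of range")
    elif fc in (5, 6):
        if len(data) != 4:
            raise ValueError("single write must be address+value")
    elif fc == 16:
        if len(data) < 5:
            raise ValueError("fc 16 header truncated")
        _start, qty, byte_count = struct.unpack("!HHB", data[:5])
        if not 1 <= qty <= 123 or byte_count != 2 * qty or len(data) != 5 + byte_count:
            raise ValueError("fc 16 quantity/byte count inconsistent")
    # other function codes fall through and are decided by the zone policy alone


def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode MBAP header + function code; raise ValueError on anything non-conformant."""
    if len(frame) < 8:
        raise ValueError("short frame")
    if len(frame) > MAX_ADU:
        raise ValueError("ADU too long")
    tid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0")
    if length != len(frame) - 6:   # length counts unit id + PDU
        raise ValueError("length field does not match frame")
    fc, data = frame[7], frame[8:]
    if fc & 0x80:
        raise ValueError("exception code in a request")
    check_pdu(fc, data)
    return {"tid": tid, "unit": unit, "fc": fc, "data": data}


def zone_of(src_ip: str):
    addr = ip_address(src_ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return None


def filter_request(src_ip: str, frame: bytes) -> str:
    """Return 'allow' or 'drop: <reason>' for one request from src_ip."""
    zone = zone_of(src_ip)
    if zone is None:
        return "drop: source not in any control zone"
    try:
        req = parse_modbus_tcp(frame)
    except ValueError as exc:
        return f"drop: malformed ({exc})"
    if req["fc"] not in POLICY[zone]:
        return f"drop: fc {req['fc']} not permitted from {zone}"
    return "allow"


# Constructed traffic: (source IP, Modbus/TCP frame)
SAMPLE_TRAFFIC = [
    ("10.20.5.7", bytes.fromhex("0001 0000 0006 01 03 0000 000a")),                 # office reads 10 regs
    ("10.20.5.7", bytes.fromhex("0002 0000 0006 01 06 0010 0001")),                 # office writes a register
    ("10.10.1.20", bytes.fromhex("0003 0000 0006 01 06 0010 0001")),                # HMI writes a register
    ("10.10.1.20", bytes.fromhex("0004 0000 0020 01 03 0000 000a")),                # length field lies
    ("10.10.1.20", bytes.fromhex("0005 0000 000b 01 10 0000 0002 05 aabbccdd")),    # fc 16 byte count wrong
    ("203.0.113.9", bytes.fromhex("0006 0000 0006 01 03 0000 000a")),               # Internet-side read
]


def run_filter(traffic=SAMPLE_TRAFFIC) -> list:
    return [filter_request(src, frame) for src, frame in traffic]


if __name__ == "__main__":
    for (src, _), verdict in zip(SAMPLE_TRAFFIC, run_filter()):
        print(f"{src:>12}  {verdict}")
```

Such a filter belongs at the boundary between the control zone and everything above it; it does nothing for traffic that never crosses that boundary, which is why the hosts inside still need patching.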

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is very commonly used for SCADA applications, because few SCADA packages support anything other than Windows. It seems that many people are not happy with the security stance taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risks, because anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want, and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about attackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). A new video system that ran over IP had been added, and it was segregated from the control systems using layer 2 VLANs. Security researchers managed to break out of the VLANs and access other systems, including engine management. The issue here is that all that separated the engine control systems from the open network was VLANs and NAT-based filters. VLANs are a traffic-separation feature of switches, not a security boundary, and they should never be the only thing between an untrusted network and a control system.

123 Responses to “SCADA systems security issues”

  1. Tomi Engdahl says:

    GE study pimps ‘industrial Internet’
    How’s that SCADA security going, gentlemen?
    http://www.theregister.co.uk/2012/11/26/ge_pimps_industrial_internet/

    General Electric thinks that as much as $US15 billion could be added to global industrial output, merely by connecting global industrial operations to the Internet.

    The report (PDF), Unleashing the Industrial Internet: “Pushing the Boundaries of Minds and Machines”, paints the kind of futuristic picture that Vulture South seems to recall from the 1990s.

    “We estimate that the technical innovations of the Industrial Internet could find direct application in sectors accounting for more than $32.3 trillion in economic activity. As the global economy grows, the potential application of the Industrial Internet will expand as well. By 2025 it could be applicable to $82 trillion of output or approximately one half of the global economy”, the report continues.

    While there’s no doubt that industrial automation is at best a work in progress, with a lot of efficiency still to be achieved, The Register can’t help but wonder whether the public Internet can ever be a good place for industrial control systems.

  2. Tomi Engdahl says:

    Researcher Finds Nearly Two Dozen SCADA Bugs In a Few Hours
    http://it.slashdot.org/story/12/11/26/2114214/researcher-finds-nearly-two-dozen-scada-bugs-in-a-few-hours

    “It is open season on SCADA software right now. Last week, researchers at ReVuln, an Italian security firm, released a video showing off a number of zero-day vulnerabilities in SCADA applications from manufacturers such as Siemens, GE and Schneider Electric.”

    “now a researcher at Exodus Intelligence says he has discovered more than 20 flaws in SCADA packages from some of the same vendors and other manufacturers, all after just a few hours’ work.”

    What does a flightless bird and SCADA software have in common?
    http://blog.exodusintel.com/2012/11/25/what-does-a-flightless-bird-and-scada-software-have-in-common/

    Researcher Finds Nearly Two Dozen SCADA Bugs in a Few Hours’ Time
    https://threatpost.com/en_us/blogs/researcher-finds-nearly-two-dozen-scada-bugs-few-hours-time-112612

    “The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison. The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself,” Portnoy said in a blog post.

    In fact, he said that locating the software was more difficult than finding the bugs themselves.

  3. Tomi Engdahl says:

    Power station, airport SCADA defences ‘dead as a dodo’
    Security bod promises to help fix holes rather than flog exploits
    http://www.theregister.co.uk/2012/11/27/scada_vulns/

    Researchers have discovered yet more security vulnerabilities in crucial equipment used by power plants, airports, factories and other critical systems.

    Exodus Intelligence said it has found more than 20 flaws in SCADA (supervisory control and data acquisition) software from vendors including Rockwell Automation, Schneider Electric, Indusoft, RealFlex and Eaton Corporation. The bugs expose machinery to the risk of either remote code execution or denial of service attacks.

    Last week, researchers at Maltese startup ReVuln recorded a video in which they boasted of discovering zero-day vulnerabilities in SCADA applications from vendors such as Siemens, GE and Schneider Electric.

    ReVuln intends to sell information on these vulnerabilities, potentially to government agencies, rather than report them to equipment manufacturers to fix.

  6. Tomi Engdahl says:

    Virtual patching for process control systems
    http://www.controleng.com/home/single-article/virtual-patching-for-process-control-systems/81e89c06c35f85f68d13bb0a10a88a23.html

    Increase protection from software vulnerabilities sooner while allowing more control of your industrial network maintenance.

    In today’s industrial organizations, patching process control system software to remove security vulnerabilities is a regular, ongoing activity that is fraught with risk. Significant issues, such as a software regression, can be the result of installing a patch. At the same time, there is a potential for the system to become compromised if a patch has not been applied.

    The calculation of whether to patch or not is governed by the trade-off between the risk of installing a defective patch versus the risk of a penetration, which pits two equally important objectives against one another. Patching a critical system may “break it”—but failing to do so could leave it open to a security vulnerability.

    In addition to the security risk trade-off, there is a more pragmatic trade-off relative to the use of resources. Whether carried out automatically or manually, patching involves the application of resources, whose utilization and cost must be factored into the overall frequency of patching decisions.

    An innovative technique known as virtual patching, however, allows industrial organizations to improve the patch process while raising a system’s security posture. Components like vulnerability filters provide security for the unpatched systems, allowing better alignment of the patch process with production requirements.

    Today’s security risks

    In manufacturing plants and other industrial facilities, the advent of open control system architectures and standard protocols has been a mixed blessing for enterprises. On one hand, the evolution from isolated proprietary applications to open technology has expanded process and business information availability. On the other hand, open technology has exposed the manufacturing enterprise to a variety of electronic threats. With the further integration of manufacturing assets to enterprise resource planning systems, the risks become even greater.

    The increased vulnerability of the enterprise resulting from open architectures, coupled with increasing numbers of malware attacks, has made cyber security a major concern for manufacturers around the world. Accidental or malicious attacks can cause significant risk to the health and safety of personnel, production, and corporate reputation, to name only a few.

    In order to minimize risks to plant automation and information systems, it is important to implement a defense-in-depth strategy, which incorporates multiple layers of protection. One such layer in particular includes hardening of the servers and stations.

    Implementing patches in a process control network can be a time-consuming exercise, which apart from providing an increased resilience of the control system equipment against malware attacks, also introduces increased risk of failure during the patch installation process. Installing a software patch typically requires:

    Coordination with the process operations staff to determine the appropriate time slot for patching
    Actual installation of the patch
    Swapping primary and secondary server functions to allow patching on the secondary server, and
    Rebooting equipment to activate the modified software.

    Together, these factors result in an average patch processing time for a server or station of between one and two hours per node. This exercise soon becomes costly, since security patches are normally issued monthly and are not necessarily aligned due to different patch release cycles from different manufacturers. While waiting for these elements to align, the vulnerability is public but the system is not patched, so there is an increased risk of a successful exploit—an infection by a network worm in the majority of the cases.

    Virtual patching techniques

    Virtual patching, unlike traditional patching, protects the system without touching the application, its libraries, or operating system. Additionally, virtual patches are available much sooner than actual software patches. Within days after disclosure of a vulnerability, a virtual patch can become active, where an application manufacturer might take weeks to months to modify and test the software.

    The process is designed to place a shield around the control network that checks for the activity of known vulnerabilities and offers good protection against so-called “zero-day attacks” not identified by protection mechanisms such as anti-virus software. A vulnerability filter is not impacted by this situation directly, since it filters the exploit of a specific vulnerability without being sensitive to changes in a particular signature.

    The benefits of shielding are two-fold. Not only does it offer protection against network-based attacks or denial-of-service attacks, but it also stops the propagation of malware over the network.

    Virtual patching in practice

    Virtual patching filters the traffic between two points, using vulnerability filters which are designed to detect and block traffic that violates application protocols. These vulnerability filters behave like a network-based virtual software patch to protect downstream hosts from network-based attacks on unpatched vulnerabilities. The vulnerability filters are created as soon as new vulnerabilities are discovered to preempt any attacks. Specifically, this approach is used to shield the control network from traffic coming from Level 3 or above, or traffic flowing between communities.

    Determining when and how to patch is a critical decision that should not be taken lightly.

  7. Tomi Engdahl says:

    Researchers find crippling flaws in global GPS
    http://www.scmagazine.com.au/News/325731,researchers-find-crippling-flaws-in-global-gps.aspx

    Researchers have developed three attacks capable of crippling Global Positioning System infrastructure critical to the navigation of a host of military and civilian technologies including planes, ships and unmanned drones.

    The scenarios developed include novel remote attacks via malicious GPS broadcasts against consumer and professional- grade receivers which could be launched using $2500 worth of equipment.

    A 45-second crafted GPS message could bring down up to 30 percent of the global GPS Continuously Operating Reference Stations (CORS), while other attacks could take down 20 percent of NTRIP networks, security boffins from Carnegie Mellon University and firm Coherent Navigation wrote in a paper

    Together, attack scenarios created “serious ramifications to safety systems”.

    “Until GPS is secured, life and safety-critical applications that depend upon it are likely vulnerable to attack,” the team of four researchers said

    “The good news is that as far as we know, we are the only ones with a spoofing device currently capable of the types of attacks,” Nighswander said.

    “The bad news is that our spoofer would not be prohibitively expensive and complicated for someone to build, if they had the proper skillset.

    Attacks were conducted against seven receiver brands including Magellan, Garmin, GlobalSat, uBlox, LOCOSYS and iFly 700.

    Trimble was working with researchers to push out a patch for its affected products, Nighswander said.

    Attacks included location spoofing in applications used by planes, cars, trucks and ships to prisoner ankle bracelets, mobile phone towers, traffic lights, and SCADA systems.

    The researchers said their work differed from existing GPS jamming and spoofing attacks because it detailed a larger attack surface “by viewing GPS as a computer system”. This included analysis of GPS protocol messages and operating systems, the GPS software stack and how errors affect dependent systems.

    “The overall landscape of GPS vulnerabilities is startling, and our experiments demonstrate a significantly larger attack surface than previously thought,” the researchers wrote.

    “For example, we show that we can permanently de-synchronise the date of Phasor Measurement Units used in [a] smart grid. We also show we can cause UNIX epoch rollover in a few minutes, and year 100,000 (the first 6-digit year) rollover in about two days.”
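One defensive check the findings above suggest, as an added example that is not from the paper or from any receiver vendor: before a controller adopts a GPS-derived time it compares the step against its own monotonic clock, so a spoofed broadcast that advances the date by weeks per second is rejected instead of walking the system into the 2038 rollover. The thresholds, the build-year floor and the sample series are constructed.

```python
"""Plausibility check on GPS-derived time before a controller adopts it.

Added illustration. Each sample is compared with the host's monotonic clock;
steps no real clock could have produced are rejected and the controller keeps
free-running from the last good sample. Thresholds are made up.
"""
from datetime import datetime, timezone

MAX_RATE_ERROR = 0.01      # tolerate 1% disagreement between GPS and monotonic elapsed time
MAX_STEP_S = 2.0           # plus a fixed allowance for sampling jitter
EPOCH_2038 = 2 ** 31       # signed 32-bit time_t rollover
BUILD_YEAR = 2012          # a receiver claiming an earlier date is broken or spoofed


class GpsTimeSanity:
    """Tracks the last accepted (gps_time, mono_time) pair and validates the next."""

    def __init__(self, gps_time: float, mono_time: float) -> None:
        self.last_gps = gps_time
        self.last_mono = mono_time
        self.anomalies = []        # (mono_time, reason) for every rejected sample

    def check(self, gps_time: float, mono_time: float) -> bool:
        elapsed_mono = mono_time - self.last_mono
        elapsed_gps = gps_time - self.last_gps
        reason = None
        if elapsed_mono <= 0:
            reason = "monotonic clock did not advance"
        elif elapsed_gps < 0:
            reason = "GPS time moved backwards"
        elif abs(elapsed_gps - elapsed_mono) > MAX_STEP_S + MAX_RATE_ERROR * elapsed_mono:
            reason = f"GPS advanced {elapsed_gps:.0f}s in {elapsed_mono:.0f}s of real time"
        elif gps_time >= EPOCH_2038:
            reason = "past the 32-bit time_t rollover"
        elif datetime.fromtimestamp(gps_time, tz=timezone.utc).year < BUILD_YEAR:
            reason = "date earlier than this firmware's build year"
        if reason is not None:
            self.anomalies.append((mono_time, reason))
            return False           # do not adopt; keep free-running from the last good sample
        self.last_gps, self.last_mono = gps_time, mono_time
        return True


def run_series(start_gps: float, steps) -> list:
    """Feed (mono_delta, gps_delta) steps from a constructed series; return accept flags."""
    monitor = GpsTimeSanity(start_gps, 1000.0)
    mono, gps, verdicts = 1000.0, start_gps, []
    for mono_delta, gps_delta in steps:
        mono += mono_delta
        gps += gps_delta
        verdicts.append(monitor.check(gps, mono))
    return verdicts


START = 1_355_000_000.0                     # early December 2012 (constructed)
HONEST = [(1.0, 1.0)] * 5                   # one second of GPS time per real second
JITTER = [(60.0, 60.5)]                     # half a second of slop over a minute: acceptable
SPOOFED = [(1.0, 30 * 86400.0)] * 3         # a month per second: reaches 2038 in about 5 minutes
ROLLBACK = [(1.0, -3600.0)]                 # clock pulled an hour backwards


if __name__ == "__main__":
    for name, series in [("honest", HONEST), ("jitter", JITTER),
                         ("spoofed", SPOOFED), ("rollback", ROLLBACK)]:
        print(f"{name:>8}: {run_series(START, series)}")
```

The check assumes the host has a monotonic clock the spoofer cannot touch; a device whose only time source is the receiver has nothing to compare against and needs a second source (a network time reference or a local oscillator with known drift).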

  8. Tomi says:

    Stuxnet strikes again, Iranian official says
    http://www.theverge.com/2012/12/25/3803216/stuxnet-strikes-again-iranian-official-says

    Is Stuxnet back? A provincial defense official in southern Iran is claiming that one of the largest power plants in the country and other industrial sites were again targeted by the notorious virus reported to be the creation of the Israeli and American governments.

    This recent Stuxnet attack was successfully defeated, according to local Iranian civil defense chief Ali Akbar Akhavan.

    Stuxnet is a powerful worm that was written to attack industrial systems manufactured by global megabrand Siemens. The virus is introduced via an infected USB drive, then establishes communication with a remote server. Attackers can then copy data or take control of a plant’s monitoring system.

  9. Tomi Engdahl says:

    FBI Memo: Hackers Breached Heating System via Backdoor
    http://www.wired.com/threatlevel/2012/12/hackers-breach-ics/

    Hackers broke into the industrial control system of a New Jersey air conditioning company earlier this year, using a backdoor vulnerability in the system, according to an FBI memo made public this week.

    The intruders first breached the company’s ICS network through a backdoor in its Niagara AX ICS system, made by Tridium. This gave them access to the mechanism controlling the company’s own heating and air conditioning, according to a memo prepared by the FBI’s office in Newark

    The breach occurred in February and March of this year, several weeks after someone using the Twitter moniker @ntisec posted a message online indicating that hackers were targeting SCADA systems, and that something had to be done to address SCADA vulnerabilities.

    The individual had used the Shodan search engine to locate Tridium Niagara systems that were connected to the internet and posted a list of URLs for the systems online. One of the IP addresses posted led to the New Jersey company’s heating and air conditioning control system.

    The backdoor URL gave access to a Graphical User Interface (GUI), “which provided a floor plan layout of the office, with control fields and feedback for each office and shop area,” according to the FBI. “All areas of the office were clearly labeled with employee names or area names.”

    Forensic logs showed that intruders had gained access to the system from multiple IP addresses in and outside the U.S. The memo does not indicate if the intruders manipulated the system after obtaining access to it.

    Five months after the breaches first began, Tridium and the Department of Homeland Security’s ICS-CERT division published alerts disclosing a directory traversal and weak credential storage vulnerability in the Niagara AX Framework system.

    More than 300,000 Tridium Niagara AX Framework systems are installed worldwide

    more than 20,000 of the Niagara systems connected to the internet.

  10. Tomi Engdahl says:

    Shodan pinpoints shoddy industrial controls.
    http://www.shodanhq.com/

  11. Tomi Engdahl says:

    Hackers tap SCADA vuln search engine
    Shodan pinpoints shoddy industrial controls.
    http://www.theregister.co.uk/2010/11/02/scada_search_engine_warning/

    A search engine that indexes servers and other internet devices is helping hackers to find industrial control systems that are vulnerable to tampering, the US Computer Emergency Readiness Team has warned.

    The year-old site known as Shodan makes it easy to locate internet-facing SCADA, or supervisory control and data acquisition, systems used to control equipment at gasoline refineries, power plants and other industrial facilities. As white-hat hacker and Errata Security CEO Robert Graham explains, the search engine can also be used to identify systems with known vulnerabilities.

    According to the Industrial Control Systems division of US CERT, that’s exactly what some people are doing to discover poorly configured SCADA gear.

    Besides opening up industrial systems to attacks that target unpatched vulnerabilities, the information provided by Shodan makes networks more vulnerable to brute-force attacks on passwords, many of which may still use factory defaults, CERT warned.
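Detection for the pattern the warning describes, as an added example (the log format, the network plan and the log lines are all constructed; this is not CERT code or any product’s rule set): repeated failures from one source inside a short window, a successful login using a factory-default account name, a success that follows a run of failures, and any login from outside the control-system networks.

```python
"""Detection over HMI authentication logs (added example; everything constructed)."""
import re
from collections import defaultdict, deque
from datetime import datetime
from ipaddress import ip_address, ip_network

TRUSTED_NETS = [ip_network("10.10.1.0/24"), ip_network("10.10.2.0/24")]   # constructed plan
DEFAULT_ACCOUNTS = {"admin", "administrator", "operator", "guest"}        # illustrative list
FAIL_THRESHOLD, WINDOW_S = 5, 60          # 5 failures inside 60 s from one source

# Constructed syslog-like format: "<date> <time> <host> auth: user=... src=... result=OK|FAIL"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (?P<host>\S+) auth: "
    r"user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    m = LINE_RE.match(line)
    if m is None:
        return None
    return {
        "ts": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
        "host": m["host"], "user": m["user"], "src": m["src"], "result": m["result"],
    }


def is_trusted(src: str) -> bool:
    addr = ip_address(src)
    return any(addr in net for net in TRUSTED_NETS)


def detect(lines) -> list:
    """Return (rule, src, user) alerts in the order they fire."""
    alerts = []
    recent_failures = defaultdict(deque)   # src -> timestamps of failures still in the window
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue                        # unparseable lines are skipped, not trusted
        src, ts, user = ev["src"], ev["ts"], ev["user"]
        window = recent_failures[src]
        while window and (ts - window[0]).total_seconds() > WINDOW_S:
            window.popleft()
        if ev["result"] == "FAIL":
            window.append(ts)
            if len(window) == FAIL_THRESHOLD:   # fire once, when the threshold is crossed
                alerts.append(("brute_force", src, user))
            continue
        # successful login: these are the events worth an immediate look
        if user.lower() in DEFAULT_ACCOUNTS:
            alerts.append(("default_account_login", src, user))
        if not is_trusted(src):
            alerts.append(("login_from_untrusted_network", src, user))
        if window:                              # guessed it after a run of failures
            alerts.append(("success_after_failures", src, user))
            window.clear()
    return alerts


SAMPLE_LOG = [   # constructed
    "2013-01-15 03:12:01 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:04 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:08 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:11 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:15 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:20 hmi01 auth: user=admin src=203.0.113.9 result=FAIL",
    "2013-01-15 03:12:25 hmi01 auth: user=admin src=203.0.113.9 result=OK",
    "2013-01-15 07:01:00 hmi01 auth: user=engineer src=10.10.1.20 result=OK",
    "garbage line that does not match the format",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The alerts only mean something if the HMI logs authentication at all and the logs leave the box; on many of the devices Shodan turns up neither is true, which is itself the first finding.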

  12. Tomi Engdahl says:

    Thousands of SCADA Devices Discovered On the Open Internet
    http://it.slashdot.org/story/13/01/10/2013215/thousands-of-scada-devices-discovered-on-the-open-internet

    “Never underestimate what you can do with a healthy list of advanced operator search terms and a beer budget. That’s mostly what comprises the arsenal of two critical infrastructure protection specialists who have spent close to nine months trying to paint a picture of the number of Internet-facing devices linked to critical infrastructure in the United States. It’s not a pretty picture.”

  13. Tomi Engdahl says:

    January 14, 2013, 9:22PM
    Malware Infects Two Power Plants Lacking Basic Security Controls
    https://threatpost.com/en_us/blogs/malware-infects-two-power-plants-lacking-basic-security-controls-011413

    During the past three months, unnamed malware infected two power plants’ control systems using unprotected USB drives as an attack vector. At both companies, a lack of basic security controls made it much easier for the malicious code to reach critical networks.

    In one instance, according to a recent report from the Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), malware was discovered after a power generation plant employee asked IT staff to look into a malfunctioning USB drive he used to back up control systems configurations.

    A scan with updated antivirus software turned up three instances of malware, two common and one considered sophisticated.

    That discovery prompted a more thorough on-site inspection that revealed “a handful of machines that likely had contact with the tainted USB drive.” This included two of 13 workstations in an engineering bay tied to critical systems.

    “Detailed analysis was conducted as these workstations had no backups, and an ineffective or failed cleanup would have significantly impaired their operations,” according to the report.

    Analysts noted the need for operators of the nation’s critical infrastructure networks to follow best practices. In recent years security researchers have tried to draw more attention to SCADA and ICS security (or the lack thereof) as a way of pushing companies, usually privately owned, to invest more resources in protecting their networks from cybercriminal activity.

  14. Tomi Engdahl says:

    Malware infects US power facilities through USB drives
    ICS-CERT recommends power plants adopt new USB practices
    http://www.techworld.com.au/article/446611/malware_infects_us_power_facilities_through_usb_drives/

    Two U.S. power companies reported infections of malware during the past three months, with the bad software apparently brought in through tainted USB drives, according to the U.S. Department of Homeland Security’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

    ICS-CERT recommended that the power facility adopt new USB use guidelines, including the cleaning of a USB device before each use.

    In the second incident, a power company contacted ICS-CERT in early October to report a virus infection in a turbine control system

    The malware delayed the plant’s reopening by three weeks, the organization said.

  17. Tomi Engdahl says:

    Software moles in your systems
    http://www.controleng.com/home/single-article/software-moles-in-your-systems/5a0347ba765249f3926eb61201e7dd59.html

    Old programs, utilities, and plug-ins languishing on your computer or control systems could threaten your security.

  18. [...] connected to allow remote operation and some are unintentionally connected to Internet. Many control systems connected to Internet have serious security issues (for example some have default passwords in them and some have known security vulnerabilities in [...]
