SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News around a month ago reported that a SCADA hack shut down a US water plant on 8 November 2011. This hacking attack on a US water plant has been credited to an unknown attacker (someone using the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. Once again this caused security experts to question the security of SCADA systems. One headline summed it up: “Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System”. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on a file sharing Web site. On the other hand, Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What the truth is in this case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of several warnings from security researchers, according to whom Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. The ISO-TSAP protocol is functioning to specification; however, authentication is not performed, nor are payloads encrypted or obfuscated.

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks, you are reasonably safe. For the most part SCADA systems are not designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this you create a pathway through which someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols through unsafe networks (public telephone network, cellular network, radio links, even the Internet).

For a long time there has been a belief that SCADA systems benefit from security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Nowadays you can find many tools on the Internet for working with standard SCADA protocols (for example, Wireshark can decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article tells that nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.
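The two points above, that ISO-TSAP and similar control protocols carry no authentication, and that a NAT box forwarding traffic to the control network is not a segmentation policy, can be checked mechanically against flow records. The following is an added example, not code from this article or from any vendor: it models a “forward everything” policy next to a default-deny policy that admits only the engineering station, then audits constructed flow records against each. The address plan, host roles and flow records are all constructed for illustration; the port numbers (102 for ISO-TSAP, 502 for Modbus/TCP) are the standard ones.

```python
"""Audit control-network flow records against a segmentation policy.

Added example, not part of the original article. It contrasts a flat
policy (a NAT device forwarding anything to the PLC subnet) with a
default-deny firewall that admits only the engineering station to the
unauthenticated PLC protocols. All addresses and flows are constructed.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple

# Standard TCP ports of control protocols that perform no authentication.
UNAUTHENTICATED_PORTS = {102: "ISO-TSAP", 502: "Modbus/TCP"}

# Constructed address plan (assumption for this example).
CONTROL_NET = "10.20.0.0/24"          # PLCs and HMIs
ENGINEERING_STATION = "10.10.5.7/32"  # the only host allowed to program PLCs


@dataclass(frozen=True)
class Rule:
    action: str            # "allow" or "deny"
    src: str               # source CIDR
    dst: str               # destination CIDR
    dport: Optional[int]   # None matches any destination port


@dataclass(frozen=True)
class Flow:
    src: str
    dst: str
    dport: int


# Weak policy: a NAT/port-forward that passes everything into the control net.
WEAK_POLICY = [Rule("allow", "0.0.0.0/0", CONTROL_NET, None)]

# Strict policy: only the engineering station, only the protocols it needs,
# and an explicit deny for everything else reaching the control net.
STRICT_POLICY = [
    Rule("allow", ENGINEERING_STATION, CONTROL_NET, 102),
    Rule("allow", ENGINEERING_STATION, CONTROL_NET, 502),
    Rule("deny", "0.0.0.0/0", CONTROL_NET, None),
]


def first_match(rules: List[Rule], flow: Flow) -> str:
    """First-match evaluation; a flow matching no rule is denied by default."""
    src, dst = ip_address(flow.src), ip_address(flow.dst)
    for r in rules:
        if (src in ip_network(r.src) and dst in ip_network(r.dst)
                and (r.dport is None or r.dport == flow.dport)):
            return r.action
    return "deny"


def audit(rules: List[Rule], flows: List[Flow]) -> List[Tuple[Flow, str, str]]:
    """Return (flow, action, note); note is set when an unauthenticated
    control protocol would be reachable from a non-engineering host."""
    findings = []
    for f in flows:
        action = first_match(rules, f)
        proto = UNAUTHENTICATED_PORTS.get(f.dport)
        note = ""
        if (action == "allow" and proto
                and ip_address(f.src) not in ip_network(ENGINEERING_STATION)):
            note = f"unauthenticated {proto} session from non-engineering host"
        findings.append((f, action, note))
    return findings


# Constructed flow records (not captured traffic).
SAMPLE_FLOWS = [
    Flow("10.10.5.7", "10.20.0.15", 102),     # engineering station -> PLC
    Flow("10.10.42.9", "10.20.0.15", 102),    # office workstation -> PLC
    Flow("203.0.113.50", "10.20.0.15", 502),  # Internet host (TEST-NET-3) -> PLC
    Flow("10.10.42.9", "10.20.0.20", 443),    # office workstation -> HMI web page
]


def count_exposed(rules: List[Rule], flows: List[Flow] = SAMPLE_FLOWS) -> int:
    """Number of flows that would expose an unauthenticated protocol."""
    return sum(1 for _, _, note in audit(rules, flows) if note)


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"{name} policy: {count_exposed(policy)} exposed flows")
        for flow, action, note in audit(policy, SAMPLE_FLOWS):
            print(f"  {flow.src} -> {flow.dst}:{flow.dport} {action} {note}")
```

Run against the constructed flows, the weak policy exposes the PLC to the office workstation and to the Internet host, while the strict policy admits only the engineering station and denies the office-to-HMI web flow as well, since nothing allows it. In practice the same audit would be fed from firewall or NetFlow exports, and the explicit final deny rule is what turns a list of exceptions into a policy.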

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system for SCADA applications, because only a few SCADA packages support operating systems other than Windows. It seems that many people are not happy with the security stance taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risks, since anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about a Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. The security researchers managed to break the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems from the open network was VLAN and NAT based filters.


  1. Tomi Engdahl says:
    Super Stuxnet’s SCADA slaves: security is atrocious
    153 computers, six SCADA systems, most C&C points to Iran

    Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.

    Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.

    Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.

    “The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet,” Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].

    “It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system.”

    The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.

    “… any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection,” Kleissner says.

  2. Tomi Engdahl says:
    Config file wipe blunder caused deadly Airbus A400M crash – claim
    Probe insiders indicate engine shutdown due to missing data

    A dodgy software installation that deleted vital files caused last month’s Airbus 400M transport plane crash in which four people died, it is claimed.

    On May 9, a test flight of the A400M, intended to replace the aging Hercules as a mainstay of NATO’s air mobility fleet, crashed in Spain, killing four of the six crew. According to Reuters today, a faulty software installation on the aircraft’s systems deleted configuration information, and caused three of the four turboprop engines to shut down after takeoff.

    People familiar with the investigation said the torque calibration parameters for the engines were wiped during the installation. This data is needed to measure and interpret information coming back from the A400M’s engines, and is crucial for the Electronic Control Units (ECU) that control the aircraft’s power systems.

    Without that sensor data, the ECU automatically shut down the engines, or at least put them into the lowest power settings. According to safety documentation, the pilots would only get a warning from the ECUs when the aircraft is 400 feet (120 metres) off the ground.

    “Nobody imagined a problem like this could happen to three engines,” a person familiar with the 12-year-old project said.

    The crashed A400M was being tested before delivery to the Turkish Air Force.

    On May 20, Airbus warned A400M customers to conduct “specific checks of the Electronic Control Units (ECU) on each of the aircraft’s engines.”

  3. Tomi Engdahl says:
    7 benefits of integrating human-machine interfaces, historians

    Cover story: Human-machine interfaces (HMIs) and historians differ but need to be tightly integrated to provide company operations with optimal value. Big data has little value without analysis and access in real time. Seven application examples explain HMI-historian integration benefits, including troubleshooting, analysis, and regulatory compliance.

    Human-machine interfaces (HMIs) and historians differ in purpose but need to be tightly integrated to provide great value to companies’ operations. HMIs provide effective control and interactions between humans and machines. Historians collect high-speed time-series data to maintain a chronology of events.


    With today’s PC standard technology and capabilities, a typical historian system should be able to store and access more than 10 years of raw data. Aggregated manufacturing big data is good for certain reports, and historians should have the features to get access to this data, but it should not be stored as aggregates. Raw data streams are needed for true analysis. A well-performing historian should be able to easily exceed 1 million updates per second when storing data while retrieving more than 3 million updates per second at the same time. Users become quickly frustrated if they cannot get access to the data they need for analysis within a few seconds.

  4. Tomi Engdahl says:
    SCADA systems can be old because “if it works don’t fix it”

    The ancient Amiga has been on for 30 years – 19 schools fully dependent on it

    If it works, do not fix it. The ancient Amiga has been responsible for the ventilation and heating of 19 American schools for 30 years, says WoodTV.

    The device has needed replacing for a long time, but so far this has not succeeded due to lack of money. According to Tim Hopkins, who is responsible for real estate management, spare parts are hard to find.
    Hopkins describes the device “as a unique product.”

    The computer’s software was written back in the day by a local high school student. If there are any problems with the software, the school asks for help from the same person, who still lives in the community.

    If the device breaks down, all the schools’ systems would have to be switched on and off manually.


    1980s computer controls GRPS heat and AC

    A 30-year-old computer that has run day and night for decades is what controls the heat and air conditioning at 19 Grand Rapids Public Schools.

    The Commodore Amiga was new to GRPS in the early 1980s and it has been working tirelessly ever since. GRPS Maintenance Supervisor Tim Hopkins said that the computer was purchased with money from an energy bond in the 1980s. It replaced a computer that was “about the size of a refrigerator.”

    The computer is responsible for turning the heat and the air conditioners on and off for 19 school buildings.

    “The system controls the start/stop of boilers, the start/stop of fans, pumps, [it] monitors space temperatures, and so on,” Hopkins explained.

    Parts for the computer are difficult to find, Hopkins said. It is on its second mouse and third monitor.

    “It’s a very unique product. It operates on a 1200-bit modem,” said Hopkins. “How it runs, the software that it’s running, is unique to Commodore.”

    Hopkins said the system runs on a radio frequency that sends a signal to school buildings, which reply within a matter of seconds with the status of each building. The only problem is that the computer operates on the same frequency as some of the walkie-talkies used by the maintenance department.

    “Because they share the same frequency as our maintenance communications radios and operations maintenance radios — it depends on what we’re doing — yes, they do interfere,” Hopkins said.

    If the computer stopped working tomorrow, a staff person would have to turn each building’s climate control systems on and off by hand.

    A new, more current system would cost between $1.5 and 2 million.

  5. Tomi Engdahl says:
    MicroLogix 1400 PLC Teardown

    Introducing the MicroLogix 1400 PLC (1766L32BXBA) from Allen Bradley.

    Taking a close look at the large PCB reveals that this is where all the grunt work takes place. The hardware for this PLC was probably designed about 5-6 years ago – the date stamps for the ICs suggest their manufacture was in 2010. Onboard is an Altera Cyclone 2 FPGA and this is where I expect the user’s logic is executed. An FPGA would allow the user to include many more hardware based timers, counters and math operations than is possible with a microcontroller or microprocessor.

    Located underneath the FPGA on the other side of the PCB is 16Mbit of Flash memory. This would be where the FPGA’s bit file resides and is loaded from each time the FPGA is reset.

    Additionally there is a Freescale ColdFire MC5275 microprocessor. A quick check of this device’s datasheet reveals that it is a respectable piece of hardware. My thoughts are this is the device that performs the overall operation of the hardware, where your programming PC interfaces to when monitoring, loading new ladder logic or performing ladder logic online edits. Your new PLC code would some how pass through this device before it is executed in the FPGA.

    The IO interface is handled with the following board. The 2x white ICs are opto-isolators manufactured by Toshiba and used for regular digital inputs.

  6. Tomi Engdahl says:
    Increasingly large numbers of unprotected automation systems

    29.06.2015 at 14:23

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus is concerned about the large number of unprotected automation equipment. In its mapping of Finnish networks during spring 2015, Kyberturvallisuuskeskus still found thousands of unprotected automation devices of different types. The devices discovered in the survey, and their quantities, correspond to those observed in previous similar studies.

    The largest group consists of automation equipment of individual properties, of which thousands were observed in this survey as well. Automation equipment affects the physical world, which can make related security incidents particularly serious. An unprotected automation device can also be a threat to other Internet users, for example if an attacker harnesses easily compromised devices for denial of service attacks. The owner may not notice that, in addition to their own vulnerability, they are causing harm to others.


  7. Tomi Engdahl says:
    Monitor aging equipment without replacement

    Electrical gateways provide an inside view of a facility’s electrical distribution and control equipment. Older pieces of large equipment, including motor-control centers, switchgear, and panelboards, were not engineered when proactive energy management was a primary concern. See five key benefits to using electrical gateways.

    Modern gateways also use open protocols, enabling communications with devices that communicate via an open protocol like Modbus, regardless of the manufacturer—allowing for seamless integration into energy management, building management, and facility monitoring systems.

    But how do these new features translate into the actionable intelligence needed to drive continuous improvement?

    Five key benefits

    1. Safety: Monitoring systems can limit the exposure of personnel to potentially hazardous electrical environments by providing remote status and operational parameters.

    2. Reliability: Assessment of data from the monitoring system can reveal issues that could adversely affect the operation and productivity of a facility. Historical data from power monitoring systems can help locate and correct both acute and chronic problems, resulting in increased productivity. Alarm notifications also can be proactively set to warn of underperforming equipment and conditions threatening uptime.

    3. Energy efficiency: A better knowledge of how energy is used within a facility allows for identification of an array of prospects to improve efficiency, minimize waste, and reduce energy consumption. The ability to benchmark performance and export in-depth reports allows for verification of energy management program success.

    4. Simplified maintenance: Trended data and reporting capabilities allow users to better forecast when defined equipment parameters may be exceeded, allowing facility management to plan ahead instead of facing an unscheduled shutdown of equipment.

    5. Operational costs: Each benefit discussed above either directly or indirectly influences a business’ bottom line. In most cases, the monetary impact from even one or two benefits can quickly justify the purchase and installation of a power monitoring system. Monitoring systems also can be scaled from one single piece of equipment to an entire facility—allowing for incremental expansion with budget and facility growth.

  8. Tomi Engdahl says:
    Teardown: Ruggedness and flexibility keep PLCs strong in industrial

    The modern programmable logic controller (PLC) is at the nexus of two debates that are taking place daily at opposite ends of the control-system spectrum. At one end is the debate over the ideal technology for digital I/O isolation and protection. At the other end, and at a much higher architectural level, is the debate over which is better: PLC-based control or PC/embedded computer-based control.

    Given the increasing importance of factory, industrial, and manufacturing automation, we jumped on the opportunity to tear down a popular PLC, the Allen-Bradley Micro850, and explore some of the choices made in its design to shed light on core I/O isolation options along with some of the elements that go into a well-known PLC design.

    PLCs have a long and storied history, with Allen-Bradley itself coining the term “programmable logic controller” in 1971 when it introduced its version of what was then called the “programmable controller.” Allen-Bradley was since bought by Rockwell Automation. The term PLC quickly took hold,

    As anyone who cut their teeth on ladder logic can testify, PLCs at the time were an elegantly simple solution to an age-old problem: making control systems reconfigurable without having to manually rewire or reconnect the hardware.

    For industrial control and automation, these Windows-based PCs and embedded computers offered higher processing power, greater programming flexibility, more ecosystem support and lower cost.

    Meanwhile, PLCs held on to their core advantages of ruggedness, simplicity, reliability, durability and “trust,” a critical factor when downtime can result in losses ranging from thousands to many millions of dollars. Control engineers and technicians knew they could rely upon PLCs and knew how to troubleshoot or swap them out quickly and easily if anything ever did go wrong.

    While PCs may have been invading the factory floor, PLCs weren’t standing still. PCs seemed to be winning the battle in the late nineties and 2000s, but PLCs were becoming more powerful and adopting more standard operating systems and programming languages and methodologies, such as C, while also becoming more open.

  9. Tomi Engdahl says:
    Embedded automation computer with multiple connectivity ports

    Advantech’s UNO-1372G small-size DIN-rail embedded automation computer has multiple connectivity, sensor, communication, and data transfer ports and can operate in harsh conditions.

    Advantech’s UNO-1372G DIN-rail embedded automation computer features three GbE ports for fast data transfer, two mPCIe slots to enable connection to 3rd party devices, one mSATA connector, and one SATA for a SSD or HDD, two COM ports, three USB ports, eight digital I/O ports, and HDMI/VGA ports.

    The UNO-1372G has an operating temperature range of -20 C to 60 C

    Options available include fieldbus protocols such as Profibus, Profinet, EtherCAT, and Powerlink

    Communication options include GPS, 3G, LTE, ZigBee, RFID, and Bluetooth.

  10. Tomi Engdahl says:
    SCADA cyber security

    Securing control systems with supervisory control and data acquisition (SCADA): SCADA software, part of many industrial control systems, can use the U.S. National Institute of Standards and Technology (NIST) framework for cyber security.

    To meet cyber security concerns, software and hardware vendors, system integrators, and other stakeholders need to work with end users to achieve a secure supervisory control and data acquisition (SCADA) solution. The U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (“the Framework”) for systematically identifying the critical assets of the organization, identifying threats, and securing these critical assets. The Framework opens the door to partnerships that are more effective with cyber security prioritized so that the needs of the end user are fully met.

    Cyber financial attacks such as the 83 million household and small-business records stolen from JPMorgan Chase Bank (Reuters, 2014) contribute to the 78% increase in financial impact of cybercrime in the past four years. In this same period, 40% of cyberattacks have been directed against energy companies (Siegel, Josh; Motorola Solutions, 2014). The U.S. government is focusing on the threat to the nation’s critical infrastructure such as our electric grid, oil and gas pipelines, water and wastewater treatment facilities, and transportation infrastructure like tunnels and bridges.

  11. Tomi Engdahl says:
    Cyber security in process plants: Recognizing risks, addressing current threats

    As attacks on industrial control systems (ICSs) become more frequent and increasingly sophisticated, defensive strategies must evolve to keep up. Fortunately, the tools are getting better. See related video.

    Process industries are no place for uncertainty and risk. Companies in the oil and gas, refining, petrochemical, and power-generation industries, among others, must prevent and mitigate cyber security threats that jeopardize their production operations, including risks to plant infrastructure, assets, personnel, and the environment.

    Industrial firms need to take certain steps to protect critical facilities. Taking those steps is easier with an understanding of current and future cyber security risks, past incidents in process sectors, and knowledge of ever-changing security challenges.

    In recent years, industrial cyber security threats have grown from the esoteric practice of a few specialists to a problem of general concern. All stakeholders now have a new responsibility in promoting the safety, reliability, and stability of critical industrial infrastructure.

    Taking steps to address ICS cyber security should also improve the control system’s resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to “business as usual” following an incident.

    For industrial sites, vulnerabilities to cyber threats include:

    Lack of security policies and procedures
    Communications between the Internet and the corporation
    Communications between the business LAN (local area network) and process-control network
    Insufficient or out-of-date cyber security controls, such as anti-malware software
    Obsolete or missing security patches
    Inadequate security configurations
    Incomplete or infrequent backups.

  12. Noel Martinez says:
    Very well written article with ample knowledge on SCADA security. Although a SCADA system is meant to make work easier, there are security issues there too.
  13. Tomi Engdahl says:
    Yokogawa patches widespread SCADA vulnerability
    Networking process crashed by crafted packets

    One of the world’s major suppliers of industrial networking kit, Japanese company Yokogawa, has alerted the world to a vulnerability in 21 of its products.

    The ICS-CERT advisory, here, identifies the company’s CENTUM, ProSafe-RS, STARDOM, FAST/TOOLS and other systems as being at risk.

    The vulns are “stack-based buffer overflow vulnerabilities”, the advisory states.

    The overflows are in systems both with a Windows interface, and with embedded versions (such as the ProSafe’s human-machine interface).

    There are two denial-of-service vulnerabilities that can be triggered by a remote attacker by sending a crafted packet to “the process that executes over network communications”, cutting off communications to the targeted system.

    More seriously, the network communication process can also be crashed by a crafted packet allowing the attacker to execute arbitrary code.

  14. Tomi Engdahl says:
    Nuclear power plant bosses not too cyber-security savvy – report
    No ‘executive-level awareness’ + legacy issues = quite worrying

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    The study was conducted over an 18-month period and involved 30 interviews with “experts from several different countries, including the US, UK, Canada, France, Germany, Japan, Ukraine and Russia.”

    Among its more frightening discoveries is that the notion “nuclear facilities are ‘air gapped’” is a “myth”, as “the commercial benefits of internet connectivity mean[s] that nuclear facilities” are increasingly networked.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

    The report (PDF) details seven “known cyber security incidents at nuclear facilities” between 1992 and 2014:

    At Ignalina nuclear power plant (1992) in Lithuania, a technician intentionally introduced a virus into the industrial control system, which he claimed was “to highlight cyber security vulnerabilities”.
    The David-Besse nuclear power plant (2003) in Ohio was infected by the Slammer worm which disabled a safety monitoring system for almost five hours.
    The Browns Ferry nuclear power plant (2006) in Alabama experienced a malfunction of both the reactor recirculation pumps and the condensate demineraliser controller (a type of PLC).
    The Hatch nuclear power plant (2008) was shut down as an unintended consequence of a contractor’s software update.
    An unnamed Russian nuclear power plant (circa 2010) was revealed by Eugene Kaspersky to have been “badly infected by Stuxnet”.
    South Korea’s Korea Hydro and Nuclear Power Co. commercial network (2014) was breached, and information was stolen. The attack was subsequently attributed to North Korea.
    Natanz nuclear facility and Bushehr nuclear power plant (2010)

    The most well-known incident dated back to 2010, when a worm was found to be burrowing into industrial Supervisory Control And Data Acquisition (SCADA) systems on a global level.
    Dubbed Stuxnet, the worm was programmed to remain dormant unless it detected the particular hardware fingerprint of an industrial software system manufactured by Siemens.

    “The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.

    Cyber Security at Civil Nuclear Facilities: Understanding the Risks

  15. Tomi Engdahl says:
    Search engine can find the VPN that NUCLEAR PLANT boss DIDN’T KNOW was there – report
    No ‘exec-level awareness’, warns research

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    The report adds that search engines can “readily identify critical infrastructure components with” VPNs, some of which are power plants. It also adds that facility operators are “sometimes unaware of” them.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

    Cyber Security at Civil Nuclear Facilities: Understanding the Risks

  16. Tomi Engdahl says:
    Heartbleed, Other Flaws Found in Advantech ICS Gateways

    Researchers at security firm Rapid7 discovered that the latest firmware version for some Advantech EKI products is plagued by several known vulnerabilities.

    Advantech EKI are Modbus gateways designed for connecting serial devices to TCP/IP network-based devices in industrial control environments.

    The Taiwan-based industrial automation company recently released new firmware versions for EKI-136X, EKI-132X and EKI-122X products to address a security flaw related to the existence of hardcoded SSH keys (CVE-2015-6476).

    While analyzing one of the new firmware versions, Rapid7’s HD Moore discovered that it includes version 2.05 of the bash shell, which is known to be vulnerable to Shellshock attacks.

    In addition, the Advantech EKI firmware also includes version 1.0.0e of OpenSSL, which is vulnerable to Heartbleed attacks. The OpenSSL Project will end support for the 1.0.0 version starting with January 1, 2016.

    The DHCP client used by Advantech is also highly outdated and known to contain vulnerabilities, including a high-severity stack-based buffer overflow discovered in 2012.

    Beardsley has pointed out that while none of these flaws are new, the problem is that the vulnerable firmware can be found on production industrial control systems.

    Rapid7 contacted Advantech on November 11 and published a Metasploit module on December 1.

    This is the third time someone has found vulnerabilities in Advantech’s Modbus gateways. In February, the vendor patched a serious flaw that could have been exploited by remote attackers to execute arbitrary code.

  17. Tomi Engdahl says:
    Rockwell Patches Serious ‘FrostyURL’ PLC Vulnerability

    Rockwell Automation has patched a handful of vulnerabilities in its Allen-Bradley MicroLogix programmable logic controllers, including one that researchers say can be exploited with a single malicious URL.

    The so-called FrostyURL vulnerability affects the Allen-Bradley MicroLogix 1100 PLC used to control industrial processes in a number of critical industries. CyberX, a security vendor operating in the industrial control system and SCADA markets, said that a single click of a maliciously crafted URL could affect an operational network.

    “It blew our minds how simple it is,” said Nir Giller, CyberX CTO.

    “This was an ‘Open-Sesame’ moment, as it enabled us to dump all of the PLC’s memory and thus observe the effects of different exploitation techniques we tried later on,” said researcher David Atch. “We successfully reverse engineered the PLC firmware, and we are sure we can find and exploit additional vulnerabilities.”

  18. Tomi Engdahl says:
    Iranian hackers ‘targeted’ New York dam

    Iranian hackers penetrated the computers controlling a dam near New York, reveals the Wall Street Journal.

    The 2013 attack did no damage but revealed information about how computers running the flood control system worked, said the paper.

    Hackers working for nation states regularly hit national infrastructure targets, said a separate AP report.

    About 12 times in the last decade hackers have won high-level access to power networks, it said.

    Detailed plans

    Extensive information about the Bowman Avenue dam in Rye, New York state was taken by the hackers, experts familiar with the incident told the newspaper.

    An investigation pointed to Iran as the likely source of the attack and alerted US authorities to the significant cyber warfare capabilities of that nation, said the report. The same group of hackers that attacked Bowman Avenue was also implicated in separate attacks on three US financial firms, it added.

    The US power network has also come under regular attack by “sophisticated foreign hackers” said AP in an extensive investigation.

    Many times security researchers had found evidence that hackers had won access to these sensitive systems. So far, all the attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.

    One extensive campaign gave hackers access to 82 separate plants spread across the US and Canada.

    The knowledge accumulated by the attackers has not been used to shut down the power plants or change the way they work.

    Hackers could get at the power plants and other parts of national infrastructure because many of the systems were set up long before the need to protect them against remote attacks became apparent.

  19. Tomi Engdahl says:
    Microsoft Windows XP Embedded ends extended support
    Ask Control Engineering: Extended support for Microsoft Windows XP Embedded has ended; what should I do?

    Ask Control Engineering: Since Microsoft has ended extended support for Microsoft Windows XP Embedded support as of Jan. 12, what should I do, if anything?

    Answer: Since Microsoft is no longer offering support for its 15-year-old operating system, Microsoft Windows XP Embedded, those who have procrastinated now have additional concerns and risks to address.

    “What’s worse,” said one manufacturing IT expert, “is to not even know if you have any XP systems running.”

    warns that users still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional security risks. Finding compatible software will be very difficult and this, in turn, will make the systems more vulnerable to cyber security attacks. Brandl explains that running a complete system inventory will at least make it clear if there’s a potential support problem.

    The long goodbye to Microsoft Windows XP Embedded

    There are those that get work done early, those that get it done on time, and those that procrastinate until every task is an emergency. Those still using Microsoft Windows XP Embedded in their industrial environments will fall into the latter category because Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016. The 15-year-old operating system will no longer be supported or updated, no matter how much users clamor or beg.

    Companies still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional risks. For example, it will be difficult to find compatible hardware and software, and it will be difficult, if not impossible, to get updates to the applications currently running, which will make the systems more vulnerable. If there are Microsoft Windows XP systems running and they can’t be replaced, then take measures to reduce potential risks. What is worse is to not even know if you have any XP systems running.

    It is vital to complete a software and IT hardware inventory of the entire facility, which includes far more than just the production systems. It is important to also consider your laboratory systems, maintenance systems, warehouse systems, tank farm systems, HVAC systems, physical security systems, document management systems, planning systems, and development systems. Without a complete inventory, “hidden” systems under employees’ desks, which are performing critical functions, might go unnoticed. For example, is the scheduling department still using an XP-based tool, or worse, a DOS-based tool; is the laboratory using XP-based test equipment; are the automated material movement systems running XP-based configuration and maintenance software; or is the security department using an XP-based badge scanning system?

    At the very minimum, a complete system inventory will make it clear if there’s a potential support problem.

    The worst situation is to have high risk and obsolete systems where there are no readily available replacements.

    In these situations, the first step is to virtualize the hardware, which at least removes the risk of a hardware failure and provides backups in case of software failures. Second, the systems should be isolated from other networks through demilitarized zones (DMZs), firewalls, or physical separation. It is likely the Microsoft Windows XP system will be running vulnerable browsers, databases, applications, and drivers, which makes isolation even more vital. However, virtualization and isolation are only temporary fixes to give the manager time to implement long-term solutions.

    For machines that cannot be upgraded, what needs to change now that Microsoft Windows XP support has ended?
    Ask Control Engineering sought advice from industrial software developers related to the end of Microsoft Windows XP support. Here, Beckhoff Automation provides answers related to Microsoft Windows XP obsolescence.

    Ask Control Engineering: For manufacturers that may not be able to upgrade certain machines or systems past Microsoft Windows XP, what should change now that Microsoft Windows XP support has ended? Answers for related questions below are provided by Debra Lee, software specialist, Beckhoff Automation.

    A. Now that support from Microsoft for Windows XP has ended, machines with this operating system (OS) will no longer be able to get OS updates, including security updates. Naturally, best practices dictate that machines be kept up to date with the latest security updates. However, most of these machines are not connected to the Internet, and those that are generally are not used for surfing the Internet nor do they open files or attachments in software applications such as e-mail, both of which are notorious for the spread of viruses and malware. It is important to note as well that many machines are actually running Windows XP Embedded. Support for Windows XP Embedded is still active and does not end until Jan. 12, 2016.

    Q. If customers cannot upgrade, what should change, if anything, on April 9?

    A. If a security audit finds that access to the machine is secured and there is no Internet connectivity or e-mail “read” access with file download capability on the machine, nothing necessarily needs to change today even if a machine has devices with Windows XP OS on it. If the security audit finds a potential hazard in these areas, however, action may need to be taken to remove the access points, or if that is not possible for some reason, upgrade the device(s) on the machine. Of course, users should remember that Windows XP Embedded support is still active and will continue to be active until the beginning of 2016.
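The triage the two answers above describe (inventory every department, leave a secured and isolated XP machine as it is, remove access points or upgrade an exposed one, and virtualize plus isolate when no replacement exists) as an added Python example; it is not code from the article or from Beckhoff, and the asset list and field names are constructed for illustration.

```python
"""Triage a Windows XP / XP Embedded inventory by the article's rules (added example)."""
from dataclasses import dataclass

# Both operating systems are past extended support per the article (XP Embedded since Jan. 12, 2016).
EOL_OS = {"Windows XP", "Windows XP Embedded"}

NO_CHANGE = "isolated: no change today, keep isolated, plan upgrade"
FIX_ACCESS = "exposed: remove access points or upgrade the device"
STOPGAP = "exposed, no replacement: virtualize and isolate behind DMZ/firewall (temporary)"
SUPPORTED = "supported OS: out of scope"


@dataclass
class Asset:
    host: str
    department: str               # inventory covers more than production
    os: str
    access_secured: bool          # audit finding: machine access is controlled
    internet_access: bool         # audit finding: can reach the Internet
    email_access: bool            # audit finding: e-mail read / file download
    replacement_available: bool   # a supported replacement exists


def triage(asset: Asset) -> str:
    """Return the recommended action for one asset."""
    if asset.os not in EOL_OS:
        return SUPPORTED
    exposed = asset.internet_access or asset.email_access or not asset.access_secured
    if not exposed:
        return NO_CHANGE          # Beckhoff's answer: secured and offline -> nothing today
    if asset.replacement_available:
        return FIX_ACCESS         # close the access path, or upgrade the device
    return STOPGAP                # Brandl's advice for obsolete systems without replacement


def triage_inventory(assets) -> dict:
    """Map hostname -> action so 'hidden' departmental systems show up alongside production."""
    return {a.host: triage(a) for a in assets}


# Constructed inventory spanning the departments the article says are easy to overlook.
INVENTORY = [
    Asset("hmi-line1", "production", "Windows XP Embedded", True, False, False, True),
    Asset("lab-tester", "laboratory", "Windows XP", True, True, False, False),
    Asset("badge-scan", "physical security", "Windows XP", False, False, False, True),
    Asset("sched-pc", "scheduling", "Windows 7", True, True, True, True),
]

if __name__ == "__main__":
    for host, action in triage_inventory(INVENTORY).items():
        print(f"{host:12} {action}")
```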

  20. Tomi Engdahl says:
    Security flaw in Advantech gateway leaves industrial equipment open – any password grants access

    A programming mistake by the manufacturer left Advantech gateways, which are embedded in industrial devices, open to anyone. Advantech’s TCP/IP gateways allow industrial equipment that has only a serial port to be connected to the Internet for remote management.

    Advantech last updated the equipment last fall and removed the gateways’ hardcoded SSH server password. However, the update did not fix an even bigger problem: the equipment’s modified SSH server accepts any password.

    The problem was found by Rapid7’s researchers. The vulnerability is in the firmware version 1.98, published in the autumn, of the Advantech EKI-1322 gateway. The most recent version, 2.00, published at the end of December, corrects the problem.

    Rapid7 says that the problem arose when the SSH server, called Dropbear, was modified so heavily that it no longer actually requires user authentication.


