<?xml version="1.0" encoding="UTF-8"?><rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	
	>
<channel>
	<title>Comments on: SCADA systems security issues</title>
	<atom:link href="http://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/feed/" rel="self" type="application/rss+xml" />
	<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/</link>
	<description>All about electronics and circuit design</description>
	<lastBuildDate>Sat, 04 Apr 2026 09:03:13 +0000</lastBuildDate>
		<sy:updatePeriod>hourly</sy:updatePeriod>
		<sy:updateFrequency>1</sy:updateFrequency>
	<generator>http://wordpress.org/?v=3.9.14</generator>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-6/#comment-1574448</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Fri, 15 Dec 2017 07:20:17 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1574448</guid>
		<description><![CDATA[Jim Finkle / Reuters:
“Triton” malware, likely the work of a nation-state, found in Schneider Electric industrial safety systems often used in nuclear, oil and gas plants

Hackers halt plant operations in watershed cyber attack
https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271

Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.

FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).

Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.

Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.

Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant

“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”

The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.

EcoStruxure™ Triconex Safety Systems
https://www.schneider-electric.com/b2b/en/products/industrial-automation-control/triconex-safety-systems/]]></description>
		<content:encoded><![CDATA[<p>Jim Finkle / Reuters:<br />
“Triton” malware, likely the work of a nation-state, found in Schneider Electric industrial safety systems often used in nuclear, oil and gas plants</p>
<p>Hackers halt plant operations in watershed cyber attack<br />
<a href="https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271" rel="nofollow">https://www.reuters.com/article/us-cyber-infrastructure-attack/hackers-halt-plant-operations-in-watershed-cyber-attack-idUSKBN1E8271</a></p>
<p>Hackers likely working for a nation-state recently invaded the safety system of a critical infrastructure facility in a watershed attack that halted plant operations, according to cyber investigators and the firm whose software was targeted.</p>
<p>FireEye Inc (FEYE.O) disclosed the incident on Thursday, saying it targeted Triconex industrial safety technology from Schneider Electric SE (SCHN.PA).</p>
<p>Schneider confirmed that the incident had occurred and that it had issued a security alert to users of Triconex, which cyber experts said is widely used in the energy industry, including at nuclear facilities, and oil and gas plants.</p>
<p>Compromising a safety system could let hackers shut them down in advance of attacking other parts of an industrial plant, potentially preventing operators from identifying and halting destructive attacks, they said.</p>
<p>Safety systems “could be fooled to indicate that everything is okay,” even as hackers damage a plant</p>
<p>“This is a watershed,” said Sergio Caltagirone, head of threat intelligence with Dragos. “Others will eventually catch up and try to copy this kind of attack.”</p>
<p>The U.S. government and private cyber-security firms have issued public warnings over the past few years about attempts by hackers from nations including Iran, North Korea and Russia and others to attack companies that run critical infrastructure plants in what they say are primarily reconnaissance operations.</p>
<p>EcoStruxure™ Triconex Safety Systems<br />
<a href="https://www.schneider-electric.com/b2b/en/products/industrial-automation-control/triconex-safety-systems/" rel="nofollow">https://www.schneider-electric.com/b2b/en/products/industrial-automation-control/triconex-safety-systems/</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-6/#comment-1573181</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 04 Dec 2017 14:15:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1573181</guid>
		<description><![CDATA[Industrial Cybersecurity Startup SCADAfence Secures $10 Million
http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million

Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round. 

The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.

SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.]]></description>
		<content:encoded><![CDATA[<p>Industrial Cybersecurity Startup SCADAfence Secures $10 Million<br />
<a href="http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million" rel="nofollow">http://www.securityweek.com/industrial-cybersecurity-startup-scadafence-secures-10-million</a></p>
<p>Israeli industrial cybersecurity startup SCADAfence has secured $10 million in funding through a recently announced Series A round. </p>
<p>The Tel Aviv-based company explains that it helps industrial network operators bridge the cybersecurity gap that comes when connecting operational technology (OT) and IT networks to ensure operational continuity and the security of valuable assets.</p>
<p>SCADAfence’s solutions provide visibility of day-to-day operations, detection of malicious cyber-attacks as well as non-malicious operational threats, and risk management tools.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-6/#comment-1573177</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 04 Dec 2017 14:12:45 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1573177</guid>
		<description><![CDATA[Siemens Patches Several Flaws in Teleprotection Devices
http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices

Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.

The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.

According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.

The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).

Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).

The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.]]></description>
		<content:encoded><![CDATA[<p>Siemens Patches Several Flaws in Teleprotection Devices<br />
<a href="http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices" rel="nofollow">http://www.securityweek.com/siemens-patches-several-flaws-teleprotection-devices</a></p>
<p>Siemens has patched several vulnerabilities, including authentication bypass and denial-of-service (DoS) flaws, in its SWT 3000 teleprotection devices.</p>
<p>The SWT 3000 teleprotection devices are designed for quickly identifying and isolating faults in high-voltage power grids. This Siemens product is used in the energy sector worldwide.</p>
<p>According to advisories published by both Siemens and ICS-CERT, medium severity vulnerabilities have been found in the EN100 Ethernet module used by SWT 3000 devices running IEC 61850 and TPOP firmware.</p>
<p>The flaws can be exploited to bypass authentication to the web interface and perform administrative operations (CVE-2016-7112, CVE-2016-7114), and cause devices to enter a DoS condition by sending specially crafted packets (CVE-2016-7113).</p>
<p>Flaws related to the product’s web server can be leveraged by a network attacker to obtain sensitive device information (CVE-2016-4784), and data from the device’s memory (CVE-2016-4785).</p>
<p>The security holes have been addressed in IEC 61850 firmware with the release of version 4.29.01. The TPOP firmware is affected by only three of the flaws. These have been fixed with the release of version 01.01.00.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1570648</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 15 Nov 2017 12:00:15 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1570648</guid>
		<description><![CDATA[Flaw in Siemens RTU Allows Remote Code Execution
http://www.securityweek.com/flaw-siemens-rtu-allows-remote-code-execution

Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.

The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.

In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead webserver used by the RTU module was released in October 2003 and it’s affected by several known vulnerabilities.]]></description>
		<content:encoded><![CDATA[<p>Flaw in Siemens RTU Allows Remote Code Execution<br />
<a href="http://www.securityweek.com/flaw-siemens-rtu-allows-remote-code-execution" rel="nofollow">http://www.securityweek.com/flaw-siemens-rtu-allows-remote-code-execution</a></p>
<p>Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.</p>
<p>Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.</p>
<p>The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.</p>
<p>The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.</p>
<p>In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead webserver used by the RTU module was released in October 2003 and it’s affected by several known vulnerabilities.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1553394</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Mon, 03 Jul 2017 13:20:59 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1553394</guid>
		<description><![CDATA[Intel AMT bug bit Siemens industrial PCs
Patches issued for 38 products, plus bonus Web portal bug-fix
https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/

You don&#039;t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.

The bug in Intel&#039;s Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in processors since 2010.

In Siemens&#039;s case, 38 product series use vulnerable Intel chipsets (the company lists them in this PDF). They include SIMATIC industrial PCs, SINUMERIK control panels and SIMOTION P320 PCs.

The company has shipped patches for the SIMATIC PCs, but is still working on the control panel products.

https://support.industry.siemens.com/cs/document/109747626/updating-the-intel-management-engine-bios-extension-for-simatic-ipcs-and-simatic-field-pgs?dti=0&amp;lc=en-WW]]></description>
		<content:encoded><![CDATA[<p>Intel AMT bug bit Siemens industrial PCs<br />
Patches issued for 38 products, plus bonus Web portal bug-fix<br />
<a href="https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/" rel="nofollow">https://www.theregister.co.uk/2017/07/03/intel_amt_bug_bit_siemens_industrial_pcs/</a></p>
<p>You don&#8217;t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.</p>
<p>The bug in Intel&#8217;s Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in processors since 2010.</p>
<p>In Siemens&#8217;s case, 38 product series use vulnerable Intel chipsets (the company lists them in this PDF). They include SIMATIC industrial PCs, SINUMERIK control panels and SIMOTION P320 PCs.</p>
<p>The company has shipped patches for the SIMATIC PCs, but is still working on the control panel products.</p>
<p><a href="https://support.industry.siemens.com/cs/document/109747626/updating-the-intel-management-engine-bios-extension-for-simatic-ipcs-and-simatic-field-pgs?dti=0&#038;lc=en-WW" rel="nofollow">https://support.industry.siemens.com/cs/document/109747626/updating-the-intel-management-engine-bios-extension-for-simatic-ipcs-and-simatic-field-pgs?dti=0&#038;lc=en-WW</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1551517</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 17 Jun 2017 17:51:24 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1551517</guid>
		<description><![CDATA[[ICS] Trihedral VTScada Multiple Vulnerabilities
https://ipositivesecurity.com/2017/06/15/ics-trihedral-vtscada-multiple-vulnerabilities/

ICS-CERT published an advisory on one of my reports this week –
https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01]]></description>
		<content:encoded><![CDATA[<p>[ICS] Trihedral VTScada Multiple Vulnerabilities<br />
<a href="https://ipositivesecurity.com/2017/06/15/ics-trihedral-vtscada-multiple-vulnerabilities/" rel="nofollow">https://ipositivesecurity.com/2017/06/15/ics-trihedral-vtscada-multiple-vulnerabilities/</a></p>
<p>ICS-CERT published an advisory on one of my reports this week –<br />
<a href="https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01" rel="nofollow">https://ics-cert.us-cert.gov/advisories/ICSA-17-164-01</a></p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1551516</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Sat, 17 Jun 2017 17:50:46 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1551516</guid>
		<description><![CDATA[High Severity Flaws Patched in Trihedral SCADA Software
http://www.securityweek.com/high-severity-flaws-patched-trihedral-scada-software

An update released by Trihedral for its VTScada product patches several vulnerabilities, including high severity weaknesses that can be exploited even by less skilled hackers.

VTScada, Trihedral’s flagship product, is a software suite designed for creating human-machine interfaces (HMI) for supervisory control and data acquisition (SCADA) systems. The product is used in various industries, mainly in North America and Europe.

Security researcher Karn Ganeshen discovered several vulnerabilities affecting VTScada versions prior to 11.2.26. The expert told SecurityWeek that a Shodan search showed a few systems running VTScada accessible from the Internet, but he believes there are more vulnerable instances that are exposed to attacks.

In an advisory published on his website, Ganeshen said an attacker with a non-privileged account can cause excessive CPU and RAM usage by submitting a large payload (up to roughly 80,000 characters) in the username field of the login window.]]></description>
		<content:encoded><![CDATA[<p>High Severity Flaws Patched in Trihedral SCADA Software<br />
<a href="http://www.securityweek.com/high-severity-flaws-patched-trihedral-scada-software" rel="nofollow">http://www.securityweek.com/high-severity-flaws-patched-trihedral-scada-software</a></p>
<p>An update released by Trihedral for its VTScada product patches several vulnerabilities, including high severity weaknesses that can be exploited even by less skilled hackers.</p>
<p>VTScada, Trihedral’s flagship product, is a software suite designed for creating human-machine interfaces (HMI) for supervisory control and data acquisition (SCADA) systems. The product is used in various industries, mainly in North America and Europe.</p>
<p>Security researcher Karn Ganeshen discovered several vulnerabilities affecting VTScada versions prior to 11.2.26. The expert told SecurityWeek that a Shodan search showed a few systems running VTScada accessible from the Internet, but he believes there are more vulnerable instances that are exposed to attacks.</p>
<p>In an advisory published on his website, Ganeshen said an attacker with a non-privileged account can cause excessive CPU and RAM usage by submitting a large payload (up to roughly 80,000 characters) in the username field of the login window.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1547417</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 17 May 2017 10:04:04 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1547417</guid>
		<description><![CDATA[ICS Environments: Insecure by Design
http://www.securityweek.com/ics-environments-insecure-design

Industrial Control System Design Flaws Have a Profound Impact on Security Posture of Operational Networks

It’s a generally known fact that most Industrial Control System (ICS) environments were not built with cyber security in mind because they were designed before the cyber threat existed. For decades these networks were protected by an air-gap, disconnected from the outside world. With the introduction of commercial off the shelf (COTS) technology in the 1990s (which replaced proprietary, purpose-built industrial hardware and software) and the increasing connectivity to corporate networks and the Internet, these systems have become more exposed to cyber threats and the risk of compromise.

The impact of vulnerabilities and design flaws

Like IT networks, ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported.

ICS networks have become easy targets because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. This means that anyone with network access can make changes to controller logic and configuration which can severely affect operations and have a catastrophic impact on plant safety and reliability.

Visibility and control in ICS networks

ICS networks suffer from a lack of visibility which prevents engineering and security staff from identifying a malicious actor compromising critical assets, or a contractor that may be making an unauthorized change to the configuration of a controller. Not knowing with certainty what’s happening in these networks severely impacts the staff’s ability to detect and respond to incidents, whether caused by cyber threats or human error. 

As long as security controls aren&#039;t available to prevent unauthorized/malicious changes, the design flaws of ICS will continue to affect their security posture and put them at a high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise resulting from a lack of security controls.]]></description>
		<content:encoded><![CDATA[<p>ICS Environments: Insecure by Design<br />
<a href="http://www.securityweek.com/ics-environments-insecure-design" rel="nofollow">http://www.securityweek.com/ics-environments-insecure-design</a></p>
<p>Industrial Control System Design Flaws Have a Profound Impact on Security Posture of Operational Networks</p>
<p>It’s a generally known fact that most Industrial Control System (ICS) environments were not built with cyber security in mind because they were designed before the cyber threat existed. For decades these networks were protected by an air-gap, disconnected from the outside world. With the introduction of commercial off the shelf (COTS) technology in the 1990s (which replaced proprietary, purpose-built industrial hardware and software) and the increasing connectivity to corporate networks and the Internet, these systems have become more exposed to cyber threats and the risk of compromise.</p>
<p>The impact of vulnerabilities and design flaws</p>
<p>Like IT networks, ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported.</p>
<p>ICS networks have become easy targets because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. This means that anyone with network access can make changes to controller logic and configuration which can severely affect operations and have a catastrophic impact on plant safety and reliability.</p>
<p>Visibility and control in ICS networks</p>
<p>ICS networks suffer from a lack of visibility which prevents engineering and security staff from identifying a malicious actor compromising critical assets, or a contractor that may be making an unauthorized change to the configuration of a controller. Not knowing with certainty what’s happening in these networks severely impacts the staff’s ability to detect and respond to incidents, whether caused by cyber threats or human error. </p>
<p>As long as security controls aren&#8217;t available to prevent unauthorized/malicious changes, the design flaws of ICS will continue to affect their security posture and put them at a high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise resulting from a lack of security controls.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1547413</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 17 May 2017 10:01:11 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1547413</guid>
		<description><![CDATA[World Close to &#039;Serious Digital Sabotage&#039;: Dutch Spy Chief
http://www.securityweek.com/world-close-serious-digital-sabotage-dutch-spy-chief

The world may be close to a &quot;serious act of digital sabotage&quot; which could trigger unrest, &quot;chaos and disorder,&quot; Dutch spy chief Rob Bertholee warned Tuesday.

Sabotage of critical infrastructure &quot;is the kind of thing that might keep you awake at night,&quot; Bertholee told a timely cyber security conference in The Hague, as global experts grapple with the fallout of a massive cyberattack over the past days.

Digital threats &quot;are not imaginary, they are everywhere around us,&quot; the head of the country&#039;s intelligence services (AIVD) told the conference organised by the Dutch government.

&quot;In my opinion, we might be closer to a serious act of digital sabotage than a lot of people can imagine,&quot; he told hundreds of experts and officials.

The world&#039;s infrastructure was heavily interconnected, which had huge benefits, but also &quot;vulnerabilities&quot;.

&quot;Imagine what would happen if the entire banking system were sabotaged for a day, two days, for a week,&quot; he asked.

&quot;Or if there was a breakdown in our transportation network. Or if air traffic controllers faced cyberattacks while directing flights. The consequences could be catastrophic.&quot;

Added Bertholee: &quot;Sabotage on one of these sectors could have major public repercussions, causing unrest, chaos and disorder.&quot;

The threat of &quot;cyber terrorism&quot; from terror groups such as the so-called Islamic State jihadist and Al-Qaeda was still limited, he said, but &quot;jihadist-inspired terrorism is the number one priority&quot; of the Dutch intelligence services.

&quot;The level of technical expertise available to a jihadist group is still insufficient to inflict significant damage or personal injury through digital sabotage,&quot; Bertholee said.

&quot;They may not yet have the capability but they definitely have the intent,&quot; he warned.]]></description>
		<content:encoded><![CDATA[<p>World Close to &#8216;Serious Digital Sabotage&#8217;: Dutch Spy Chief<br />
<a href="http://www.securityweek.com/world-close-serious-digital-sabotage-dutch-spy-chief" rel="nofollow">http://www.securityweek.com/world-close-serious-digital-sabotage-dutch-spy-chief</a></p>
<p>The world may be close to a &#8220;serious act of digital sabotage&#8221; which could trigger unrest, &#8220;chaos and disorder,&#8221; Dutch spy chief Rob Bertholee warned Tuesday.</p>
<p>Sabotage of critical infrastructure &#8220;is the kind of thing that might keep you awake at night,&#8221; Bertholee told a timely cyber security conference in The Hague, as global experts grapple with the fallout of a massive cyberattack over the past days.</p>
<p>Digital threats &#8220;are not imaginary, they are everywhere around us,&#8221; the head of the country&#8217;s intelligence services (AIVD) told the conference organised by the Dutch government.</p>
<p>&#8220;In my opinion, we might be closer to a serious act of digital sabotage than a lot of people can imagine,&#8221; he told hundreds of experts and officials.</p>
<p>The world&#8217;s infrastructure was heavily interconnected, which had huge benefits, but also &#8220;vulnerabilities&#8221;.</p>
<p>&#8220;Imagine what would happen if the entire banking system were sabotaged for a day, two days, for a week,&#8221; he asked.</p>
<p>&#8220;Or if there was a breakdown in our transportation network. Or if air traffic controllers faced cyberattacks while directing flights. The consequences could be catastrophic.&#8221;</p>
<p>Added Bertholee: &#8220;Sabotage on one of these sectors could have major public repercussions, causing unrest, chaos and disorder.&#8221;</p>
<p>The threat of &#8220;cyber terrorism&#8221; from terror groups such as the so-called Islamic State jihadist and Al-Qaeda was still limited, he said, but &#8220;jihadist-inspired terrorism is the number one priority&#8221; of the Dutch intelligence services.</p>
<p>&#8220;The level of technical expertise available to a jihadist group is still insufficient to inflict significant damage or personal injury through digital sabotage,&#8221; Bertholee said.</p>
<p>&#8220;They may not yet have the capability but they definitely have the intent,&#8221; he warned.</p>
]]></content:encoded>
	</item>
	<item>
		<title>By: Tomi Engdahl</title>
		<link>https://www.epanorama.net/blog/2011/12/14/scada-systems-security-issues/comment-page-5/#comment-1542998</link>
		<dc:creator><![CDATA[Tomi Engdahl]]></dc:creator>
		<pubDate>Wed, 05 Apr 2017 08:19:30 +0000</pubDate>
		<guid isPermaLink="false">http://www.epanorama.net/blog/?p=6640#comment-1542998</guid>
		<description><![CDATA[Schneider Electric still shipping passwords in firmware
You&#039;d think a vendor of critical infrastructure would at least pretend to care about security
https://www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/

That “don&#039;t use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric&#039;s developers&#039; eyes so they don&#039;t forget it.

Yes, it&#039;s happened again, this time on the SCADA vendor&#039;s Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, because they can&#039;t change the password.

It&#039;s a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.

That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.]]></description>
		<content:encoded><![CDATA[<p>Schneider Electric still shipping passwords in firmware<br />
You&#8217;d think a vendor of critical infrastructure would at least pretend to care about security<br />
<a href="https://www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/" rel="nofollow">https://www.theregister.co.uk/2017/04/05/schneider_istilli_shipping_passwords_in_firmware/</a></p>
<p>That “don&#8217;t use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric&#8217;s developers&#8217; eyes so they don&#8217;t forget it.</p>
<p>Yes, it&#8217;s happened again, this time on the SCADA vendor&#8217;s Schneider Modicon TM221CE16R, Firmware 1.3.3.3 – and without new firmware, users are stuck, because they can&#8217;t change the password.</p>
<p>It&#8217;s a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.</p>
<p>That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.</p>
]]></content:encoded>
	</item>
</channel>
</rss>
