Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

8/1/2013
10:28 PM
Connect Directly
Twitter
RSS
E-Mail
50%
50%

SCADA Experts Simulate 'Catastrophic' Attack

Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks

LAS VEGAS -- BLACK HAT USA -- SCADA experts here today demonstrated just how easy it is to commandeer the antiquated networking protocols used in an oil-well pumping station and other SCADA environments, causing a simulated oil tank to nearly overflow using spoofed commands to the programmable logic controller (PLC).

Click here for more of Dark Reading's Black Hat articles.

While the live demo by Cimation researchers Brian Meixell and Erick Forner drew audience laughter with the model-simulated oil well and pump contraption -- at one point spraying some of the bluish-green dyed liquid, and the grand finale when they hacked the remote terminal unit's HMI interface and inserted a game of Solitaire on its screen -- their message was sobering.

"We only had a 24-volt pump in the demo, but this [attack] could cause a complete environmental catastrophe" in a real oil-well drilling environment, Forner said.

The researchers, whose day jobs include installing and supporting SCADA systems in oil rigs, basically wrote a few basic Python scripts that told the remote controllers what to do. In the live demo, they commanded the valve and pump to work on "high" and to nearly overflow the simulated oil. They also showed how they could send phony data that convinced the system that the pump was empty when it was actually rising, forcing it to nearly overflow.

"So you can have the operator seeing something entirely different than what's happening in the process, causing the pipe to burst and the tank to overflow," Forner says. "The operator would see the tank levels decreasing, when, in fact, they were increasing."

No specific software vulnerabilities or bugs are required for this attack: It comes down to the lack of security in the serial Modbus/TCP protocol, a networking protocol that dates back to the 1970s and operates on port 502. "There is no authentication or security at all designed into it," Forner says.

"We are sending packets over the network, unauthenticated" and controlling the PLC devices with the scripts, he says. "We were able to disable the safety logic ... and force inputs and outputs" to turn a pump on, off, or sabotage its flow.

[How utilities could spot malware and cyberattacks on their automation environments on the fly merely by continuously monitoring the customarily predictable behaviors of those networks and systems. See Experiment Simulated Attacks On Natural Gas Plant .]

Meanwhile, the researchers say they've found via Shodan scans some 93,000 devices reachable via the Internet that speak Modbus. Preventing attacks on these systems, such as those the two demonstrated, would require command-level filtering for the PLCs, or removing the systems from the public IP network altogether, they said.

So are these environments getting hit by attacks yet? "A lot of why we're not seeing a lot of attacks here is that you don't know what you're looking for if you don't know what to do with it," Forner says. "These devices have been attached to the Net for years. Now people are starting to look at this and are starting to care."

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message. Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ... View Full Bio

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Inside the Ransomware Campaigns Targeting Exchange Servers
Kelly Sheridan, Staff Editor, Dark Reading,  4/2/2021
Commentary
Beyond MITRE ATT&CK: The Case for a New Cyber Kill Chain
Rik Turner, Principal Analyst, Infrastructure Solutions, Omdia,  3/30/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
How Enterprises are Developing Secure Applications
How Enterprises are Developing Secure Applications
Recent breaches of third-party apps are driving many organizations to think harder about the security of their off-the-shelf software as they continue to move left in secure software development practices.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27706
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware version V15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"IPMacBindIndex "request. This occurs because the "formIPMacBindDel" function directly passes the parameter "IPMacBind...
CVE-2021-27707
PUBLISHED: 2021-04-14
Buffer Overflow in Tenda G1 and G3 routers with firmware v15.11.0.17(9502)_CN allows remote attackers to execute arbitrary code via a crafted action/"portMappingIndex "request. This occurs because the "formDelPortMapping" function directly passes the parameter "portMappingIn...
CVE-2021-28098
PUBLISHED: 2021-04-14
An issue was discovered in Forescout CounterACT before 8.1.4. A local privilege escalation vulnerability is present in the logging function. SecureConnector runs with administrative privileges and writes logs entries to a file in %PROGRAMDATA%\ForeScout SecureConnector\ that has full permissions for...
CVE-2021-30493
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the ChromaBroadcast subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wor...
CVE-2021-30494
PUBLISHED: 2021-04-14
Multiple system services installed alongside the Razer Synapse 3 software suite perform privileged operations on entries within the Razer Chroma SDK subkey. These privileged operations consist of file name concatenation of a runtime log file that is used to store runtime log information. In other wo...