For an industry that traditionally has been cloistered and unaccustomed to cybersecurity threats to its systems, it has been a rough few months, with several security researchers exposing and poking some serious holes in the products that run in power plants, manufacturing floors, hospitals, and even prisons. Most recently, Metasploit late last month added a new exploit to the Metasploit Framework for an attack demonstrated by Digital Bond against the GE D20 PLC device. Other SCADA product exploits by the Digital Bound researchers are also in the works for Metasploit, including ones for Rockwell Automation, Schneider Modicon, and Koyo/Direct LOGIC. Last summer, researcher Dillon Beresford demonstrated a backdoor in Siemens S7-300, S7-400, and S7-1200 devices that allowed him to get inside and capture passwords and reprogram PLC logic in such a way that he could shut down the systems altogether or cause them to eventually crash.
ICS-CERT reported on Friday (PDF) that many organizations have been witnessing secure shell (SSH) scans of their Internet-facing control systems, including an electric utility that told ICS-CERT it had been hit by some brute force attempts against its networks that were "unsuccessful." The attackers are probing Port 22/TCP, the default SSL listening port, to look for SSH. Once they get a response from the probe, they can execute a brute-force attack for login credentials in order to acquire remote access.
It's an attractive attack vector because many control-system devices on networks run SSH by default. ICS-CERT recommends monitoring network logs for port scans and access attempts. "Hundreds or thousands of login attempts over a relatively short time period is an indicator of a brute force attack because systems running SSH normally do not receive high volumes of login attempts," the ICS-CERT alert says. "However, indication of an attack does not necessarily mean that the organization is the actual intended target. Scans are frequently executed against a wide range of IP addresses looking for any system meeting the attacker’s criteria (in this case, systems running SSH)."
This is just the latest in a string of painfully simple hacks to which critical infrastructure providers are vulnerable. Researchers Billy Rios and Terry McCorkle during the past year have been reporting bugs they find in industrial control systems products: They've found more than 1,000, of which 98 are easily exploitable. Among the most obvious bugs they found were via human management interface (HMI) applications that were accessible via the Internet, as well as file format and ActiveX flaws.
McCorkle, who spoke at the Kaspersky Lab Security Analyst Summit in Cancun last week, says some of the vulnerabilities he and Rios reported will never get patched. "We reported all we did through ICS-CERT," he said. "Some vendors never respond. Those [bugs] will sit there in limbo forever."
Among the bugs they found: an open command via ActiveX control. "The state of ICS is kind of laughable. I honestly don't know what else to say," said McCorkle, who describes the ICS industry as living in 1990s-era security.
One of the ActiveX control flaws they found manages an HMI. "HMI's are out there listening, and they give access to systems that are supposed to be segregated," McCorkle said.
[Digital Bond and Rapid7 partner to move additional Project Basecamp PLC exploits to the Metasploit Framework. See Metasploit Exploit Module Released For PLC SCADA Devices.]
Meanwhile, the SSH brute-force threat reported by ICS-CERT is really nothing new, experts say. "Someone should welcome ICS to 2002. The advisory doesn't even indicate that control system defaults are being tested," says HD Moore, chief security officer at Rapid7.
The best defense is basically to run SSH on a nonstandard port, he says. "Running SSH on a nonstandard port stops nearly all of these attacks. If someone attacks SSH on a nonstandard port, you know it's targeted," Moore says. "For what it's worth, this is how all of my own servers have been configured since '99. It separates background noise from real attacks."
Segregating the sensitive control systems with firewalls and VPNs and other layers is the best bet, he says. "It boils down to segmentation, still. The SCADA industry isn't mature enough to place their products on the Internet," Moore says.
Most of the time ICS systems are not firewalled, though, McCorkle says. "Power and water utilities do a better job [with this]," he said. "But it's been proved that segmentation doesn't [always] work: SIPERNET is segregated, and Stuxnet [bypassed those controls]," he said.
"If you want to it right, segmentation is very expensive. And if you do segmentation, you can get [overly] confident [such that] your controls are lacking," he said.
Meanwhile, ICS vendors need to come up with a way to automatically issue patches for their critical systems. "Now when they release it, it's totally on the customer," McCorkle said. "There's no automated way or a website to find the patches available for your products."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.