Dark Reading is part of the Informa Tech Division of Informa PLC



8/10/2017
11:00 AM

Air Gap FAILs, Configuration Mistakes Causing ICS/SCADA Cyberattacks

A utility's cautionary tale, and how a popular ICS/SCADA network protocol failed a fuzzing test miserably.

It had the markings of a possible sabotage operation. Stealthy, patient attackers had wrested control of an ICS/SCADA controller in a power plant and were rooting around in what appeared to be a reconnaissance effort to map out the plant's infrastructure. The attackers were scanning for a specific type of PLC (programmable logic controller) when they unknowingly pinged a deception trap in place at the plant, which blew their cover and ultimately alerted the security team.

Turns out the attackers' point of entry had been a port on the compromised controller that had inadvertently been left open after a vendor-maintenance engagement. The attackers used that hole to gain a foothold in the process control network and to probe the PLCs in order to map out the plant's operations.

"They took hold of a single device … and they were scanning for a specific kind of controller," says Ori Bach, vice president of products at TrapX, whose firm revealed the attack of its utility customer in a new report published today.

The report by TrapX, a security firm that specializes in so-called deception technology akin to advanced honeypots that act as lures for attackers, provides a glimpse of some real-world cyberattacks hitting ICS/SCADA networks in manufacturing and utility plant floors.

The utility, which TrapX declined to name, had installed the security vendor's deception product, which creates emulated servers, workstations, PLCs, and other devices as a way to detect attacks. The attackers had been gathering intel that could be used to help them disrupt the plant's operations or even damage it. The utility initially added the deception traps due to ransomware concerns.

The attackers gained access because of a failure to close the controller from outside access: "It was supposed to be shut down, but third-party maintenance for some reason left it open and the attackers were able" to exploit that, Bach notes.

Configuration mistakes are one of the most common ways attackers infiltrate ICS/SCADA networks today, he says. Other common entry points are spear-phishing and bridging so-called air-gapped systems, where an industrial network is isolated from other internal networks for security reasons but ends up infected, or reachable from the entire corporate network, via a maintenance worker's laptop joining the plant-floor network or an infected USB stick carrying maintenance software.
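The open maintenance port and the laptop-on-the-plant-network scenarios above both come down to exposure that nobody approved, and both show up in a periodic diff of what is actually listening on the control segment against what is supposed to be. The following is an added example, not code from TrapX or from the utility in the article: it parses a scan of the segment (constructed here in nmap's grepable output format) and compares it with an approved per-device list of listening TCP ports and an asset inventory, reporting unexpected ports, unknown hosts, and inventoried devices that went missing. All addresses, ports, device roles and the scan lines are constructed assumptions.

```python
"""Exposure drift check for a process-control network segment.

Added example, not code from TrapX or from the utility in the article. It
compares an approved per-device baseline of listening TCP ports with a scan of
the segment and reports (a) ports open that the baseline does not allow, such
as a vendor maintenance service left enabled after an engagement, (b) hosts the
asset inventory does not know, such as a maintenance laptop plugged into the
plant network, and (c) inventoried devices the scan did not see. Addresses,
ports, roles and the scan text are constructed for illustration; the scan is
written in nmap's grepable (-oG) line format.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set


@dataclass(frozen=True)
class Finding:
    host: str
    port: Optional[int]
    reason: str


# Constructed asset inventory: the only ports each device is approved to listen on.
BASELINE: Dict[str, dict] = {
    "10.20.1.10": {"role": "PLC", "ports": {502}},        # Modbus/TCP
    "10.20.1.11": {"role": "PLC", "ports": {102}},        # ISO-TSAP (MMS)
    "10.20.1.50": {"role": "HMI", "ports": {102, 502}},
}

# Constructed scan output in nmap -oG style. 10.20.1.10 still has telnet open
# after vendor maintenance, and 10.20.1.77 is a host nobody inventoried.
SCAN = (
    "Host: 10.20.1.10 ()\tPorts: 502/open/tcp//mbap///, 23/open/tcp//telnet///\tIgnored State: closed (998)\n"
    "Host: 10.20.1.11 ()\tPorts: 102/open/tcp//iso-tsap///\tIgnored State: closed (999)\n"
    "Host: 10.20.1.77 ()\tPorts: 445/open/tcp//microsoft-ds///, 3389/open/tcp//ms-wbt-server///"
    "\tIgnored State: closed (998)\n"
)


def parse_grepable(text: str) -> Dict[str, Set[int]]:
    """Map each scanned host to its set of open TCP ports (other states are ignored)."""
    observed: Dict[str, Set[int]] = {}
    for line in text.splitlines():
        if not line.startswith("Host: ") or "Ports: " not in line:
            continue
        host = line.split()[1]
        ports_field = line.split("Ports: ", 1)[1].split("\t", 1)[0]
        open_ports: Set[int] = set()
        for entry in ports_field.split(", "):
            port, state, proto = entry.split("/")[:3]   # port/state/proto/owner/service/rpc/version/
            if state == "open" and proto == "tcp":
                open_ports.add(int(port))
        observed[host] = open_ports
    return observed


def check_exposure(baseline: Dict[str, dict], observed: Dict[str, Set[int]]) -> List[Finding]:
    """Return one Finding per deviation between the approved baseline and the scan."""
    findings: List[Finding] = []
    for host, ports in sorted(observed.items()):
        if host not in baseline:
            findings.append(Finding(host, None, "host not in asset inventory"))
            continue
        for port in sorted(ports - baseline[host]["ports"]):
            findings.append(Finding(host, port, f"port not in baseline for {baseline[host]['role']}"))
    for host in sorted(set(baseline) - set(observed)):
        findings.append(Finding(host, None, "inventoried device not seen in scan"))
    return findings


if __name__ == "__main__":
    for f in check_exposure(BASELINE, parse_grepable(SCAN)):
        print(f"{f.host}\t{f.port if f.port is not None else '-'}\t{f.reason}")
```

Run as-is it reports the telnet port on 10.20.1.10, the uninventoried 10.20.1.77, and the missing HMI. The useful property is that the baseline is per device and positive (what may listen), so a vendor leaving a service enabled, or a third party adding one, is a finding regardless of which port it is; a fed-in scan from a real tool only needs the parser swapped.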

Security experts point to the aftermath of the 2003 power blackout in the northeastern US, which affected eight states and parts of Canada, cut power to some 50 million people, and took up to two days to fully restore, as the turning point in ICS/SCADA exposure. The power industry went all out on resiliency and continuity to prevent another mass outage, adding remote monitoring and control of plants, which in practice exposed them to the Internet. "Unfortunately, by solving one problem, manufacturers have in fact exposed themselves to another. Critical infrastructure which was historically shielded due to isolation from the Internet is now at significant risk for cyber-attack," TrapX wrote in its report.

Tom Kellermann, CEO of Strategic Cyber Ventures, says this created a massive attack surface for ICS/SCADA systems. "They were told to overlay fiber optic networks with wireless," for example, he says. "The wide distribution of the smart grid is compounded by the tremendous amount of remote access allowed."

In the case of the power plant, the attackers had been inside for several weeks, but not long enough to do any actual damage to the plant. Even so, they gathered some information about the plant's layout and operations before they were spotted and removed.

"The power company is now moving from a perimeter security approach to a defense-in-depth approach. Now they have people and technology in the process that assume they will be breached and [that the breach] needs to be detected," Bach says. "They also added a lot more security people" and instituted more oversight of third-party vendor security and operations, he says, to prevent another misconfiguration misstep.

While security weaknesses introduced by human error are often the attacker's way in, many older ICS/SCADA systems and protocols carry their own set of vulnerabilities that an attacker can exploit.

ICS/SCADA network protocols didn't fare so well in a recent global fuzzing experiment by Synopsys: IEC 61850 MMS (Manufacturing Message Specification), a network protocol used in ICS and Internet of Things networks, crashed within an average of 6.6 seconds of the start of the fuzzing test.

"ICS protocols haven't been as exposed to the Internet as much and not tested as much … But what we found was IEC [61850 MMS crashed] within the first six seconds," says Robert Vamosi, security strategist with Synopsys, which yesterday published a report on some 4.8 billion fuzz tests it conducted on customer sites in 2016.

Fuzzing is a long-established method for rooting out unknown security vulnerabilities: it feeds malformed or unexpected inputs to the targeted software or protocol implementation and watches how it reacts. It is often used alongside penetration testing. Synopsys found that MMS crashed within seconds of the fuzzer's input, which was generated from a protocol template rather than purely at random. "We build our fuzzing around the RFCs and iterate off that," he says.

But a protocol implementation crashing under the fuzzer does not by itself confirm an exploitable bug in the code. "Why it behaves badly requires additional investigating: not every vulnerability can be exploited. In some cases, you need a chain of them to make an active exploit," he says.

An attacker could use the MMS flaw for a denial-of-service attack, he says, or insert malware while the software reboots after a crash, for example. "This could impact a SCADA system dramatically," he says.
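To make concrete what a template-driven fuzz run and the follow-up triage look like, here is an added example; it is not Synopsys' fuzzer and not the IEC 61850 MMS implementation it tested. It builds a toy BER-style TLV decoder (the tag-length-value encoding that MMS messages use) in a vulnerable form that trusts length fields and recurses without limit, and a hardened form that rejects malformed input cleanly; it then generates inputs by mutating a valid template message rather than at random, records the iteration of the first crash, and buckets crashes by exception type and crash site so that an out-of-bounds read can be told apart from plain stack exhaustion. The tags, the template contents and the mutation strategies are constructed assumptions.

```python
# Added example, not Synopsys' fuzzer and not the MMS code it tested: a toy BER-style
# TLV decoder (tag, length, value, nested SEQUENCEs, the shape MMS messages have) in a
# vulnerable and a hardened form, fuzzed with structure-aware mutations of a constructed
# template. Tags, template contents and mutation strategies are illustrative assumptions.
import random
import traceback

TAG_INT, TAG_OCTETS, TAG_SEQ = 0x02, 0x04, 0x30
MAX_DEPTH = 32

def encode_len(n):  # short form below 128, otherwise 0x82 followed by two length bytes
    return bytes([n]) if n < 0x80 else b"\x82" + n.to_bytes(2, "big")

def tlv(tag, body):
    return bytes([tag]) + encode_len(len(body)) + body

# Constructed template: a well-formed "read" request that every mutation starts from.
TEMPLATE = tlv(TAG_SEQ, tlv(TAG_INT, b"\x01") + tlv(TAG_OCTETS, b"Read")
               + tlv(TAG_SEQ, tlv(TAG_INT, b"\x2a") + tlv(TAG_OCTETS, b"Ctrl/Breaker1$ST$Pos")))

DEEP = tlv(TAG_INT, b"\x01")      # 3000 nested SEQUENCEs, built once, still under 64 KiB
for _ in range(3000):
    DEEP = tlv(TAG_SEQ, DEEP)

def parse_vulnerable(data, pos=0, end=None):
    """Trusts every length field and recurses with no depth limit. Items are (tag, value)."""
    end = len(data) if end is None else end
    items = []
    while pos < end:
        tag, length = data[pos], data[pos + 1]          # header bytes may be missing
        pos += 2
        if length == 0x82:
            length = (data[pos] << 8) | data[pos + 1]   # so may the long-form bytes
            pos += 2
        if tag == TAG_SEQ:                               # pos + length may exceed len(data)
            items.append((tag, parse_vulnerable(data, pos, pos + length)))
        else:
            items.append((tag, data[pos:pos + length]))
        pos += length
    return items

def parse_hardened(data, pos=0, end=None, depth=0):
    """Same decoder with bounds and depth checks; malformed input raises ValueError."""
    end = len(data) if end is None else end
    if depth > MAX_DEPTH: raise ValueError("nesting too deep")
    items = []
    while pos < end:
        if pos + 2 > end: raise ValueError("truncated header")
        tag, length = data[pos], data[pos + 1]
        pos += 2
        if length == 0x82:
            if pos + 2 > end: raise ValueError("truncated long-form length")
            length = int.from_bytes(data[pos:pos + 2], "big")
            pos += 2
        if pos + length > end: raise ValueError("length exceeds enclosing element")
        if tag == TAG_SEQ:
            items.append((tag, parse_hardened(data, pos, pos + length, depth + 1)))
        else:
            items.append((tag, data[pos:pos + length]))
        pos += length
    return items

def mutate(rng, template):
    """Structure-aware mutations; each breaks one property of the template at a time."""
    strategy = rng.choice(["truncate", "inflate_length", "deep_nesting", "long_string", "random_byte"])
    if strategy == "truncate":
        return strategy, template[:rng.randrange(1, len(template))]
    if strategy == "inflate_length":   # outer SEQUENCE claims 65535 bytes it does not carry
        return strategy, bytes([TAG_SEQ]) + b"\x82\xff\xff" + template[2:]
    if strategy == "deep_nesting":
        return strategy, DEEP
    if strategy == "long_string":      # well-formed, merely large: should parse
        return strategy, tlv(TAG_SEQ, tlv(TAG_INT, b"\x01") + tlv(TAG_OCTETS, b"A" * 3000))
    i = rng.randrange(len(template))
    return strategy, template[:i] + bytes([rng.randrange(256)]) + template[i + 1:]

IMPACT = {  # likely impact per crash type: a crash is evidence of a bug, not proof of an exploit
    "IndexError": "out-of-bounds read; in a C decoder a memory-safety bug needing further investigation",
    "RecursionError": "stack exhaustion; a reliable denial of service, not code execution by itself",
}

def run_campaign(parser, seed=1, iterations=200):
    """Fuzz `parser`: ValueError counts as a clean reject, any other exception as a crash."""
    rng = random.Random(seed)
    result = {"first_crash_iter": None, "crashes": {}, "rejected": 0, "parsed": 0}
    for i in range(1, iterations + 1):
        strategy, msg = mutate(rng, TEMPLATE)
        try:
            parser(msg)
            result["parsed"] += 1
        except ValueError:
            result["rejected"] += 1
        except Exception as exc:                      # bucket by type, crash site and strategy
            frame = traceback.extract_tb(exc.__traceback__)[-1]
            bucket = f"{type(exc).__name__} at {frame.name}:{frame.lineno} via {strategy}"
            result["crashes"][bucket] = result["crashes"].get(bucket, 0) + 1
            result["first_crash_iter"] = result["first_crash_iter"] or i
    return result

def triage(result):
    return {b.split(" ")[0]: IMPACT.get(b.split(" ")[0], "unknown; investigate") for b in result["crashes"]}
```

Calling run_campaign(parse_vulnerable, seed=7) reports a first crash within the first few iterations and at least two kinds of crash bucket (IndexError from over-reads past the buffer, RecursionError from the nested message); the same campaign against parse_hardened produces no crashes, only rejected and parsed counts. triage(result) maps each crash type to a likely impact, which is the point Vamosi makes above: the crash tells you where to dig, not whether the bug is exploitable.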

Other network protocols in Synopsys' testing fared much better: TLS, the protocol that secures HTTPS for ecommerce and online banking, took nine hours on average to fall to the fuzzer.

Overall, the various network protocols fuzzed by Synopsys crashed after 1.4 hours on average. Medical-device and automotive network protocols landed in the middle of the pack in terms of how quickly they failed. "ICS is the least mature" of the protocols, Vamosi says.


Kelly Jackson Higgins is Executive Editor at DarkReading.com. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
