Wired reports a group of researchers have discovered serious security holes in 6 of the top industrial control systems used in critical infrastructure and manufacturing facilities. They have also made it easier for hackers to attack systems before they can be patched or otherwise remediated. They’ve packaged up the exploits in nice little modules for the Metasploit tool so that any script-kiddie or organized crime team can just point and click.
The vulnerabilities exist in programmable logic controllers made by GE, Rockwell, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories. Apparently, the SCADA vendors were not quick enough for the researchers’ liking to acknowledge the vulnerabilities or release patches. PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power and chemical plants, gas pipelines, nuclear, and manufacturing facilities.
The various vulnerabilities provide backdoors, as well as authentication and encryption bypasses that could allow attackers to gain access to systems, and the ability to send malicious commands in order to crash, halt, and interfere with specific critical processes, such as the opening and closing of valves.
Nice… Time to examine your SCADA environments and mitigate these vulnerabilities ASAP, and start elevated monitoring. I don’t believe that this is the way to move vendors forward, but that is just me I suppose. What do I know? I wonder if there are any good litigation lawyers out there that might want to monitor the exploitation of some critical infrastructure and take action against those who provide such tools to the masses when harm is done to the public?
InfoWorld reports that the hacktivists “Anonymous” have published a list of Internet-facing Israeli SCADA systems and log-in details. Anonymous is currently engaged in an effort to hack Israeli websites as part of a campaign called Operation Free Palestine. The information was posted on Pastebin with the message: “Who wanna have some fun with israeli scada systems?”
The pastebin post contains a list of IPs said to correspond to Web administration interfaces for monitoring automated equipment in industrial facilities. Most of the URLs in the original post are no longer accessible, however, the hacker has since released a second list which contains newly found Israeli SCADA systems.
The original Pastebin post also contains a list of email addresses and passwords belonging to people from the Israeli Ministry of Defense, Ministry of Foreign Affairs, Ministry of Health, and the Israel Defense Forces. It’s not clear if those also serve as log-in details for the listed SCADA systems.
According to Dark Reading, Siemens will release security updates in January to fix product vulnerabilities in the wake of public disclosure of vulnerabilities that could let an attacker take over a control system without need of a username or password. Billy Rios posted details in his blog of some of the vulnerabilities he and Terry McCorkle found and reported in May.
Siemens confirmed it was in the process of fixing the flaws after initially denying their existence. Rios claims to have reported roughly 1,000 bugs in industrial control system products during the past few years, and decided to go public after a Siemens PR representative told a reporter that the company had no outstanding bug reports.
He went public with the authentication bypass bug as well as two other issues: Simatic uses a default password, and if that password is changed to one containing a special character (question mark, exclamation point, etc.), it automatically reverts to the default without the user’s knowledge. That default password likely aided the hacker “pr0f,” who accessed the water utility system in South Houston.
A Siemens spokesperson says it was all a big misunderstanding. The firm had no intention of denying vulnerabilities it was working on. Siemens issued a statement on its website: “Siemens was notified by IT experts about vulnerabilities in some of its automation products. These are the WinCC flexible RT versions from 2004 to 2008 SP2 and WinCC Runtime Advanced V11 and multiple Simatic panels. We are aware of the reported vulnerabilities, first reported in May 2011. Our development had immediately taken action and addressed these issues. The vulnerabilities will be fixed by security updates, first is planned to be issued in January 2012. In December 2011 further vulnerabilities have been reported which are currently under investigation. We thank Billy Rios and Terry McCorkle for reporting the vulnerabilities.”
The deputy assistant director of the FBI’s Cyber Division, Michael Welch, says hackers recently accessed the infrastructure of three cities through SCADA systems. The hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall. At least one attack is being cast as “a tease to law enforcement and the local city administration, saying ‘I’m here, what are you going to do about it’”.
Welch would not clarify whether these attacks were related to an earlier SCADA attack on a water facility in Springfield, Illinois, which the Department of Homeland Security denied.
Security researcher Luigi Auriemma has revealed details and proof of concept code for multiple vulnerabilities in Siemens supervisory control and data acquisition (SCADA) systems, affecting the WinCC and Automation License Manager. The vulnerabilities reported could allow remote execution of malicious code and cause denial of service interruptions.
Mister Auriemma has a history of not following responsible disclosure procedures, and most likely provided little or no vendor notification and reaction time before going public with his findings. These vulnerabilities pose a significant potential threat, in my opinion, since they can be exploited remotely on improperly configured SCADA systems. It is worthwhile for administrators of such networks to review their configurations in light of these findings to ensure that their WinCC and Automation License Manager services are not reachable from untrusted networks.
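As a concrete starting point for the configuration review and elevated monitoring recommended above, here is an added example (not code from the article or from any vendor) that reads firewall connection logs and flags accepted connections to industrial-protocol services from addresses outside the plant's own OT network. The log line format, the trusted address range and the sample log lines are constructed assumptions; the port-to-protocol mapping uses the publicly assigned TCP ports for Modbus/TCP, ISO-TSAP (used by Siemens S7), DNP3 and EtherNet/IP.

```python
import ipaddress
import re

# Constructed assumption: the plant's OT address space. Anything else is untrusted.
TRUSTED_NETWORKS = [ipaddress.ip_network("10.20.0.0/16")]

# Publicly assigned TCP ports for common industrial protocols.
ICS_PORTS = {
    102: "ISO-TSAP (Siemens S7)",
    502: "Modbus/TCP",
    20000: "DNP3",
    44818: "EtherNet/IP (Rockwell)",
}

# Constructed firewall log format: "<timestamp> <ACCEPT|DROP> <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ACCEPT|DROP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

# Constructed sample log. 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges.
SAMPLE_LOG = """\
2011-12-20T08:00:01 ACCEPT 10.20.5.7:50012 -> 10.20.1.10:502
2011-12-20T08:00:05 ACCEPT 198.51.100.23:41022 -> 10.20.1.10:502
2011-12-20T08:00:09 DROP 203.0.113.9:55555 -> 10.20.1.11:102
2011-12-20T08:00:12 ACCEPT 203.0.113.9:55556 -> 10.20.1.11:102
2011-12-20T08:00:15 ACCEPT 198.51.100.23:41023 -> 10.20.1.12:22
this line is deliberately malformed and must be skipped
"""


def parse_line(line):
    """Return a dict of fields for a well-formed log line, or None if it does not parse."""
    match = LOG_RE.match(line.strip())
    return match.groupdict() if match else None


def is_trusted(address):
    """True if the address falls inside one of the plant's own networks."""
    ip = ipaddress.ip_address(address)
    return any(ip in net for net in TRUSTED_NETWORKS)


def find_exposed_connections(log_text):
    """Return accepted connections to ICS ports whose source is outside the OT network.

    Dropped connections and non-ICS ports are ignored; malformed lines are skipped
    rather than aborting the review.
    """
    findings = []
    for line in log_text.splitlines():
        record = parse_line(line)
        if record is None or record["action"] != "ACCEPT":
            continue
        dport = int(record["dport"])
        if dport not in ICS_PORTS or is_trusted(record["src"]):
            continue
        findings.append({
            "time": record["ts"],
            "src": record["src"],
            "dst": record["dst"],
            "port": dport,
            "protocol": ICS_PORTS[dport],
        })
    return findings


def summarize_by_source(findings):
    """Count exposed ICS connections per external source, most active first."""
    counts = {}
    for f in findings:
        counts[f["src"]] = counts.get(f["src"], 0) + 1
    return sorted(counts.items(), key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    hits = find_exposed_connections(SAMPLE_LOG)
    for h in hits:
        print(f'{h["time"]} EXPOSED {h["src"]} -> {h["dst"]}:{h["port"]} ({h["protocol"]})')
    for src, n in summarize_by_source(hits):
        print(f"{src}: {n} external ICS connection(s)")
```

Run against a real firewall export, the two things worth acting on are any hit at all (an ICS service reachable from outside the OT network is a configuration error to fix, independent of any particular vulnerability) and repeated hits from one source, which belong in the elevated-monitoring watch list rather than a one-off report.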
According to Network World, the Department of Homeland Security and the FBI are stating that there was no security breach at the Illinois water treatment plant. Apparently, everything is peaches and rainbows, there is no Russian plot to burn out water pumps, and there is no evidence to back up claims that the unnamed software vendor had to deal with any sort of credential compromise. Federal agencies didn’t offer any alternative reasons for the pump problem.
The federal statement provided is at odds with a statement made by the chairman of the water authority, Don Craver, to Chicago’s WLS-TV. “There’s some indication there was a breach of some sort into a software program — the SCADA system — that allows remote access to the wells, and the pumps, and those sorts of things,” Craver is quoted as saying.
I guess we will just have to wait and see what develops. Personally, I hope there WAS no breach. I will sleep, bathe and drink with more ease…
InfoWorld is reporting that today, a hacker has posted images and details from the systems that control the water supply for the city of South Houston, Texas. 5 images show the water levels at various pumping stations, and indicate that the user can enable and disable equipment at will.
According to the PasteBin posting, “The city of South Houston has a really insecure system. Wanna see? I know ya do,” ‘pr0f’ said in a post that links to the images. “This required almost no skill…”
In an earlier water distributor incident, attackers got usernames and passwords for the system from a third party, raising the concern that other companies and utility services may already have been breached.
Meanwhile, Norwegian oil, gas and defence firms have been hit by a series of attacks. According to the BBC article, Norway’s National Security Agency (NSM) reports that industrial secrets and information about contract negotiations have been stolen. At least 10 firms and potentially more were targeted in the biggest wave of attacks to hit the country. Much like the RSA attacks, these attacks made use of targeted malware-laden emails, sent to specific individuals involved in contract negotiations. The socially engineered email messages had been carefully crafted to look like they were from legitimate sources.
The NSM is reported to have said that many more companies had likely been hit but did not know that hackers had penetrated their systems and stolen documents. Many other nations and industrial sectors have been targeted by data thieves in recent months, including the chemical industry, hi-tech firms, and utilities.