Photo: Kolin Toney/Flickr
MIAMI, Florida — A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they’re patched or taken offline.
The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.
PLCs are used in industrial control systems to control functions in critical infrastructure such as water, power and chemical plants; gas pipelines and nuclear facilities; as well as in manufacturing facilities such as food processing plants and automobile and aircraft assembly lines.
The vulnerabilities, which vary among the products examined, include backdoors, lack of authentication and encryption, and weak password storage that would allow attackers to gain access to the systems. The security weaknesses also make it possible to send malicious commands to the devices in order to crash or halt them, and to interfere with specific critical processes controlled by them, such as the opening and closing of valves.
As part of the project, the researchers worked with Rapid7 to release Metasploit exploit modules to attack some of the vulnerabilities. Metasploit is a tool used by computer security professionals to test if their networks contain specific vulnerabilities. But hackers also use the same exploit tool to find and gain access to vulnerable systems.
“We felt it was important to provide tools that showed critical infrastructure owners how easy it is for an attacker to take control of their system with potentially catastrophic results,” said Dale Peterson, founder of DigitalBond, the SCADA security company that led the research.
Chart listing the vulnerability types found in PLCs the researchers examined. A red "x" indicates the vulnerability is present in the system and is easily exploited; a yellow exclamation point indicates the vulnerability exists but is difficult to exploit; the green checkmark indicates the system lacks this vulnerability.
Peterson, speaking Thursday at the annual S4 conference that he runs, said he hoped the presentation would serve as a “Firesheep moment” for the SCADA community.
Firesheep refers to a Wi-Fi hacking tool that was released by a security researcher last year to call attention to how easy it is to hijack accounts on social networking sites like Facebook and Twitter and web e-mail services. The release of Firesheep forced some companies to begin encrypting customer sessions by default so that attackers on a Wi-Fi network couldn’t sniff their credentials and hijack their accounts.
Peterson said he hoped the vulnerability announcement and exploit release would similarly jolt PLC makers into taking the security of their products more seriously. Security researchers have been warning for years that critical infrastructure facilities were vulnerable to hackers, but it wasn’t until the Stuxnet worm hit Iran’s nuclear facilities in 2010 that infrastructure vulnerabilities got widespread attention.
“We kind of view this as just a first step maybe to help prod the industry to move forward to do something about it,” Peterson said.
The vulnerabilities were discovered by a team of six researchers as part of DigitalBond’s Project Basecamp. The researchers included Reid Wightman, who works for DigitalBond, and five independent researchers who volunteered their time to examine the systems — Dillon Beresford, Jacob Kitchel, Ruben Santamarta and two unidentified researchers whose companies didn’t want them publicly associated with the work.
The vulnerable products include:
General Electric D20ME
Koyo/Direct LOGIC H4-ES
Rockwell Automation/Allen-Bradley ControlLogix
Rockwell Automation/Allen-Bradley MicroLogix
Schneider Electric Modicon Quantum
Schweitzer SEL-2032 (a communication module for relays)
The researchers were asked to focus on several attack categories, based on vulnerabilities previously discovered in other PLCs — such as ones Beresford found last year in popular PLCs made by Siemens.
Those included a hardcoded password, a backdoor inadvertently left in the system by company engineers and lack of strong authentication gateways that would prevent a non-legitimate user from sending malicious commands to the Siemens PLC.
It was a PLC made by Siemens that was targeted by the Stuxnet worm, a sophisticated piece of malware discovered last year that was designed to sabotage Iran’s uranium enrichment program. During a talk at S4 on Wednesday, industrial control system security expert Ralph Langner — one of the leading experts on Stuxnet — described how a read/write capability the Siemens programmers put in their system was leveraged by the attackers to capture legitimate data on the Siemens system in order to play it back to operator monitors so that administrators at the targeted plant would see only legitimate data on their screens and think the plant was functioning normally while it was being sabotaged.
Of the systems discussed on Thursday, the General Electric D20ME was the most expensive PLC the researchers examined — costing about $15,000 — and had the most vulnerabilities. Wightman referred to his findings on the system as a “bloodbath” and said it took him just 16 hours to uncover the most glaring vulnerabilities.
He found that the system used no authentication to control the uploading of “ladder logic” to program the PLC. Backdoors in the system also allowed him to list processes, see where in memory they lived and to read and write to memory. He also had access to the configuration file, which listed, among other things, usernames and passwords that would allow an attacker to gain access to the system using legitimate credentials. Basic buffer overflow flaws in the system could also be used to crash it.
While a number of the systems the group tested used vulnerable web servers, the GE system did not have one at all. “Thank goodness, because if there was [one] I’m sure it would be done poorly, given everything else,” Wightman said.
The GE PLC is nearly two decades old but is still used in electric substations for power generation and in other key critical infrastructure systems. GE has said that it plans to release a new, more secure, version of the product this year, but it’s unclear whether that version fixes any of the vulnerabilities uncovered by the researchers. The company has said in a product bulletin published in 2010 that it has “no plans to develop additional cyber security features in previous generation D20 products due to limitations in the hardware and software platforms,” which leaves current customers using those systems potentially open to attack.
A GE spokesman said he couldn’t comment on the specific vulnerabilities uncovered until the company had more time to examine them.
“We want to take a look at the data they have and what are exactly the claims and make sure we investigate the product,” said Greg McDonald, spokesman for GE Digital Energy Business. He said he didn’t know offhand if the new version the company is working on fixes any of the vulnerabilities disclosed by the researchers.
The researchers found that the Koyo Direct Logic system, like the GE system, does not encrypt communication or require digitally signed messages, allowing an attacker to intercept commands and replay them to the PLC to take control of it. A web server used with the device also lacks basic authentication, allowing an attacker to reconfigure it to change basic settings such as the IP address and email alerts.
The Koyo system, however, is slightly more secure than the GE system, in that it at least requires a passcode for downloading and uploading ladder logic to the device. But Wightman said the system requires that the passcode start with the letter “A” and contain 7 digits between 0 and 9, making it easy to crack it by rapidly testing possible passwords, a method known as “bruteforcing.” Wightman said his group hopes to have a Metasploit module to bruteforce the passcode by Valentine’s Day.
“Just because I love that day and I want the vendors to love that day, too,” he said.
The Modicon Quantum system, another expensive key system for critical infrastructure that costs about $10,000, also has no authentication to prevent someone from uploading ladder logic and has about 12 backdoor accounts hard coded into it that have read/write capability. The system also has a web server password that is stored in plaintext and is retrievable via an FTP backdoor.
The Rockwell/Allen-Bradley and Schweitzer systems had similar vulnerabilities.
Wightman’s talk was not without controversy. Kevin Hemsley, a senior security analyst for the DHS’s Industrial Control System Computer Emergency Response Team and who was present at the conference, raised the issue that Wightman and his group hadn’t disclosed the vulnerabilities to the vendors in advance of his talk so that they could be prepared with patches or mitigation techniques.
Wightman and Peterson said they wanted to avoid the kind of situation that Beresford ran into last year when Siemens issued statements to customers downplaying the vulnerabilities he’d found and then swooped in at the last minute before his scheduled presentation to persuade him to cancel it until the company had more time to prepare patches.
“I didn’t want a vendor to jump out in front of the announcement with a PR campaign to convince customers that it wasn’t an issue they should be concerned with,” Wightman said.
Peterson added that “a large percentage of the vulnerabilities” the researchers found were basic vulnerabilities that were already known to the vendors, and that the vendors had simply “chosen to live with” them rather than do anything to fix them.
“Everyone knows PLC’s are vulnerable, so what are we really disclosing?” he said. “We’re just telling you how vulnerable they are.”
Marty Edwards, director of DHS’s Control Systems Security Program, wouldn’t comment on the release of the exploits and vulnerability information other than to say that the department “does not encourage the release of sensitive vulnerability information until a validated solution is available for distribution.”
“To better secure our nation’s critical infrastructure, DHS always supports the coordinated disclosure of vulnerability information—after we have provided actionable solutions and recommendations to our industry partners,” Edwards said in a statement.
Another DHS official attending the conference said that in releasing exploits before vendors and customers could mitigate them, the researchers were exposing the systems to attack by low-level hackers who are looking to cause mayhem.
“We have so many of these little scriptkiddies that are looking at these things and that are associating themselves with these anarchist groups,” said the official, who talked to Wired on condition that his name not be used since he was not authorized to speak to the press. “They want to create problems, and they’re just trying to figure out how. And that’s very concerning.”
Langner, who has long been an outspoken critic of both DHS and ICS vendors, said that although he supported the release of vulnerability information, he would not have released exploits with the announcement.
“I would never think about releasing this stuff. I’m not saying that Dale is irresponsible, I’m just saying I wouldn’t do it,” said Langner. “But this is an experiment, and hopefully good will come out of it.”