October 26, 2012

The U.S. Department of Homeland Security is warning that a witches' brew of recent events makes it increasingly likely that politically or ideologically motivated hackers may launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in industrial control systems sold by hundreds of different manufacturers and widely used in power plants, military environments and ships.

The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains functionality that grants remote access to anyone who knows the proper command syntax and the inner workings of the device, leaving systems that are connected to the public Internet open to malicious tampering.

In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm IOActive, said there was “absolutely no authentication needed to perform this privileged command.” Both of the two programmable logic controllers (PLCs) Wightman tested allowed him to issue commands that halted the devices’ process control.

“Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,” Wightman told Ars. “Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”

Potentially aiding would-be attackers are specialized search engines like Shodan and the Every Routable IP Project, which were designed specifically to locate online devices that may be overlooked or ignored by regular search engines. Indeed, according to Wightman, a quick search using Shodan revealed 117 vulnerable devices directly connected to the Internet, although Wightman said he suspected a more targeted search could turn up far more. To complicate matters further, Wightman said tools for automating the exploitation of the backdoor will soon be made available for Metasploit, a penetration testing framework used by hackers and security professionals alike.

In an alert (PDF) issued Thursday, DHS warned that these search engines are being actively used to identify and access control systems over the Internet, and that by combining them with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.

“Multiple threat elements are combining to significantly increase the ICSs threat landscape,” DHS warned. “Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”

But according to Digital Bond, asset owners — such as power utilities and water treatment facilities — aren’t moving fast enough to take such steps. Indeed, this is the driving premise behind “Project Basecamp,” the company’s endeavor to publish and expose control systems vulnerabilities: only when control system operators begin to see how these vulnerabilities could be used to disrupt their operations will they be motivated enough to demand that ICS hardware and software vendors make security a priority.

“The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end,” the company explained on its blog. “Everyone knows PLC’s are vulnerable — or so we have heard for ten years now since the 9/11 attacks…Not only do they lack basic security features, they are also fragile. Warnings abound about the dangers of even running a port scan on a PLC. Yet even though “everyone knows” there has been little or no progress on developing even the option of purchasing a secure and robust PLC.”

The homepage of the Shodan search engine.

The DHS alert released this week does not mention Project Basecamp’s most recent disclosure, although it does allude to a spate of other disclosures by the project in February 2012, when it released exploits that allow attackers to target weaknesses in PLCs from ICS hardware and software vendors GE, Rockwell Automation, Schneider Electric, and Koyo. Wightman can be seen in this video detailing those vulnerabilities, some of which affected vendors said would only be fixed in future generations of the hardware. (Update, 5:13 p.m. ET: US-CERT just issued a separate alert (PDF) on the most recent Project Basecamp disclosure).

Rather, DHS noted that it recently was contacted by a team of researchers that had used Shodan and specialized search terms to compile a list of more than a half million control systems-related devices that are reachable via the Internet. On Thursday, I spoke at length with Bob Radvanovsky, a security expert with the security consultancy Infracritical and among several ICS experts who reached out to DHS after enumerating the half-million devices.

Radvanovsky and his partner Jake Brodsky compiled the list over the past six months, using a set of scripts they devised that made targeted queries at the Shodan search engine each night and recorded the results.
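The nightly-query method Radvanovsky and Brodsky describe, and the self-audit for Internet-facing devices that DHS asks asset owners to perform, both come down to the same bookkeeping: merge each night's search results into a ledger keyed by address and port, keep first-seen and last-seen dates, and check whether any entry falls inside address ranges you own. The Python below is an added example written for this page, not SHINE's scripts or any Digital Bond code. The record field names (ip_str, port, banner), the three nights of results and the owned prefix are constructed sample data, and the live Shodan query itself is deliberately left out so that the ledger logic runs offline.

```python
import ipaddress
from datetime import date

# Constructed sample data: three nights of exported search results in a
# Shodan-style record shape. The field names, hosts and banners are
# assumptions made for this example and are not real SHINE data.
SAMPLE_NIGHTLY_RESULTS = {
    date(2012, 4, 1): [
        {"ip_str": "198.51.100.10", "port": 502, "banner": "constructed PLC banner A"},
        {"ip_str": "198.51.100.10", "port": 80, "banner": "constructed embedded web server"},
        {"ip_str": "203.0.113.7", "port": 502, "banner": "constructed PLC banner B"},
        {"ip_str": "192.0.2.55", "port": 20000, "banner": "constructed RTU banner"},
    ],
    date(2012, 4, 2): [
        {"ip_str": "198.51.100.10", "port": 502, "banner": "constructed PLC banner A"},
        {"ip_str": "203.0.113.7", "port": 502, "banner": "constructed PLC banner B"},
        {"ip_str": "192.0.2.99", "port": 502, "banner": "constructed PLC banner C"},
    ],
    date(2012, 4, 3): [
        {"ip_str": "198.51.100.10", "port": 502, "banner": "constructed PLC banner A"},
        {"ip_str": "203.0.113.7", "port": 502, "banner": "constructed PLC banner B"},
        {"ip_str": "192.0.2.55", "port": 20000, "banner": "constructed RTU banner"},
    ],
}


def ingest_night(ledger, night, results):
    """Merge one night's results into the ledger, keyed by ip:port.

    A device that drops out and reappears keeps its original first_seen date.
    Nights are kept as a set, so a host re-indexed several times in one night
    still counts as a single observation.
    """
    for rec in results:
        key = f"{rec['ip_str']}:{rec['port']}"
        entry = ledger.setdefault(key, {
            "ip": rec["ip_str"],
            "port": rec["port"],
            "first_seen": night,
            "last_seen": night,
            "nights": set(),
            "banner": rec.get("banner", ""),
        })
        entry["first_seen"] = min(entry["first_seen"], night)
        entry["last_seen"] = max(entry["last_seen"], night)
        entry["nights"].add(night)
        entry["banner"] = rec.get("banner", entry["banner"])
    return ledger


def build_ledger(nightly_results):
    """Replay every night in date order into a fresh ledger."""
    ledger = {}
    for night in sorted(nightly_results):
        ingest_night(ledger, night, nightly_results[night])
    return ledger


def persistent_devices(ledger, min_nights):
    """Keys of exposures observed on at least min_nights distinct nights."""
    return sorted(k for k, e in ledger.items() if len(e["nights"]) >= min_nights)


def first_seen_on_or_after(ledger, since):
    """Keys of exposures that first appeared on or after the given date."""
    return sorted(k for k, e in ledger.items() if e["first_seen"] >= since)


def devices_in_owned_ranges(ledger, owned_cidrs):
    """Asset-owner self-check: which ledger entries sit inside our own prefixes?"""
    nets = [ipaddress.ip_network(c, strict=False) for c in owned_cidrs]
    hits = []
    for key, entry in sorted(ledger.items()):
        addr = ipaddress.ip_address(entry["ip"])
        if any(addr in net for net in nets):
            hits.append(key)
    return hits


if __name__ == "__main__":
    ledger = build_ledger(SAMPLE_NIGHTLY_RESULTS)
    print(f"{len(ledger)} distinct ip:port exposures over {len(SAMPLE_NIGHTLY_RESULTS)} nights")
    for key in persistent_devices(ledger, min_nights=3):
        e = ledger[key]
        print(f"  persistent: {key} first={e['first_seen']} last={e['last_seen']} banner={e['banner']!r}")
    # "198.51.100.0/24" is a constructed example prefix standing in for an owner's ranges.
    print("in our ranges:", devices_in_owned_ranges(ledger, ["198.51.100.0/24"]))
```

Keying on ip:port and counting distinct nights rather than raw hits keeps a host that a search engine re-indexes several times in a day from inflating the total, and separates persistent exposures from addresses that show up once and vanish. An asset owner running the same ledger against their own prefixes gets the list DHS is asking for, without having to probe the devices.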

“I don’t think they entirely believed what we truly had,” Radvanovsky said, of his initial contact with DHS. “After some convincing on both Jake’s and my part, they started getting the picture that this is a lot more serious. If it’s easy for us to come with something like this to find and enumerate these devices, just imagine what our adversaries are doing.”

Radvanovsky says his enumeration project — dubbed SHodan INtelligence Extraction, or “SHINE” — for the most part does not reveal which organization is running the exposed control system devices. Many of these systems are running on ISP networks that serve businesses, and SHINE’s curators are wary of probing the systems for more information about asset owners — preferring instead to leave that outreach to DHS.

Radvanovsky said he agrees that ICS hardware and software vendors need prodding to build security into their products, and to respond more quickly with feasible solutions when researchers discover and report vulnerabilities. But he said even when such fixes are available, implementing them can be a laborious, costly and painful affair for asset owners.

“Change for these organizations is not easy, in part because many of them have to follow certain regulatory requirements saying if you want to make a change, here’s the path that you will have to follow or else risk not being in compliance with some regulations,” Radvanovsky said. “This is a very difficult and daunting task. I feel that there are safer ways of being able to bring this to asset owners’ attention than simply publishing information about how they’re vulnerable.”


48 thoughts on “DHS Warns of ‘Hacktivist’ Threat Against Industrial Control Systems”

  1. Macke

    Do these vital and vulnerable systems HAVE TO face the Internet?
    WHY? Can’t they have local controls whereby they connect with
    the Internet when actually needed, then disconnected?
    I just don’t understand…

    1. Uzzi

      .oO(Ignorance and cost cuts – so called rationalization – I suppose…)

    2. MarkH

      Even if a sensitive system is placed on the public internet, well-established technologies are available (without license fees!) to provide strong security, like SSH and VPN.

      Failure to use these elementary precautions is an invitation for attack.

  2. donald brent

    I need a link to an ATM skimmer vendor, I would love to get one.

  3. JimV

    Ain’t it just a “Brave New World” every day in so many more and more unsettling ways….

  4. Peter Ninen

    You’re doing the world a great service by publicizing these vulnerabilities.

    Keep up the good work. I’m constantly telling people to read your blog.

  5. JCitizen

    Good thing our plant had a totally separate network using obsolete serial port cabling, with no possibility of WAN facing connectivity. However – as new machinery hit the factory floor, it was always a good idea to check to make sure some manufacturer didn’t put some newfangled wireless device into one of them in the default on condition. We now would have had to assure this wasn’t stand alone WAN capable, but when I was there, this wasn’t even heard of yet.

    The way everything is going in the industry, I wouldn’t be surprised if every machine didn’t sing like a movie rental Redbox before long.

  6. Darren Martyn

    Even a solution like a VPN for engineers to use is better than the current system of leaving these things completely network accessible.

    A whole bunch of ICS gear me and my fellow researchers looked at had hardcoded credentials that the vendor ignores as “they are not present in our new product” (I also saw no EOL statement for the products we audited and located in the wild, ergo some serious lack of giving a shit from said vendor). We have not been able to validate if newer versions have the same issues.

    I do not think ICS systems are quite ready for the modern internet. Foreign and domestic threats are a reality, and they would be high value strategic targets for disruption in the event of any kind of dispute.

    TL;DR Firewall that shit off. And fix it.

    1. Rabid Howler Monkey

      I was sent here from Mars.

      P.S. For those interested, the Australian Defence Signals Directorate has updated their top 35 mitigation strategies from 2010 to October, 2012. The top four mitigation strategies remain the same; however, application whitelisting has moved to the top of the top four. More here:

      http://www.dsd.gov.au/infosec/top35mitigationstrategies.htm

        1. Rabid Howler Monkey

          Thanks. Another very good article from Marcus Ranum. Mr. Ranum was on to the benefits of default deny quite early.

          The Australian Defence Signals Directorate also has a publication specific to application whitelisting that was updated in August, 2012:

          http://www.dsd.gov.au/publications/csocprotect/application_whitelisting.htm

          In this article, they list enterprise products that provide application whitelisting capability:
          o Microsoft’s Software Restriction Policy
          o Microsoft’s AppLocker
          o Bit9 Parity Suite
          o CoreTrace Bouncer
          o Lumension Application Control
          o McAfee Application Control

          In addition to the above list, there’s Faronics’ Anti-Executable Enterprise (and their Deep Freeze Enterprise reboot-to-restore product).

          1. Nick P

            I appreciate you posting that list. I planned to review some whitelisting software in the future. This should make that easier. 🙂

  7. wiredog

    When I worked in industrial automation we enabled remote access in everything we sold. But you had to plug in the network (in our case, telephone) cable first. It’s impossible to remotely attack a device that isn’t physically connected.

    So why are people leaving them connected now? And why would such a system care if it was disconnected? Seems that just pulling the plug is a good security strategy.

    1. meh

      Because of cheapness and greed: when you lay off all but 5 people and expect them to do the work 15 people used to do, it involves cutting corners in security and wiring everything up for instant access from everywhere.

  8. Nick P

    We’ve discussed this issue plenty on Schneier’s blog. We agree it’s mostly an issue with management, poor incentives, & staff that know nothing about security. Heck, many people designing the control systems use visual programming environments because they couldn’t code even in VB6. The systems also have long life time, are likely to be a hack job of sorts, & are expensive to change. Put it all together: SCADA had every reason to get in the bad place it is & will probably be a nightmare to fix.

    Worse: many bugs won’t be called bugs or get vulnerability notices
    http://threatpost.com/en_us/blogs/dhs-thinks-some-scada-problems-are-too-big-call-bug-092611

    Clive’s failed struggle against connected SCADA over the decades
    http://www.schneier.com/blog/archives/2011/11/hack_against_sc.html#c630754

    Clive on labor issue & parallels to Microsoft legacy stuff
    http://www.schneier.com/blog/archives/2010/07/internet_worm_t.html#c449919

    I’d link to posts of mine on including remote access or update without major security risks but… I’m honestly almost tired of discussing the issue. The key players in SCADA don’t care too much. They’re practicing denial. The govt is stockpiling vulnerabilities for offensive “cyberwar” & pushing non-solutions that increase their surveillance/control. So, I’m not talking real solutions unless the person I’m talking to is paying me for it & intends to try to put it to work.

  9. PB

    It suddenly occurs to me. We have numerous reports that corporations are sitting on record amounts of cash and liquid assets. We have an impending crisis of systems security shortcomings. It seems that many entities would have the means at hand to train and/or hire some appropriate systems security staff and consultants. Good paying positions that our economy (U.S., and others) could use right now.

    Of course, (effective) security is one of the most difficult tasks. And we can’t create qualified experts out of thin air.

    Nonetheless, there is, and apparently has been for some considerable time, a disconnect here.

    I find I have very, very limited sympathy for organizations with resources available, who have continued to turn a blind eye to and refuse to spend on these needs.

  10. Neej

    I don’t know (not just saying that as a preamble for effect , I actually really have no idea about this stuff) but I’ve read a couple of articles that maintain that these claims and general background noise regarding industrial control systems are wildly overblown and really don’t have much genuine legitimacy in the real world.

    More or less the thrust of the argument was that in the only cases where these attacks have been successful the attackers have had large amounts of intelligence regarding the system they’re attacking and even then they haven’t managed to do much. The attackers have usually been whitehats who have access to privileged information regarding the systems they’re attacking to start with.

    Another point was you have to ask why would attackers go to the lengths required to gather all this insider information that’s needed when the payoff is so low: you’re not talking about blowing up or destroying infrastructure here, you’re talking about creating issues that will knock critical infrastructure offline for mere hours or a few days – it just seems absurd to go to those lengths for a payoff like this.

    Also telling IMO is the fact that it hasn’t happened: surely with a crime like this being *so* easy to get away with determined attackers would be all over it – but no.

    So far it seems the biggest user of attacks like this has been the USA itself. Which one could read as somewhat hypocritical I suppose.

    Of course no harm in taking steps to warn in the aid of prevention but I do think the media generally is portraying this as a major threat when it is not.

  11. Macke

    I’d be interested in reading these articles you mention. Links?
    In event of war, the ‘payoff’ in knocking critical infrastructure
    offline ‘for a few days’ would be quite high. I don’t think we can
    afford to downplay these threats. That’s already the case, and it’s
    gotten us where we are today, practically unsecured.

    1. Neej

      Yeah honestly can’t remember where I read them – might have got to them from /. or something.

      To quote someone from Brian’s article: “Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,”

      I mean seriously? Systems stop working all the time LMAO – we’ll live.

      And in all honesty let’s be realistic here: the US military is so dominant knocking some parts of either civilian or military infrastructure offline for some period is not going to be a major tactical advantage.

      Look I’m not trying to say these threats aren’t there or that they shouldn’t be looked at seriously but I just see them as a very remote possibility that will only result in some inconvenience, little more.

      1. MP

        @Neej Maybe you should have stopped at, “I don’t know (not just saying that as a preamble for effect , I actually really have no idea about this stuff).”, because “but I just see them as a very remote possibility that will only result in some inconvenience, little more.” that makes you sound as ignorant as you state.

        1. Neej

          Telling me that I stated that I’m ignorant which I did and then saying I sound ignorant is a little redundant don’t you think?

          And yet I challenge you to give me any examples of ICS systems being sabotaged through the internet where anything has happened beyond systems going offline let alone people being hurt.

          If you can great – you’ll make me reconsider my view about it being a media beat up.

          Also for all the people saying “What if [some scenario where a hacker causes some disaster]” that’s a pointless game in all honesty. I too can imagine any catastrophic scenario I wish but that really doesn’t have anything to do with how likely it is to happen.

          So come on: examples please.

          1. Neej

            Oh and also whitehat demonstrating attacks don’t count in my books.

            The reason being that they possibly have access to information given out by vendors or others that is required for the attack to happen.

          2. MP

            In my opinion, the consequences of some intrusions are so disastrous that everything possible must be done to ensure that they can’t happen. Examples are of no use to the dead.

          3. JCitizen

            I would never call you ignorant, Neej; but with all due respect, I saw a demonstration staged for the benefit of DHS on 60 Minutes. They gave enough detail to totally convince me. I have two engineering degrees, and have worked in the industry for more than 30 years. Even if you simply burn up a generator – timing is everything. If done in a sensitive moment, like during Hurricane Sandy – let’s say – destroy hospital generators – many folks could get hurt.

            I can think of many scenarios where a falling house of cards could cause serious disaster, by simply pulling the BB from the bottom of the BB stack. We don’t even need to affect nuke plants to hurt a lot of people.

            1. Neej

              Hey – I stated ignorance so feel free to call me that if you wish 😉

              That’s fair enough and thanks for your opinion but it’s still a whitehat attack. Please do understand that I don’t think completely ignoring the issue is wise just rather that the risks are overstated by various media outlets and government departments.

              1. JCitizen

                Gotcha Neej; and thanks – I just guess I hate that word – although I will admit all the time to being truly ignorant on many subjects. I got too much respect for you and many posters on here to use the “i” word! 😀

                I may occasionally use the word “misinformed”, but – oh well! HA!

            2. Nick P

              There are existing (free) technologies that can drastically improve security of these things from remote attacks at many levels. There are OS’s like INTEGRITY and low TCB frameworks like PERSEUS/Nizza that provably make certain concerns nonexistent or small. Then you have safer/verifiable languages (Cyclone/SPARK/Modula2), better versions of current managed runtimes (Aonix PERC), alternative protocols with implementation advantages (eg UDT), etc. There’s VPN’s, port knocking, & even message-oriented tricks for comms over untrusted networks.

              We have a ton of stuff to use. I promote it all the time from 1970’s-80’s stuff that still works all the way to cutting edge developments (Galois’ tools). The “cyberwar,” SCADA mess & others really just boil down to INFOSEC. In other words, you stop those threats by using proven security approaches that prevent, reduce, react to, contain or recover from the threats. The US Govt should be taking the lead on this, many Americans believe. So, what are they doing? Short answer: stuff that bothers me.

              Long answer. US Govt has historically and currently done things to encourage use of insecure “security” products/techs & prevent people from obtaining good stuff. In the past, Clipper chip, limiting key size in crypto & classifying a B3/A1 (read: secure as we could make) system as a “munition” subject to export restrictions didn’t make us safer [1]. Today, they’re doing more of the same in SCADA security.

              For one, CERT changed their policy to not consider design level security flaws as publicized vulnerabilities. (See my pastebin link in OTHER comment below). They would be too hard or expensive to change. Clive’s shown that the industry can’t or won’t do it themselves, so they’ll need pushing. Govt seems to have mostly failed with Common Criteria: few vendors aimed above EAL4 in about anything & EAL4 is “certified insecure” (shapiro). The NSA security review for Siemens resulted, rather than tightening it up good, in some weaponized code named Stuxnet. Finally, the main project the govt was doing was about inserting probes in all kinds of infrastructure for monitoring & with a potential remote control option. (Is that IT security or just IT CONTROL? wink)

              So, what of it? Our enemies have had opportunities to slam us hard on SCADA security for a while now. Pretty much nothing has happened & low tech attacks are often more dangerous [2]. So, if anything happens, it will probably be lone actors or rogue organizations. There is a need to secure it. It will take good INFOSEC application much like we’ve done in other systems. The military, govt and news are more interested in hyping danger for financial gain. Private companies with credentials in securing IT infrastructure are the best bet. They should be supported by well-thought legislation establishing reasonable baselines & amenable to case-by-case decisions for specific security requirements.

              “two engineering degrees”

              Nice. Also glad you pay attention to security.

              [1] & [2]
              http://pastebin.com/jetRw6uS

      2. JCitizen

        I saw on TV about this white hat who is proving he can hack into vehicles through the built-in cell service and issue brake commands. Imagine if he issued the auto park command while you’re going 70 mph!!!!??

        In an SUV with On-Star this would cause one heck of a roll over wreck!!! And I doubt the Highway Patrol would even investigate it as a murder!! Talk about the perfect crime!! :O !

        1. AlphaCentauri

          JCitizen, if the SUV has OnStar, it may have a black box, too. There might well be a record of how the accident occurred.

          1. JCitizen

            Yes AlphaCentauri; but you have to have investigating cops smart enough to be suspicious, other than – “Well he suddenly lost control – probably drinking too much rum!”

            Or – “Probably texting when it happened”

  12. Shadow

    The Obvious solution, if you want your Scada devices connected to the internets, is to have them only accessible from a secured gateway, probably a VPN tunnel. Not bulletproof, but they won’t be publishing to Shodan, and the adversary would have to compromise the VPN, or a VPN user account with Scada access, to proceed to attack the Scada. Assuming the VPN gateway is watched, an attacker that makes their way through this first security wall could be detected and kicked out before they get in the Scada system… at least it would be easier to keep them out than if they’re hitting the Scada by IP.

  13. Steve Lembark

    Schneier has pointed out, how many times now, that until there are economic consequences there is no real reason for the manufacturers or users of known-buggy technology to act.

    Want the users to start caring? Fine: Send the information to their insurance carriers with specifics about what their potential exposure would be if the backdoor is really used. Then watch people start to take sensical [please don’t call it common] steps to mitigate their exposure and replace the devices.

    Aside: If sense were common Mssr. Krebs would be largely out of work with nothing to report on. The only hope is for those of us who are willing to understand these issues to explain them in terms of the *cost* to everyone else. Thanks to BK for at least being one voice in the [rather vast, cold] wilderness.

  14. Nick P

    We’ve discussed this issue plenty on Schneier’s blog. We agree it’s mostly an issue with management, poor incentives, & staff that know nothing about security. Heck, many people designing the control systems use visual programming environments because they couldn’t code even in VB6. The systems also have long life time, are likely to be a hack job of sorts, & are expensive to change. Put it all together: SCADA had every reason to get in the bad place it is & will probably be a nightmare to fix.

    For example…
    http://pastebin.com/SK25MjB5

    I’d link to posts of mine on including remote access or update without major security risks but… I’m honestly almost tired of discussing the issue. The key players in SCADA don’t care too much. They’re practicing denial. The govt is stockpiling vulnerabilities for offensive “cyberwar” & pushing non-solutions that increase their surveillance/control. So, I’m not talking real solutions unless the person I’m talking to is paying me for it & intends to try to put it to work. Well, mostly. 😉

    Note: this is a repost. My original post has been “awaiting m0deration” for around a week now. (lol) I figured it was b/c it had 3 links, so I pastebined them & let’s hope that helps. 😉 I figured some of you might be interested in Clive’s insider view on the situation & the change in CERT SCADA reporting.


  16. marcus

    So you guys are asking why?

    So the answer is here: if hackers can’t attack one place they will choose another infrastructure. As we see, North American financial infrastructures including banks, ESPECIALLY online banks, make tough security. So then, what should the hackers do? So if they can’t make money they will still make things worse. It’s especially the Eastern European people’s mentality, the way they think; you can only take these guys down with huge law enforcement operations, there is no other way. For example, if you put pressure on one side they will go to another side.

    So right now we have a situation where the people are calm, I mean not so violent, because now they can make money with computers and the internet, it’s cyber crime. But if they realise they can’t make money anymore the peaceful way, those kind of people will make money another way, one way or another, and it will be the violent way. So IF WE WANT to change something then we must change the way people think. If we continue the same way, like all infrastructures do, they are not going to fix anything and the situation will be even worse. We need to find out WHAT IS THE REAL problem, because now we are only dealing with results, but if we deal with the real problems then we will solve the problem.

    And also it’s not a solution to put these people in jail, because in jail people will meet more criminals and they will be even more connected with others in jail, and afterwards they will cause more crimes. Because guys, look back at the ’90s when there was the Soviet Union: once again the government only dealt with results, but they did not deal WITH REAL PROBLEMS, THE REAL PROBLEM center. And we are now in a very interesting situation: the more they try to fix the situation the worse things are going. So the question is, where are we going to end up with all of this??

    1. Macke

      Marcus,
      What’s worrisome is the intruders who are working for
      their nation’s cyberwar operations, with the goal of setting
      up the capability to disable, at the beginning of a conflict,
      the various systems needed to run a modern civilization.
      Those people are not doing their dirtywork for money.
      The other ones who are cybercriminals doing what they
      do with the goal of making money, do not worry me as much.

    2. Nick P

      The “real problem” is that PC architecture is so fundamentally insecure that a lay person can subvert an entire OS with an email attachment that relies on a kit someone else built. There have been better ways of building OS’s & system software for decades. The real problem is that neither companies nor government have been willing to make the sacrifices necessary to increase overall robustness of software. And they won’t.

      Hence, we deal with this mess until the formal methods, RAD & frameworks guys come up with some real silver bullets. They haven’t even sent me more than a handful of bronze bullets yet. I have a policy about maintaining security in this situation: avoid risky stuff, be willing to do things the boring/uncool/obscure way, & put the rigorous enforcement/definitions at the interfaces. From there, keep an eye on things, have a quick recovery plan ready, & make your stuff a moving target by employing software diversity techniques. Worked so far.

  17. marcus

    It’s not only about money, it’s about… something deeper, it’s about feeling control over others, it’s in the blood, you can’t change it this way… to change these things you must use a completely different way… a NWO is necessary in this case, a new world, because we can’t continue the same way, it’s simple, we need bigger changes.

  18. marcus

    And one more thing… if you are not a career criminal then do not commit crime – you will get a harder punishment :)
    Just a thought lol… :D

  19. Tyler

    Haven’t seen anything from Brian for a number of days. Anybody know what’s up?

      1. Tyler

        Thanks Brian – had to manually clear the cache. Hadn’t seen that before. The last three articles weren’t showing up for whatever reason.
