The U.S. Department of Homeland Security is warning that a witches' brew of recent events makes it increasingly likely that politically or ideologically motivated hackers will launch digital attacks against industrial control systems. The alert was issued the same day that security researchers published information about an undocumented software backdoor in a component of industrial control systems sold by hundreds of different manufacturers and widely used in power plants, military environments and ships.
The information about the backdoor was published by industrial control systems (ICS) security vendor Digital Bond, which detailed how a component used in industrial control systems sold by 261 manufacturers contains functionality that grants remote access to anyone who knows the proper command syntax and the inner workings of the device, leaving systems that are reachable from the public Internet open to malicious tampering.
In an interview with Ars Technica, Reid Wightman, a researcher formerly with Digital Bond and now at security firm ioActive, said there was “absolutely no authentication needed to perform this privileged command.” Of the two specific programmable logic controllers (PLCs) Wightman tested, both allowed him to issue commands that halted the devices’ process control.
“Imagine if your laptop had a service that accepted an unauthenticated ‘shutdown’ command, and if someone sent it your laptop [would] shut off and you [would lose] all your work,” Wightman told Ars. “Anybody on the network could shut off your laptop without needing your password. That would suck. And that’s the case here.”
Potentially aiding would-be attackers are specialized search engines like Shodan and the Every Routable IP Project, which were designed specifically to locate Internet-connected devices that regular search engines overlook or ignore. Indeed, according to Wightman, a quick Shodan search revealed 117 vulnerable devices directly connected to the Internet, although Wightman said he suspected a more targeted search could turn up far more. To complicate matters further, Wightman said tools for automating the exploitation of the backdoor will soon be made available for Metasploit, a penetration testing framework used by hackers and security professionals alike.
In an alert (PDF) issued Thursday, DHS warned that these search engines are being actively used to identify and access control systems over the Internet, and that by combining these tools with easily obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before.
“Multiple threat elements are combining to significantly increase the ICSs threat landscape,” DHS warned. “Hacktivist groups are evolving and have demonstrated improved malicious skills. They are acquiring and using specialized search engines to identify Internet facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems. In addition, individuals from these groups have posted online requests for others to visit or access the identified device addresses. Asset owners should take these changes in threat landscape seriously…and should not assume that their control systems are secure or that they are not operating with an Internet accessible configuration. Instead, asset owners should thoroughly audit their networks for Internet facing devices, weak authentication methods, and component vulnerabilities.”
But according to Digital Bond, asset owners — such as power utilities and water treatment facilities — aren't moving fast enough to take such steps. Indeed, this is the driving premise behind "Project Basecamp," the company's endeavor to publish and expose control systems vulnerabilities: Only when control system operators see how these vulnerabilities could be used to disrupt their operations will they be motivated enough to demand that ICS hardware and software vendors make security a priority.
"The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end," the company explained on its blog. "Everyone knows PLCs are vulnerable — or so we have heard for ten years now since the 9/11 attacks…Not only do they lack basic security features, they are also fragile. Warnings abound about the dangers of even running a port scan on a PLC. Yet even though "everyone knows" there has been little or no progress on developing even the option of purchasing a secure and robust PLC."
The DHS alert released this week does not mention Project Basecamp’s most recent disclosure, although it does allude to a spate of other disclosures by the project in February 2012, when it released exploits that allow attackers to target weaknesses in PLCs from ICS hardware and software vendors GE, Rockwell Automation, Schneider Electric, and Koyo. Wightman can be seen in this video detailing those vulnerabilities, some of which affected vendors said would only be fixed in future generations of the hardware. (Update, 5:13 p.m. ET: US-CERT just issued a separate alert (PDF) on the most recent Project Basecamp disclosure).
Rather, DHS noted that it recently was contacted by a team of researchers that had used Shodan and specialized search terms to compile a list of more than a half million control systems-related devices that are reachable via the Internet. On Thursday, I spoke at length with Bob Radvanovsky, a security expert with the security consultancy Infracritical and among several ICS experts who reached out to DHS after enumerating the half-million devices.
Radvanovsky and his partner Jake Brodsky compiled the list over the past six months, using a set of scripts they devised that sent targeted queries to the Shodan search engine each night and recorded the results.
“I don’t think they entirely believed what we truly had,” Radvanovsky said, of his initial contact with DHS. “After some convincing on both Jake’s and my part, they started getting the picture that this is a lot more serious. If it’s easy for us to come with something like this to find and enumerate these devices, just imagine what our adversaries are doing.”
Radvanovsky says his enumeration project — dubbed SHodan INtelligence Extraction, or “SHINE” — for the most part does not reveal which organization is running the exposed control system devices. Many of these systems are running on ISP networks that serve businesses, and SHINE’s curators are wary of probing the systems for more information about asset owners — preferring instead to leave that outreach to DHS.
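The two practical pieces described above, the DHS advice that asset owners audit for Internet-facing devices and the SHINE approach of recording targeted Shodan results night after night, as an added example that is not code from Digital Bond, Infracritical or DHS. It runs offline on constructed records in the shape of Shodan's JSON banners (the field set ip_str, port, product, org, timestamp is an assumption; the addresses are RFC 5737 documentation ranges, not real hosts), and it assumes the organization knows its own public CIDR blocks. A live run would feed it the Shodan API's output instead of the constructed nights.

```python
"""SHINE-style triage of Shodan-like results, run offline.

Added example, not code from Digital Bond, Infracritical or DHS. It assumes
newline-delimited JSON records in the shape of Shodan's banner output with
the fields ip_str, port, product, org and timestamp (an assumed field set);
the records below are constructed for the example, not real scan data.
"""
import ipaddress
import json
from collections import defaultdict

# Constructed sample: two nights of results. 203.0.113.0/24 and 198.51.100.0/24
# are RFC 5737 documentation ranges, so nothing here points at a real host.
# Port 502 is Modbus/TCP and 44818 is EtherNet/IP, both common PLC protocols.
NIGHT_1 = r"""
{"ip_str": "203.0.113.10", "port": 502, "product": "Modbus", "org": "Example Water District", "timestamp": "2012-10-24T02:11:00"}
{"ip_str": "198.51.100.7", "port": 502, "product": "Modbus", "org": "Example ISP Business Services", "timestamp": "2012-10-24T02:12:00"}
{"ip_str": "198.51.100.8", "port": 44818, "product": "EtherNet/IP", "org": "Example ISP Business Services", "timestamp": "2012-10-24T02:13:00"}
"""
NIGHT_2 = r"""
{"ip_str": "203.0.113.10", "port": 502, "product": "Modbus", "org": "Example Water District", "timestamp": "2012-10-25T02:09:00"}
{"ip_str": "198.51.100.7", "port": 502, "product": "Modbus", "org": "Example ISP Business Services", "timestamp": "2012-10-25T02:10:00"}
{"ip_str": "203.0.113.22", "port": 502, "product": "Modbus", "org": "Example Water District", "timestamp": "2012-10-25T02:11:00"}
"""


def load_banners(text):
    """Parse newline-delimited JSON into a list of dicts, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def merge_nightly(inventory, banners):
    """Fold one night's results into a running inventory keyed by (ip, port).

    A re-sighting updates last_seen and a counter instead of adding a row, so
    the inventory counts distinct exposed endpoints rather than raw hits.
    Timestamps are ISO-8601 strings of one fixed shape, so string comparison
    orders them correctly.
    """
    for b in banners:
        key = (b["ip_str"], int(b["port"]))
        ts = b["timestamp"]
        entry = inventory.get(key)
        if entry is None:
            inventory[key] = {
                "product": b.get("product", ""),
                "org": b.get("org", ""),
                "first_seen": ts,
                "last_seen": ts,
                "sightings": 1,
            }
        else:
            entry["first_seen"] = min(entry["first_seen"], ts)
            entry["last_seen"] = max(entry["last_seen"], ts)
            entry["sightings"] += 1
    return inventory


def audit_own_ranges(inventory, owned_cidrs):
    """Asset-owner side of the DHS advice: return the (ip, port, product)
    entries that fall inside address space the organization actually owns."""
    nets = [ipaddress.ip_network(c, strict=False) for c in owned_cidrs]
    hits = []
    for (ip, port), entry in sorted(inventory.items()):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in nets):
            hits.append((ip, port, entry["product"]))
    return hits


def summarize_by_org(inventory):
    """Count exposed endpoints per 'org' string. The SHINE caveat applies:
    for a device on an ISP's business network this names the network
    operator, not the asset owner, so attribution stops here without
    out-of-band outreach."""
    counts = defaultdict(int)
    for entry in inventory.values():
        counts[entry["org"] or "(unknown)"] += 1
    return dict(counts)


def run_example(owned_cidrs=("203.0.113.0/24",)):
    """Build the inventory from both constructed nights and audit it."""
    inventory = {}
    for night in (NIGHT_1, NIGHT_2):
        merge_nightly(inventory, load_banners(night))
    return inventory, audit_own_ranges(inventory, owned_cidrs), summarize_by_org(inventory)


if __name__ == "__main__":
    inv, hits, by_org = run_example()
    print(f"{len(inv)} distinct exposed endpoints")
    for ip, port, product in hits:
        print(f"in our space: {ip}:{port} ({product}) seen {inv[(ip, port)]['sightings']}x")
    print("per org:", by_org)
```

Keying the inventory by (ip, port) and keeping first_seen/last_seen is what makes a nightly record useful: an endpoint that stops appearing may have been taken offline, or it may simply have been missed that night, and the sightings counter lets you tell a persistent exposure from a one-off. The per-org summary is deliberately not an attribution step; as the SHINE curators note, the network operator's name on a record is not the asset owner's.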
Radvanovsky said he agrees that ICS hardware and software vendors need prodding to build security into their products, and to respond more quickly with feasible solutions when researchers discover and report vulnerabilities. But he said even when such fixes are available, implementing them can be a laborious, costly and painful affair for asset owners.
“Change for these organizations is not easy, in part because many of them have to follow certain regulatory requirements saying if you want to make a change, here’s the path that you will have to follow or else risk not being in compliance with some regulations,” Radvanovsky said. “This is a very difficult and daunting task. I feel that there are safer ways of being able to bring this to asset owners’ attention than simply publishing information about how they’re vulnerable.”
Tags: Ars Technica, Department of Homeland Security, DHS, Digital Bond, Every Routable IP Project, GE, ioActive, Jake Brodsky, Koyo, Metasploit, PLC, programmable logic controllers, Project Basecamp, Reid Wightman, Rockwell Automation, Schneider Electric, SHINE, Shodan, SHodan INtelligence Extraction