Black Hat: Industrial Controller Security At Risk

In the wake of Stuxnet, Black Hat researchers disclosed vulnerabilities found in industrial-control systems

Security researchers pointed out the vulnerability of industrial-control systems, such as programmable logic controllers and other units, during the recent Black Hat security conference in Las Vegas.

SCADA (Supervisory Control and Data Acquisition) systems are used to run power plants, manufacturing processes, petrochemical production and other critical infrastructure. At the Black Hat conference in Las Vegas, SCADA systems kept coming up in panel after panel as researchers discussed the different ways they were vulnerable.

Hacking power plant controllers

Dillon Beresford, a researcher with NSS Labs, revealed a backdoor in Siemens S7-300, S7-400 and S7-1200 devices that allowed him to hack inside and capture passwords. In a live demonstration, he showed how he could reprogram and control the programmable logic controllers. These Siemens devices are used in power and manufacturing plants around the world, and were vulnerable to this hack, which could cause them to shut down or crash attached systems.

Beresford claimed it took him only two-and-a-half hours to write the exploit code after he found a hard-coded password that allowed him to open a command shell. He was able to do “other things”, such as perform a memory dump and capture passwords. The backdoor was likely put in place for diagnostic purposes, Beresford said.

There are plenty of PLCs connected to the Internet, and “an attack on PLCs for 24 hours could cause it to blow up a plant”, Beresford said, adding that he wasn’t trying to “freak” anyone out. Hacking SCADA systems is no longer solely in the hands of nation-states, but in those of independent researchers as well, and it was just a “matter of time”, according to Beresford.

“It’s not just the spooks who have these capabilities. Average guys sitting in their basements can pull this off,” said Beresford.

Thomas Brandstetter, acting head of Siemens’ product computer emergency response team, was on stage with Beresford and confirmed the company was working on fixes for its devices.

“Siemens created a product CERT eight months ago to handle vulnerabilities in its products and to work with the security community,” Brandstetter said.

Default passwords

In a more light-hearted finding, Beresford also found an “Easter egg” of animated dancing monkeys in the Siemens firmware.

In a different session on 4 August, Tom Parker, CTO of FusionX, typed some search terms associated with a programmable logic controller into Google. A page referencing the pump status of a Remote Terminal Unit, of the kind used in water-treatment plants and pipelines that connect to the Internet, appeared in the search results. The search also yielded the RTU’s default password, “1234”.

Attackers are increasingly using search engines to discover vulnerable systems, default passwords and sensitive files, Noa Bar Yosef told eWEEK. With Google and Microsoft compiling and maintaining very thorough search indexes, attackers have access to valuable vulnerability information when planning and executing attacks, Bar Yosef said. Attackers use automated tools to generate more than 80,000 queries a day to probe the web for vulnerable web applications, according to Bar Yosef.

Most SCADA protocols have no security built in, so when a PLC receives a command, it assumes it’s from a legitimate source and executes it without performing any checks or authentication, according to Jonathan Pollet, founder of Red Tiger Security, who co-presented with Parker. Anyone who discovers the PLC’s IP address can send commands to the device, Pollet said.
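The design flaw Pollet describes, a controller that executes whatever it receives, is easiest to see next to a version that does not. The following toy is an added example written for this article; it is not code from any of the presenters or from Siemens, and it does not implement any real SCADA protocol. It assumes a constructed command set (READ_STATUS, START_PUMP, STOP_PUMP), a pre-shared key provisioned out of band, and a known operator station address; the hardened handler adds a source allow-list, a keyed MAC over the command, and a monotonic sequence number so a captured message cannot simply be replayed.

```python
import hashlib
import hmac
import secrets

# Constructed command vocabulary for the toy controller (not a real protocol).
ALLOWED_COMMANDS = {"READ_STATUS", "START_PUMP", "STOP_PUMP"}


def make_tag(key, seq, command):
    """HMAC-SHA256 over the sequence number and command, hex-encoded."""
    msg = f"{seq}:{command}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


class LegacyController:
    """The pattern described in the article: any well-formed command is executed."""

    def __init__(self):
        self.pump_running = False
        self.log = []

    def handle(self, src_ip, command):
        # No source check, no authentication: the sender is assumed legitimate.
        return self._execute(src_ip, command)

    def _execute(self, src_ip, command):
        if command not in ALLOWED_COMMANDS:
            return "ERR_UNKNOWN"
        if command == "START_PUMP":
            self.pump_running = True
        elif command == "STOP_PUMP":
            self.pump_running = False
        self.log.append((src_ip, command))
        return "OK"


class HardenedController(LegacyController):
    """Same command set, but the command must come from an allowed source,
    carry a valid MAC under the shared key, and use a fresh sequence number."""

    def __init__(self, key, allowed_sources):
        super().__init__()
        self.key = key
        self.allowed_sources = set(allowed_sources)
        self.last_seq = 0
        self.rejected = []  # audit trail of refused commands for the operator

    def handle(self, src_ip, command, seq=None, tag=None):
        if src_ip not in self.allowed_sources:
            self.rejected.append((src_ip, command, "source not allowed"))
            return "REJECT"
        if seq is None or tag is None or seq <= self.last_seq:
            self.rejected.append((src_ip, command, "missing or replayed sequence"))
            return "REJECT"
        expected = make_tag(self.key, seq, command)
        if not hmac.compare_digest(expected, tag):
            self.rejected.append((src_ip, command, "bad MAC"))
            return "REJECT"
        self.last_seq = seq
        return self._execute(src_ip, command)


def demo():
    """Run the same traffic against both controllers and return the outcomes."""
    key = secrets.token_bytes(32)
    hmi = "10.0.0.5"           # constructed: the legitimate operator station
    stranger = "203.0.113.9"   # constructed: an unrelated host that knows the address

    legacy = LegacyController()
    hard = HardenedController(key, allowed_sources=[hmi])

    results = {}
    # Legacy controller accepts a command from anyone who knows its address.
    results["legacy_stranger"] = legacy.handle(stranger, "STOP_PUMP")
    # Hardened controller refuses the same message from a non-allow-listed source.
    results["hard_stranger"] = hard.handle(stranger, "STOP_PUMP")
    # Correct source, but no MAC or sequence number.
    results["hard_no_tag"] = hard.handle(hmi, "STOP_PUMP")
    # Properly authenticated command.
    tag = make_tag(key, 1, "START_PUMP")
    results["hard_ok"] = hard.handle(hmi, "START_PUMP", seq=1, tag=tag)
    # The identical message sent again is a replay and is refused.
    results["hard_replay"] = hard.handle(hmi, "START_PUMP", seq=1, tag=tag)
    # Command altered after the tag was computed: MAC no longer matches.
    results["hard_tampered"] = hard.handle(
        hmi, "STOP_PUMP", seq=2, tag=make_tag(key, 2, "START_PUMP"))
    results["pump_running"] = hard.pump_running
    results["rejections"] = len(hard.rejected)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The allow-list on its own is weak (source addresses can be forged), which is why the example layers it with a MAC and a sequence number; each check rejects a different class of message, and the `rejected` list gives an operator something to alert on, since a legacy controller of the kind described above leaves no trace of who sent a command.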

UK power plant

In the case of Parker’s presentation, if that RTU had any motors attached to it, remote attackers could use the information available online to turn them off or create an outage. Parker and Pollet discovered through a series of Google searches that an electricity substation in the United Kingdom was running a transformer with no password required. They were able to see circuit breaker statuses, when the unit was last worked on and its current status, Pollet said.

Interest in SCADA security has increased since last year when Stuxnet, a worm that targets Siemens SCADA systems, emerged. Exploiting the auto-run vulnerability in Windows systems and other security flaws in Siemens systems, the worm damaged centrifuges in Iran’s nuclear enrichment facility.

During a panel on how GSM networks can be used to hack into cars, Don Bailey, a researcher with security consulting company iSec Partners, also mentioned how SCADA systems were vulnerable as they could be controlled via text messages.