Vulnerable industrial controls directly connected to Internet? Why not?
Yesterday, Siemens issued an update to a year-old product vulnerability warning for its SIMATIC S7-300 and S7-400 families of programmable logic controllers (PLCs)—industrial control systems used to remotely monitor and operate manufacturing equipment. The alert, originally issued in December of 2016, was updated on Wednesday to include another version of the S7-400 line. The Department of Homeland Security pushed out an alert through the Industrial Control Systems Computer Emergency Response Team (ICS-CERT) today. The systems in both device families are vulnerable to remote attacks that could allow someone to obtain login credentials to the system or reset it into a "defect" mode, shutting down the controller—essentially executing a denial-of-service attack on whatever equipment it is attached to.
You might not think that factory industrial controls would be directly accessible from the Internet. But a quick survey of devices open on the network port mentioned in the advisory (TCP port 102) using the Shodan search engine revealed over 1,000 Siemens devices directly accessible on the Internet (plus a certain number of honeypots set up to detect attacks).
Many of the devices are vulnerable based on Siemens' alerts and do not have the firmware updates required to mitigate the threat. The only good news, as security researcher Kevin Beaumont said in an exchange with Ars on Twitter, is that "I've seen no evidence of anybody trying to wipe them, etc., yet."
Ironically, the credential-stealing vulnerability may not even be an issue in some cases, because a substantial number of the devices surveyed in the Shodan search had no authentication configured at all. The only reason that these systems may not have been attacked yet is that no one has figured out how to make attacking them into a profitable enterprise—or they haven't read the (downloadable) Siemens manuals yet.
As Beaumont said, "It's an open own goal." And this particular advisory doesn't stop with the PLCs. Some PLC manufacturers haven't even responded to inquiries from the DHS' National Cybersecurity and Communications Integration Center (NCCIC) about recently-discovered vulnerabilities, such as one in the Nari PCS-9611 Feeder Relay, a control system used to manage some electrical grids. The vulnerability, reported by two Kaspersky Labs researchers, "could allow a remote attacker arbitrary read/write abilities on the system."
While a cursory Shodan search did not reveal any Nari feeder relays specifically, a check of one of the International Electrotechnical Commission protocols used by the PCS-9611 and many other devices that control power distribution systems found over 14,000 systems connected directly to the Internet, largely by 3G cellular modems. The results for many of these screened by Ars were indicative of electrical ICS devices.
Dam bad security
While the DHS and various security vendors have been warning of the vulnerability of industrial control systems to "cyberwarfare" over the past decade, relatively few actual industrial control system attacks have bee documented, and those that have been reported have been largely overblown. A 2013 attempt (attributed to Iranians) to "hack" a dam in upstate New York failed, largely because the dam's flood control systems had been broken for some time. That attack was staged by gaining access to the dam's local network over a broadband cellular modem set up to allow remote access.
Other, more recent attacks have been from insiders. They include a possibly drunk former employee of an industrial control-system vendor who used default login credentials to remotely shut down tower gateway base stations (TGBs) that collect data from smart water meters.
Yet some of these attacks may go undocumented simply because the companies affected by them have had no cause to report them. At the Black Hat USA security conference in 2015, Marina Krotofil, a researcher at Hamburg University of Technology told attendees that utilities had been regularly blackmailed by ICS hackers on a large scale since at least 2006. And despite efforts to better secure electrical grid control infrastructure, researchers have continued to find that even the protective devices used on some systems are prone to abuse and attack.
In a presentation at the RECON Brussels security conference last January, researchers Kirill Nesterov and Alexander Tlyapov discussed the general absence of security in the IEC protocols used in electrical grid substation systems, including relay protection terminals. Many of these systems have their own Web interfaces for remote management, often with hard-coded passwords that can be discovered by examining firmware downloadable from the manufacturers' web sites.
Apparently, protecting this stuff is hard. Part of the issue is that many of these systems are outside of the usual domain of IT departments and run by separate organizations with a much different sort of security ethos. The rapid adoption of remote access for industrial systems has allowed workers to keep track of manufacturing, chemical and electrical systems from a distance, saving money and time. But in many cases, that remote access has been achieved with very little security planning, if any at all. After all, why would anyone need a virtual private network to protect the PLC controlling a dam or a piece of factory equipment?