Author: Pierluigi Paganini
The Stuxnet case is considered by security experts the first concrete act of cyber warfare: a malware specifically designed to hit SCADA systems inside nuclear plants in Iran.
The event has alerted the international security community to the risks of a cyber attack against supervisory control and data acquisition (SCADA) systems in industrial environments.
SCADA systems are adopted in practically every industrial control system (ICS) used to control and monitor industrial processes, and those processes, from critical infrastructure to utility facilities, are potential targets of a cyber attack.
Manufacturing, production, power generation, water treatment facilities, electrical power transmission and distribution, and large communication systems are all considered critical assets for every country and represent privileged targets for cyber attacks.
Obtaining access to SCADA systems is a fundamental step for an attacker who wants to compromise the controlled processes, and contrary to what you might think, it isn’t a rare event.
In the majority of cases SCADA systems aren’t protected despite the crucial role they play in the control of processes; by compromising them it is possible to directly cause serious damage to real-life infrastructure. SCADA hacking is the classic example of an attack originating in cyberspace with an impact on the real world.
Below is an interesting proof of concept of attacks against Echelon SCADA systems that I found on the internet, starting from the architecture of the Echelon i.LON 100 SCADA system.
To start the target identification, the research must be limited to a specific IP range on which to run the final scan. To identify the range, the hacker proposes an ISP as an example:
The targets are chosen by analyzing the server responses, in particular those whose HTTP headers carry the value WindRiver-WebServer in the Server header and Basic realm="i.LON" in the WWW-Authenticate header.
The targets selected with the method described run Echelon SmartServer 2.0, which is affected by a couple of vulnerabilities: one totally new (a 0-day) and one disclosed some time ago. More information on the i.LON system is available at the following address: http://www.lon-catalog.ru/ .
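The same fingerprint can be turned around and used by an asset owner to find i.LON web interfaces exposed in their own address space, so that they can be moved behind a VPN as the mitigation list later in this post recommends. The script below is an added example, not code from the original post or from the cited proof of concept; it parses raw HTTP responses (for instance a banner export of your own public ranges), matches the Server header and the Basic realm described above, and additionally flags any Basic-auth challenge served over plain HTTP, since those credentials cross the network in clear text. All hosts, headers and version strings in it are constructed sample data.

```python
"""Triage HTTP banners for exposed Echelon i.LON / WindRiver web interfaces.

Added example for asset owners: feed it the raw HTTP responses collected from
your own address space and it returns the devices matching the fingerprint
described in the post (Server: WindRiver-WebServer plus
WWW-Authenticate: Basic realm="i.LON"). All sample data below is constructed.
"""
from dataclasses import dataclass


@dataclass
class BannerFinding:
    host: str
    server: str
    realm: str
    matches_ilon: bool
    basic_auth_over_http: bool   # credentials would travel in clear text


def parse_headers(raw: str) -> dict:
    """Parse the header block of a raw HTTP response into a lower-cased dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers = {}
    for line in head.split("\r\n")[1:]:      # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        headers[name.strip().lower()] = value.strip()
    return headers


def basic_realm(www_auth: str) -> str:
    """Return the realm of a 'Basic realm="..."' challenge, or '' if not Basic."""
    scheme, _, params = www_auth.partition(" ")
    if scheme.lower() != "basic":
        return ""
    for param in params.split(","):
        key, _, val = param.strip().partition("=")
        if key.strip().lower() == "realm":
            return val.strip().strip('"')
    return ""


def triage_banner(host: str, raw: str, scheme: str = "http") -> BannerFinding:
    """Classify one response; `scheme` is how the banner was collected."""
    h = parse_headers(raw)
    server = h.get("server", "")
    realm = basic_realm(h.get("www-authenticate", ""))
    matches = server.startswith("WindRiver-WebServer") and realm == "i.LON"
    return BannerFinding(host, server, realm, matches,
                         basic_auth_over_http=(scheme == "http" and realm != ""))


def exposed_ilon_devices(responses):
    """responses: iterable of (host, scheme, raw_http_response)."""
    findings = [triage_banner(host, raw, scheme) for host, scheme, raw in responses]
    return [f for f in findings if f.matches_ilon]


# Constructed sample banners (documentation address range, made-up version string).
SAMPLE_RESPONSES = [
    ("192.0.2.10", "http",
     "HTTP/1.1 401 Unauthorized\r\nServer: WindRiver-WebServer/4.4\r\n"
     "WWW-Authenticate: Basic realm=\"i.LON\"\r\nContent-Length: 0\r\n\r\n"),
    ("192.0.2.11", "http",
     "HTTP/1.1 200 OK\r\nServer: nginx/1.18.0\r\nContent-Type: text/html\r\n\r\n<html></html>"),
    ("192.0.2.12", "https",
     "HTTP/1.1 401 Unauthorized\r\nServer: WindRiver-WebServer\r\n"
     "WWW-Authenticate: Basic realm=\"i.LON\"\r\n\r\n"),
]

if __name__ == "__main__":
    for f in exposed_ilon_devices(SAMPLE_RESPONSES):
        note = " (Basic auth over plain HTTP)" if f.basic_auth_over_http else ""
        print(f"{f.host}: {f.server} realm={f.realm}{note}")
```

Only the first and third constructed hosts match the fingerprint; the first is additionally flagged because its Basic-auth challenge was served over HTTP.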
After a little research on the internet the hacker found source code for WindRiver firewalls on the following website:
Once the final target has been analyzed, the attacker only has to execute the exploit against it. The post reports: “Then you should have the admin panel to change everything on the box”.
The post reports a list of devices directly controlled from the admin console of the SCADA system; it is possible to note that its main use is for heating purposes.
By accessing a single device it is possible to set its operating parameters; let’s imagine the effects on industrial processes or on SCADA inside a nuclear plant … it’s already happened and it could happen again!
The steps proposed are very simple and demonstrate how vulnerable critical infrastructures are. Many security experts believe that the most complicated phase is the search for targets, i.e. SCADA systems exposed on the internet for various reasons. That’s wrong!
Many hackers use the “Shodan Computer Search Engine” to find SCADA systems exposed on the internet; the popular website also provides a useful set of information on the possible targets. Many of these systems lack proper authentication mechanisms and in many cases aren’t updated.
Shodan is the equivalent of Google for the machines exposed on the internet: it is a search engine for servers, routers, load balancers and any other network device.
“Search results include information like HTTP server responses to GET requests, FTP and Telnet service banners and client/server messages exchanged during login attempts, and SSH banners (including server versions).”
It’s fundamental that governments improve their cyber strategies to protect SCADA systems, requiring compliance with strict security regulations to ensure their security and prevent external attacks. Basic measures include:
• Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access
• Remove, disable, or rename any default system accounts (where possible)
• Implement account lockout policies to reduce the risk from brute forcing attempts
• Implement policies requiring the use of strong passwords
• Monitor the creation of administrator level accounts by third-party vendors
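Two items of this list, account lockout against brute forcing and monitoring of administrator-account creation by third parties, are only useful if someone checks that they actually work. The script below is an added example, not code from the original post or from any vendor: it runs over authentication log lines (the log format, the account names and the set of vendor accounts are constructed assumptions) and raises an alert when a user hits the lockout threshold, when a login succeeds while that account should still be locked (i.e. the lockout policy is not enforced on the device), and when an admin-level account is created, marking the ones created by a third-party vendor account.

```python
"""Log checks for two SCADA mitigations: account lockout and admin-account monitoring.

Added example; the log line format and account names are constructed assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<event>LOGIN_FAIL|LOGIN_OK|USER_ADD) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)(?: role=(?P<role>\S+))?(?: by=(?P<by>\S+))?$"
)

LOCKOUT_THRESHOLD = 5                    # failed attempts ...
LOCKOUT_WINDOW = timedelta(minutes=15)   # ... within this window lock the account
VENDOR_ACCOUNTS = {"vendor_acme"}        # assumption: accounts issued to third parties

# Constructed sample log: a brute-force run that then succeeds (lockout missing),
# an admin account created by a vendor account, and a normal staff admin creation.
SAMPLE_LOG = """\
2012-11-20 10:00:01 LOGIN_FAIL user=operator src=198.51.100.7
2012-11-20 10:00:02 LOGIN_FAIL user=operator src=198.51.100.7
2012-11-20 10:00:03 LOGIN_FAIL user=operator src=198.51.100.7
2012-11-20 10:00:04 LOGIN_FAIL user=operator src=198.51.100.7
2012-11-20 10:00:05 LOGIN_FAIL user=operator src=198.51.100.7
2012-11-20 10:00:06 LOGIN_OK user=operator src=198.51.100.7
2012-11-20 10:30:00 USER_ADD user=svc_remote src=203.0.113.5 role=admin by=vendor_acme
2012-11-20 11:00:00 USER_ADD user=jdoe src=10.0.0.12 role=admin by=ics_admin
2012-11-20 12:00:00 LOGIN_FAIL user=root src=203.0.113.9
"""


def parse_log(text):
    """Yield one dict per well-formed line, with the timestamp parsed."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m:
            rec = m.groupdict()
            rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%d %H:%M:%S")
            yield rec


def brute_force_alerts(records):
    """Alert when failures reach the threshold inside the window, and again if a
    login then succeeds while the account should still be locked out."""
    fails = defaultdict(deque)   # user -> timestamps of recent failures
    locked_until = {}
    alerts = []
    for r in records:
        user, ts = r["user"], r["ts"]
        if r["event"] == "LOGIN_FAIL":
            q = fails[user]
            q.append(ts)
            while ts - q[0] > LOCKOUT_WINDOW:   # drop failures outside the window
                q.popleft()
            if len(q) >= LOCKOUT_THRESHOLD and user not in locked_until:
                locked_until[user] = ts + LOCKOUT_WINDOW
                alerts.append(("brute_force", user, r["src"]))
        elif r["event"] == "LOGIN_OK":
            if user in locked_until and ts < locked_until[user]:
                alerts.append(("lockout_not_enforced", user, r["src"]))
            fails[user].clear()
    return alerts


def admin_account_alerts(records):
    """Alert on every admin-level account creation; mark those done by vendor accounts."""
    return [
        ("vendor_admin_created" if r["by"] in VENDOR_ACCOUNTS else "admin_created",
         r["user"], r["by"])
        for r in records
        if r["event"] == "USER_ADD" and r["role"] == "admin"
    ]


if __name__ == "__main__":
    recs = list(parse_log(SAMPLE_LOG))
    for alert in brute_force_alerts(recs) + admin_account_alerts(recs):
        print(alert)
```

On the constructed log the operator account trips the threshold on its fifth failure and the following successful login is flagged as proof that no lockout is enforced; both admin creations are reported, with the vendor-initiated one labelled separately so it can be reviewed against the change schedule.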
If you think that SCADA systems today are secure, or in case you are not yet convinced of the criticality of the problem, let me suggest that you watch the video “ReVuln – SCADA 0-day vulnerabilities“.
It is a showcase of some SCADA 0-day exploits owned by the ReVuln security company; the 0-day vulnerabilities are all server-side and remotely exploitable. The video shows issues affecting the following vendors: General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton, Siemens … nobody is secure. Note that many other 0-day vulnerabilities owned by ReVuln affecting other well known SCADA/HMI vendors have not been included in this video.
The attackers “can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service,” said ReVuln co-founder and security researcher Luigi Auriemma.
“They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”