Industrial controllers need security rewrite
The stripped down systems that control many manufacturing, utility and industrial processes have enormous security issues, researchers find.
By Robert Lemos
August 05, 2011 — CSO —
The dedicated systems designed to control manufacturing, utility and industrial processes have fundamental security weaknesses that let researchers find serious vulnerabilities with trivial effort, researchers told attendees at the Black Hat Security Briefings in Las Vegas this week.
Siemens Simatic S7 programmable logic controllers (PLCs), for example, are vulnerable to replay attacks that allow adversaries to change settings and shut down devices, said Dillon Beresford, a researcher with NSS Labs. The controllers belong to the same family of devices that the Stuxnet cyberattack targeted in 2009 as part of its attack on Iran's nuclear program.
"These devices were designed to operate in an air-gapped network, where physical access was necessary," Beresford told attendees.
Programmable logic controllers are devices that turn digital commands into physical actions, such as controlling valves in a water treatment facility or controlling assembly line machinery in a manufacturing plant. Because they typically are not connected to the Internet, vendors such as Siemens have not historically treated attacks on these systems as a serious threat, Beresford said.
Over roughly two months, Beresford acquired and reverse-engineered Siemens PLCs. He found that popular S7 models are vulnerable to serious yet well-known classes of attack. An adversary that captures an authenticated session, for example, can re-authenticate simply by resending the same network data, because nothing in the exchange is bound to a fresh session. Beresford also found a hard-coded password that opened a backdoor command shell on the PLCs.
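To make the replay problem concrete, here is an added illustration (not Beresford's code, and not the S7 protocol itself) of why a static authentication message can be resent verbatim, and what a per-session challenge changes. The two toy "PLCs" and the shared secret are constructed for this example and exchange messages in memory rather than over a network; the fix shown (a server-chosen nonce answered with an HMAC, never accepted twice) is one standard way to bind authentication to a session, and is the kind of access control the recommendations below call for.

```python
import hmac
import hashlib
import secrets

# Constructed shared secret for this example only; not a real device credential.
SHARED_SECRET = b"example-plc-secret"


class NaivePlc:
    """Stateless password check: the same bytes always authenticate.

    Nothing in the message is tied to the session, so an observer who
    records one valid login can resend it at will.
    """

    def __init__(self, password: bytes):
        self._password = password
        self.authenticated_sessions = 0

    def authenticate(self, message: bytes) -> bool:
        ok = hmac.compare_digest(message, b"AUTH " + self._password)
        if ok:
            self.authenticated_sessions += 1
        return ok


class ChallengeResponsePlc:
    """Per-session challenge: each login answers a fresh server-chosen nonce.

    The client proves knowledge of the secret by returning HMAC(secret, nonce).
    A recorded response is useless later because the nonce is consumed on
    first use and never reissued.
    """

    def __init__(self, secret: bytes):
        self._secret = secret
        self._outstanding = set()   # nonces issued and not yet consumed
        self.authenticated_sessions = 0

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(16)
        self._outstanding.add(nonce)
        return nonce

    def authenticate(self, nonce: bytes, response: bytes) -> bool:
        if nonce not in self._outstanding:
            return False            # unknown or already-consumed nonce: reject
        self._outstanding.discard(nonce)   # one attempt per challenge
        expected = hmac.new(self._secret, nonce, hashlib.sha256).digest()
        ok = hmac.compare_digest(expected, response)
        if ok:
            self.authenticated_sessions += 1
        return ok


def client_response(secret: bytes, nonce: bytes) -> bytes:
    """What a legitimate client sends in answer to a challenge."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def replay_against_naive(password: bytes):
    """Legitimate client logs in; an eavesdropper replays the captured bytes."""
    plc = NaivePlc(password)
    captured = b"AUTH " + password          # exactly what a sniffer sees on the wire
    first = plc.authenticate(captured)      # legitimate login
    replayed = plc.authenticate(captured)   # attacker resends it; no secret needed
    return first, replayed, plc.authenticated_sessions


def replay_against_challenge(secret: bytes):
    """Same attacker, but the PLC demands a fresh challenge for every login."""
    plc = ChallengeResponsePlc(secret)
    nonce = plc.challenge()
    captured = client_response(secret, nonce)            # sniffed legitimate reply
    first = plc.authenticate(nonce, captured)            # legitimate login succeeds
    replayed_same_nonce = plc.authenticate(nonce, captured)   # nonce already consumed
    new_nonce = plc.challenge()                          # attacker requests a new one
    replayed_new_nonce = plc.authenticate(new_nonce, captured)  # old reply does not match
    return first, replayed_same_nonce, replayed_new_nonce, plc.authenticated_sessions


if __name__ == "__main__":
    print("naive PLC     (first, replay, sessions):", replay_against_naive(b"pw"))
    print("challenge PLC (first, same-nonce replay, new-nonce replay, sessions):",
          replay_against_challenge(SHARED_SECRET))
```

Against the naive controller the replayed message is accepted a second time; against the challenge-response controller both replay attempts fail and only the legitimate login counts. Note that this defeats replay only; the shared secret still has to be provisioned per device rather than hard-coded, or the second weakness described above remains.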
Perhaps the most embarrassing revelation: The code contained an "easter egg," a hidden program, that took the form of an animation of dancing monkeys.
Beresford demonstrated his ability to manipulate the switches controlled by Siemens PLCs, turning a series of lights on and off. While the demonstration seemed somewhat anticlimactic, Beresford underscored the danger.
"I don't want to freak anyone out, but if you mess with these things you could cause pressure to build up in a pipe, which could cause a cascade and even explode," he said.
An engineer from Siemens' security team took the stage midway through the presentation to assure attendees that the company was investigating the issues and improving product security.
Beresford stressed that Siemens is not alone; similar security problems likely affect other manufacturers' products. While vendors have assumed that their PLCs and other industrial control systems operate in isolation, not connected to the Internet, many are connected, even if only indirectly. In addition, the wireless networks that connect many of the devices to engineering terminals can be attacked as well, he said.
Beresford recommended that the companies put better access controls in place to protect the PLCs.