SIFT Note 2009-01 - 9 Feb 09

SCADA Exposed – The Devil is In the Defaults

Often the only viable business case requires a SCADA device to be exposed to the Internet or another high-risk network. Where that is unavoidable, SIFT's research shows that little is usually done to mitigate the resulting risk. The most common problem, and therefore the greatest opportunity for improvement, lies in default settings and deployment configurations.

  • Default ports
By far the easiest way to identify the presence of a SCADA device is by its default port, for example Modbus on TCP port 502. Attackers know this and can scan vast sections of the Internet for a single port. Moving a device off its default port is therefore a cheap way to stay out of mass single-port scans. Note that this only raises the cost of discovery: a targeted scan of all ports followed by a protocol probe will still find the device, so a changed port should complement network access control rather than replace it.

  • Web by default
Traditionally SCADA devices were controlled through extremely simple numeric interfaces: integers were read from or written to relatively small storage areas, or registers, each 16 bits wide. Recently this has changed, as manufacturers include increasingly complicated web-based interfaces to control their devices. It is often said that "complexity is the enemy of security", and nowhere does this apply more than in SCADA environments. It is recommended that, where possible, web interfaces be disabled or restricted to the smallest possible user base.

  • Default passwords
    While some SCADA devices do not include any authentication mechanisms, the vast majority of modern devices do. Unfortunately, the usernames and passwords of these devices are often unaltered from the default. Moreover, the default credentials are easily identifiable through simple Google searches for the appropriate user manuals. It is recommended that organizations change device usernames and passwords prior to enabling any network connectivity.

When deploying new SCADA devices or evaluating current exposure, these three areas should be at the forefront of the exercise.


SCADA Vulnerabilities 2008 – The Year That Was

2008 brought the revelation and disclosure of a number of significant security issues in SCADA systems. Some of these received considerable media attention and affected a large number of deployment sites. A summary of the SCADA vulnerabilities published in 2008 is presented below.

2008-01-25 - Multiple Vulnerabilities in GE Fanuc products
GE Fanuc produces a number of systems for controlling, monitoring, and reporting on SCADA systems. A number of these products were found to have critical security issues including a buffer overflow and the ability to upload and execute arbitrary files.

2008-05-05 - Wonderware SuiteLink Denial of Service vulnerability
The Wonderware SuiteLink service, which is a protocol and set of services used by a number of Wonderware and other SCADA products as an integration mechanism, could be crashed by an unauthenticated attacker. Given that SuiteLink is a key integration component, many SCADA systems were affected.

2008-06-11 - CitectSCADA ODBC service vulnerability
Perhaps the most significant SCADA security issue to come to light in 2008 was the CitectSCADA ODBC service buffer overflow issue. CitectSCADA is a system for collecting data and providing an interface to control equipment with an integrated Human Machine Interface (HMI).

Not only was the issue serious enough to allow an attacker to compromise and control a SCADA HMI, but the vendor required five months to release a patch, exposing customers to a significant period of vulnerability. The issue also gained significant media attention following the publication of a Metasploit exploit module, allowing point-and-click compromise of CitectSCADA systems.

2008-09-25 - ABB PCU400 buffer overflow vulnerability
The ABB PCU400 primarily serves as a protocol translator between field devices and a control centre. Its diagnostic web application was found to contain a buffer overflow which could allow compromise of the host system.

Further information:

US-CERT VU#308556 - GE Fanuc CIMPLICITY HMI heap buffer overflow

US-CERT VU#339345 - GE Fanuc Proficy Information Portal allows arbitrary file upload and execution

US-CERT VU#180876 - GE Fanuc Proficy Information Portal transmits authentication credentials in plain text

US-CERT VU#596268 - Wonderware SuiteLink null pointer dereference

US-CERT VU#476345 - Citect CitectSCADA ODBC service buffer overflow

US-CERT VU#343971 - ABB PCU400 vulnerable to buffer overflow


The SCADA Device Fingerprinting Challenge

The process an attacker or penetration tester follows to compromise a system begins with 'fingerprinting' the target: identifying what it is and how it behaves, so that entry points and paths of least resistance can be found. This process is universal and applies equally to SCADA devices and to other systems; however, SCADA field devices are particularly well placed to turn the fingerprinting phase into a choke point for the attacker.

In general, SCADA field devices do not respond with the contextual or business information that typical enterprise systems reveal. Instead, these devices typically return only raw data in the form of numeric values. Consequently, identifying the make, model and purpose of a device can be very difficult if it is configured appropriately.

From a testing perspective, the following actions can be taken to partly overcome this challenge:

  • Accessing non-control interfaces (such as HTTP) to identify unique device information.
  • Probing uncommon or custom functions.
  • Reviewing adjacent network devices for clues to device purpose.

SCADA engineers can take the following steps to ensure fingerprinting remains difficult and continues to provide a choke point:

  • Exposing only the required interfaces to the network, and where possible only the control interface.
  • Disabling device-specific functions and implementing only standard/common functionality.
  • Disabling diagnostic functions.
  • Where possible, removing version information from banners and any user interfaces, or configuring an intermediate security device to remove such information.
  • Removing vendor/supplier references from public websites and other publicly accessible information sources.
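The default-port and fingerprinting points above can be made concrete with a Modbus/TCP probe. The following is an added example written for this page, not code from SIFT or from any vendor: it builds a Read Device Identification request (function code 43, MEI type 14, which the Modbus application protocol specification defines for exactly the vendor/product/revision lookup a fingerprinter wants), and parses the two kinds of answer a tester sees. It assumes the target speaks Modbus/TCP with unit id 0xFF, and the two sample responses are constructed for the demonstration rather than captured from any real product.

```python
import socket
import struct

MODBUS_DEFAULT_PORT = 502        # the default port the note warns is scanned Internet-wide
FC_ENCAPSULATED = 0x2B           # function code 43: Encapsulated Interface Transport
MEI_READ_DEVICE_ID = 0x0E        # MEI type 14: Read Device Identification
EXC_ILLEGAL_FUNCTION = 0x01      # exception code returned when a function is not supported

# Object ids in the "basic" identification block defined by the Modbus application protocol spec
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def mbap(pdu, transaction_id=1, unit_id=0xFF):
    """Prefix a PDU with the Modbus/TCP MBAP header: transaction id, protocol id 0, length, unit id."""
    return struct.pack(">HHHB", transaction_id, 0x0000, len(pdu) + 1, unit_id) + pdu


def build_read_device_id(read_code=0x01, object_id=0x00, transaction_id=1, unit_id=0xFF):
    """Request the 'basic' identification stream (read code 1) starting at object 0.
    Unit id 0xFF is the conventional value for a TCP device that is not a serial gateway."""
    pdu = bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, read_code, object_id])
    return mbap(pdu, transaction_id, unit_id)


def parse_response(adu):
    """Classify a Modbus/TCP response to the 43/14 request.

    Returns ("identified", {object_name: value}) when the device handed over
    identification objects, ("exception", code) when it refused the function,
    or ("unknown", None) for any other well-formed reply.
    """
    if len(adu) < 8:
        raise ValueError("ADU shorter than MBAP header plus function code")
    _tid, protocol_id, length, _unit = struct.unpack(">HHHB", adu[:7])
    if protocol_id != 0:
        raise ValueError("not Modbus (protocol id %d)" % protocol_id)
    pdu = adu[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("MBAP length field does not match payload")
    function = pdu[0]
    # Exception responses set the high bit of the function code; the next byte is the exception code.
    if function == FC_ENCAPSULATED | 0x80:
        return ("exception", pdu[1])
    if function != FC_ENCAPSULATED or len(pdu) < 7 or pdu[1] != MEI_READ_DEVICE_ID:
        return ("unknown", None)
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more-follows, pdu[5] next object id
    count = pdu[6]
    objects = {}
    offset = 7
    for _ in range(count):
        if offset + 2 > len(pdu):
            raise ValueError("truncated object list")
        obj_id, obj_len = pdu[offset], pdu[offset + 1]
        value = pdu[offset + 2:offset + 2 + obj_len]
        if len(value) != obj_len:
            raise ValueError("truncated object value")
        name = BASIC_OBJECTS.get(obj_id, "Object0x%02X" % obj_id)
        objects[name] = value.decode("ascii", "replace")
        offset += 2 + obj_len
    return ("identified", objects)


def probe(host, port=MODBUS_DEFAULT_PORT, timeout=3.0):
    """Send one 43/14 request to a live device and classify the answer (network; not run by the demo)."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id())
        return parse_response(sock.recv(260))


# Constructed sample responses (not captured from any real product):
# a chatty device that answers 43/14 with vendor, product and revision...
SAMPLE_CHATTY = mbap(
    bytes([FC_ENCAPSULATED, MEI_READ_DEVICE_ID, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 9]) + b"ExampleCo"
    + bytes([0x01, 5]) + b"PLC-1"
    + bytes([0x02, 4]) + b"v2.1")
# ...and a hardened device that rejects the function with exception 01 (Illegal Function)
SAMPLE_QUIET = mbap(bytes([FC_ENCAPSULATED | 0x80, EXC_ILLEGAL_FUNCTION]))

if __name__ == "__main__":
    for name, adu in (("chatty", SAMPLE_CHATTY), ("quiet", SAMPLE_QUIET)):
        print(name, parse_response(adu))
```

Run against a device you are authorised to test with probe(host) (on port 502 or whatever port the device was moved to). The "quiet" outcome, a bare Illegal Function exception with no vendor or version string, is what the engineering recommendations above aim for: the device still serves its control function, but the tester is left with raw register values and no shortcut to a product manual or a known vulnerability.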


Personal Information, Privacy & Cloud Computing

Cloud computing has emerged as the latest phenomenon in the technology world. Although computer experts are yet to reach a consensus as to the precise scope of the term, cloud computing broadly refers to the ability of individuals and organisations to access files, software applications, data and other services via the Internet that are hosted remotely by a third party service provider. Recent examples of cloud computing include Amazon's Simple Storage Service (S3) and Elastic Compute Cloud (EC2), which allow for remote file and data storage and the creation of remote virtual computing platforms. Google, IBM and Oracle have also all recently launched their own cloud computing offerings.

The potential benefits associated with cloud computing services include increased ease of use (since users do not need to be concerned with the infrastructure which supports a service), scalability, minimisation of software management burdens (patching and updating of the software is managed by the third party service provider) and reduced costs for corporations, which need only pay for what they use rather than for a licence based on a lump sum fee. However, in many cases the IT infrastructure supporting cloud computing services may be physically located in a different jurisdiction to the end user who is making use of the service.

This is of particular concern because users may ‘disclose’ sensitive personal information and data when engaging in cloud computing, which could potentially be transferred to and stored in another jurisdiction. This is significant because if that jurisdiction has different legal, moral and cultural rules regarding the degree to which that information should remain confidential, it can affect the strength of the security controls implemented to protect that information. If the security controls in place are not sufficiently strong, then the privacy of that data could be compromised more easily than if the data were to have remained within Australia.

Efforts are being made to address this issue. The Asia Pacific Economic Co-operation (APEC) forum, for example, is embarking on a project to develop a set of common rules to apply in all member economies with respect to cross border data flows, whilst the Australian Law Reform Commission has recommended reforms to privacy laws to ensure that organisations transferring personal information offshore are to remain responsible for its protection in most circumstances. The latter measure enables end-users of cloud computing services to have recourse within Australia should they feel the privacy of their personal information has been breached, which is particularly useful since it is not always possible to easily ascertain what offshore entity has assumed responsibility for personal information, and where that entity is located.

There is no doubt that cloud computing represents an exciting development in the evolution of the Internet. At present, however, a significant amount of uncertainty remains with respect to the full implications that cloud computing services will have on the use, dissemination and handling of personal information. Whilst this uncertainty remains, end-users should favour services that provide specific, legally binding assurances at sign-up that their data will be protected to an acceptable standard (for example, in accordance with Australian privacy laws), and avoid those which fail to indicate that strong controls will be in place to protect the security of that data if and when it is transferred offshore.

Further information:

Australian Law Reform Commission, New cross-border privacy laws—greater certainty for all Australians

Department of the Prime Minister and Cabinet, APEC Cross-Border Privacy Rules

Infoworld, What Cloud Computing Really Means


© 2000-2010 SIFT Pty Ltd. All rights reserved.