Friday, November 26, 2010

SCADA Exploit Vulnerabilities

Readers of this blog will have noted that I have been writing more often about identified vulnerabilities in various industrial control systems and even the existence of published exploits to use those vulnerabilities to attack such control systems. Earlier this week I did a posting about the Stuxnet man-in-the-middle attacks that Ralph Langner has identified. On Wednesday Ralph posted a new entry into his blog that builds on the dangers identified in that attack methodology.

Not Patchable

One important point that Ralph continues to make is that we should not be expecting a ‘patch’ from Siemens to ‘correct’ the vulnerabilities used by Stuxnet. He points out that these vulnerabilities are “regular product features that you find in the majority of these systems, regardless of vendor [emphasis added]”. To eliminate these potential attack points is not going to just require a revision of the Siemens soft ware, but also a complete reworking of the programming for each of the millions of controllers currently in place in manufacturing facilities around the world.

It is not realistic to suppose that the multitude of controllers currently in use will be re-worked to avoid the attack techniques that Stuxnet utilized. I’m not sure about future PLC’s (I’ll leave that discussion to the engineers and security professionals), but it is just not practical to make such radical changes to all of the devices currently in the field. It cannot be done piece meal, it will require a simultaneous reload of all control software and PLC firmware in a facility to minimize the risk of compatibility issues. This would make for a very long turnaround time, with extensive (expensive) pre-installation testing and post-installation trouble shooting. Even then, subsequent process problems will be almost inevitable.

Not Limited to Stuxnet

Ralph makes the point that the two attack modes he describes in his Stuxnet analysis blogs are not limited to being used by Stuxnet (they could be carried by other attack vectors) nor are they limited to being applied to just Siemens controlled systems. Since the attacks actually takes aim at the PLC’s not the Siemens work stations, any industrial control system that utilizes programmable logic controllers could be attacked using these two modes.

One of the things that Ralph doesn’t explicitly state in his blog, yet is clearly implicated by his discussion, is that any vulnerability in control systems that allows an attacker to gain system access to allow code injection to the controllers would allow for a Stuxnet like attack on those systems. Ralph does note that the “development tools to aid in the [code injection technique] development are [available] in the wild”.

The hard work has been done. Now all it takes is a reasonably technically proficient person with the necessary intent to launch the next attack on industrial control systems. An attacker without any process knowledge could launch an attack that could randomly disrupt control system operations to the extent that facility shutdown would be required. An attacker with basic process knowledge (from a disgruntled, or cash strapped insider for instance) could cause worst case process upsets resulting in catastrophic failures of processes and/or equipment that could seriously affect the neighboring community.

No comments:

 
/* Use this with templates/template-twocol.html */