Joel Langill, SCADAHacker.com, and Eric Byres, TofinoSecurity.com, have taken an in-depth look at the vulnerabilities reported earlier this week in the Genesis32 and Genesis64 HMI software and have produced a white paper on the subject. They describe the vulnerabilities, the potential consequences of an attack using the vulnerability, and provide a short list of ‘compensating controls’ to put into place pending the expected patch from ICONICS.
The blog post on the Tofino Security website introducing the white paper does make a brief pitch for some of the Byres Security technology that would be used in the compensating controls (they are in ‘the business’ after all). The white paper only provides a brief mention of a Tofino product in one footnote [corrected misspelling of Tofino. Sorry Eric, et al, 17:41 3-26-11]. I think that this is a completely justifiable level of advertising in this type of information product.
One of the interesting things that comes out clearly in this report is the fact that these vulnerabilities (13 identified by Luigi in these two ICONICS products) are exploitable because of the inherent design of the system. Because the purpose of a human machine interface is to facilitate communications between the operator and the various components of the SCADA system, communications ports on the system must be enabled. This provides a potential route for remote exploitation of any security flaws in the system.
This is the reason that Joel and Eric address two communications issues in their compensating controls. First they recommend changing the default port used by the Genesis systems; this makes it harder for a hacker to find the access point to the system. They also recommend the installation of an industrial firewall on this port to limit the traffic that can enter the system.
I asked Eric if this necessarily open communications port, even with a firewall installed, could allow the type of peer-to-peer network communications utilized by Stuxnet to keep that worm updated. Eric noted that, using a firewall that auto-generated the rules for allowing transmission, the diligent user approving those rules would probably notice the P2P traffic if it “was on a port or to a machine that wasn’t part of the regular ICS traffic patterns”. Unfortunately, auto-approving those auto-generated rules would leave the system very vulnerable.
This is quickly becoming an important part of ICS security. The facility must be aware of the routine communications to, from and between the various parts of its control systems. It is probably no longer practical (or perhaps even possible) to completely air-gap a complex control system (safety systems are a completely different story). This means that the cyber security manager must know which communications are routinely required so that intrusion attempts can be identified. This requires communications logging and routine and frequent reviews of those logs.
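As an added illustration of the rule-review workflow Eric describes (this is not code from the white paper, ICONICS or Tofino), the following Python sketch checks auto-generated allow rules against a baseline of routine ICS flows and separates the ones that match from the ones that need a human look; the hosts, ports and log lines are constructed for the example.

```python
# Added example: review "learning mode" firewall rules against a baseline
# of known ICS flows instead of approving them blindly. All addresses,
# ports and log lines below are constructed for illustration.
from collections import namedtuple

Flow = namedtuple("Flow", "src dst dport proto")

# Baseline: the routine, engineer-approved traffic of this (constructed) cell.
BASELINE = {
    Flow("10.0.1.10", "10.0.2.21", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    Flow("10.0.1.10", "10.0.2.22", 502, "tcp"),    # HMI -> PLC, Modbus/TCP
    Flow("10.0.1.5", "10.0.1.10", 38080, "tcp"),   # operator client -> HMI, non-default port
}

# Constructed auto-generated rule log: timestamp src dst dport proto
RULE_LOG = """\
2011-03-26T09:00:01 10.0.1.10 10.0.2.21 502 tcp
2011-03-26T09:00:02 10.0.1.5 10.0.1.10 38080 tcp
2011-03-26T09:05:17 10.0.1.10 10.0.1.77 6000 tcp
2011-03-26T09:06:40 10.0.1.10 10.0.2.21 445 tcp
2011-03-26T09:07:03 10.0.1.10 10.0.2.22 502 tcp
"""

def parse_rules(text):
    """Turn one proposed rule per line into Flow tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, src, dst, dport, proto = line.split()
        flows.append(Flow(src, dst, int(dport), proto))
    return flows

def classify(flows, baseline):
    """Split proposed rules into (approve, review); review items carry a reason."""
    approve, review = [], []
    known_peers = {f.src for f in baseline} | {f.dst for f in baseline}
    known_ports = {f.dport for f in baseline}
    for f in flows:
        if f in baseline:
            approve.append(f)          # exact match with routine traffic
            continue
        reasons = []
        if f.dst not in known_peers:
            reasons.append("new peer %s" % f.dst)
        if f.dport not in known_ports:
            reasons.append("unusual port %d" % f.dport)
        review.append((f, "; ".join(reasons) or "known peer and port, but not a baseline pair"))
    return approve, review

if __name__ == "__main__":
    ok, flagged = classify(parse_rules(RULE_LOG), BASELINE)
    print("auto-approvable:", len(ok))
    for flow, why in flagged:
        print("REVIEW", flow, "->", why)
```

Anything in the review list is exactly the kind of rule that blind auto-approval would have let through.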
The six compensating controls described in this white paper will not fully protect the system against exploits of the 13 vulnerabilities identified by Luigi. They can reduce the threat and make it easier to detect an exploit, but to remove the vulnerabilities requires a system patch. There is no official word from ICONICS on how long it will take to get a patch in place. Eric believes that the fix will be relatively simple (I always worry when software people talk about relatively simple fixes). He did tell me that he knows that ICONICS is “working really hard on getting something out to their users”.
Eric also makes another interesting point about patches. He told me that: “The question after that is ‘how quickly will users deploy the patch’? Unfortunately many companies still are not that efficient at getting patches deployed in an ICS.” This is too true, and with a reported 250,000 copies of Genesis installed worldwide it doesn’t take too high a percentage of non-patched or slow-patched systems to leave a large number vulnerable.
Other Luigi Vulnerabilities
I also asked Eric if he and Joel plan on doing a similar white paper on the three other systems (Siemens Tecnomatix FactoryLink, 7-Technologies IGSS, and DATAC RealWin 2.1) that Luigi identified as having vulnerabilities. The simple answer is yes. They hope to have the next one out on Monday (it will be a long weekend for those two).
One other issue: you have to be a registered user on the TofinoSecurity.com web site to be able to download the white paper. I know that many people object to registering with a web site, figuring that it opens them to receiving SPAM. This is the way Eric runs his business, and he is still giving away the fruits of his labor for free, so he gets to set the rules. I will say this: I have been registered on this site for quite some time and have not received any communications from Byres Security, commercial or otherwise, on the email address that I used on that registration.