
DTM Component Vulnerabilities Expose Critical Control Systems to Cyberattacks

AMSTERDAM - BLACK HAT EUROPE - Researchers have found that components built on a specification designed to ease the management of industrial control systems (ICS) contain serious vulnerabilities.

Alexander Bolshev and Gleb Cherbov, researchers at Russia-based Digital Security, have been analyzing the security of ICS with focus on the Field Device Tool / Device Type Manager (FDT/DTM) specification. The experts presented their findings at the Black Hat Europe security conference taking place in Amsterdam this week.

Industrial facilities can use thousands of field devices developed by various companies. The problem is that these devices can use different communication protocols, making their management a difficult task. The need to solve this challenge has led to the creation of the FDT Group, an organization that's responsible for the development of the FDT/DTM specification.


FDT standardizes the communication and configuration interface between industrial field devices and host systems, while DTM provides a unified structure for accessing device parameters, configuring and operating the devices, and diagnosing problems. FDT/DTM enables the configuration, monitoring and maintenance of field devices from a single software system regardless of model, type or the industrial protocol they use.

While the specification is highly useful, DTM components rely on technologies such as OLE32, ActiveX, Visual Basic 6.0, .NET, COM and XML, which makes them highly vulnerable to cyberattacks, the researchers said.

For their tests, Bolshev and Cherbov selected a total of 114 DTM components from 24 vendors. The targeted DTMs are used for at least 752 devices that rely on the Highway Addressable Remote Transducer (HART) protocol, one of the earliest fieldbus protocols, which carries a digital signal superimposed on a standard 4-20 mA current loop.

The research is ongoing, but so far a total of 32 vulnerable components have been identified. While this might not sound like much, the vulnerable components are actually used in over 500 devices, according to the researchers. The list of flaws includes denial-of-service (DoS), XML injection, race condition, and even remote code execution (RCE). For one of the RCE vulnerabilities, the experts have developed a proof-of-concept.

"If you have a vulnerable DTM component, and if you have the field devices that support these components, the attacker could connect to any point on the industrial hierarchy that lies between where the packets from the DTM components go to the device and back. If the attacker could change these packets, he could trigger the vulnerability," Bolshev said.
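The attack path Bolshev describes runs over the HART frames exchanged between the DTM and the field device. The following is an added illustration, not code from the researchers or from any DTM: it builds a HART short-frame response, shows why the HART check byte gives a man-in-the-middle on the loop nothing to overcome (it is a parity byte, recomputed trivially after tampering), and contrasts a receive path that trusts the byte count from the wire with one that bounds it. The frame layout follows the HART short-frame format; the parsers, the buffer size `MAX_DATA` and the address value are assumptions made for the example.

```python
"""HART short-frame handling: check byte, on-loop tampering, and the length
check a DTM should apply. Added example; the two parsers are a hypothetical
model of a DTM receive path, not any vendor's code."""

DELIM_SLAVE_SHORT = 0x06   # slave-to-master short frame (field device -> DTM)
STATUS_LEN = 2             # response code + device status precede the data
MAX_DATA = 24              # hypothetical fixed buffer inside the DTM


def hart_checksum(frame: bytes) -> int:
    """HART check byte: XOR of every byte from the delimiter to the last data byte."""
    c = 0
    for b in frame:
        c ^= b
    return c


def build_response(address: int, command: int, status: bytes, data: bytes) -> bytes:
    """Slave-to-master short frame, preamble omitted. Byte count covers status + data."""
    body = bytes([DELIM_SLAVE_SHORT, address & 0xFF, command & 0xFF,
                  len(status) + len(data)]) + status + data
    return body + bytes([hart_checksum(body)])


def tamper_on_loop(frame: bytes, new_data: bytes) -> bytes:
    """What a man-in-the-middle on the 4-20 mA loop can do: swap the payload,
    fix up the byte count and recompute the parity byte. There is no key, so
    the result passes the receiver's checksum test."""
    delim, addr, cmd = frame[0], frame[1], frame[2]
    status = frame[4:4 + STATUS_LEN]
    body = bytes([delim, addr, cmd, len(status) + len(new_data)]) + status + new_data
    return body + bytes([hart_checksum(body)])


def naive_parse(frame: bytes) -> bytes:
    """Trusting receive path: verifies parity, then believes the byte count."""
    if hart_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch")
    count = frame[3]
    return frame[4 + STATUS_LEN:4 + count]   # whatever length the wire claims


def strict_parse(frame: bytes) -> bytes:
    """Hardened receive path: every length taken from the wire is bounded
    against the real frame length and the local buffer before it is used."""
    if len(frame) < 4 + STATUS_LEN + 1:
        raise ValueError("frame too short")
    if frame[0] != DELIM_SLAVE_SHORT:
        raise ValueError("unexpected delimiter")
    count = frame[3]
    if count < STATUS_LEN:
        raise ValueError("byte count smaller than status field")
    if len(frame) != 4 + count + 1:
        raise ValueError("byte count disagrees with frame length")
    if count - STATUS_LEN > MAX_DATA:
        raise ValueError("payload exceeds receive buffer")
    if hart_checksum(frame[:-1]) != frame[-1]:
        raise ValueError("checksum mismatch")
    return frame[4 + STATUS_LEN:4 + count]


if __name__ == "__main__":
    # Constructed sample: primary master bit set, polling address 0, command 1
    good = build_response(0x80, 1, b"\x00\x00", b"\x41\x42")
    bad = tamper_on_loop(good, b"\x90" * 40)
    print("genuine :", naive_parse(good), strict_parse(good))
    print("tampered:", naive_parse(bad)[:4], "... accepted by naive parser")
    try:
        strict_parse(bad)
    except ValueError as e:
        print("tampered: rejected by strict parser:", e)
```

The point is not that a checksum is "broken": the HART check byte was designed to catch line noise, not an adversary, so the only defence at the DTM is to treat every field of the response as untrusted input.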

Close to half of the vulnerable devices are developed by Endress+Hauser, a company which, according to the researchers, has so far ignored some of their reports.

Bolshev and Cherbov told SecurityWeek in an interview that a total of four vendors have been notified so far, but they plan on sending reports to all 24 companies by December. Some of the notified vendors have been responsive and are working on addressing the issues.

FDT 1.2.1 is currently the most widely used version, so the researchers have focused on it. Version 2.0 also exists and brings some significant improvements. However, its use in the industry is very limited - the researchers haven't been able to find a single FDT 2.0 component to test.

When it comes to hardening DTM components against remote code execution, stack cookies, data execution prevention (DEP), and address space layout randomization (ASLR) can be effective mitigations. However, only 7 of the tested DTMs incorporate all three. Until patches are made available by vendors, the experts recommend firewalls, signature-based intrusion detection and prevention systems, and other specialized security products.
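An operator can check two of those three mitigations on their own DTM binaries without source: DEP and ASLR are opt-in flags in the PE optional header's DllCharacteristics field. The script below is an added example, not from the researchers, and the sample images it tests are constructed in memory rather than read from real DTM files. It reads the documented DllCharacteristics bits and also honours the IMAGE_FILE_RELOCS_STRIPPED flag, since a DLL with DYNAMIC_BASE but no relocations cannot actually be rebased. Stack cookies (/GS) are not signalled in the header; tooling inspects the load-configuration directory's SecurityCookie entry for that, which this example leaves out.

```python
"""Report DEP/ASLR opt-in for a PE image by reading its headers.
Added example; the images built by make_image() are synthetic test data."""
import struct

IMAGE_FILE_RELOCS_STRIPPED = 0x0001   # COFF Characteristics
DLL_HIGH_ENTROPY_VA = 0x0020          # DllCharacteristics bits
DLL_DYNAMIC_BASE = 0x0040             # ASLR
DLL_NX_COMPAT = 0x0100                # DEP
DLL_GUARD_CF = 0x4000                 # Control Flow Guard

PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Parse DOS header -> PE signature -> COFF header -> optional header and
    return which header-level mitigations the image opts into."""
    if image[:2] != b"MZ":
        raise ValueError("not a PE image (missing MZ)")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("bad PE signature")
    coff = e_lfanew + 4
    characteristics = struct.unpack_from("<H", image, coff + 18)[0]
    opt = coff + 20                                   # optional header start
    magic = struct.unpack_from("<H", image, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 in both PE32 and PE32+ layouts
    dllchar = struct.unpack_from("<H", image, opt + 70)[0]
    wants_aslr = bool(dllchar & DLL_DYNAMIC_BASE)
    relocs_stripped = bool(characteristics & IMAGE_FILE_RELOCS_STRIPPED)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "dep": bool(dllchar & DLL_NX_COMPAT),
        "aslr": wants_aslr and not relocs_stripped,   # flag set AND relocatable
        "high_entropy_va": bool(dllchar & DLL_HIGH_ENTROPY_VA),
        "cfg": bool(dllchar & DLL_GUARD_CF),
    }


def check_file(path: str) -> dict:
    """Convenience wrapper for a DTM DLL on disk (only the headers are needed)."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read(4096))


def make_image(magic: int, characteristics: int, dllchar: int) -> bytes:
    """Construct a minimal, header-only PE image for testing the parser."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)             # e_lfanew
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 112, characteristics)
    opt = bytearray(112)
    struct.pack_into("<H", opt, 0, magic)
    struct.pack_into("<H", opt, 70, dllchar)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    hardened = make_image(PE32_MAGIC, 0x2102, DLL_DYNAMIC_BASE | DLL_NX_COMPAT)
    legacy = make_image(PE32_MAGIC, 0x2102 | IMAGE_FILE_RELOCS_STRIPPED, DLL_DYNAMIC_BASE)
    print("hardened:", pe_mitigations(hardened))
    print("legacy  :", pe_mitigations(legacy))
```

Run `check_file()` over the DTM DLLs under a frame application's installation directory; a DTM built with VB6-era tooling typically shows `dep` and `aslr` both false, which tells an operator which components need the network-side mitigations the researchers recommend most urgently.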

Companies must also not neglect physical security, which is an important element when it comes to defending ICS. For example, the HART current loop line, which can be used to conduct attacks, can be up to 2 miles long, and the HART transmitters are sometimes placed outside the plant building, which makes them highly exposed.

The researchers point out that addressing vulnerabilities in ICS is not a simple task. However, they say they are seeing a clear evolution as far as ICS security is concerned. Organizations such as ICS-CERT in the United States, legislation such as the one currently proposed in Russia, and the various security conferences that take place worldwide all make a significant contribution to ICS security.

Related: Project SHINE Reveals Magnitude of Internet-connected Critical Control Systems

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.