Hackers Can Cause Damage to Industrial Systems by Abusing Design Weaknesses
An analysis of industrial control systems (ICS) has shown that many products contain features and functions that have been designed with no security in mind, allowing malicious hackers to abuse them and potentially cause serious damage.
PAS, which provides industrial cybersecurity and operations management solutions, has analyzed data collected over the past year from over 10,000 industrial endpoints housed by organizations in the oil and gas, refining and chemicals, power generation, pulp and paper, and mining sectors.
The company’s researchers discovered that many of the industrial control systems used by these organizations are affected by design flaws and weaknesses that could be leveraged by malicious actors for a wide range of purposes, including to cause disruption and physical damage.
On the 10,000 industrial endpoints it has analyzed, PAS discovered a total of more than 380,000 known vulnerabilities, a majority impacting software made by Microsoft. However, the company found not only typical vulnerabilities that can be patched with a software or firmware update, but also weaknesses introduced by the existence of legitimate features and functionality that can be abused for malicious purposes.
These issues can impact various types of ICS, including human-machine interfaces (HMIs), programmable logic controllers (PLCs) and distributed control systems (DCS), and exploitation in most cases only requires network access or low/basic privileges.
An attacker does need to have an understanding of how the targeted system works in order to exploit these weaknesses. However, if they do know how a feature or function works, abusing it is an easy task, Mark Carrigan, chief operating officer at PAS, told SecurityWeek in an interview.
PAS has identified two types of issues: ubiquitous weaknesses, which affect a wide range of products, and unique weaknesses, which are specific to one product.
One example of a ubiquitous issue provided by Carrigan is related to a control function parameter, known as the output characteristic, that is present in a wide range of control systems. This parameter, whose name is unique to each product, has a binary setting that determines whether a control system is direct acting (i.e. the controller output rises if the measurement increases) or reverse acting (i.e. the controller output drops when the measurement rises).
If the system controls a valve, for instance, and the operator wants to increase the flow from 80% to 100%, they will open the valve to reach the desired flow. However, if the aforementioned setting is flipped, the valve will actually close, and if that controller is part of a safety function it could have serious consequences.
Modifying the binary setting is easy for someone who has knowledge of these types of systems, and an attacker could target multiple devices at the same time, Carrigan said.
Another example involves an HMI for a specific control system. PAS researchers found a single-line command which grants admin privileges to the entire network if it’s injected into the HMI. An attacker who has low-privileged access to the system can use this command, which is also used by engineers for legitimate purposes, to gain administrator permissions. Worryingly, this is a capability that exists in every single control system from this manufacturer.
A problem with HMIs in general, Carrigan noted, is that most of them use HTML and they are implemented on stations with elevated privileges. This allows an attacker to inject malicious code into the HMI and conduct various activities, including changing flow controller settings, launching SQL injection attacks on configuration databases, and redirecting users to arbitrary websites when they perform certain actions (e.g. hovering over a certain element on a page).
Another issue identified in a specific control system shows how old products designed with no security in mind can pose a serious risk today. This example involves a flow indicator and a flow controller, which need to have the same sample rate and the same calculation period in order to function properly. Carrigan told SecurityWeek that the system was designed for older CPUs, where the workload needs to be efficiently distributed.
If an attacker makes some changes to the system so that the sample rates are different, the operator will see some weird problems. However, if one component is set to make calculations faster, an old CPU will not be able to handle the load and it will crash, and there is no safety check to prevent an incident.
A final example shared by Carrigan is related to a device manufacturer using the same hardcoded username and password for system engineers. The account in question is used for background functions and changing it could “break things,” the expert explained.
PAS has not named any of the impacted vendors and it’s not making any technical information public in an effort to prevent abuse.
While there is no evidence that these types of flaws have been exploited in attacks, Carrigan said many of them have been known to cause problems in production when triggered by accident. The expert has also pointed out that these issues, which have been viewed as safety and reliability issues, are now becoming security concerns.
The vendor whose products have been found to contain the hardcoded credentials is reportedly working on a patch — even in this case there is some concern that the fix could cause problems — but in most cases there is nothing that can actually be patched.
The solution for mitigating risks is to have good configuration management practices, and routinely audit systems for unexpected changes, which can improve not only security but also reliability.
According to Carrigan, security solutions can analyze configuration data in an effort to detect changes, but it’s often difficult to determine if a modification is legitimate or malicious.
The OT security community can also contribute to addressing the risks associated with these types of features and functions by developing best practices for OT configuration management.
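The configuration auditing described above can be sketched as a comparison of a known-good baseline against a current snapshot. This is an added example, not code from PAS or from the original article: it flags a flipped direct/reverse acting setting, a period mismatch between a paired indicator and controller, and any change not covered by an approved change record. The tag names, the field names (`action`, `period_ms`, `paired_with`) and the approved-change set are hypothetical; real products name these parameters differently.

```python
# Constructed sample data: tag names, field names and values are hypothetical.
BASELINE = {
    "FIC-101": {"action": "reverse", "period_ms": 500, "paired_with": "FI-101"},
    "FI-101": {"period_ms": 500},
    "LIC-200": {"action": "direct", "period_ms": 1000},
}
CURRENT = {
    "FIC-101": {"action": "direct", "period_ms": 250, "paired_with": "FI-101"},
    "FI-101": {"period_ms": 500},
    "LIC-200": {"action": "direct", "period_ms": 2000},
}
# Changes covered by an approved change record: (tag, field, new value).
APPROVED = {("LIC-200", "period_ms", 2000)}


def audit(baseline, current, approved=frozenset()):
    """Return findings as (severity, tag, message) tuples."""
    findings = []
    for tag in sorted(set(baseline) | set(current)):
        old, new = baseline.get(tag), current.get(tag)
        if old is None or new is None:
            what = "block added" if old is None else "block removed"
            findings.append(("high", tag, what))
            continue
        for field in sorted(set(old) | set(new)):
            before, after = old.get(field), new.get(field)
            if before == after:
                continue
            if (tag, field, after) in approved:
                severity = "info"      # matches an approved change record
            elif field == "action":
                severity = "critical"  # direct/reverse flip inverts the output
            else:
                severity = "high"      # unapproved change to any other field
            findings.append((severity, tag, f"{field}: {before!r} -> {after!r}"))
    # Independent of the baseline: paired blocks must share one period.
    for tag, cfg in sorted(current.items()):
        peer = cfg.get("paired_with")
        if peer in current and current[peer].get("period_ms") != cfg.get("period_ms"):
            findings.append(("critical", tag, f"period differs from paired block {peer}"))
    return findings


if __name__ == "__main__":
    for severity, tag, message in audit(BASELINE, CURRENT, APPROVED):
        print(f"{severity:8} {tag:8} {message}")
```

Matching changes against approved change records is one way to narrow the legitimate-versus-malicious question Carrigan raises; anything left unmatched still needs a human review.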