SINGAPORE — SECURITYWEEK 2018 ICS CYBER SECURITY CONFERENCE | SINGAPORE — Researchers have discovered a potentially serious vulnerability in industrial safety controllers and a significant number of the impacted devices are directly exposed to the Internet, making it easy for malicious actors to launch attacks and possibly cause damage.
Safety systems are designed to prevent incidents in industrial environments by restoring processes to a safe state or shut them down if parameters indicate a potentially hazardous situation. While these devices play an important role in ensuring physical safety, they can and have been targeted by malicious hackers. The best example is the Triton/Trisis/Hatman attack, which leveraged a zero-day vulnerability in Schneider Electric’s Triconex Safety Instrumented System (SIS) controllers.
Researchers at industrial cybersecurity firm Applied Risk have analyzed safety controllers from several major vendors, including Siemens, ABB, Rockwell Automation’s Allen Bradley, Pilz, and Phoenix Contact.
The research is ongoing, but they have identified a denial-of-service (DoS) flaw that may affect several products. Details of the vulnerability were disclosed on Wednesday at SecurityWeek’s ICS Cyber Security Conference in Singapore by Gjoko Krstic, senior ICS security researcher at Applied Risk.
The vulnerability allows a remote attacker to cause a safety controller to reboot and enter faulted mode. Manual intervention is required to restore the device, Krstic told SecurityWeek in an interview.
The security hole can be leveraged to cause the device to enter a DoS condition by sending it a specially crafted TCP packet. Specifically, the attack relies on EtherNet/IP, one of the most widely used industrial network protocols.
Applied Risk researchers discovered that an attacker can cause safety controllers to fail by sending them a TCP packet that starts with the No Operation (NOP) option. Experts determined that, for some reason, safety controllers cannot handle incorrect TCP options.
Krstic says there is no other requirement for the attack to work. An attacker with access to the targeted controller, either from the Internet or the local network, can cause the device to become inoperable simply by sending it a packet.
An exploit has been tested by Applied Risk on Rockwell Automation’s Allen Bradley 1769 Compact GuardLogix 5370 controllers, but since the underlying issue is related to Ethernet/IP, researchers believe products from other vendors are likely affected as well.
All impacted vendors have been informed. Rockwell Automation, which has assigned CVE-2017-9312 to this vulnerability, is expected to release a patch and an advisory sometime in May.
Applied Risk has identified nearly a dozen Allen Bradley 1769 Compact GuardLogix 5370 controllers exposed directly to the Internet. However, the total number of safety controllers accessible from the Web is much higher. A Shodan search for the popular Siemens Simatic S7 devices, which include safety controllers, reveals nearly 900 results.
Given the significant role of safety controllers in industrial environments, causing a device to enter a DoS condition could have serious consequences, including physical damage to equipment and physical harm to people.
As the Triton/Trisis attack on Schneider Electric devices showed, writing malicious programs to a controller requires that the device’s key switch is set to “Program” mode. As part of its research into safety controllers, Applied Risk has been trying to find a way to remotely bypass the key switch and, while they have yet to succeed, experts are optimistic based on their progress so far.
