Vulnerabilities Continue to Plague Industrial Control Systems

The DHS ICS-CERT issued three security advisories on industrial control systems (ICS) this week, again showing that critical infrastructure and industrial networks continue to face serious issues.

The DHS ICS-CERT issued three security advisories on industrial control systems (ICS) this week, again showing that critical infrastructure and industrial networks continue to face serious issues.

In a recent blog post summarizing the current ICS threat landscape, Fortinet’s Ruchna Nigam highlights one important thing: “Most industrial control systems come from very different vendors and run proprietary operating systems, applications, and protocols (GE, Rockwell, DNP3, Modbus). As a result, host-based security developed for IT is generally not available for ICS.”

This in turn makes ICS even more vulnerable and more dependent on vendor-provided fixes for researcher-found vulnerabilities. The three new advisories all reference vulnerabilities originally found and reported by independent researchers; in all cases, however, those researchers do not appear to have been given the opportunity to verify the fixes.

Ivan Sanchez, who found a recent Rockwell IAB vulnerability, is surprised at this. He is constantly looking for, and continuously finding, new ICS vulnerabilities. Last year he reported more than 150 high-risk issues to Rockwell alone. Usually, when he reports an issue, he is consulted over the fix.

“In 95% of cases I am asked to retest the application before the advisory is published,” Sanchez told SecurityWeek. “I think these companies should ask me for the rest of the vulnerabilities [I’ve found] rather than just say ‘thanks’ for this one.”

Advisory ICSA-16-056-01 describes an access violation memory error in Rockwell Automation’s Integrated Architecture Builder (IAB) application. If successfully exploited, it would allow an attacker to execute malicious code with the same privilege level as the IAB tool. It can only be exploited by a local user, and has now been fixed. Until the latest version can be installed, users are advised to avoid opening any untrusted project files with IAB.exe, and to run all software as ‘user’ rather than as ‘administrator.’

Advisory ICSA-16-061-03 describes a cookie-based vulnerability that allows a remote attacker to configure Eaton Lighting Systems via the EG2 Web Control. Eaton has fixed the vulnerability but is in the process of replacing the entire system.

Advisory ICSA-16-096-01 describes four vulnerabilities in Pro-face’s GP-Pro EX HMI software: one information disclosure, two buffer overflows and hard-coded credentials. All four have been fixed.

Empirical evidence like this suggests that ICS security is a much bigger problem than is implied by the Fortinet blog.

Indeed, Ivan Sanchez told SecurityWeek, “The ICS industries have to improve their code and insert security and audit controls. I have reported 30% of the issues I’ve found, and the industry hasn’t had time to fix all of these – so I would say we have a big problem.”

Despite this, and although everyone knows there is a problem, for the moment it remains largely a potential one.

Patrick Coyle, author of Chemical Facility Security News, explains. “On one hand there are so many vulnerabilities in almost any control system that you would care to mention that just about anybody could hack into a control system. On the other hand the systems that these ICS control are so complex that to do something that looks like an effective attack takes a great deal of system (as opposed to ICS) expertise.”

He expects attacks to increase, but more in quantity than in quality. “I think we are going to start to see more of the ineffective attacks on ICS like that water system hack reported by Verizon; random changes to valve settings that upset things, but that are caught and corrected by safety systems or alert operators.” The danger is that something serious will happen as much by accident as intent.

But he warns, “My biggest fear right now is that someone will put a critical infrastructure on lockdown with ransomware. That does not take any great process knowledge; just access to the system.”

Related: Learn More at the 2016 ICS Cyber Security Conference

Written By

Kevin Townsend is a Senior Contributor at SecurityWeek. He has been writing about high tech issues since before the birth of Microsoft. For the last 15 years he has specialized in information security; and has had many thousands of articles published in dozens of different magazines – from The Times and the Financial Times to current and long-gone computer magazines.
