Saturday, May 17, 2008

SCADA Security unnoticed

Core Security released an advisory on a denial-of-service vulnerability in Wonderware SuiteLink: an unauthenticated attacker can take down a Wonderware system running SuiteLink by sending it a malformed packet. Core first brought this to Wonderware's attention at the end of January. Wonderware acknowledged the bug in late March and provided a fix in late April; the advisory was published in May.


Is it just me? A lot of people talk the talk about how important stability is for industrial control software, but nobody really cares. Trivial bugs (by comparison) get far more press. Can you imagine if a simple program could send one packet and crash a Windows server application? The press would go nuts! By Wonderware's own account they have sold 500,000 licenses, running in 100,000 plants worldwide in virtually every industry. These plants are not all on closed networks! Good thing terrorists don't have access to Google like I do.

Apart from not wanting to share details with the public and not acknowledging the problem promptly, Wonderware did its part. It's a learning process that will hopefully go more smoothly next time. What astounds me is that you don't see or hear about this anywhere except a few very specific sites and blogs. I bet a significant percentage of systems will still be vulnerable several years from now: a combination of the weak promulgation of information and the reluctance of industrial users to upgrade unless forced, the latter caused by vendors releasing patches that haven't been adequately QA'd. This is one point where Inductive Automation is ahead of the power curve. Since FactorySQL and FactoryPMI upgrades nearly always come with free feature additions, IA users have developed a culture of upgrading their software frequently.

But I digress. SCADA security is a huge bomb waiting to go off. There is a little talk on the subject, but the industry fails to take it seriously. I hope we can figure things out before the next 9/11 forces government intervention. How would you like your plant to operate like an airport? I'd like to think that level of regulation is unnecessary. We should each do our part in tightening down industrial security.

http://www.coresecurity.com/?action=item&id=2187
http://isc.sans.org/diary.html?storyid=4390

5 comments:

Anonymous said...

Very interesting post!

Tallak Tveide said...

I have long been astonished, coming from a Java/open source type programming job into a PLC/HMI job, at the companies' practice of not informing the clients of problems before they actually contact support with a matching problem description. If they are doing this to avoid the bad press of releasing bug reports, then I believe the companies are hurting themselves long term.

I am subscribing to the Wonderware support RSS feed, which for us is a massive improvement, and in this respect WW is ahead of the game - but for a problem like this I would expect to have been notified by now (unless of course the news was released before my subscription started).

Also - InTouch is a tool to allow non-programmers to design HMI systems. Many of these people have little knowledge about making secure systems and Ethernet/TCP/IP in general. So problems like these (quite unlikely that someone will exploit this for many systems) are probably one of their lesser concerns.

But I still agree that this is a quite serious issue.

Anonymous said...

Interesting post!
regards
our Project:
seguridad scada (SCADA security)

Anonymous said...

Many SCADA systems are isolated from the internet and the public. Software will never be secure; that is the province of hardware. One must lock it in a safe. The safer it is the less likely it is to be useful. So in the interest of production many have opted for private networks and this obviously works. Have to know it's there and what it's for to attack it. We're all paying for the paranoia of a few i.e., the unstable shambles of Microsoft 'security' settings for example.

Nathan Boeger said...

Thanks for the Feedback

Tallak - Great points up until the very end of your 3rd paragraph. InTouch (and all commercial HMI packages) are designed to allow non-programmers to program. However, I strongly disagree that this should be of lesser concern. You cover most of the industrial automation spectrum with a few soft/buggy/clunky packages besides InTouch (Rockwell's RSView, Citect, and a few GE and Siemens apps). Nearly every factory I've worked at, including power, ammonia refrigeration, etc., and even a Navy warship, is controlled by these packages - and they are quickly becoming more distributed. SCADA security is a huge point of national security, and I fear what happens when actual computer scientists start writing specific exploits using industry-standard tools like Metasploit. It won't take much for bad things to happen.

Anonymous - you are correct. Many companies, like the US Military, use isolated "control" networks. However, there is increased reason to connect these to the "office" network in the interests of ERP systems. You want to log production data to your SQL database for trends and reports, allow QA to input data, even allow management to see process data from remote locations.

The proper response is for control systems to take a standard IT approach to protecting their information systems. "Defense in Depth" should be applied, using routers, firewalls, VPNs, IDS/IPS, and such, with the networks as isolated as operational requirements allow.
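The segmentation described in the reply above (office, a DMZ holding the historian/SQL copy, and an isolated control network) can be written down as a default-deny zone policy and checked against the flows a firewall actually passed. The script below is an added example, not code from the original post or from Wonderware or Inductive Automation. The subnets, the historian address, and the SuiteLink port (assumed here to be TCP 5413) are assumptions chosen for the example, and the firewall-style log lines are constructed. The audit flags exactly the exposure the post is about: an office host reaching a SuiteLink listener in the control zone.

```python
"""Zone policy check for an IT/OT boundary, run over constructed flow records."""
import ipaddress
import re
from dataclasses import dataclass
from typing import Optional

# Constructed addressing for the example; a real plant will differ.
ZONES = {
    "office":  ipaddress.ip_network("10.1.0.0/16"),   # ERP, reporting, QA workstations
    "dmz":     ipaddress.ip_network("10.2.0.0/24"),   # historian + SQL copy of process data
    "control": ipaddress.ip_network("10.3.0.0/24"),   # HMIs and I/O servers (SuiteLink)
}
HISTORIAN = ipaddress.ip_address("10.2.0.10")  # assumed: the one DMZ host allowed into control
SUITELINK_PORT = 5413   # assumed SuiteLink TCP port
SQL_PORT = 1433         # SQL Server default port


@dataclass(frozen=True)
class Rule:
    src_zone: str
    dst_zone: str
    dst_port: int
    reason: str
    src_host: Optional[ipaddress.IPv4Address] = None  # pin a rule to one source host


# Default deny: any cross-zone flow not matched here is a violation.
# Office never talks to control directly; it reads and writes the DMZ SQL copy.
POLICY = [
    Rule("dmz", "control", SUITELINK_PORT, "historian polls I/O servers", src_host=HISTORIAN),
    Rule("control", "dmz", SQL_PORT, "process data logged to DMZ SQL"),
    Rule("office", "dmz", SQL_PORT, "reports and QA entry use the DMZ copy"),
]

LOG_RE = re.compile(r"src=(\S+):(\d+) dst=(\S+):(\d+)")


def zone_of(addr):
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "unknown"


def evaluate(src, dst, dst_port):
    """Return (allowed, reason) for one flow under POLICY."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    sz, dz = zone_of(src), zone_of(dst)
    if sz == dz:
        return True, f"intra-zone {sz}"  # the policy governs the zone boundary only
    for r in POLICY:
        if (r.src_zone, r.dst_zone, r.dst_port) == (sz, dz, dst_port) and (
            r.src_host is None or r.src_host == src
        ):
            return True, r.reason
    return False, f"{sz}->{dz}:{dst_port} not in policy"


def audit(lines):
    """Parse firewall-style flow lines and return those that violate the policy."""
    violations = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue  # not a flow record; skip
        src, _, dst, dport = m.groups()
        allowed, reason = evaluate(src, dst, int(dport))
        if not allowed:
            violations.append((line.strip(), reason))
    return violations


# Constructed sample: flows the boundary firewall accepted. Two of them should not have been.
SAMPLE_LOG = """\
2008-05-17T10:01:02 proto=tcp src=10.3.0.5:49152 dst=10.2.0.10:1433 action=accept
2008-05-17T10:01:07 proto=tcp src=10.1.4.20:51234 dst=10.3.0.5:5413 action=accept
2008-05-17T10:01:09 proto=tcp src=10.2.0.10:40001 dst=10.3.0.5:5413 action=accept
2008-05-17T10:01:15 proto=tcp src=10.2.0.50:40002 dst=10.3.0.5:5413 action=accept
2008-05-17T10:02:00 proto=tcp src=10.1.9.9:52000 dst=10.2.0.10:1433 action=accept
""".splitlines()

if __name__ == "__main__":
    for line, reason in audit(SAMPLE_LOG):
        print("VIOLATION:", reason, "|", line)
```

Run against the constructed log it reports the office workstation (10.1.4.20) and a non-historian DMZ host (10.2.0.50) reaching SuiteLink in the control zone; the historian's own poll and the SQL logging paths pass. Feeding a firewall's accept log through a check like this is how you find out that the "isolated" control network is not as isolated as the diagram says.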