SCADA industrial controls still vulnerable to stuxnet virus
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
March 20, 2013
Critical internet-facing industrial systems controlling crucial equipment used by nuclear power plants, airports, factories and other sensitive systems are still subjected to sustained attacks within a few hours of appearing online, according to new research by Trend Micro.
The security vulnerabilities of SCADA (supervisory control and data acquisition) industrial control systems are numerous, and have been a major focus of interest in information security circles for the last three years or so thanks to Stuxnet, Duqu, and other similar noteworthy virus attacks.
A security expert has challenged a theory on how the infamous Stuxnet worm, best known for tampering with Iranian lab equipment, somehow escaped into the internet. New York Times reporter David Sanger wrote what's become the definitive account of how Stuxnet was jointly developed by a U.S. / Israeli team. The sophisticated malware virus was deployed to sabotage high-speed centrifuges at Iran's nuclear fuel processing plant by infecting and commandeering the site's control systems.
According to Sanger's sources, an Iranian technician's laptop was plugged into a Stuxnet-sabotaged centrifuge device and was almost immediately infected by the malfunctioning equipment.
Trend Micro researcher and SCADA security expert Kyle Wilhoit set out to look into this phenomenon in greater depth by setting up an internet-facing 'honeypot' and record numerous attempted attacks. The honeypot architecture developed by Wilhoit directly mimics those of real industrial control systems and SCADA devices.
The researcher, who was once the lead incident handler and reverse engineer at a large energy company, focusing on ICS/SCADA security and persistent threats, created a total of three honeypots. All three were internet-facing and used three different static IP addresses in different subnets scattered across the United States.
One honeypot featured a programmable logic controller (PLC) system running on a virtual instance of Ubuntu hosted on Amazon EC2, and configured as a web page that mimics that of a water pressure station. Another honeypot featured a web server that mimicked a control interface connected to a PLC production system.
The final honeypot was an actual PLC device set up to mimic temperature controller systems in a factory. All three honeypots included traditional vulnerabilities found across the same or similar systems. Various steps were taken to make sure the honeypots were easily discovered.
The sites were then optimized for searches and published on Google. The researchers also made sure that that honeypot settings would be seeded on devices that were part of HD Moore’s Shodan Project, which indexes vulnerable routers, printers, servers and internet-accessible industrial control systems. Once a search latches onto a vulnerable embedded device, then Metasploit provides a library of possible attacks, which - as security strategist Josh Corman points out - can be run without any detailed knowledge or skill.
The Trend Micro security researchers excluded simple port scans and focused on recording anything that might pose a threat to internet-facing ICS/SCADA systems. This includes unauthorized access to secure areas of sites, attempted modifications of controllers, or any other attack against a protocol specific to SCADA devices, such as Modbus/TCP.
They also logged any targeted attempt to gain access or take out servers running the system. Various tools including popular open-source intrusion detection package Snort, honeyd (modified to mimic common SCADA protocols), tcpdump and some analysis of server log files were used to monitor and record the attacks the honeypots attracted.
The researchers waited less than a day before the attacks began, as Wilhoit explains in a research paper Who’s Really Attacking Your ICS Equipment? It took only 18 hours to find the first signs of attack on one of the honeypots. While the honeypots ran and continued to collect attack statistics, the findings concerning the deployments proved disturbing.
The statistics of this report contain data for 28 days with a total of 39 attacks from 14 different countries. Out of these 39 attacks, 12 were unique and could be classified as “targeted” while 13 were repeated by several of the same actors over a period of several days and could be considered “targeted” and/or “automated.”
All of these attacks were prefaced by port scans performed by the same IP address or an IP address in the same subnet. The attacks included attempts to spear-phish a site administrator, bids to exploit fundamental ICS protocols and malware exploitation attempts on the servers running the honeypot environment.
Other attacks included bids to change the CPU fan speed on systems supposedly controlling a water pump and attempts to harvest systems information. Four samples were collected over the four-week testing period, two of which have not been seen in the wild.
Trend Micro is currently analyzing these pieces of malware to determine their functionality. As well as looking at the type of attack getting thrown against the honeypot system, researchers at Trend Micro also looked at the origin of attempted attacks.
About 34 percent of attacks against the industrial control system honeypot originated in China but one in five (19 percent) originated in the U.S. Security researchers also discovered that a surprisingly high (12 percent) of attacks against a honeypot control system they had established came from the southeast Asian nation of Laos.
Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday. “Trend Micro's research reveals that attackers have enough knowledge to analyze and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro.
“This is an alarming wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”
SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.
"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.
"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were originally configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."
Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."
A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities.
According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone. And patching of industrial control systems creates its own issues, according to a study by Tofino Security published last week.
Eric Byres, CTO and vice president of engineering at Tofino Security, says there are as many as 1,805 as-yet-undiscovered security vulnerabilities existing on control system computers. IC systems need FREQUENT patches, but if they're buggy, it ALL falls apart.
The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.
But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 percent failure rate in patches fixing the reported vulnerability in control system products.
Additionally, security patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.
Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching.
But the overall picture of exposed and vulnerable industrial control systems is constant with findings from experts at Trend Micro and elsewhere. A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even the most rudimentary protections are often completely absent.
Sean McGurk, former head of cybersecurity for the U.S. Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, say that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks.
The networks of both Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper. Part of the issue is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years.
Additionally, industrial control equipment works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is adequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.
"But just to set the record straight, the security patching of legacy systems is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can only be enhanced with layers of security but you can't gold-plate everything."
Despite the several difficulties, McGurk suggested that many in the security segment are being slow to react to the various threats, and that's a real issue. The U.K. energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.
But he acknowledged that the technology was certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly, and no panacea.
"Introducing smart-grid technology is a double edged sword," McGurk explained. "Although you can still enhance interoperability, you can't just throw it in there. There's a greater security focus and it's not just about interoperability anymore," he concluded.
McGurk added that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.
McGurk, who has more than thirty years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and suppliers.
In other internet security news
James Clapper, Director of National Intelligence told Congress on March 12 that America's biggest national security threat could come not from bullets or bombs in a terrorist attack, but from computer hackers, located in the U.S. as well as in other countries.
That's the assessment of a group of the nation's top intelligence officials, who told Congress Tuesday that cyber attacks lead the numerous national security threats the United States has ever faced in its history.
It's the first time since the Sept. 11, 2001 terrorist attacks that anything other than the an extremist threat has been the top concern in the Intelligence Community Worldwide Threat Assessment, which is presented annually to the Senate Select Committee on Intelligence and Security.
Clapper told the panel that cyber and financial threats were being added "to the list of weapons being used against the United States" and which help define a new "soft" kind of war.
"When it comes to the distinct threat areas, our statement this year leads with cyber and it's hard to overemphasize its significance" said Clapper.
According to him, state and non-state actors are increasingly gaining "cyber expertise" which they use "to achieve strategic objectives by gathering sensitive information from public- and private-sector entities, controlling the content and flow of information, and challenging perceived adversaries in cyberspace."
He said that those cyber capabilities "put all sectors of our country at risk, from government and private networks to critical infrastructures."
Clapper warned that the intelligence community is seeing indications that some terror groups are interested "in developing offensive cyber capabilities and that cybercriminals are using a growing black market to sell cyber tools that fall into the hands of both state and non-state actors."
He also warned that the budget cuts and civilian furloughs being imposed by sequestration will have an impact on the intelligence community's efforts to counter a cyber threat.
"Critical analysis and tools will be cut back, so we'll reduce global coverage and may risk missing the early signs of a threat," added Clapper.
When Senator Angus King (I-Maine) asked if cyber threats were accelerating, newly-minted CIA Director John Brennan gave an unequivocal "Absolutely."
Brennan explained that "the seriousness and the diversity of the threats that this country faces in the cyber domain are increasing on a daily basis".
Despite the widespread recognition of the threat, Brennan said the U.S. still has a lot of work to do to prepare itself for the future of cyber warfare -- "to address the security vulnerabilities that we have and take the steps that we need to take in order to protect our infrastructure, our networks from these types of cyber attacks."
FBI Director Robert Mueller also told the panel that the cyber threat is one that keeps him awake at night. What is happening in the cyber arena, he said, "cuts across any of our disciplines, whether it be counterintelligence or counterterrorism as well as criminal."
Mueller described the convergence of "the various objectives, goals and discrete individuals utilizing the cyber arena, whether it be for criminal purposes or for terrorist purposes, has grown to be right up there with al Qaeda affiliate AQAP, homegrown terrorists and cyber attackers."
In other internet security news
New cryptographic security vulnerabilities have been discovered this week in the technology used by Google and other large companies to encrypt online shopping, banking and web browsing.
The attack, developed by security researchers at Royal Holloway, University of London and University of Illinois at Chicago, targets weaknesses in the ageing but popular RC4 stream cipher.
RC4 is quick and simple, and is used in the Transport Layer Security (TLS) and Secure Sockets Layer (SSL) protocols of the HTTPS protocol to protect sensitive internet traffic from prying eyes.
However, data encrypted by the algorithm can be carefully analyzed to silently extract the original information, such as an authentication cookie used to log into a victim's Gmail account.
But cracking the encryption on a user's web traffic is difficult to pull off, at least for now. The security researchers explain: "We have found a new attack against TLS that allows a hacker to recover a limited amount of plaintext data from a TLS connection when RC4 encryption is used. The attacks arise from statistical flaws in the keystream generated by the RC4 algorithm which become apparent in TLS cyphertexts when the same plaintext is repeatedly encrypted at a fixed location across many TLS sessions."
Doing so sends the victim's RC4-encrypted authentication cookie, created the last time the user logged in, this time using a new session key.
Ideally, this data should appear to be random, but RC4 suffers from statistical biases that will reveal parts of the encrypted sensitive information over time, provided the attacker can gather millions of samples to process.
In this manner, it is similar to the earlier BEAST attack on SSL connections. The Royal Holloway and Chicago team argue that the most effective countermeasure against the attack is to stop using RC4 in TLS.
"There are other, less-effective countermeasures against our attacks and we are working with a number of TLS software developers to prepare patches and security advisories," the computer scientists revealed in an advisory on their research.
Overall, RC4 is used by many websites to provide HTTPS encryption, including Google. Dan Bernstein, one of the researchers, unveiled the attack at the Fast Software Encryption conference in Singapore this week.
"Unfortunately, if your internet connection is encrypted using RC4, as is the case with Gmail, then each time you make a fresh connection to the Gmail site, you're sending a new encrypted copy of the same cookie," explained Matthew Green, a cryptographer and research professor at Johns Hopkins University in Maryland.
"If the session is renegotiated (ie, uses a different key) between those connections, then the attacker can build up the list of ciphertexts he needs.
Other security experts say there's no need to panic. "It's not a very practical attack in general, requiring at least 16,777,216 captured sessions, but as mentioned, attacks will only improve in time," said Arnold Yau, lead developer at mobile security firm Hoverkey.
Get a powerful Linux Dual-Core dedicated server for less than $2.67 a day!Tweet Share on Twitter.
Source: Trend Micro.
You can link to the Internet Security web site as much as you like.