Industrial control systems (ICS) that run the valves and switches in factories may suffer from inherent weaknesses that cropped up only after they were installed and the networks they were attached to became more widely connected.
The problems range from hard-coded passwords that are publicly available to vulnerabilities in Windows operating systems that are no longer supported but are still needed to run the aging gear, says Sean McBride, attack-synthesis lead analyst at FireEye iSIGHT Intelligence and author of “What About the Plant Floor? Six subversive concerns for industrial environments.”
These weaknesses are often found in the ICS devices supporting critical infrastructure such as water systems and power grids, he says.
There’s nothing shocking or new about the weaknesses, but decision makers need to pay attention to them. Awareness has increased over the past few years, but there’s still room for improvement, he says.
“They need to wrap their minds around what it means,” McBride says. They should seek mitigating controls that can bolster the vulnerable gear and ask, “Which of these apply to me and what responses do I have in place?”
The big 6 vulnerabilities
These are six vulnerabilities that are particularly worrisome:
- Use of unauthenticated protocols
- Outdated hardware
- Weak authentication
- Weak file-integrity checks
- Vulnerable Windows operating systems
- Undocumented third-party relationships
McBride recommends that the security staff responsible for these networks inventory all their control devices and check whether they contain any of the major weaknesses. If they do, replacing them may be financially unviable, depending on the risk they represent. But buying more secure devices when it’s time to refresh gear should be part of the purchasing decision, he says.
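The inventory check McBride recommends can be automated once each device record carries the attributes the six weaknesses depend on. The script below is an added illustration, not code from the FireEye report: the device fields, the lists of unsupported operating systems and unauthenticated protocols, the default-credential table and the inventory itself are all constructed for the example and would be maintained from vendor lifecycle notices and the public default-password lists the article mentions.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed reference lists (assumptions for this example).
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003", "Windows 2000"}
# Protocols that carry no credentials on the wire (DNP3 here means DNP3
# without Secure Authentication).
UNAUTHENTICATED_PROTOCOLS = {"modbus/tcp", "dnp3"}
# (vendor, model) -> factory logins. Hypothetical vendor and model names.
DEFAULT_CREDENTIALS = {
    ("AcmePLC", "X100"): {("admin", "admin"), ("operator", "1234")},
}
THIS_YEAR = 2016  # assumption; use date.today().year in practice


@dataclass
class Device:
    name: str
    vendor: str
    model: str
    protocols: set                                   # protocols the device speaks
    os: Optional[str] = None                         # for HMI / engineering PCs
    hardware_end_of_support: Optional[int] = None    # vendor end-of-support year
    credentials: set = field(default_factory=set)    # (user, password) pairs in use
    password_transport: str = "encrypted"            # or "cleartext"
    firmware_signed: bool = True                     # does it verify updates?
    third_party_components: Optional[dict] = None    # None = not documented


def assess(device: Device) -> list:
    """Map one inventory record onto the six weaknesses; returns findings."""
    findings = []
    unauth = device.protocols & UNAUTHENTICATED_PROTOCOLS
    if unauth:
        findings.append(f"unauthenticated protocol: {', '.join(sorted(unauth))}")
    eos = device.hardware_end_of_support
    if eos is not None and eos < THIS_YEAR:
        findings.append(f"outdated hardware: vendor support ended {eos}")
    defaults = DEFAULT_CREDENTIALS.get((device.vendor, device.model), set())
    if device.credentials & defaults:
        findings.append("weak authentication: default/hard-coded credentials in use")
    if device.password_transport == "cleartext":
        findings.append("weak authentication: passwords sent in the clear")
    if not device.firmware_signed:
        findings.append("weak file-integrity checks: unsigned updates accepted")
    if device.os in UNSUPPORTED_OS:
        findings.append(f"vulnerable Windows OS: {device.os} is unsupported")
    if device.third_party_components is None:
        findings.append("undocumented third-party relationships: components not tracked")
    return findings


def assess_inventory(devices) -> dict:
    """{device name: findings}, worst devices first, to answer
    'which of these apply to me' and to build the refresh-time shopping list."""
    results = {d.name: assess(d) for d in devices}
    return dict(sorted(results.items(), key=lambda kv: -len(kv[1])))


# Constructed inventory for the example.
INVENTORY = [
    Device("boiler-plc-1", "AcmePLC", "X100", {"modbus/tcp"},
           hardware_end_of_support=2009,
           credentials={("admin", "admin")}, password_transport="cleartext",
           firmware_signed=False),
    Device("hmi-2", "Generic", "Workstation", {"modbus/tcp", "rdp"},
           os="Windows XP", credentials={("ops", "c0rr3ct-h0rse")},
           third_party_components={"openssl": "1.0.2h"}),
    Device("historian", "Generic", "Server", {"https"},
           os="Windows Server 2012", hardware_end_of_support=2022,
           third_party_components={"openssl": "1.0.2h"}),
]

if __name__ == "__main__":
    for name, findings in assess_inventory(INVENTORY).items():
        print(f"{name}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

The ordering matters more than the raw count: a PLC that speaks an unauthenticated protocol, runs unsigned firmware and still has its factory password is the device to wrap in compensating controls first, while a fully patched historian can wait for the normal refresh cycle.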
The most severe of the problems is the use of unauthenticated protocols. “Anyone can plug in and, with the right client, change how a plant operates without authenticating,” he says. That can translate into altering the smarts in programmable logic controllers (PLC) so they, for instance, open or close switches and valves that control flows of fluids or electricity, and turn motors on and off.
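To make concrete what “change how a plant operates without authenticating” looks like on the wire, here is an added example that is not part of the report: a Modbus/TCP Write Single Coil exchange (the article names no specific protocol; Modbus is a common one that has no credential field anywhere in the frame), a toy PLC that executes any well-formed write, and the network-side compensating control a practitioner would reach for when the device itself cannot refuse. The IP addresses, the allow list and the sample traffic are constructed for the example.

```python
import struct
from dataclasses import dataclass

# Modbus/TCP constants.
FC_WRITE_SINGLE_COIL = 0x05
COIL_ON, COIL_OFF = 0xFF00, 0x0000
WRITE_FUNCTION_CODES = {0x05, 0x06, 0x0F, 0x10}  # coil and register writes

# Assumption: the asset owner knows which hosts may issue writes.
ENGINEERING_WORKSTATIONS = {"10.0.1.5"}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_write_single_coil(transaction_id: int, unit_id: int,
                            coil_address: int, on: bool) -> bytes:
    """MBAP header + Write Single Coil PDU. There is no field for a credential."""
    pdu = struct.pack(">BHH", FC_WRITE_SINGLE_COIL, coil_address,
                      COIL_ON if on else COIL_OFF)
    # MBAP: transaction id, protocol id (0), length of unit id + PDU, unit id
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_frame(raw: bytes) -> ModbusFrame:
    if len(raw) < 8:
        raise ValueError("frame too short")
    tid, proto, length, uid = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame")
    return ModbusFrame(tid, uid, raw[7], raw[8:])


class ToyPlc:
    """Simulates the relevant part of a PLC: any well-formed write is executed."""

    def __init__(self, coil_count: int = 16) -> None:
        self.coils = [False] * coil_count

    def handle(self, raw: bytes) -> bytes:
        frame = parse_frame(raw)
        if frame.function_code != FC_WRITE_SINGLE_COIL:
            raise NotImplementedError("only function code 5 is simulated")
        address, value = struct.unpack(">HH", frame.data)
        if address >= len(self.coils):
            return self._exception(frame, 0x02)   # illegal data address
        if value not in (COIL_ON, COIL_OFF):
            return self._exception(frame, 0x03)   # illegal data value
        self.coils[address] = value == COIL_ON    # the valve or switch moves
        return raw  # a successful write response echoes the request

    @staticmethod
    def _exception(frame: ModbusFrame, code: int) -> bytes:
        mbap = struct.pack(">HHHB", frame.transaction_id, 0, 3, frame.unit_id)
        return mbap + bytes([frame.function_code | 0x80, code])


def flag_unauthorized_writes(packets, allowed_writers) -> list:
    """Compensating control: since the PLC cannot refuse, a monitor on the
    network alerts on write function codes from any source not on the allow list."""
    alerts = []
    for src, raw in packets:
        frame = parse_frame(raw)
        if frame.function_code in WRITE_FUNCTION_CODES and src not in allowed_writers:
            alerts.append((src, frame.function_code, frame.data.hex()))
    return alerts


# Constructed traffic: the engineering workstation opens coil 7, then an
# unknown host on the same network closes it again.
SAMPLE_PACKETS = [
    ("10.0.1.5", build_write_single_coil(1, 1, 7, True)),
    ("10.0.9.200", build_write_single_coil(2, 1, 7, False)),
]


def demo():
    plc = ToyPlc()
    for _src, raw in SAMPLE_PACKETS:
        plc.handle(raw)  # both writes succeed; the PLC never asks who sent them
    alerts = flag_unauthorized_writes(SAMPLE_PACKETS, ENGINEERING_WORKSTATIONS)
    return plc.coils[7], alerts


if __name__ == "__main__":
    coil_state, alerts = demo()
    print("coil 7 is", "ON" if coil_state else "OFF")
    print("alerts:", alerts)
```

The point of the toy PLC is that it validates the frame and the address but has nothing to validate about the sender; every check it can make is satisfied by a twelve-byte message anyone on the network can produce. The allow-list monitor is the kind of mitigating control McBride describes: it does not fix the protocol, but it turns a silent state change into an alert.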
Beyond the unauthenticated protocols, some of these industrial control systems, for a variety of reasons, have weak authentication to individual computers and applications. Some have hard-coded passwords, weak passwords, passwords sent in the clear and passwords stored in easily recoverable formats.
As of last September, a publicly available list of hard-coded and default passwords was maintained by researchers, providing information that attackers could use. An element of the Stuxnet attack exploited hard-coded passwords, he says. Exploiting them accounts for a small number of attacks in the real world, but, “The key is they could happen really easily,” McBride says.
Also publicly available are at least eight exploits that are effective against Windows XP, which is now unsupported, the report says. Use of XP and other unsupported platforms such as Windows Server 2003 in human-machine interface (HMI) computers leaves an opening through which attackers could compromise those machines and the devices they control.
The outdated hardware problem stems from gear that was never intended to be on high-volume, internet-connected networks and is now kept online for years while the networks it connects to are upgraded around it. High-bandwidth traffic on these networks can cause the gear to malfunction, as happened at the Brown’s Ferry Nuclear Generating Station in 2006. In other cases, network scans assumed to be harmless turned out not to be and crashed PLCs.
Reliance on third parties for software used in industrial control systems can leave the systems vulnerable to attack, the report says. “In our experience, ICS asset owners seldom document and track third-party dependencies in ICS software they operate,” it says.
Heartbleed, which still has not been eradicated, was a third-party problem that affected ICS devices over the past few years, the report says.
File integrity checks are important to ICS because without them, malicious updates to legitimate applications can turn those applications into weapons. In one example the report cites, a software vendor’s website was compromised and a legitimate download was replaced with a malicious file. Without an effective integrity check, that swap would go unnoticed.
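The check itself is short; what trips people up is where the reference value comes from. The example below is added here and is not from the report or any vendor: it verifies a downloaded package against a SHA-256 digest, then shows why a digest fetched from the same compromised web page as the file proves nothing. The package bytes and the digest are constructed for the example; in practice the reference digest (or better, a signature verified against a vendor key) has to arrive through a channel the website compromise cannot touch.

```python
import hashlib
import hmac


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def verify_update(package: bytes, expected_sha256_hex: str) -> bool:
    """Accept the package only if its digest matches the expected value.
    compare_digest avoids leaking how many leading characters matched."""
    return hmac.compare_digest(sha256_hex(package), expected_sha256_hex.lower())


def install_if_verified(package: bytes, expected_sha256_hex: str) -> str:
    """Gate the install on the check; a mismatch must stop the process, not log and continue."""
    if not verify_update(package, expected_sha256_hex):
        raise RuntimeError("update rejected: digest mismatch, possible tampered download")
    return "installed"


# Constructed artifacts: the genuine installer and the file the attacker
# swapped in on the compromised vendor site.
GENUINE_PACKAGE = b"ACME-HMI-setup-v4.2.1 (genuine installer bytes)"
TAMPERED_PACKAGE = GENUINE_PACKAGE + b"\x90" * 8 + b"<implant>"

# Simulates a digest obtained out of band (signed release notes, a separate
# mailing, a value recorded when the vendor was last known to be clean).
OUT_OF_BAND_DIGEST = sha256_hex(GENUINE_PACKAGE)


def demo() -> dict:
    # The attacker who replaced the file also replaced the digest shown
    # beside it on the same page, so that reference is worthless.
    digest_on_compromised_site = sha256_hex(TAMPERED_PACKAGE)
    return {
        "genuine_vs_out_of_band": verify_update(GENUINE_PACKAGE, OUT_OF_BAND_DIGEST),
        "tampered_vs_out_of_band": verify_update(TAMPERED_PACKAGE, OUT_OF_BAND_DIGEST),
        "tampered_vs_same_site": verify_update(TAMPERED_PACKAGE, digest_on_compromised_site),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {'PASS' if ok else 'FAIL'}")
```

Only the second and third lines of that output tell the story: the same tampered file fails against a digest the attacker could not reach and passes against one published next to it. An integrity check is only as strong as the independence of its reference value, which is why vendor code-signing keys, rather than hashes on a download page, are the control to ask for when refreshing gear.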