SCADA and vulnerabilities to critical infrastructures

Over the last few months, several events have shown how dangerous attacks on SCADA systems can be. These systems control production processes in industrial plants of every kind, from manufacturing to the supply of electricity and water.
The concern is high: the nightmare of every government official could materialize. A single incident can undermine the safety of millions of people and of an entire nation. Dozens, hundreds, thousands of installations across a country are potentially exposed to attack from anywhere on the planet, an offensive conducted in what we might call the fourth dimension, cyberspace, and one that could also cost many human lives. We do not need to imagine a nuclear plant driven into an accident through a compromise of its control systems; consider the impact that a similar attack could have on any one of the many chemical plants. Unfortunately, as noted, the systems in question are widespread, an inventory of them is anything but easy, and coordinating joint preventive action on a global scale is harder still.

Events such as the Stuxnet virus and the alleged incident at a water facility in Illinois have made SCADA systems widely known and have highlighted that, although they are used in critical processes, they are actually very vulnerable. Defense mechanisms are virtually absent; SCADA components are often managed by local authorities that lack adequately trained personnel and operate with limited budgets. The result is that control devices of this kind are installed everywhere without being hardened during deployment. Many systems are deployed with factory settings, standard pre-set configurations common to entire classes of devices. To this we can add that those who maintain them often do not treat security as a priority, exposing the devices for remote diagnostics without the necessary precautions.
Fortunately, something has changed: precise guidelines now identify best practices for managing SCADA systems, and operations groups monitor the facilities across the country, in the United States as in Europe.

The news of the day is that the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) has distributed a new alert to provide timely notification to critical infrastructure owners and operators of threats or activity with the potential to impact critical infrastructure computing networks.

ICS-CERT reports that some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access. Palatine, Illinois-based Schneider Electric, the maker of the device, has produced fixes for some of the weaknesses and continues to develop additional mitigations. ICS-CERT encourages researchers to coordinate vulnerability details with the vendor before public release.

Consider that programmable logic controllers (PLCs) are directly connected to field sensors that provide the data used to control critical components (e.g., centrifuges or turbines). The default passwords are often hard-coded into the Ethernet cards that the systems use to funnel commands into the devices and that allow administrators to log into the machinery remotely.

According to independent security researcher Rubén Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even where the passcodes are obscured with cryptographic hashes, they are trivial to recover thanks to documented weaknesses in the underlying VxWorks operating system. As a result, attackers can exploit the weakness to log into the devices and gain privileged access to their controls.

Hard-coded passwords are a common weakness built into many industrial control systems, including some S7-series PLCs from Siemens. Because these systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat: it could be used to sabotage their operation.

A search on Shodan, the search engine that indexes Internet-facing servers and devices, revealed what appear to be working links to several of the vulnerable Schneider models. Santamarta said there is no fix for the devices other than to retire the faulty Ethernet cards and replace them with better-designed ones. Tuesday's ICS-CERT advisory said the fixes from Schneider remove the telnet and Windriver debug services. The advisory made no mention of changes to the FTP service. Because hard-coded credentials cannot be rotated by the operator, practitioners should assume that any service that still accepts these accounts, FTP included, remains reachable with the same passwords until the module is isolated from untrusted networks or replaced.
The scenario is very worrying and reveals the need for a radical change; fortunately, most nations have perceived the emergency. ENISA (the European Network and Information Security Agency) has produced recommendations for Europe and the Member States on how to protect Industrial Control Systems.
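The Shodan search above finds modules that are already exposed on the Internet; the harder problem, noted earlier, is inventorying what sits inside a plant network. The following is an added example (not code from the original article, from ICS-CERT, or from Schneider Electric) of a Modbus/TCP Read Device Identification probe (function 0x2B, MEI type 0x0E) in Python. It returns the vendor name, product code and firmware revision a device reports, so that NOE Ethernet modules can be found and checked against the vendor fixes. The sample response bytes, the product code "140NOE77101" and the unit identifier 0xFF are constructed assumptions; run the live probe only against devices you are authorized to test.

```python
import socket
import struct

MODBUS_TCP_PORT = 502
FN_ENCAPSULATED_INTERFACE = 0x2B  # Modbus "Encapsulated Interface Transport"
MEI_READ_DEVICE_ID = 0x0E         # MEI type: Read Device Identification
BASIC_OBJECTS = {0x00: "VendorName", 0x01: "ProductCode", 0x02: "MajorMinorRevision"}


def build_read_device_id_request(transaction_id=1, unit_id=0xFF, read_id_code=0x01, object_id=0x00):
    """MBAP header + PDU asking for the 'basic' identification objects (code 0x01).
    unit_id 0xFF is an assumption: Modbus/TCP gateways commonly ignore it."""
    pdu = bytes([FN_ENCAPSULATED_INTERFACE, MEI_READ_DEVICE_ID, read_id_code, object_id])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)  # length counts unit id + PDU
    return mbap + pdu


def parse_read_device_id_response(frame):
    """Parse a Read Device Identification response, raising ValueError on
    Modbus exceptions and on truncated frames (common with odd stacks)."""
    if len(frame) < 7:
        raise ValueError("frame shorter than MBAP header")
    tid, _proto, length, unit = struct.unpack(">HHHB", frame[:7])
    pdu = frame[7:7 + length - 1]
    if len(pdu) != length - 1:
        raise ValueError("truncated PDU")
    if pdu[0] == FN_ENCAPSULATED_INTERFACE | 0x80:          # exception response
        raise ValueError(f"modbus exception code {pdu[1]:#04x}")
    if pdu[0] != FN_ENCAPSULATED_INTERFACE or pdu[1] != MEI_READ_DEVICE_ID:
        raise ValueError("not a Read Device Identification response")
    _read_id_code, conformity, more_follows, _next_obj, count = pdu[2:7]
    objects, pos = {}, 7
    for _ in range(count):
        oid, olen = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + olen]
        if len(value) != olen:
            raise ValueError("truncated object")
        objects[BASIC_OBJECTS.get(oid, f"object_{oid:#04x}")] = value.decode("ascii", "replace")
        pos += 2 + olen
    return {"transaction_id": tid, "unit_id": unit, "conformity": conformity,
            "more_follows": more_follows == 0xFF, "objects": objects}


def assess(info):
    """Flag Schneider NOE modules for follow-up: confirm the vendor fix is applied
    and that telnet/FTP on the module are not reachable from untrusted networks."""
    vendor = info["objects"].get("VendorName", "").lower()
    product = info["objects"].get("ProductCode", "").upper()
    if "schneider" in vendor and "NOE" in product:
        return True, "Modicon Quantum NOE Ethernet module: verify fix level and telnet/FTP exposure"
    return False, "no match for known hard-coded-credential module"


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ValueError("connection closed mid-frame")
        buf += chunk
    return buf


def probe(host, port=MODBUS_TCP_PORT, unit_id=0xFF, timeout=3.0):
    """Live probe (authorized use only): one request, one parsed response."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_read_device_id_request(unit_id=unit_id))
        header = _recv_exact(sock, 7)
        length = struct.unpack(">H", header[4:6])[0]
        return parse_read_device_id_response(header + _recv_exact(sock, length - 1))


# Constructed sample response (not captured from a real device): three basic
# objects, no further objects to fetch (MoreFollows = 0x00).
SAMPLE_RESPONSE = (
    struct.pack(">HHHB", 1, 0, 47, 0xFF)
    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 18]) + b"Schneider Electric"
    + bytes([0x01, 11]) + b"140NOE77101"
    + bytes([0x02, 4]) + b"V4.3"
)

if __name__ == "__main__":
    info = parse_read_device_id_response(SAMPLE_RESPONSE)
    print(info["objects"], assess(info))
```

A positive match here is an inventory hit, not proof of compromise: the next step is to record the firmware revision, compare it with the vendor's fixed versions, and verify from the plant network which services the module still answers on.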

The report describes the current state of Industrial Control Systems security and proposes seven recommendations to improve it. The recommendations call for the creation of national and pan-European ICS security strategies, the development of a Good Practices Guide on ICS security, the fostering of awareness, education and research activities, and the establishment of a common test bed and ICS computer emergency response capabilities.

That is the right way to proceed to secure our assets.

Pierluigi Paganini

References

http://www.theregister.co.uk/2011/12/14/scada_bugs_threaten_criticial_infrastructure/


Pierluigi Paganini is a member of the ENISA (European Union Agency for Network and Information Security) Threat Landscape Stakeholder Group and of the Cyber G7 Group; he is also a Security Evangelist, Security Analyst and Freelance Writer. Editor-in-Chief at "Cyber Defense Magazine", Pierluigi is a cyber security expert with over 20 years of experience in the field and a Certified Ethical Hacker (EC-Council, London). His passion for writing and a strong belief that security is founded on sharing and awareness led Pierluigi to found the security blog "Security Affairs", recently named a Top National Security Resource for the US. Pierluigi is a member of "The Hacker News" team and writes for major publications in the field such as Cyber War Zone, ICTTF, Infosec Island, Infosec Institute, The Hacker News Magazine and many other security magazines. He is the author of the books "The Deep Dark Web" and "Digital Virtual Currency and Bitcoin".
