I’ve written here a couple of times previously about the Stuxnet worm, an unusually sophisticated bit of malware that targeted certain industrial control systems supplied by Siemens. More generally, I’ve discussed some of the security concerns about such control systems (sometimes called SCADA systems, for Supervisory Control and Data Acquisition), especially when these systems have direct or indirect connections to the Internet.
The ThreatPost blog, published by the security firm Kaspersky Labs, reports on a presentation at the recent Black Hat security conference that suggests these concerns are not misplaced. Dillon Beresford, a security researcher for NSS Labs, examined various models of Siemens programmable logic controllers (PLCs). The results of the analysis were not reassuring.
Dillon Beresford used a presentation at the Black Hat Briefings on Wednesday to detail more software vulnerabilities affecting industrial controllers from Siemens, including a serious remotely exploitable denial of service vulnerability, more hard-coded administrative passwords, and even an easter egg program buried in the code that runs industrial machinery around the globe.
Many of these SCADA systems began to be put in place many years ago, without much attention paid to security, and may have originally used dedicated, private communication lines. Some of those communications may subsequently have been transferred to the Internet, for economic reasons, without much consideration of the security implications of the change. The kinds of errors Beresford found are the kind rookies make, like hard-coded passwords (that is, passwords included in an application’s compiled code). The presence of an “Easter Egg”, which reportedly displayed an animation of dancing monkeys, is another example. (An Easter Egg is a small application embedded within a larger one; it’s often activated by a special “secret” sequence of keystrokes. Early versions of Microsoft’s Excel spreadsheet program had a flight simulator program as an embedded Easter Egg.)
The suspicion that security is lagging in these systems also seems to be justified.
Many of the core components and protocols of such systems, such as the ISO Transport Service on top of the TCP weren’t designed with security in mind, and haven’t been updated for more than two decades, Beresford noted.
Security that may have been adequate in an era of private networks is just not up to the job of securing devices on the Internet. The Stuxnet worm was clearly the product of some fairly sophisticated hackers, but there are already copies of its code circulating on the net, and do-it-yourself kits for amateurs cannot be far off.
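One practical check that follows from Beresford’s point about the ISO Transport Service is to look at whether the PLC protocol port is reachable from outside the plant at all. The script below is an added illustration, not code from the post or from Siemens; it walks a constructed set of firewall log lines and flags allowed sessions to TCP port 102 (the ISO-TSAP port defined by RFC 1006, which Siemens S7 communication uses) from any address outside an assumed trusted engineering network of 10.1.0.0/16. The log format and addresses are invented for the example.

```python
import ipaddress
import re

# ISO-TSAP (RFC 1006): the ISO transport service carried over TCP, which
# Siemens S7 PLC communication rides on. It listens on TCP port 102.
ISO_TSAP_PORT = 102

# Assumed site policy: only the plant's own engineering network may talk
# to the PLCs. Anything else reaching port 102 is an exposure to investigate.
TRUSTED_NETS = [ipaddress.ip_network("10.1.0.0/16")]

# Constructed firewall log format:
#   "<time> <ALLOW|DENY> TCP <src>:<sport> -> <dst>:<dport>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DENY)\s+TCP\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return a dict for a well-formed log line, or None for anything else."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"], rec["dport"] = int(rec["sport"]), int(rec["dport"])
    return rec

def is_trusted(addr):
    """True if addr lies inside one of the trusted engineering networks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in TRUSTED_NETS)

def find_exposed_plc_sessions(lines):
    """Return (timestamp, source, plc) for ALLOWed TCP/102 sessions from untrusted sources."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["action"] != "ALLOW" or rec["dport"] != ISO_TSAP_PORT:
            continue  # unparsable, blocked, or not aimed at the PLC protocol port
        if not is_trusted(rec["src"]):
            hits.append((rec["ts"], rec["src"], rec["dst"]))
    return hits

# Constructed sample log lines (not captured from any real device).
SAMPLE_LOG = [
    "2011-08-05T10:22:31Z ALLOW TCP 10.1.5.7:51234 -> 10.1.9.20:102",     # engineering host: fine
    "2011-08-05T10:23:02Z ALLOW TCP 203.0.113.7:40001 -> 10.1.9.20:102",  # outside source: flag
    "2011-08-05T10:23:05Z DENY TCP 198.51.100.9:40002 -> 10.1.9.21:102",  # blocked: not flagged
    "2011-08-05T10:24:11Z ALLOW TCP 203.0.113.8:40003 -> 10.1.9.30:443",  # not the PLC port
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for ts, src, dst in find_exposed_plc_sessions(SAMPLE_LOG):
        print(f"{ts} ISO-TSAP session from untrusted {src} to PLC {dst}")
```

Run against real firewall or NetFlow exports, every hit is a PLC whose legacy protocol stack is reachable from a network the plant never intended, which is the exposure the post is warning about.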