The US-CERT said the vulnerabilities affected the Sunway ForceControl 6.1 and pNetPower Version 6 software that is used to run supervisory control and data acquisition systems (SCADA) in industrial plants. Sunway SCADA products are used in a wide variety of industries including petroleum, petrochemical, defense, railways, coal, energy, pharmaceutical, telecommunications, water, and manufacturing.
“Successful exploitation of these vulnerabilities could allow an attacker to perform a remote denial of service or to remotely execute arbitrary code against the ForceControl and pNetPower server applications. This action can result in adverse application conditions and ultimately impact the production environment on which the SCADA system is used”, US CERT said in its bulletin.
Beijing-based Sunway has issued two patches that address the vulnerabilities, and the China National Vulnerability Database has confirmed the effectiveness of the patches.
US-CERT said that Dillon Beresford of NSS Labs identified the Sunway vulnerabilities. Earlier this year, Beresford identified vulnerabilities in Siemens programmable logic controllers (PLC), which were the target of the Stuxnet worm, and made news because he decided not to deliver a presentation on the vulnerabilities due to concerns that Siemens did not have a fix ready. Siemens subsequently fixed the vulnerabilities, according to US-CERT.
While exploiting vulnerabilities in software is one way to go after an industrial control system, taking down a SCADA system only requires a network connection, a way to route packets to PLC, and a way to bypass traffic filters, warned Avishai Wool, chief technology officer with AlgoSec.
Wool told Infosecurity that most industrial control systems use antiquated protocols that were designed before the systems were hooked up to integrated communications networks. Should an attacker gain access to a vulnerable network, the attackers could use network links to manipulate the PLC and possibly destroy the infrastructure.
While the Stuxnet worm was sophisticated, its delivery mechanism, a USB drive, was “old fashioned”, Wool noted. Stuxnet “used the same distribution mechanism as the very first virus in the late 20th century”, he observed. The worm jumped from computer to computer until it found its way onto a PLC, he added.
But a sophisticated attacker could get access to the network and control the functioning of the PLC directly. This could be done through an unsecured wireless network or an electricity company website connected to a vulnerable network that also connects to a power plant, he explained.
“The PLC is connected to some piece of machinery and you have the SCADA system that talks to it. In between these two devices, there is a communications network….The communications protocols for this network were designed 20 to 30 years ago. So they were not designed with internet in mind….The protocols are fundamentally weak”, Wool explained.
“Potentially, someone could takeover an unprotected network, use their own SCADA system unbeknownst to the network owner, and could set up a homegrown control station with all of the controls of the actual operator. They could send controls to the machines on the network and instruct them to do whatever – shutdown, power-up, work too fast, anything. The destruction would be proportional to the machine being manipulated”, he said.
Wool stressed that plant operators need to update their communications network to reduce this vulnerability.
In a related development, the National Institute of Standard and Technology unveiled this week the final version of its Industrial Control Systems Security Guide. The guide provides recommendations for pipeline operators, power producers, manufacturers, air traffic control centers and other managers of critical infrastructures to secure their SCADA systems.