ICS-CERT has issued a warning about an offline brute-force password tool from Russian researchers, which uses proof-of-concept (PoC) exploit code targeting Siemens S7 programmable logic controllers. The S7 controllers are used in a variety of industrial applications, including energy, water and wastewater, oil and gas, chemical, building automation and manufacturing – and as such are intrinsic pieces of critical infrastructure.
The researchers found that a PLC password can be recovered by brute-forcing the challenge-response data extracted from captured TCP/IP traffic (packet capture files). Because the guessing is done offline against the captured exchange, the attacker never has to send further attempts to the controller itself; what the attacker must do is be on an adjacent network segment in order to capture the traffic in the first place. ICS-CERT also warned that the code could be modified for use against other vendors' products.
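The following is an added illustration of the technique described above (an offline dictionary attack against a captured challenge-response exchange); it is not the researchers' tool and not Siemens code. The article does not describe the S7 challenge-response function, so the `response_for` routine below (HMAC-SHA256 keyed with the password over the challenge) is an assumed stand-in, and the captured lines, the password `Plant2012` and the wordlist are constructed for the example. What it shows is why a single sniffed exchange is enough: the PLC is never contacted again, so no lockout or rate limit on the device slows the attack down.

```python
"""Offline dictionary attack against captured challenge-response pairs (added example)."""
from __future__ import annotations

import hashlib
import hmac
from typing import Iterable, Optional


def response_for(password: str, challenge: bytes) -> bytes:
    # ASSUMPTION: stand-in for the PLC's challenge-response function. The real
    # S7 scheme is not described in the article; only the attack shape matters here.
    return hmac.new(password.encode("utf-8"), challenge, hashlib.sha256).digest()


def capture_exchange(password: str, challenge: bytes) -> str:
    # Constructed: one authentication exchange as it would look after being
    # extracted from a packet capture, formatted as "<challenge hex> <response hex>".
    return f"{challenge.hex()} {response_for(password, challenge).hex()}"


def parse_capture(lines: Iterable[str]) -> list[tuple[bytes, bytes]]:
    """Turn extracted 'challenge_hex response_hex' lines into byte pairs; '#' lines are comments."""
    pairs = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        c_hex, r_hex = line.split()
        pairs.append((bytes.fromhex(c_hex), bytes.fromhex(r_hex)))
    return pairs


def crack_offline(pairs: list[tuple[bytes, bytes]], wordlist: Iterable[str]) -> tuple[Optional[str], int]:
    """Try each candidate against every captured pair; return (password or None, attempts made).

    Requiring every captured exchange to match (different challenges, same password)
    rules out a chance collision on a single pair. Nothing here touches the network.
    """
    attempts = 0
    for candidate in wordlist:
        attempts += 1
        if all(hmac.compare_digest(response_for(candidate, c), r) for c, r in pairs):
            return candidate, attempts
    return None, attempts


# Constructed sample: two exchanges sniffed from an adjacent segment while an
# engineering workstation authenticated to the PLC with password "Plant2012".
CAPTURED_LINES = [
    "# challenge_hex response_hex",
    capture_exchange("Plant2012", bytes.fromhex("0102030405060708")),
    capture_exchange("Plant2012", bytes.fromhex("a1b2c3d4e5f60718")),
]

# Constructed wordlist; a real run would use a large dictionary plus site-specific mangling.
WORDLIST = ["password", "siemens", "admin", "Plant2012", "s7-300"]


def demo() -> Optional[str]:
    pairs = parse_capture(CAPTURED_LINES)
    found, attempts = crack_offline(pairs, WORDLIST)
    if found is None:
        print(f"no match after {attempts} attempts")
    else:
        print(f"password recovered after {attempts} offline attempts: {found}")
    return found


if __name__ == "__main__":
    demo()
```

The design point for defenders follows directly from the code: once the exchange is on disk, the only things that bound the attack are the password's entropy and the cost of `response_for`, which is why the mitigations below concentrate on keeping an attacker off the segment where that traffic can be captured rather than on the PLC's own lockout behaviour.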
ICS-CERT has notified Siemens, it said, and has asked it to confirm the attack vector and identify mitigations.
ICS-CERT recommends that users take defensive measures to lessen the risk of exploitation by minimizing network exposure for all control system devices. Above all, control system devices should not be directly reachable from the internet. SCADA administrators should also place control system networks and devices behind firewalls and isolate them from the business network, so that an attacker who gains a foothold on the corporate side is not automatically on a segment where PLC authentication traffic can be captured.
If remote access is required, ICS-CERT said to employ secure methods such as a VPN, but noted that admins should recognize that a VPN is only as secure as the devices connected to it.
SCADA software, used for industrial control mechanisms in utilities, airports, nuclear facilities, manufacturing plants and the like, is increasingly a target for hackers looking to exploit what appears to be a growing number of vulnerabilities – giving rise to fears that critical infrastructure may be at risk.
“With SCADA software being primarily responsible for critical operations and national infrastructures, an attack of this nature could not only result in the loss of data, but can also cause damage to physical assets and in certain scenarios, the loss of life,” said Ross Brewer, vice president and managing director International Markets at LogRhythm, in an email to Infosecurity. “As such it’s no surprise that arguably the most notorious cyber attacks of the past couple of years – such as the Stuxnet and Flame viruses – have been SCADA breaches.”
This is not the first time that Siemens has been targeted specifically. In July 2012 the German industrial giant plugged a dynamic link library (DLL) hijacking vulnerability in SIMATIC STEP 7 and PCS 7 software, which are used to configure the same S7 programmable logic controllers that the password-cracker is targeting.