In one incident involving a New Jersey manufacturing company, reports ICS-CERT, “intruders were able to identify internet facing devices using the SHODAN search engine and compromised the system by taking advantage of weak authentication credentials.” The second incident involved a state government facility. Here, ICS-CERT describes “an intruder who was able to exploit weak authentication settings on the system’s internet-accessible Niagara interface and manipulate set points to change the temperature settings.”
The hacks highlight two fundamental problems with ICS: their age and their connection to the internet. “Critical management applications and portals for SCADA and ICS are increasingly becoming accessible from the internet as organizations seek to benefit from a connected world,” explains Gunter Ollmann, CTO at IOActive. “Unfortunately the development maturity of most of these interconnected systems is still exceedingly poor. In too many cases it’s like a time warp to the days of Windows 95 and NT – before major software houses really grasped the reality of internet security.”
The credentials vulnerability had been reported to ICS-CERT by researchers Billy Rios and Terry McCorkle, who were highly critical of Tridium’s original response to their research. ICS-CERT contacted Tridium, which developed and issued a patch along with a security advisory detailing mitigation steps for its customers. The two reported breaches occurred before this patch and advice were available, but after Rios and McCorkle had discovered the vulnerabilities. Ollmann notes that “Even the proposed fix to the flaw would be classed as a lesser vulnerability when compared to other non-ICS commercial software product security expectations today.”
According to CSO, the Niagara software is “used widely by the military and hospitals to control electronic door locks, lighting systems, elevators, electricity and boiler systems, video surveillance cameras, alarms and other critical building facilities.” CSO quotes McCorkle saying, “It's a brilliant piece of software. It solves a huge need for the industry. It's just that the software security practices aren't very good.” He believes there are many other vulnerabilities in the product that are being addressed, but not yet solved.
One of the biggest problems, suggests Ollmann, is the ease with which attackers can locate potentially vulnerable ICS systems. “One of the earliest and most important stages of hacking an unknown and potentially complex system is the process of device enumeration. Organizations should take great care to limit the type and detail of information concerning the systems they operate – because it allows the attacker to tune and focus upon the most vulnerable devices. In this age of state-endorsed hacking and espionage, mapping out the systems of critical infrastructure installations is a high priority as it allows future attackers to target specific equipment in rapid succession.”
Ollmann points out that, “Armed with a particular unique software identifier (a web service named ‘Shodan’), a simple query using Google can reveal the location of 21,000 candidates for attack – without the attacker having to touch the vulnerable systems even once.”
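The enumeration step Ollmann describes works because an exposed web interface answers every request with a banner that names the product and often its version; that string is exactly what a search engine such as Shodan indexes. The script below is an added example, not code from the article, from ICS-CERT or from Tridium: it audits HTTP response heads captured from your own internet-facing hosts and flags the headers that hand an attacker a searchable product identifier or a version number. The sample banners, the IP addresses, the list of leaky headers and the product tokens (including matching on the string “Niagara”) are all constructed assumptions for illustration, not identifiers taken from the article.

```python
"""Banner fingerprint audit.

Added example (not from the article, ICS-CERT or Tridium). Given raw HTTP
response heads from hosts you operate, report which headers expose a
product identifier or version string that an attacker could search for.
"""
import re
from dataclasses import dataclass

# Headers that routinely leak product or version details.
# Assumption: a practical starting list, not an exhaustive one.
LEAKY_HEADERS = ("Server", "X-Powered-By", "WWW-Authenticate")

# Product tokens treated as search-engine-discoverable. "niagara" is the
# product discussed in the article; the remaining tokens are assumed examples.
PRODUCT_TOKENS = ("niagara", "tridium", "scada", "modbus")

# Constructed sample banners (addresses from the RFC 5737 documentation range).
SAMPLE_BANNERS = {
    "198.51.100.10": "HTTP/1.1 200 OK\r\nServer: Niagara Web Server/3.5\r\nContent-Type: text/html",
    "198.51.100.11": 'HTTP/1.1 401 Unauthorized\r\nWWW-Authenticate: Basic realm="Tridium Niagara"\r\nServer: nginx',
    "198.51.100.12": "HTTP/1.1 200 OK\r\nServer: Apache/2.2.22\r\nContent-Type: text/html",
    "198.51.100.13": "HTTP/1.1 200 OK\r\nContent-Type: text/html",
}


@dataclass
class Finding:
    host: str
    header: str
    value: str
    reason: str


def parse_banner(raw: str) -> tuple[str, dict[str, str]]:
    """Split a raw HTTP response head into (status line, {header: value})."""
    lines = raw.strip().splitlines()
    status = lines[0].strip()
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # not a header line; ignore
        name, _, value = line.partition(":")
        headers[name.strip()] = value.strip()
    return status, headers


def audit_banner(host: str, raw: str) -> list[Finding]:
    """Flag leaky headers. A product name outranks a bare version number,
    because the product name is what makes a host searchable."""
    findings: list[Finding] = []
    _, headers = parse_banner(raw)
    for name in LEAKY_HEADERS:
        value = headers.get(name)
        if value is None:
            continue
        lowered = value.lower()
        if any(token in lowered for token in PRODUCT_TOKENS):
            findings.append(Finding(host, name, value, "product identifier exposed"))
        elif re.search(r"\d+\.\d+", value):
            findings.append(Finding(host, name, value, "version string exposed"))
    return findings


def audit_all(banners: dict[str, str]) -> dict[str, list[Finding]]:
    """Audit every captured banner; hosts with no findings map to an empty list."""
    return {host: audit_banner(host, raw) for host, raw in banners.items()}


if __name__ == "__main__":
    for host, findings in audit_all(SAMPLE_BANNERS).items():
        if not findings:
            print(f"{host}: no identifying headers")
        for f in findings:
            print(f"{host}: {f.header}: {f.value!r} -> {f.reason}")
```

Run against real captures, the hosts reported with “product identifier exposed” are the ones a Shodan-style query would surface directly; the fix on the device side is to strip or genericise those headers where the product allows it, and, for the ICS cases the article describes, to take the interface off the public internet altogether rather than rely on the banner alone.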