Researcher tracks down compromised ICS systems

In two Digital Bond posts last week, first Dale Peterson describes the SCADA vulnerability problem, and then Michael Toecker demonstrates how to find such systems that have already been compromised. SCADA/ICS “software is fatally flawed because it was not designed with good coding practices or any part of a reasonable security development lifecycle,” claims Peterson. He points to the findings of Sergey Gordeychik, CTO of Moscow-based Positive Technologies, presented at a conference in Seoul last Thursday and reported in Computerworld. “The team has found more than 50 vulnerabilities in WinCC's latest version, so many that Siemens has worked out a roadmap to patch them all, Gordeychik said in an interview. Most are problems that would allow an attacker to take over a WinCC system remotely,” reports Computerworld.

It was WinCC that was cracked to allow the Stuxnet attack on the Iranian centrifuges; and vulnerabilities still exist. “Siemens could patch these 50 vulns and attackers would easily find additional vulns.” warns Peterson. “What Siemens and other vendors need to do is stop and do a security code review of the product.” He uses Microsoft as an example. “Bill Gates famously stopped all work for a few months back in 2002 for a security code review on all development efforts,” he comments, but adds, “Even after that Microsoft had a huge legacy code issue, but they realized just fixing identified vulns was a treadmill not a solution.”

Meanwhile, fellow researcher Michael Toecker discussed his use of malware support forums to locate ICS systems that are already compromised. Such forums allow users who have been infected with malware to post details for remedial analysis by the forum community. “These users can run a set of programs, including HijackThis, DDS, OTS, and others, to pull information from the system.” The posted details, however, also provide a lot of information about the ‘infected’ system – if you know what to look for. 

Toecker concentrates on one particular system he found, ‘an extremely detailed DDS log.’ “First off,” he writes, “this system has the SEL AcSELerator Quickset and GE Enervista, so it was used to either review relay configurations or install relay configurations on SEL and GE digital protective relays.” In other words, it effectively plugs into the national power grid. “This suggests a technician’s laptop, one who works on a wide variety of electric power systems and other automation systems.”

But the laptop was infected with two pieces of malware: the fake AV and backup program ‘Malware Protection Designed to Protect’ and ‘Windows XP Recovery.’ Such malware is usually installed either by drive-by downloading or direct installation. “That’s right,” says Toecker, “if this post is a representative sample, the cyber security and reliability of the electric power grid could be in the hands of the normal computer user who will click on and install just about anything.”

What’s Hot on Infosecurity Magazine?