Industrial Control Systems (ICS) security represents a significant challenge in today’s world. Some months ago I gave a presentation on ICS Cybersecurity in the ISACA’s EuroCACS/ISRM Conference in Copenhaguen, and now, I’m going to explain in this post some concepts we were discussing there about security concerns.
Industrial infrastructure has a very long life cycle (over 20 or 25 years) and for this reason, most of the implemented security measures in control systems are outdated and rely upon a sort of “security through obscurity” (if an attacker doesn’t know what to attack, we are secure) but of course this is wrong, -it has been proven that this is a wrong approach!
However, the fact that industrial systems adopt IP protocols certainly introduces a new security risk, but we must not forget that other risks already existed before and they had nothing to do with the Internet.
Let’s look at some of these security concerns:
1) Weak communication protocols
We’re working with communication protocols designed in the 70’s and in the 80’s: (DNP3, Modbus, ProfiNet, etc.) and most of them do not incorporate either authentication or encryption. Without authentication anyone who can access the network could send control signals to a specific device, and -as you know- a “bad guy” can gain access to the network in many different ways. And without encryption, the data transmitted over the network can easily be obtained using a network sniffer (i.e., Wireshark).
2) Weak passwords
On one hand, we have lots of systems working with default usernames and passwords, that are not changed by the user, and they still remain as admin/admin, root/1234 … and so on (or even blank passwords). On the other hand, manufacturers are sometimes using hardcoded usernames and passwords to be used by its own technical service and they cannot be changed. If they’re known (most of them are included in technical documentation available on the Internet) anyone who gets access to the device could log in with a privileged account. In 2013 ICS-CERT published an advisory related to a hardcoded vulnerability found within roughly 300 medical devices, manufactured by some 40 different vendors, which could be exploited to gain access to the devices, including pacemakers, surgical and anesthesia devices, drug infusion pumps, patient monitors, as well as laboratory and analysis equipment.
3) Poor QoS
Quality of Service (QoS) has to do with the overall performance of the network. Unlike a business network, an ICS network often needs a real-time communication, without latency, without packet loss, or any other “noise” that affects the quality of the communication. This situation may be exploited to perform a Denial of Service (DoS) attack (i.e., via the insertion of rogue Ethernet frames into the network). And here, this is not about restarting a web server or having a delay in e-mail delivery, a DoS attack could bring very important systems off-line, and could even trigger a shutdown.
4) Internet connected web servers without protection
Many control systems have integrated web servers allowing maintenance and configuration tasks. If these systems are directly connected to the Internet it is possible to find them with specialized search engines like SHODAN. When the system has been discovered, if there are not well implemented security measures, the system becomes vulnerable.
In addition, when using an IDS/IPS as a countermeasure, common IDS/IPS do not take into account specific payloads and port numbers related to ICS protocols, such as Modbus or DNP3, leaving the system unprotected.
5) Difficult or nonexistent patching
Patching is the main countermeasure against known vulnerabilities that have been corrected by the vendor but, in critical systems, depolyment of patches must be scheduled with some weeks or months in advance, because there are many other tasks that must be executed before the process may be interrupted. That creates a “window of exposure” in which systems are vulnerable.
Furthermore, there are many old systems operating continuously and there is a reluctance to touch them all. If a patch (or a software update) is not tested it can also be a risk, as it might change the behavior of a component in a way that endangers the process stability.
As an example: the Japanese company who owns the Fukushima nuclear power plant is still running about 48,000 computers on Windows XP (an outdated operating system without support nor upgrades).