Lost Decade in SCADA

Where is the outrage?

We hoped for at least the start of outrage demanding that fragile and insecure PLCs in the critical infrastructure be either fixed or replaced.

Of course, we expected some aimed at us for pointing out the problem and creating tools to make it easy to see. Unfortunately that seems to be the extent of the outrage, and most are settling back into the “we all knew PLCs are vulnerable” status quo. This is not a complete surprise given that Siemens was able to avoid admitting or fixing the S7 Stuxnet issues despite the publicity.

But it’s not over. There are more Basecamp Metasploit modules and other tools coming, and we are still hopeful that as people see how easy it is to compromise a PLC, the reality will be too much for continued inaction.

Important Clarification

The biggest Basecamp misunderstanding is that the GE D20 Metasploit modules take advantage of some 0day vulnerability. This is not true.

The GE D20 Metasploit modules do not leverage a vulnerability at all. One module just downloads the configuration file and extracts the user credentials – a feature of the product. The other uploads (via TFTP) a text file containing commands to the GE D20, which the D20 then happily executes, writing the results to another file – again a feature of the product.

Reid did find strcpy and memcpy overflows and other “0days” in the product, but those are not worth the trouble to an attacker. The main reason we did the additional testing was to complete the results table and determine how fragile the device was. Extremely fragile, as frustrated students in the PLC Hacking class found out. Even an nmap fingerprint crashes the D20.
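Because the D20 modules ride on a product feature rather than a bug, the practical defensive control is to watch for TFTP reads and writes aimed at the RTU at all. The following is an added example (not Digital Bond or Basecamp code) of a small monitor that parses TFTP request datagrams per RFC 1350 and alerts when a file is read from or uploaded to a protected RTU; the asset list, addresses and filenames are constructed for illustration.

```python
import struct
from dataclasses import dataclass
from typing import Optional

# Constructed asset inventory: addresses a network sensor treats as protected RTUs.
# Hypothetical values, not taken from the original post.
RTU_ASSETS = {"10.20.1.20": "GE D20 RTU (hypothetical)"}

TFTP_OPCODES = {1: "RRQ", 2: "WRQ", 3: "DATA", 4: "ACK", 5: "ERROR"}


@dataclass
class TftpRequest:
    opcode: str    # "RRQ" (read) or "WRQ" (write)
    filename: str
    mode: str      # "octet" or "netascii"


def parse_tftp_request(payload: bytes) -> Optional[TftpRequest]:
    """Parse a TFTP RRQ/WRQ: opcode(2 bytes) | filename | NUL | mode | NUL.
    Returns None for non-request opcodes or malformed payloads."""
    if len(payload) < 4:
        return None
    (opcode,) = struct.unpack("!H", payload[:2])
    if opcode not in (1, 2):
        return None
    fields = payload[2:].split(b"\x00")
    if len(fields) < 3 or not fields[0] or not fields[1]:
        return None
    name = fields[0].decode("ascii", "replace")
    mode = fields[1].decode("ascii", "replace").lower()
    return TftpRequest(TFTP_OPCODES[opcode], name, mode)


def classify(src: str, dst: str, dport: int, payload: bytes) -> Optional[str]:
    """Return an alert string when a TFTP request targets a protected RTU."""
    if dport != 69 or dst not in RTU_ASSETS:
        return None
    req = parse_tftp_request(payload)
    if req is None:
        return None
    asset = RTU_ASSETS[dst]
    if req.opcode == "RRQ":  # file pulled off the RTU (e.g. its configuration)
        return f"ALERT file read from {asset} by {src}: {req.filename}"
    return f"ALERT file upload to {asset} by {src}: {req.filename} (possible command script)"


# Constructed sample datagrams (src, dst, dport, UDP payload); names are hypothetical.
SAMPLES = [
    ("10.20.5.7", "10.20.1.20", 69, b"\x00\x01config.bin\x00octet\x00"),
    ("10.20.5.7", "10.20.1.20", 69, b"\x00\x02cmds.txt\x00netascii\x00"),
    ("10.20.5.7", "10.20.1.21", 69, b"\x00\x01boot.img\x00octet\x00"),  # not a protected asset
    ("10.20.5.7", "10.20.1.20", 69, b"\x00\x04\x00\x01"),  # ACK, not a request
]


def run(samples=SAMPLES):
    return [a for a in (classify(*s) for s in samples) if a]
```

On a real network this would sit behind a packet capture of UDP port 69 on the control-system segment, where any TFTP session to an RTU should be rare enough to investigate individually.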

Interim Results

The vendor response has been mixed and incomplete after one week. Fixes would be a surprise in one week, but preliminary analysis and communication should be done by now.

GE – Complete radio silence. We did not expect a lot of questions, since this device is beyond saving, but we haven’t been able to find a customer bulletin or public statement. Please send us a link if you see one. How hard is it to say: “The GE D20 is an old system designed well before ICS security was an issue. We have a secure replacement, the xxx, that will be available in yyy. It will have the following security features, and we strongly recommend that any of our customers concerned with security plan on moving to this replacement product as soon as possible.”?

Rockwell Automation – They reached out to get the details, beyond what they heard at S4. RA issued a broadly worded bulletin that there are security issues in the ControlLogix and MicroLogix, and their Security Taskforce is looking into them. There are three more bulletins, but they just provide generic guidance. It’s a bit disappointing that the Security Taskforce has not put out more helpful info to customers one week later. We will have to wait for the more detailed bulletin and any patches or other remediation recommendations.

Schneider Modicon – Nothing. No questions, no contact. There may be a bulletin out to customers. Send us a link if you have one. Unlike the GE device, the Quantum should be able to be fixed/patched.

SEL – They reached out to get all the details and already have begun an effort to document the CAL level authentication in the older products. Hopefully they will respond to the SEL blog entry to explain why they believe the CAL level is required.

US Government – Incomplete for Basecamp. Fail on PLC security. ICS-CERT quickly published the Basecamp bulletins, but nowhere does ICS-CERT or anyone else in the USG come out and say that owner/operators must replace the fragile and insecure PLCs. Instead it’s simply: publish the information, a la Stuxnet, issue some generic guidance such as defense-in-depth, and go back to sleep hoping nothing else bad happens.

When will they just bluntly tell owner/operators that they need to replace these fragile and insecure PLCs? It’s not going to be done in months or even a year, but we are going on year 11 now. My expectation is that any government would identify the most critical ICS and put them on a timetable, either through the bully pulpit or through regulation if necessary. Regulation has not gone well, but when has the USG or any other government spoken honestly about what needs to be done, and about the negligence of owner/operators if they don’t do it?

Automation Press – Fail. Basically a repeat of the behavior when Langner found the reality of Stuxnet. In that case members of the automation press had a two week head start and failed to write anything until the mainstream press picked it up. In this case, silence. It would be understandable if they did not like the result and chastised us, or even didn’t mention the Basecamp team in an effort to not encourage such efforts.

But how do you not tell your owner/operator readers that their PLCs have proven to be fragile and vulnerable AND that there are tools out there that make it easily demonstrable? I don’t expect them to pick it up until it is everywhere else and they have no choice. Friends have told me to get off this rant, but the automation press is a major source of information for ICS engineers, and what they get is thinly disguised advertising.

My greater hope is that the non-automation press (IT, IT security and mainstream) will eventually get the message to C-level executives.
