While there were some great talks at AppSecDC, the attendance at their Critical Infrastructure track was not very high. Critical Infrastructure is a new topic area for the AppSec conference this year and it’s unclear if it will survive. OWASP has a lot of web testing experience to draw upon, which could be really helpful in securing control systems.
There were a lot of presentations in AppSecDC’s Critical Infrastructure track about methodologies used in pen-testing and exploiting control systems. We seem to be at a very ugly point in control systems security where we’re dealing with both massive numbers of backdoors and unauthenticated protocols, as well as genuine and exploitable software bugs. Let’s not forget that basic security practices aren’t in place by a lot in the control systems space, with by some estimates a hundred thousand controllers directly connected.
Denial of Surface
Éireann Leverett gave a refreshed version of his ‘Denial of Surface’ talk that we first saw at S4 (link). In the updated talk, Éireann showed numerous building energy management systems within a few miles of the Washington Convention Center, as well as a stunning 15,000 management systems from a single vendor. I raised the issue of what number of vulnerable HVAC controllers would be sufficient to disrupt grid operations. Digital Bond recently added Michael Toecker to our roster (he’s a PE), and he was able to work out some napkin math. The short answer is, “it depends,” on how close together electrically the buildings are, but localized blackouts are not out of the question if loads are bounced simultaneously. I do enjoy Éireann challenging the definition of ‘critical,’ as he so often does. Seeming non-critical controllers are often critical to the right people.
Given how not seriously security is often taken by vendors in control systems that do more dangerous jobs, we’ll probably be hearing more about this one someday.
Among the more ‘curio’ online controllers Éireann showed is a series of petrol stations in Turkey. The embedded controllers perform OCR (Optical Character Recognition) on car license plates, allowing for easy people-tracking. The most recent purchases may be observed, as well as the underground storage tank level. We managed to find backdoor credentials to the gas tank refueling controller in about fifteen minutes.
Justin Searle at Utilisec discussed pen-testing smartgrid apps. Pen-testing live systems is always a dicey proposition, and smartgrid applications are no different. Web interfaces sometimes present interesting options, such as mass-disconnect commands, which is why pen-testing any kind of control app needs to be approached with extreme caution.
Justin’s experience suggests to me that more logic and security could be built into end devices, or at least into command dispatch systems. His comment that control changes should be rate-limiting was particular interesting…for example, limiting the number of feeder switches that can be opened in a given unit of time for Smartgrid operations could stop programming bugs, controller mistakes, and attackers. Such features would not add much in terms of inconvenience for operators.
Kevin Hemsley with ICS-CERT presented on vulnerability and exploitation trends in the ICS space. The talk focused on the increase in disclosure in the ICS space, as well as increased hacktivist interest in control systems. While I agree with Dale that it would be nice to see proof that people are actively targetting control systems (as opposed to going after any network they they can, which happens to include control systems), I’m inclined to give ICS-CERT the benefit of the doubt.
In a perfect world we would get better data; in a world with ongoing investigations and several government organizations sharing data (gasp) I’m sure that it can be difficult to release details.
Real-World Backdoors on Industrial Devices
Rubén Santamarta made a presentation at AppSecDC on ‘Real-World backdoors on Industrial Devices.’ He showed how he discovered backdoors in numerous firmwares, including his famous Dell DRAC remote root backdoor and a new disclosure regarding another Schneider device.
He showed how backdoor access in the Schneider ION series of smart meters could allow rogue a firmware update, among other outcomes. What was most curious about his backdoor finding was that googling for backdoor revealed documents detailing exactly how to use it. The documents were not meant for the public to see, and have since been removed.
Schneider was surprisingly fast at fixing this vulnerability, producing and pushing an updated firmware in just five months. As a firmware guy I can say that that’s hard. Kudos to Schneider’s metering division for getting an update out so quickly.
It’s difficult to judge a company by one division. Schneider’s PLC division has had well-known backdoors in their products since 2006 (the backdoors existed before that, but 2006 is when they were disclosed). Those backdoors are still present six years later.
Beer O’Clock Encounters
My favorite part of any conference are the after-hours meetings, and AppSec was no exception. I missed a talk by Jon McCoy on .NET application reverse engineering, but got to meet him later after-hours. He makes a fantastic .NET reverser that can output C# source code. C# is not a very widely adopted language in the ICS space yet, although I grew to love the language after a few years of near-constant use. The language really makes event-driven programming too easy, although Jon shows that it also makes reverse-engineering your new-fangled app a kindgergartien task. Check out Graywolf at his website.
After-hours discussions also focused on monetizing all of the recent ICS vulnerabilities that have been released. I smell an opportunity for someone with an economics background to show us how it’s really done.
Image courtesy of NISTIR 7628