PLC Hacking

First a reminder of the goal:

The goal of Project Basecamp is to make the risk of these fragile and insecure devices so apparent and easy to demonstrate that a decade of inaction will end. SCADA and DCS owner/operators will demand a secure and robust PLC, and this will drive vendors to finally provide a product worthy of being deployed in the critical infrastructure.

It’s too early to evaluate the success or failure of Project Basecamp. January 2013 is a good time to evaluate this. If a majority of vendors have announced plans for a secure PLC, then we will claim success. If by January 2014 a majority of the critical infrastructure has replaced their PLCs or has active projects to do this, we will claim total victory. If nothing changes beyond some token patching and damage control, Project Basecamp is a total failure. And there are all levels of success and failure between those criteria.

So what’s the future of Project Basecamp?

Short Term (0-2 months)

Let me start with something beyond Digital Bond’s control: the biggest step toward solving this problem would be DHS and other authorities admitting this is a problem that needs to be addressed. Amongst all the bulletins, conferences and scary announcements of increased risk, we have yet to hear DHS say that the critical infrastructure should upgrade or replace these fragile and insecure PLCs now. DHS/ICS-CERT provides all sorts of security advice, so this would not be breaking any policy. The May ICSJWG conference would be a great time for DHS to step up.

Here’s what we are going to do through mid-June:

  1. Track the vendor responses to Project Basecamp. Reid’s Koyo blog is an example. We are looking at the Schneider compensating controls (can’t get the access list to work yet), and we will follow patches and security feature upgrades.
  2. Work on more IDS signatures and monitoring information to detect this type of PLC hacking activity. We gladly will accept and publish contributions in this area. Tenable Network Security and other vendors are eager to get this information to integrate ICS detection capabilities into their products.
  3. Develop the Metasploit modules related to the WAGO / CoDeSys findings that Reid presented at AppSec.
  4. Attempt to characterize the impact of the CoDeSys vulnerabilities across the 250 vendors that have integrated this into their controller.

Medium Term (3-12 months)

We have run out of products to test in our lab, and our self-funding is limited. So we will have to rely on the kindness of strangers.

  1. Siemens – This is a big one. We have a couple of avenues to get our hands on an S7, and we want to create the Stuxnet-type and Beresford Metasploit modules this summer. The real win would be to get our hands on the new secure communications processor (CP) module that Siemens says is coming out this spring. The Scalance firewall vulns that were announced yesterday increase our desire to test this solution (brute force password vuln and stack overflow DoS in a security gateway?). And the CP module is based on Scalance technology?
  2. Loaned products – If you have a PLC, RTU or other controller with an Ethernet interface, we would like to add it to Project Basecamp. A couple of loans are already scheduled for this year. We have a number of new pro bono researchers who want in on Basecamp, so we can handle quite a few at once. Contact us if you have a product you can loan Project Basecamp for 1 to 3 months.
  3. Kickstarter Funding – We are opening up a Kickstarter project to fund Project Basecamp next week. Digital Bond will match the first $5,000 raised, and donors of $50 will get a chance to vote on the PLC purchase, plus a Project Basecamp coffee mug. We have no idea if this will work, but thought it would be interesting to try.

There is tremendous inertia in the PLC/controller space. The typical PLC vendor reaction is to ride out the temporary bad news because no one really wants to deal with this. The people who should be demanding and driving the change, owner/operators, don’t want to spend the time and money. Vendors and the automation press play along because no one wants to rock the boat and make customers upset. DHS and even many of the most respected ICS security professionals play along and say there is nothing we can do about this except the defense-in-depth mantra.

The fact that Project Basecamp has not broken through this inertia in three months is no surprise. In the words of Maxwell Smart, “Well of course it’s a suicide mission, 99, so what? Our next mission will be easier.”

Image by Greg Peterson