World news: March 2012
US security firm releases tools that exploit PLC weaknesses
Concern about the vulnerability of industrial control systems to cyber-attacks has grown after a US specialist in control system security, Digital Bond, published tools that could be used to exploit weaknesses in PLCs from GE, Koyo, Rockwell Automation and Schneider Electric. One of the tools targets the Ethernet/IP protocol and could affect any device using the protocol, allowing attackers to crash or restart these devices remotely.
Digital Bond says it posted the information to raise awareness about control system vulnerabilities. CEO Dale Peterson says that he has warned controls manufacturers about the vulnerabilities, but they have not addressed the problems adequately. He published the tools “as a kind of shock therapy” to force the manufacturers to deal with the problems.
The day after Digital Bond published the tools, the US Government’s Industrial Control Systems Cyber Emergency Control Team (ICS-Cert) issued an alert, warning of “multiple” threats that are “combining to significantly increase the risk to ICSs” (industrial control systems).
“Hacktivist groups are evolving and have demonstrated improved malicious skills,” ICS-Cert reported. “They are using specialised search engines to identify Internet-facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems.”
Control system owners “should take these changes in the threat landscape seriously,” ICS-Cert continued, advising them to take “immediate defensive action to secure their systems using defence-in-depth principles”.
Users “should not assume that their control systems are secure or that they are not operating with an Internet-accessible configuration,” ICS-Cert warned. Instead, they should “thoroughly audit their networks for Internet-facing devices, weak authentication methods, and component vulnerabilities.”
ICS-Cert named two search engines – Eripp and Shodan – that can be used to find Internet-connected control devices. “Combining these with easily-obtainable exploitation tools, attackers can identify and access control systems with significantly less effort than ever before,” it cautioned.
ICS-Cert is encouraging control system owners to use these search engines to audit their own IP (Internet Protocol) addresses. If they find their equipment linked to the Internet, they should remove these items from direct Internet access “as soon as possible”.
♦ A Dutch cyber-security researcher has warned that hackers could flood low-lying parts of his country by accessing Internet-connected systems that control vital pumping stations and sluices designed to stop areas of the Netherlands that lie below sea level from being inundated by the North Sea. The researcher, Oscar Kouroo, found that the control systems were listed on the Shodan search engine.