SCADA systems vulnerable, and are under attack

Author(s): Dan Ducey

Published: November 22, 2011



There have been some frightening items in the news this week. It's one thing to read your credit card information has likely been compromised because a retailer was hacked and didn't encrypt your data, but it's quite another to read your municipal water supply system has been compromised:

U.S. investigates cyber attack on water system

(Reuters) - Federal investigators are looking into a report that hackers managed to remotely shut down a utility's water pump in central Illinois last week, in what could be the first known foreign cyber attack on an industrial system on U.S. soil.

The November 8 incident was described in a one-page report from the Illinois Statewide Terrorism and Intelligence Center, according to Joe Weiss, a prominent expert on protecting infrastructure from cyber attacks.

State police investigators believe the hackers broke into the water utility's network by using credentials stolen from an undisclosed U.S. company that produces software to control industrial systems, said Weiss, who read excerpts from the report to Reuters over the phone.

"An information technology services and computer repair company checked the computer logs of the system and determined the computer had been hacked into from a computer located in Russia," Weiss said, quoting the report.

First "known" attack - Here's the kicker: "It is unknown at this time the number of SCADA user names and passwords acquired from the software company's database and if any other additional SCADA systems have been attacked as a result of this theft," Weiss cited the report as saying.

DHS made the following statement: The U.S. Department of Homeland Security and the Federal Bureau of Investigation are examining the matter, said DHS spokesman Peter Boogaard. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," he said, declining to elaborate further.

Mere hours after that statement was published, a 'researcher' responded, pointing out what may be the second known attack. He describes it not as an attack but merely as a demonstration, yet it still runs counter to the DHS claim (thankfully, no damage was done):

South Houston's Water Supply Network Hacked: "This was stupid. You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely F****D the state of national infrastructure is. I've also seen various people doubt the possibility an attack like this could be done," 'pr0f' posted on Pastebin.

"I'm not going to expose the details of the box. No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly. On the other hand, so is connecting interfaces to your SCADA machinery to the internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic," 'pr0f' wrote.

Later in an e-mail interview with Threatpost, the hacker said the district had software that manages water and sewage infrastructure accessible from the Internet and had used a weak three character password to protect the system, making it child's play to hack.

And now we read that the three character password may be a hard-coded default password assigned to all new user accounts: Was the three character password used to hack South Houston's water treatment plant a Siemens default?

A Siemens spokesman could not confirm that the hack in South Houston, Texas, took advantage of a default password used by the application, or one configured by officials in South Houston. However, he acknowledged that older versions of the WinCC application do use three character default passwords.


This is alarming, to say the least. One damaged pump might not be thought of as a big deal, but what if all pumps on a delivery system were destroyed? What if chemicals commonly used to treat water, like fluoride or chlorine, were introduced in harmful quantities? How long would it take to recover a system from damage like that?

Does all this mean it's time to start hoarding water? Plan for the meltdown of all utilities? Of course not, for we assume DHS is working with the software vendor to determine who's at risk and mitigate, but we do need to start taking the security of these systems far more seriously, and start asking questions:

How many customers use this particular software vendor? (How many systems are compromised?)

Why do supply vendors of critical systems store customer credentials in the first place? These could be handed over in a simple phone call when support is needed, and changed afterwards.

Why are passwords hard-coded? They shouldn't be, or at least a change of password should be forced upon setup or at first logon. If not, it inevitably leads to one compromise becoming many, and in seconds, in an internet-connected world.

Is such critical data stored encrypted? It should be, if one has to store it at all, and implementing encryption shouldn't take over four years.

Do we really need federal regulation for security policies of these critical systems? With the possibility of incredibly weak passwords being used, at the very least some sort of security auditing on the federal level would be prudent.

Should these systems even be connected to the public internet? Sure, it creates efficiency, and is convenient for troubleshooting, repair, and maintenance, but that doesn't mean it's the smart thing to do.


Update - FBI: No evidence of water system hack destroying pump, probe into SCADA breach continues

In an email sent on Tuesday afternoon to members of the Industrial Control Systems Joint Working Group, officials with the ICS-CERT, an offshoot of the US Computer Emergency Readiness Team, said investigators from the US Department of Homeland Security and the FBI have been unable to confirm the claims, which were made in a November 10 report issued by the Illinois Statewide Terrorism and Intelligence Center, also known as the Fusion Center.

The update went on to say that officials are still investigating additional claims that a second water plant in Texas was breached by someone who gained unauthorized access to systems controlling its machinery.

Russian IP address mystery solved - Comedy of Errors Led to False 'Water-Pump Hack' Report

"I could have straightened it up with just one phone call, and this would all have been defused," said Jim Mimlitz, founder and owner of Navionics Research, who helped set up the utility's control system. "They assumed Mimlitz would never ever have been in Russia. They shouldn't have assumed that."

Mimlitz's small integrator company helped set up the Supervisory Control and Data Acquisition system (SCADA) used by the Curran Gardner Public Water District outside of Springfield, Illinois, and provided occasional support to the district. His company specializes in SCADA systems, which are used to control and monitor infrastructure and manufacturing equipment.

Mimlitz says last June, he and his family were on vacation in Russia when someone from Curran Gardner called his cell phone seeking advice on a matter and asked Mimlitz to remotely examine some data-history charts stored on the SCADA computer.


Update - The War Over SCADA - An Insider's Perspective on the Hype and Hyperbole

Excerpt: "In the past few days, we have seen two reports of attacks against water facilities. In one instance, the assessment as to the source and nature of the attack is still a matter of discussion. In the other, it is pretty clear that simple security policies were not being followed in that 1) the system was connected to an external network and 2) that the password was trivial. We have seen far more sophisticated attacks against non-critical infrastructure than was in evidence in this attack. Again, these attacks were against the water infrastructure segment, which does not have a federal agency with the same power as NERC does over the energy industry governing its operations. I can say with confidence that in at least the second case, the NERC CIP requirements would have forbidden such a configuration, and a NERC auditor assessing the facility would have recommended fines levied by FERC for the infraction. The issue, as with any network, is not the standards, or lack thereof, but the lack of oversight in the design and implementation of the control network."


Update - The deputy assistant director of the FBI's Cyber Division says hackers recently accessed the infrastructure of three cities through SCADA systems

Hackers recently accessed the critical infrastructure of three unnamed cities by compromising their SCADA (supervisory control and data acquisition) systems, the deputy assistant director of the FBI's Cyber Division said today.

Speaking at the Flemings Cyber Security conference in London, Michael Welch said the hackers could theoretically have dumped sewage into a lake or shut off the power to a shopping mall.

"We just had a circumstance where we had three cities, one of them a major city within the US, where you had several hackers that had made their way into SCADA systems within the city," Welch said.


Update - U.S. power grid is a big, soft target for cyberattack, MIT study shows

The U.S. electrical grid in particular is not only just as vulnerable as it was before the risk of cyberattack became obvious, but the negative impact of a real hack keeps rising, according to a two-year study published today by researchers at the MIT Energy Initiative in Massachusetts Institute of Technology Sloan School of Management.

U.S. utilities are building more intelligence into their networks to make power distribution more efficient, but the mesh of regulations and regulators involved is such that their security efforts are incomplete, inadequate and uncoordinated, according to the 268-page study (PDF of full report, or by section), which also examined risks from weather, the impact of federal regulations, rising prices for fossil fuels and competition from sources of renewable energy.


Update - Homeland Security Warns SCADA Operators Of Internet-Facing Systems

In the wake of the hack of water and sewer infrastructure operated by a Texas community, the Department of Homeland Security is again warning owners and operators of critical infrastructure to take note of SCADA and industrial control systems that may be accessible from the Internet.

DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) reiterated a warning from last year that such systems can be detected by a new breed of Internet scanners such as Sh0dan (PDF), citing an "uptick in related activity" by researchers, and evidence that "thousands" of ICS systems may be discoverable.


Update - Researcher Alleges Siemens Cover-up Over Security Holes In Simatic Product

Rios notes that Siemens's Simatic software ships with a weak, three character default password ("100") which is used to secure the default administrative account and fails to require customers to immediately update the default password to a unique, hardened password upon installation. Security experts have speculated that the hacker known as "Pr0f" took advantage of the default Simatic password to get access to systems controlling water and sewer infrastructure in South Houston, Texas.

According to Rios, even organizations that think they've switched to a hardened password may be surprised to learn that they haven't. During the Simatic installation, three different services are created: a Web service for the Web interface, a Telnet service for remote management of the device and a virtual network computing (VNC) service that is used for remote access and control of the Simatic software. All three are configured with the weak default password, but maintain their credentials separately. "Changing the default password for the Web interface doesn't change the VNC password (and vice versa)," Rios writes. "I've found MANY of these services listening on the Internet." In addition, customers who attempt to harden their Simatic password, but attempt to reset it to a non-conforming password (for example: one that uses special characters) may inadvertently reset the password to the weak default password...
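As an added example (not Siemens, ESG or any vendor's code), the following constructed model shows the credential handling that the questions earlier in the post and Rios's findings point to: one password shared by the Web, Telnet and VNC interfaces, a forced change at first logon, a reset that fails loudly instead of reverting to the factory default, and the failed-attempt lockout that the later Koyo ECOM updates discuss. The class and function names, the policy values and the sample passwords are all assumptions.

```python
"""Constructed model (not vendor code) of the credential handling these
updates call for: one password for all management interfaces, a forced
change at first logon, resets that fail loudly rather than revert to the
factory default, and a lockout after repeated failures."""
import hashlib
import hmac
import os
import time

INTERFACES = ("web", "telnet", "vnc")   # management services that share ONE credential
FACTORY_DEFAULT = "100"                 # well-known default; valid only until first change
MIN_LENGTH = 12                         # assumed policy value
MAX_FAILURES = 5                        # assumed policy value
LOCKOUT_SECONDS = 300                   # assumed policy value


class PasswordPolicyError(ValueError):
    """Raised when a new password fails policy; the old one stays in force."""


class AccountLocked(PermissionError):
    """Raised while the failed-attempt lockout is active."""


def _derive(password: str, salt: bytes) -> bytes:
    # Slow hash so a leaked credential store is not trivially reversible.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def validate_policy(password: str) -> None:
    """Reject weak passwords with an error; never substitute the default."""
    if password == FACTORY_DEFAULT:
        raise PasswordPolicyError("factory default password is not allowed")
    if len(password) < MIN_LENGTH:
        raise PasswordPolicyError(f"need at least {MIN_LENGTH} characters")
    if not password.isprintable():
        raise PasswordPolicyError("non-printable characters are not allowed")
    # Special characters are deliberately permitted; the failure Rios describes
    # was a reset that silently reverted to the default on such input.


class Account:
    """A single management account whose credential every interface checks."""

    def __init__(self, name: str, clock=time.monotonic):
        self.name = name
        self._clock = clock                    # injectable for testing
        self._salt = os.urandom(16)
        self._hash = _derive(FACTORY_DEFAULT, self._salt)
        self.must_change = True                # first logon forces a change
        self._failures = 0
        self._locked_until = 0.0

    def _matches(self, password: str) -> bool:
        return hmac.compare_digest(_derive(password, self._salt), self._hash)

    def login(self, interface: str, password: str) -> str:
        """Return 'ok', 'change_required' (no session yet) or 'denied'."""
        if interface not in INTERFACES:
            raise ValueError(f"unknown interface {interface!r}")
        now = self._clock()
        if now < self._locked_until:
            raise AccountLocked(f"locked for another {self._locked_until - now:.0f}s")
        if not self._matches(password):
            self._failures += 1
            if self._failures >= MAX_FAILURES:     # lockout defeats short-password brute force
                self._locked_until = now + LOCKOUT_SECONDS
                self._failures = 0
            return "denied"
        self._failures = 0
        return "change_required" if self.must_change else "ok"

    def change_password(self, current: str, new: str) -> None:
        """Validate before touching the store so a bad reset leaves the old hash intact."""
        if not self._matches(current):
            raise PermissionError("current password incorrect")
        validate_policy(new)
        self._salt = os.urandom(16)
        self._hash = _derive(new, self._salt)
        self.must_change = False                # applies to web, telnet and vnc alike


if __name__ == "__main__":
    acct = Account("Administrator")
    print(acct.login("web", FACTORY_DEFAULT))                # change_required
    acct.change_password(FACTORY_DEFAULT, "Plant-Ops!2011#water")
    print(acct.login("vnc", FACTORY_DEFAULT))                # denied: no per-interface default left
    print(acct.login("telnet", "Plant-Ops!2011#water"))      # ok
```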


Update - Siemens Says It Will Patch Remote Authentication Holes

After first denying their existence, a Siemens spokesman acknowledged on Thursday that his company was aware of a series of security vulnerabilities in its software that could allow remote attackers to take control of industrial control systems.

Siemens issued a statement in response to complaints by security researcher Billy Rios that it was trying to cover up reported software holes in its Simatic WinCC HMI (human machine interface) software. The company said it was aware of "vulnerabilities in some of its automation products" and was working on fixing the issues. Siemens said patches for the holes will be issued in January.


Update - Anonymous publishes Israeli SCADA log-in details

A member of the Anonymous hacktivist collective has published a list of Internet-facing Israeli SCADA (supervisory control and data acquisition) systems and alleged log-in details.

The user, who uses the Twitter handle of FuryOfAnon, posted the information on Pastebin with the message: "Who wanna have some fun with israeli scada systems?"

The pastebin post contains a list of IP-based URLs that allegedly correspond to Web administration interfaces of systems that are used to monitor automated equipment in industrial facilities.

Most of the URLs in the original post are no longer accessible. However, the hacker has since released a second list which contains newly found Israeli SCADA systems.

"Find their systems. Login using default logins ('100' being the password)" FuryOfAnon said. In December 2011, Google security engineer Billy Rios, disclosed that the default Web log-in credentials for the Siemens SIMATIC SCADA software are Administrator:100.

The same default log-in credentials might have been used by a hacker named pr0f to access a South Houston water utility's SCADA back in November 2011. The hacker claimed at the time that the system was protected by a three-character password.

FuryOfAnon's original Pastebin post also contains a list of email addresses and passwords belonging to people from the Israeli Ministry of Defense, Ministry of Foreign Affairs, Ministry of Health and the Israel Defense Forces (IDF). It's not clear if those also serve as log-in details for the listed SCADA systems.


Update - Hoping to Teach a Lesson, Researchers Release Exploits for Critical Infrastructure Software

A group of researchers has discovered serious security holes in six top industrial control systems used in critical infrastructure and manufacturing facilities and, thanks to exploit modules they released on Thursday, have also made it easy for hackers to attack the systems before they're patched or taken offline.

The vulnerabilities were found in widely used programmable logic controllers (PLCs) made by General Electric, Rockwell Automation, Schneider Modicon, Koyo Electronics and Schweitzer Engineering Laboratories.


Update - New Tool Will Automate Password Cracks on Common SCADA Product

The fallout from last month's S4 Conference continues in February, with a planned Valentine's Day release of tools that make it easy to test and exploit vulnerable programmable logic controllers and other industrial control systems. Among the releases will be a tool for cracking passwords on the common ECOM programmable logic controllers by Koyo Electronics, a Japanese firm, according to a blog post by Reid Wightman for Digital Bond.

Writing on Wednesday, Wightman said that a Valentine's Day release would include a 'module to brute-force' passwords for Koyo's ECOM and ECOM100 PLCs. Researchers revealed that those devices have limited password space (forcing customers to implement short, weak passwords) and, even worse, no lockout or timeout feature to prevent multiple login attempts used in brute force attacks.

By marrying their vulnerability research to popular (and free) testing tools, the researchers hope to turn up the heat on vendors who, they claim, have created vulnerable, buggy products and then turned a deaf ear to complaints from independent security researchers and customers...


Update – Project Basecamp adds Stuxnet-type attack module to Metasploit

Project Basecamp, a volunteer effort to expose security holes in industrial control system software, unveiled new modules on Thursday to exploit holes in common programmable logic controllers (PLCs). The new exploits, which are being submitted to the Metasploit open platform, include one that carries out a Stuxnet-type attack on programmable logic controllers made by the firm Schneider Electric.

The new Basecamp module shows that downloading the ladder logic from the Modicon Quantum PLC is trivial, because the PLC does not require authentication.

“It is a bit baffling and a failure by all in the ICS community that 571 days have passed since Ralph Langner exposed the PLC attack nature of Stuxnet and there is still almost total inaction on the ladder logic upload/download authentication issue — and by extension the critical command authentication issue,” Peterson wrote on the Digital Bond Web site.

“Anyone with network access can do it,” Peterson said. “An owner/operator with a Modicon Quantum can have no assurance of the integrity of their SCADA or DCS.”


Update – Tough Love Triumphs: SCADA Vendor Koyo Fixes Basecamp Bugs

Industrial control system vendor Koyo moved to fix vulnerabilities in its ECOM brand programmable logic controllers (PLCs) after researchers, in January, revealed that the devices were vulnerable to brute force password guessing attacks.

The Department of Homeland Security’s ICS (Industrial Control System) CERT issued an advisory on Wednesday saying that the company issued a patch for affected ECOM modules that disables a vulnerable Web server and adds a “timeout” feature to prevent brute force attacks on the device password.


Update – Backdoor in mission-critical hardware threatens power, traffic-control systems

In the world of computer systems used to flip switches, open valves, and control other equipment inside giant electrical substations and railroad communications systems, you’d think the networking gear would be locked down tightly to prevent tampering by vandals. But for customers of Ontario, Canada-based RuggedCom, there’s a good chance those Internet-connected devices have backdoors that make unauthorized access a point-and-click exercise.

That’s because equipment running RuggedCom’s Rugged Operating System has an undocumented account that can’t be modified and a password that’s trivial to crack. What’s more, researchers say, for years the company hasn’t bothered to warn the power utilities, military facilities, and municipal traffic departments using the industrial-strength gear that the account can give attackers the means to sabotage operations that affect the safety of huge populations of people.

“You treat these embedded appliances as a device that you don’t have a window to see into,” says researcher K. Reid Wightman of industrial machinery, which is often designed to withstand extreme heat and cold, dust, and other brutal conditions where they’re housed. “You can’t really patch it. You have to rely on the vendor to do the right thing when they set the device up and when they install the OS. And the vendor really fell down on this one.”

The backdoor uses the login ID of “factory” and a password that’s recovered by plugging the MAC, or media access control, address of the targeted device into a simple Perl script, according to this post published on Monday to the Full Disclosure security list. To make unauthorized access easy, paying customers of the Shodan computer search engine can find the IP numbers of more than 60 networks that use the vulnerable equipment. The first thing users who telnet into them see, as the picture above demonstrates, is its MAC address.

More – Equipment Maker Caught Installing Backdoor Account in Control System Code

“If the vendor actually had played along and wanted to fix this and responded in a timely manner, this would have been perfect,” Clarke said. “I wouldn’t have gone full-disclosure.”


Update – Researcher releases smart meter hacking tool

The tool, called Termineter, is available for public download from SecureState's website and will be demonstrated at the BSides security event in Las Vegas next week. The company had earlier sent out a stripped down version of the tool to a limited number of individuals.

Security consultancy InGuardians had planned to publicly release details of a similar tool called OptiGuard at the Shmoocon security conference a few months ago. The company however pulled the talk at the last minute after an unnamed smart grid vendor and several utilities expressed concern that the tool would allow hackers to exploit vulnerable smart meters.


Update – ICS-CERT: Siemens Synco OZW web server vulnerability

Siemens has reported to ICS-CERT that a default password vulnerability exists in the Siemens Synco OZW Web Server device used for building automation systems. Siemens urges their customers to set a secure password on their device’s web interface. This vulnerability could be exploited remotely.

For the listed products, all firmware versions prior to Version 4 do not force users to change their password on initial login.


Update – U.S. looks into claims of security flaw in Siemens gear

The U.S. government is looking into claims by a cyber security researcher that flaws in software for specialized networking equipment from Siemens could enable hackers to attack power plants and other critical systems.

The Department of Homeland Security said in an alert released on Tuesday that it had asked RuggedCom to confirm the vulnerability that Clarke, a 30-year-old security expert who has long worked in the electric utility field, had identified and identify steps to mitigate its impact.

RuggedCom, a Canadian subsidiary of Siemens that sells networking equipment for use in harsh environments such as areas with extreme weather, said it was investigating Clarke's findings, but declined to elaborate.

Clarke said that the discovery of the flaw is disturbing because hackers who can spy on communications of infrastructure operators could gain credentials to access computer systems that control power plants and other critical systems.

"Clarke obtained RuggedCom's products by purchasing them through eBay."

More - ICS-ALERT-12-234-01 (PDF)

ICS-CERT is aware of a public report of hard-coded RSA SSL private key within RuggedCom’s Rugged Operating System (ROS). The vulnerability with proof-of-concept (PoC) exploit code was publicly presented by security researcher Justin W. Clarke of Cylance Inc. According to this report, the vulnerability can be used to decrypt SSL traffic between an end user and a RuggedCom network device.

ICS-CERT notified the affected vendor of the report and asked the vendor to confirm the vulnerability and identify mitigations. ICS-CERT is issuing this alert to provide early notice of the report and identify baseline mitigations for reducing risks to these and other cybersecurity attacks.


Update – Hard-coded password leaves GarrettCom infrastructure switches open to attack, ICS-CERT Warns

The Department of Homeland Security is warning users of some of GarrettCom's switches that there is a hard-coded password in a default account on the devices, which are deployed in a number of critical infrastructure industries, that could allow an attacker to take control of them.

"The Magnum MNS-6K Management Software uses an undocumented hard-coded password that could allow an attacker with access to an established device account to escalate privileges to the administrative or full-access level. While an attacker must use an established account on the device under attack, this vulnerability facilitates the circumvention of physical-connect safeguards and could allow complete administrative level access to the system, compromising system confidentiality, integrity, and availability," the ICS-CERT advisory says.

"Successful exploitation of this vulnerability from an established account on the system could allow escalation of privileges to full administrative access. The privilege escalation could provide the attacker a vector for making changes to settings, or initiating a complete device shutdown causing a denial of service (DoS)."

GarrettCom's switches are used in a variety of industries, including transportation, utilities and defense. The company issued a new version of the affected software in May, but didn't note that the fix for this vulnerability was included in it.


Update – Telvent Hit by Sophisticated Cyber-Attack, SCADA Admin Tool Compromised

A company that supplies remote administration and monitoring tools to the energy sector has warned customers it was a victim of sophisticated advanced persistent threat.

Telvent Canada discovered on Sept. 10 its internal firewall and security systems had been breached and notified its customers of the incident last week, Brian Krebs, the security expert behind, first reported on Wednesday. It's not clear when the initial breach occurred, and the incident itself was still under investigation. Telvent had disconnected the clients and affected portions of its internal networks as a precautionary measure, according to the report.

"Every energy company in the Fortune 100 relies on our systems and information to manage their business, even in the most complex and volatile market conditions," Telvent claims on its Web site. "Telvent systems now manage more than 60 percent of the total hydrocarbon movements in North American and Latin American pipelines," they add.

After breaching the network and installing malware, the attackers stole project files related to the OASyS SCADA product, a remote administration tool, Telvent said. OASyS allows companies to combine older IT equipment with modern "smart grid" technologies.

It's possible the attackers wanted the code in order to find vulnerabilities in the software to launch future attacks against other energy companies directly. It's reminiscent of how it turned out attackers targeted RSA Security and stole information relating to the SecureID technology in order to launch attacks against defense contractors, Ghosh said.


Update – ICS-ALERT-12-284-01 - Exploit released to hack solar energy plants

ICS-CERT - Industrial Control Systems Cyber Emergency Response Team has released the Advisory titled ICS-ALERT-12-284-01 - Sinapsi eSolar Light Multiple Vulnerabilities. It reports multiple vulnerabilities, with proof-of-concept (PoC) exploit code, affecting the Sinapsi eSolar Light Photovoltaic System Monitor, which is a supervisory control and data acquisition (SCADA) monitoring product.

The US Department of Homeland Security is warning about vulnerabilities in a common SCADA (supervisory control and data acquisition) package that is used to remotely monitor and manage solar energy-generating power plants.

"According to researchers Roberto Paleari and Ivan Speziale, the vulnerabilities are exploitable remotely by authenticating to the service using hard-coded credentials."



*All views and opinions expressed in ESG blog posts are intended to be those of the post's author and do not necessarily reflect the views of Enterprise Strategy Group, Inc., or its clients. ESG bloggers do not and will not engage in any form of paid-for blogging.



Dan Ducey handles everything from routine system setup, data backup, and platform maintenance to advanced troubleshooting of network elements, endpoint devices, and servers. He plays a lead role in moving mission-critical databases across platforms—including a cloud-based infrastructure as the business evolves—designing import/export routines and protecting against downtime.

Dan evaluates products to determine if they fit a business need and researches social media platforms for productivity-enhancing potential. He proactively reinforces ESG’s infrastructure to protect the company from threats, and he supports internal training, including writing, producing, editing, and handling post-production work for training materials.

“I do not fear computers. I fear lack of them.” - Isaac Asimov
