As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).
Eric Byres and I have tested the vulnerabilities and today we are releasing a White Paper that analyses the ones regarding ICONICS GENESIS32 and GENESIS64 products. The paper summarizes both the current known facts about the vulnerabilities and the actions that operators of SCADA and ICS systems can take to protect critical systems.
While there are no known viruses, worms, attack tools or automated exploit modules using the ICONICS GENESIS vulnerabilities, they do represent a significant threat. At a minimum, they can be used to crash a server, causing a denial-of-service condition and loss of view in the control system.
More serious consequences could occur if an experienced attacker exploited them to gain system access and then injected additional payloads or malicious code into key control system servers.
Though these vulnerabilities do not compromise any mechanical or process equipment directly, subsequent payloads could be used to damage the underlying plant, including equipment sabotage.
What Steps Should Operators Take?
The White Paper provides six actions (also known as compensating controls) that users of ICONICS GENESIS products should take to protect their systems. Operators of other HMI products are advised to consider similar measures.
You will have to download the paper to read all the recommendations, but there is one aspect of the vulnerabilities that is important to understand - any malware or attack exploiting these vulnerabilities would be difficult to detect or prevent since they would be using "valid" communications with the targeted server. Interestingly, this was also a feature of Stuxnet – that worm made use of the same protocols that the Siemens PCS7 systems used for normal communications, allowing the worm to “stay under the radar” and not be detected.
In a typical ICS network environment, additional risk comes from the fact that once inside the primary ICS firewall, any device on the network can send messages that exploit the vulnerabilities.
For example, a contractor laptop with no valid reason to access the GENESIS computers could still send messages to the vulnerable servers if it is attached to the control network. If the laptop was infected with a worm designed to exploit these vulnerabilities, a successful attack would be trivial.
For this reason, I am recommending that industrial firewalls are installed in-line between the GENESIS host computer and the nearest switch. Specifically, an industrial firewall is recommended, due to the high-risk exposure of these services from both less-trusted remote networks and from the local and trusted control system network.
The firewall should be configured with a rule set that allows traffic only from authorized GENESIS hosts using the specific services/ports needed for the ICONICS product to operate. In case you don’t know what ports are in use by the GENESIS system (or even what TCP ports are), a firewall with automated learning features is highly recommended.
(Warning, Byres Security product pitch coming)
The Tofino Security Appliance installed with the Tofino Firewall and Tofino Secure Asset Management LSMs (Loadable Software Modules) is specifically designed to provide this level of protection from unknown threats. If OPC communication is used in the control network, then the Tofino OPC Enforcer LSM is also recommended.
Download the White Paper
If you would like to learn more about the ICONICS GENESIS vulnerabilities, download the White Paper:
“Analysis of the ICONICS GENESIS Security Vulnerabilities for Industrial Control System Professionals” (157kb)
Note: you need to be a member of tofinosecurity.com to have access to the paper. Register here to become a member.
This article was written in collaboration with Eric Byres.