Wednesday, November 9, 2011

Are Web Services a Dumb Idea???

I recently read a blog post by Reid Wightman on the @DigitalBond site entitled "When Web Services are a Dumb Idea". It seems that the folks at Digital Bond are on some kind of mission to create a list of "insecure ICS products", which might not necessarily be a bad idea, but at least we need to be sure that everyone is being evaluated against the same criteria.

First off, I have to apologize to Dale for my comment on this post, as I did not see that it was written by Reid and incorrectly referenced Dale in my response. I have copied my "edited" response from the @DigitalBond site below:
After reading Reid's interesting post, I thought it would be nice to bring two useful points into the conversation.

First, you need to expand your concept of an "embedded web server" beyond something a user reaches by launching a browser and entering the device's URL. Vendors actually embed web servers (HTTP daemons) for a number of other reasons, such as licensing and "internal use" interfaces that no operator ever browses to, and many of these vendors are leaders in the industry, both from a functional and a security point of view!

Case in point: Honeywell, clearly one of the leaders in terms of commitment to security and one of the market leaders in ICS, ships the SafeNet Sentinel License Monitor, an embedded application that provides an HTTP daemon on its Experion nodes (R31x was the last release in which I verified it was still present) for "internal use". Vulnerabilities in this app were originally disclosed by Luigi Auriemma, and when I mentioned to Honeywell that they were running a vulnerable service on 6002/tcp, their response was that it was "hidden" behind the Windows Firewall and that they did not need to provide any further patches. A poor response, considering that some of their "default accounts" allowed me to disable the firewall and expose this vulnerable service!

I also disclosed this exact same vulnerability to Iconics in their Genesis32 HMI package this past March, after reviewing some of the exploits disclosed by Luigi Auriemma.

So it is clear that there are a lot more web servers, or more precisely HTTP daemons, running than one might expect! During your next assessment, check whether any of these services are listening on the hosts you touch, including the ones that are only shielded by the host firewall, since a firewall rule is all that stands between them and the network!
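One way to carry out that check on a Windows node, as an added example that is not code from the original post or from any vendor: take the TCP listeners from netstat -ano, banner-grab each one over loopback (the host firewall does not filter loopback traffic, so a daemon the vendor calls "hidden" still answers locally), and flag every HTTP daemon bound to all interfaces, because only the firewall keeps those off the network. The netstat text, the port and PID values, and the "ToyLicenseMonitor" daemon that plays the part of an embedded license service are all constructed for this example.

```python
import re
import socket
import subprocess
import sys
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample of `netstat -ano` output; not a capture from any real system.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       880
  TCP    0.0.0.0:6002           0.0.0.0:0              LISTENING       2468
  TCP    127.0.0.1:8081         0.0.0.0:0              LISTENING       3120
  TCP    192.168.1.10:49158     192.168.1.20:445       ESTABLISHED     4
  UDP    0.0.0.0:161            *:*                                    1204
"""

LISTEN_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+\S+\s+LISTENING\s+(\d+)\s*$", re.M)


def parse_listeners(netstat_text):
    """TCP listeners as (bind_address, port, pid); IPv6 listeners show up as [::]."""
    return [(addr, int(port), int(pid)) for addr, port, pid in LISTEN_RE.findall(netstat_text)]


def http_banner(host, port, timeout=2.0):
    """Send a minimal HTTP/1.0 HEAD request. Returns (status_line, server_header)
    if the port speaks HTTP, None if it is closed or answers with something else."""
    request = b"HEAD / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n"
    data = b""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            s.sendall(request)
            try:
                while len(data) < 4096:
                    chunk = s.recv(1024)
                    if not chunk:
                        break
                    data += chunk
            except socket.timeout:
                pass  # keep whatever arrived before the peer went quiet
    except OSError:
        return None
    if not data.startswith(b"HTTP/"):
        return None
    lines = data.split(b"\r\n\r\n", 1)[0].decode("latin-1").split("\r\n")
    server = ""
    for line in lines[1:]:
        if line.lower().startswith("server:"):
            server = line.split(":", 1)[1].strip()
    return lines[0], server


def audit(listeners, probe_host="127.0.0.1"):
    """Probe each listener over loopback and report the HTTP daemons found. A daemon bound
    to 0.0.0.0 or [::] is reachable from the network the moment the host firewall is off."""
    findings = []
    for addr, port, pid in listeners:
        banner = http_banner(probe_host, port)
        if banner is None:
            continue
        findings.append({
            "port": port, "pid": pid, "status": banner[0], "server": banner[1],
            "network_exposed_if_firewall_off": addr in ("0.0.0.0", "[::]"),
        })
    return findings


class _ToyDaemon(BaseHTTPRequestHandler):
    """Stand-in for an embedded license/monitor daemon so the audit runs offline."""
    def version_string(self):
        return "ToyLicenseMonitor/1.0"  # hypothetical banner, not any vendor's product

    def do_HEAD(self):
        self.send_response(200)
        self.end_headers()

    do_GET = do_HEAD

    def log_message(self, *args):
        pass


def start_toy_daemon():
    """Start the toy daemon on an ephemeral loopback port and return that port."""
    srv = HTTPServer(("127.0.0.1", 0), _ToyDaemon)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv.server_address[1]


if __name__ == "__main__":
    if sys.platform == "win32":
        text = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
    else:
        text = SAMPLE_NETSTAT  # nothing real to probe here; the sample ports are just closed
    for finding in audit(parse_listeners(text)):
        print(finding)
```

Run it locally on the node under test (it needs no privileges beyond reading netstat); any finding with a Server header you do not recognise and network_exposed_if_firewall_off set to True is exactly the situation described above, where a single firewall rule is the only control. Pair the output with `netsh advfirewall show allprofiles` so the report states which profile is enforcing that rule.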

My next point is that I was initially drawn to this post because of the term "web services" in the title. After reading it, however, it was clear that Reid was not talking about web SERVICES but rather web SERVERS.

Vendors have been using web "services" for some time now because they offer a reasonably secure and convenient means of inter-application communication, both locally and remotely across firewalls, when integration with enterprise applications is required: the messages are XML documents that follow the SOAP standard and travel over HTTP or HTTPS, so they pass through firewalls that already permit web traffic. (Of course, the recent news that researchers have broken the W3C XML Encryption standard, a chosen-ciphertext attack by Tibor Jager and Juraj Somorovsky that uses the receiving service's response to a tampered CBC ciphertext to recover the plaintext, does add a twist here!)
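To make that parenthetical concrete, here is an added example (not code from the original post, and not the published attack itself): it shows why a service that decrypts a CBC ciphertext and only then parses the XML acts as an oracle, and how rejecting unauthenticated ciphertext before decryption closes it. A four-round keyed Feistel cipher built on SHA-256 stands in for AES so the block runs with the standard library alone; the key, IV and the <v>41</v> payload are constructed values, and the malleability shown depends only on CBC mode, not on the cipher.

```python
import hashlib
import hmac
import xml.etree.ElementTree as ET

BLOCK = 16


# Toy 128-bit block cipher: a 4-round keyed Feistel network over SHA-256.
# Assumption: it stands in for AES-128; the oracle below depends only on CBC mode.
def _f(key, rnd, half):
    return hashlib.sha256(key + bytes([rnd]) + half).digest()[:8]


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def block_encrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in range(4):
        l, r = r, _xor(l, _f(key, rnd, r))
    return l + r


def block_decrypt(key, blk):
    l, r = blk[:8], blk[8:]
    for rnd in reversed(range(4)):
        l, r = _xor(r, _f(key, rnd, l)), l
    return l + r


def cbc_encrypt(key, iv, pt):
    n = BLOCK - len(pt) % BLOCK
    pt = pt + bytes([n]) * n  # PKCS#7-style padding, as XML Encryption's CBC modes use
    out, prev = b"", iv
    for i in range(0, len(pt), BLOCK):
        prev = block_encrypt(key, _xor(pt[i:i + BLOCK], prev))
        out += prev
    return out


def cbc_decrypt(key, iv, ct):
    out, prev = b"", iv
    for i in range(0, len(ct), BLOCK):
        blk = ct[i:i + BLOCK]
        out += _xor(block_decrypt(key, blk), prev)
        prev = blk
    n = out[-1]
    if not 1 <= n <= BLOCK or out[-n:] != bytes([n]) * n:
        raise ValueError("bad padding")
    return out[:-n]


def vulnerable_consumer(key, iv, ct):
    """Decrypt, then parse. True if the plaintext is well-formed XML, False otherwise.
    In a SOAP service that difference surfaces as a fault vs. a normal reply: the oracle."""
    try:
        ET.fromstring(cbc_decrypt(key, iv, ct).decode("utf-8"))
        return True
    except (ValueError, ET.ParseError):  # UnicodeDecodeError is a ValueError
        return False


def seal(enc_key, mac_key, iv, pt):
    """Encrypt-then-MAC: the tag covers both IV and ciphertext."""
    ct = cbc_encrypt(enc_key, iv, pt)
    return ct, hmac.new(mac_key, iv + ct, hashlib.sha256).digest()


def hardened_consumer(mac_key, tag):
    """Consumer that verifies the tag before touching the ciphertext. Every tampered
    message gets the same answer (None), so the XML parser never becomes an oracle."""
    def consumer(key, iv, ct):
        expected = hmac.new(mac_key, iv + ct, hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            return None
        return vulnerable_consumer(key, iv, ct)
    return consumer


def probe(key, iv, ct, consumer, delta=0x01):
    """Flip one bit of each IV byte in turn. In CBC, IV byte i is XORed straight into
    plaintext byte i of the first block, so the consumer's answer depends on the plaintext."""
    answers = []
    for i in range(BLOCK):
        iv2 = iv[:i] + bytes([iv[i] ^ delta]) + iv[i + 1:]
        answers.append(consumer(key, iv2, ct))
    return answers


if __name__ == "__main__":
    key, mac_key, iv = b"k" * 16, b"m" * 16, bytes(range(16))  # constructed values
    ct, tag = seal(key, mac_key, iv, b"<v>41</v>")
    print(probe(key, iv, ct, vulnerable_consumer))             # True only at bytes 3 and 4
    print(probe(key, iv, ct, hardened_consumer(mac_key, tag)))  # None sixteen times
```

Against the vulnerable consumer the probe answers True exactly where the one-bit change still yields well-formed XML (the two digits of the element content) and False for the tag characters and the padding bytes, so an attacker who never holds the key already learns where the data sits inside the ciphertext; the published attack drives the same oracle with chosen differences to recover every byte. The hardened consumer returns None for all sixteen tampered messages because the tag check fails before any decryption. In XML Encryption terms the equivalent fixes are verifying an XML Signature over the ciphertext before decrypting it, or using the AES-GCM algorithms added in XML Encryption 1.1.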

Vendors have been moving more and more to a service-oriented architecture (SOA) to support better communication between applications from different vendors. One such implementation was the OPC XML-DA standard released in 2004, and more recently the OPC Unified Architecture (UA) standard, which also offers an XML/SOAP web service binding alongside its binary UA TCP transport! Now, remember that one of the drivers behind OPC UA was improved integration with non-Microsoft platforms, including process-level devices. So it is not difficult to see that most leading ICS vendors will have some form of web SERVICE running inside the ICS application framework, and in the near future, as OPC UA is released in more devices, this will include Level 0 and Level 1 devices as well. The OPC Foundation used the phrase "From the Controller to the Cloud" to describe OPC UA, and when I just visited their product page I saw that they are currently testing OPC UA for QNX and VxWorks, so expect it to show up in controllers soon! Several leading ICS vendors have also tested, or are in the process of testing, their OPC UA interfaces for their ICS Level 2 hosts.

Comments:

  1. I just want to clarify that XML/SOAP via web services is just one of the possible protocol bindings of OPC UA.

    The preferred protocol binding is OPC UA Binary / UA Secure Conversation / UA TCP which is the optimized binary version.

    The binary protocol is the required protocol for the "Standard UA Server Profile".
    See http://www.opcfoundation.org/profilereporting

    All embedded OPC UA servers will provide the binary protocol binding. I am not aware of any embedded OPC UA Server that supports the XML/SOAP protocol binding.

    Matthias Damm
    OPC UA working group
