Tuesday, March 18, 2014

Recent development of ICS exploits continues upward trend of security research

In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.

The vision of SCADAhacker.com is to assemble in a single location details relating to disclosures and exploits - as was demonstrated initially by my reference page (http://scadahacker.com/vulndb/ics-vuln-ref-list.html). This page became an overwhelming task to keep current - but rest assured it is still on the plate to update and maintain!

I wanted to provide a quick update of some recent developments in terms of disclosures, advisories and availability of usable exploit modules for some recent ICS systems. The vulnerability details are obtained via the Open-Source Vulnerability Database (OSVDB) project, exploit source code via Exploit-DB, and advisories published by ICS-CERT.

     Vuln Details
     Exploit Module - published Dec. 3, 2013 (disclosure Apr. 5, 2013)
     MSF Reference -
     ICS-CERT (none published)
     Vendor Advisory

General Electric Proficy CIMPLICITY
     Vuln Details (none available)
     Exploit Module - published Feb. 28, 2014 (disclosure Jan. 23, 2014)
     MSF Reference -   
     Vendor Advisory (adv1 , adv2)

WellinTech KingSCADA
     Vuln Details
     Exploit Module - published Feb. 11, 2014 (disclosure Jan. 14, 2014)
     MSF Reference -
     ICS-CERT
     Vendor Advisory (none published)

Yokogawa Centum CS
     Vuln Details (v1 , v2)
     Exploit Modules (e1 , e2) - published Mar. 12, 2013 (disclosure Mar. 10, 2014)
     MSF References -
     Vendor Advisory
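The listing above is exactly the disclosure-to-exploit tracking the post describes as situational awareness. The Python script below is an added example, not the site's reference page or any tool of the author: it transcribes the four entries above as they are written, computes the number of days between public disclosure and availability of an exploit module, and flags any entry whose exploit date precedes its disclosure date so that it is checked before it drives a decision. The 30-day "fast" threshold, the bucket names and the encoding of the ICS-CERT column are assumptions of the example.

```python
"""Disclosure-to-exploit lag report for an ICS vulnerability watch list.

Added example, not the page's own tooling. The four rows are transcribed from
the listing above; the lag calculation, thresholds and sanity checks are
assumptions of this example, chosen to show how a tracker would flag entries.
"""
from dataclasses import dataclass
from datetime import date, datetime
from statistics import median
from typing import Dict, List, Optional


@dataclass(frozen=True)
class IcsEntry:
    product: str
    disclosed: str            # date text as written in the listing, e.g. "Apr. 5, 2013"
    exploit_published: str    # date the public exploit module appeared
    ics_cert: Optional[bool]  # True = advisory listed, False = "none published", None = not stated


# Rows transcribed from the listing; the first entry carries no product name on the page.
LISTING: List[IcsEntry] = [
    IcsEntry("(unnamed in listing)", "Apr. 5, 2013", "Dec. 3, 2013", False),
    IcsEntry("General Electric Proficy CIMPLICITY", "Jan. 23, 2014", "Feb. 28, 2014", None),
    IcsEntry("WellinTech KingSCADA", "Jan. 14, 2014", "Feb. 11, 2014", True),
    IcsEntry("Yokogawa Centum CS", "Mar. 10, 2014", "Mar. 12, 2013", None),
]

FAST_LAG_DAYS = 30  # assumed threshold: exploit within a month of disclosure


def parse_listing_date(text: str) -> date:
    """Parse the listing's 'Mon. D, YYYY' style, e.g. 'Feb. 28, 2014'."""
    return datetime.strptime(text.replace(".", ""), "%b %d, %Y").date()


def exploit_lag_days(entry: IcsEntry) -> int:
    """Days from public disclosure to availability of an exploit module."""
    return (parse_listing_date(entry.exploit_published)
            - parse_listing_date(entry.disclosed)).days


def classify(lag_days: int) -> str:
    """Bucket an entry for triage. A negative lag means the exploit date
    precedes the disclosure date, which is almost always a data-entry error
    in the feed and must be checked before it drives any decision."""
    if lag_days < 0:
        return "CHECK_DATES"
    if lag_days <= FAST_LAG_DAYS:
        return "FAST"
    return "SLOW"


def assess(entries: List[IcsEntry]) -> Dict[str, dict]:
    """Build a per-product report: lag, triage bucket and advisory coverage."""
    report = {}
    for e in entries:
        lag = exploit_lag_days(e)
        report[e.product] = {
            "lag_days": lag,
            "bucket": classify(lag),
            # A public exploit with no ICS-CERT advisory listed means operators
            # may have had no coordinated notice; worth a separate follow-up.
            "ics_cert_missing": e.ics_cert is not True,
        }
    return report


def median_lag(entries: List[IcsEntry]) -> float:
    """Median disclosure-to-exploit lag over entries whose dates are consistent."""
    lags = [exploit_lag_days(e) for e in entries if exploit_lag_days(e) >= 0]
    return median(lags)


if __name__ == "__main__":
    rows = sorted(assess(LISTING).items(), key=lambda kv: kv[1]["lag_days"])
    for product, row in rows:
        note = "  [no ICS-CERT advisory listed]" if row["ics_cert_missing"] else ""
        print(f"{row['bucket']:<11} {row['lag_days']:>5}d  {product}{note}")
    print(f"median lag (consistent entries): {median_lag(LISTING):.0f} days")
```

Run as a script it prints one line per product, shortest lag first. The Yokogawa row lands in the CHECK_DATES bucket because, as transcribed from the listing, its exploit date is a year before its disclosure date; a tracker that silently averaged such a row in would understate the median lag, which is why the median is computed over consistent rows only.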

Of particular interest to me is the Yokogawa Centum CS activity. This represents a significant shift in ICS research from SCADA to traditionally more robust DCS platforms. Rapid7 published a very interesting blog on this activity, with some very detailed information regarding the exploit. It is important to understand that the Centum CS3000 product is at end-of-life. Since it is based on Windows XP (migration to Centum VP is required to support Windows 7), users of this ICS platform will face numerous challenges as Microsoft withdraws support in April 2014. Centum CS3000 R3 was first released in 1998, with Release 3.09 available February 2010. Yokogawa claims to have sold over 7,600 systems worldwide, which likely include installations in most process and manufacturing sectors.

These vulnerabilities target what is called the "Test Function" on the Centum system. This is an offline simulation environment that allows you to test and validate your configuration prior to downloading it to an actual production controller or "Field Control Station". There are numerous risk factors associated with running the Test Function on a production system, and for this reason installations typically enable this feature only on off-line engineering development systems.

I published a vulnerability within the Emerson DeltaV M- and S-Series controllers in March 2013, which was unique as it was one of the first vulnerabilities targeting a DCS controller. There had been numerous vulnerabilities disclosed for SCADA devices like PLCs, but none focused on the DCS product sector which, in my opinion, are the primary ICS systems deployed at the core of all critical process industries.

Feel free to comment or drop me a note if you have any additional information you would like to share.


  1. Your blog has impressive information about SCADA software. Thanks for sharing.

  2. Hi.. your blog is very interesting. Nice to read. Thanks for sharing this