Tuesday, March 18, 2014

Recent development of ICS exploits continues upward trend of security research

In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.


The vision of SCADAhacker.com is to assemble in a single location details relating to disclosures and exploits - as was demonstrated initially by my reference page (http://scadahacker.com/vulndb/ics-vuln-ref-list.html). This page became an overwhelming task to keep current - but rest assured it is still on the plate to update and maintain!

I wanted to provide a quick update of some recent developments in terms of disclosures, advisories and availability of useable exploit modules for some recent ICS systems. The vulnerability details are obtained via the Open-Source Vulnerability Database (OSVDB) project, exploit source code via Exploit-DB, and advisories published by ICS-CERT.

ABB MicroSCADA
     Vuln Details
     Exploit Module - (published Dec. 3, 2013 (disclosure Apr. 5, 2013)
     MSF Reference -
           windows/scada/abb_wserver_exec.rb
     ICS-CERT (none published)
     Vendor Advisory

General Electric Proficy CIMPLICITY
     Vuln Details (none available)
     Exploit Module - published Feb. 28, 2014 (disclosure Jan. 23, 2014)
     MSF Reference -   
          windows/scada/ge_proficy_cimplicity_gefebt.rb
     ICS-CERT 
     Vendor Advisory (adv1 , adv2)

WellinTech KingSCADA
     Vuln Details
     Exploit Module - published Feb. 11, 2014 (disclosure Jan. 14, 2014)
     MSF Reference -
          windows/browser/wellintech_kingscada_kxclientdownload.rb
     ICS-CERT     Vendor Advisory (none published)

Yokogawa Centum CS
     Vuln Details (v1 , v2)
     Exploit Modules (e1 , e2) - published Mar. 12, 2013 (disclosure Mar. 10, 2014)
     MSF References -
          windows/scada/yokogawa_bkhodeq_bof.rb
          windows/scada/yokogawa_bkbcopyd_bof.rb
          dos/scada/yokogawa_logsvr.rb
     ICS-CERT / JP-CERT
     Vendor Advisory

Of particular interest to me is the Yokogawa Centum CS activity. This represents a significant shift in ICS research from SCADA to traditionally more robust DCS platforms. Rapid 7 published a very interesting blog on this activity, with some very detailed information regarding the exploit.  It is important to understand that the Centum CS3000 product is at end-of-life. Since it is based on Windows XP (migration to Centum VP required to support Windows 7), users of this ICS platform will face numerous challenges as Microsoft withdraws support in April 2014.  Centum CS3000 R3 was first released in 1998 with Release 3.09 available February 2010.  Yokogawa claims to have sold over 7,600 systems worldwide that likely have installations in most process and manufacturing sectors.

These vulnerabilities target what is called the "Test Function" on the Centum system. This is an offline simulation environment that allows you to test and validate your configuration prior to downloading to an actual production controller or "Field Control Station". There are numerous risk factors associated with running the Test Function on a production system, and for this reason, installations typically have this feature enabled on off-line engineering development systems.

I published a vulnerability within the Emerson DeltaV M- and S-Series controllers in  March 2013, which was unique as it was one of the first vulnerabilities targeting a DCS controller. There had been numerous vulnerabilities disclosed for SCADA devices like PLCs, but known focused on the DCS product sector which, in my opinion, are the primary ICS systems deployed at the core of all critical process industries.

Feel free to comment or drop me a note if you have any additional information you would like to share.

17 comments:

  1. Your blog has impressive information about  Scada Software. Thanks for Share.

    ReplyDelete
  2. Hi.. your blog is very intersting. Nice to read. Thanks for sharing this

    ReplyDelete
  3. Our expertise and craftsmanship is well fame and we have an extensive variety of involvement in taking care of the necessities of customers all things considered, either from office or to home. By always procuring the notoriety from our clients we are today viewed as the best office interior designers in coimbatore

    ReplyDelete
  4. Our expertise and craftsmanship is well fame and we have an extensive variety of involvement in taking care of the necessities of customers all things considered, either from office or to home. By always procuring the notoriety from our clients we are today viewed as the best modular kitchen coimbatore price

    ReplyDelete
  5. Hello all
    am looking few years that some guys comes into the market
    they called themselves hacker, carder or spammer they rip the
    peoples with different ways and it’s a badly impact to real hacker
    now situation is that peoples doesn’t believe that real hackers and carder scammer exists.
    Anyone want to make deal with me any type am available but first
    I‘ll show the proof that am real then make a deal like

    Available Services

    ..Wire Bank Transfer all over the world

    ..Western Union Transfer all over the world

    ..Credit Cards (USA, UK, AUS, CAN, NZ)

    ..School Grade upgrade / remove Records

    ..Spamming Tool

    ..keyloggers / rats

    ..Social Media recovery

    .. Teaching Hacking / spamming / carding (1/2 hours course)

    discount for re-seller

    Contact: 24/7

    fixitrogers@gmail.com

    ReplyDelete
  6. Thanks for this amazing post its help me a lot to solve my issues click here to download Kinemaster Mod APK

    ReplyDelete
  7. Thank you for writing can I say something for those people who are looking for one of the best website to find details about latest gadget launch, there price, fac3book, dslr full form, USSd code of airtel, idea and protected text like websites so why you are finding, its here read out Sir G.. Pinoy TV

    ReplyDelete
  8. Thanks for your informative article. This article is very informative for us. Thank You for this amazing knowledge.
    Download Call of Duty Mobile Hack Script

    ReplyDelete
  9. Thanks Admin For That Great article. I have read that article so many time for that i have thought its beautifull article ever i have read. you may also like Pinoy Tambayan with out any charge in High Quality.

    ReplyDelete
  10. I want to share a testimony on how Le_Meridian funding service helped me with loan of 2,000,000.00 USD to finance my marijuana farm project , I'm very grateful and i promised to share this legit funding company to anyone looking for way to expand his or her business project.the company is UK/USA funding company. Anyone seeking for finance support should contact them on lfdsloans@outlook.com Or lfdsloans@lemeridianfds.com Mr Benjamin is also on whatsapp 1-989-394-3740 to make things easy for any applicant. 

    ReplyDelete
  11. Thanks for sharing this good informative article admin.

    Do checkout vasthi's Portable Hydrogen Purity Analyzer: Model VHP- 200 is a light weight, easy to handle, battery-powered analyzer, used to verify measurements.

    ReplyDelete
  12. Very good info provided in the article, thanks for sharing
    Also do checkout hydrogen puriy analyzer by Vasthi which is a light weight, easy to handle, battery-powered analyzer.

    ReplyDelete
  13. Pinoy Teleserye, Pinoy Tambayan,Pinoy Tv Replay, Pinoy Lambingan, Pinoy1tv, Pinoy Tv Shows Replay, Pinoy ako.

    ReplyDelete
  14. As you know this is an extensively playing lottery in West Bengal, India. It is the first lottery game, which draws 3 times a day in Nagaland. The first result called, lottery Sambad result morning, second is Sambad lottery result 4 pm and the last result called lottery Sambad night

    ReplyDelete