In performing my daily rounds on news feeds and websites, I noticed a lot of recent developments in open-source exploit modules targeting industrial control systems. One very important part of a well-rounded ICS Security Management System (IACS-SMS per ISA 62443 terminology) is situational awareness of the actual risks facing industrial systems in terms of both vulnerabilities disclosed and the ease in converting these proof-of-concept (PoC) disclosures into workable exploit modules.
The vision of SCADAhacker.com is to assemble in a single location details relating to disclosures and exploits, as was demonstrated initially by my reference page (http://scadahacker.com/vulndb/ics-vuln-ref-list.html). This page became an overwhelming task to keep current, but rest assured it is still on the plate to update and maintain!
I wanted to provide a quick update on some recent developments in terms of disclosures, advisories and the availability of usable exploit modules for some recent ICS systems. The vulnerability details are obtained via the Open-Source Vulnerability Database (OSVDB) project, exploit source code via Exploit-DB, and advisories published by ICS-CERT.
Exploit Module - published Dec. 3, 2013 (disclosure Apr. 5, 2013)
MSF Reference -
ICS-CERT (none published)

General Electric Proficy CIMPLICITY
Vuln Details (none available)
Exploit Module - published Feb. 28, 2014 (disclosure Jan. 23, 2014)
MSF Reference -
Vendor Advisory (adv1, adv2)

Exploit Module - published Feb. 11, 2014 (disclosure Jan. 14, 2014)
MSF Reference -
ICS-CERT Vendor Advisory (none published)

Yokogawa Centum CS
Vuln Details (v1, v2)
Exploit Modules (e1, e2) - published Mar. 12, 2013 (disclosure Mar. 10, 2014)
MSF References -
ICS-CERT / JP-CERT
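The situational-awareness point of the list above is the gap between a disclosure and a usable exploit module, and whether any advisory exists to act on in that window. The following is an added example (not code from SCADAhacker.com) that models the entries above as tracking records and computes the exploit lag and risk flags for each. The dates and advisory availability are taken from the list; the two entries whose product names did not survive on the page are labelled as such, the record layout and flag names are my own assumptions, and a negative lag (exploit published before the recorded disclosure, as the Yokogawa entry reads) is flagged as a data inconsistency to verify rather than silently accepted.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, List, Set


@dataclass
class IcsVulnRecord:
    """One row of an ICS disclosure/exploit tracking list (hypothetical layout)."""
    product: str
    disclosed: date            # public disclosure date
    exploit_published: date    # date a working exploit module became public
    advisories: Set[str] = field(default_factory=set)  # e.g. {"ICS-CERT", "vendor"}


# Records built from the entries in the post; product names for two entries are
# not preserved on the page, so they are labelled rather than guessed.
RECORDS: List[IcsVulnRecord] = [
    IcsVulnRecord("(product name not preserved)", date(2013, 4, 5), date(2013, 12, 3), set()),
    IcsVulnRecord("GE Proficy CIMPLICITY", date(2014, 1, 23), date(2014, 2, 28), {"vendor"}),
    IcsVulnRecord("(product name not preserved)", date(2014, 1, 14), date(2014, 2, 11), set()),
    IcsVulnRecord("Yokogawa Centum CS", date(2014, 3, 10), date(2013, 3, 12), {"ICS-CERT", "JP-CERT"}),
]


def exploit_lag_days(rec: IcsVulnRecord) -> int:
    """Days from disclosure to public exploit; negative means the dates are inconsistent."""
    return (rec.exploit_published - rec.disclosed).days


def assess(rec: IcsVulnRecord, today: date) -> Dict[str, object]:
    """Derive defender-facing flags for one record."""
    lag = exploit_lag_days(rec)
    flags: List[str] = []
    if lag < 0:
        # Exploit date earlier than disclosure date: verify the source data.
        flags.append("exploit_before_disclosure")
    if not rec.advisories:
        # A public exploit with no advisory leaves asset owners without vendor guidance.
        flags.append("no_public_advisory")
    if rec.exploit_published <= today:
        flags.append("public_exploit_available")
    return {
        "product": rec.product,
        "lag_days": lag,
        "advisories": sorted(rec.advisories),
        "flags": flags,
    }


def summarize(records: List[IcsVulnRecord], today: date = date(2014, 3, 31)) -> List[Dict[str, object]]:
    """Assess every record; `today` defaults to the end of the month the post covers."""
    return [assess(r, today) for r in records]


if __name__ == "__main__":
    for row in summarize(RECORDS):
        print(f"{row['product']:<32} lag={row['lag_days']:>5}d "
              f"advisories={row['advisories']} flags={row['flags']}")
```

Run stand-alone it prints one line per entry; the GE entry shows a 36-day window between disclosure and exploit, while the Yokogawa entry is flagged so the dates can be checked against the original sources before being relied on.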
Of particular interest to me is the Yokogawa Centum CS activity. This represents a significant shift in ICS research from SCADA to traditionally more robust DCS platforms. Rapid 7 published a write-up on this activity with some very detailed information regarding the exploit. It is important to understand that the Centum CS3000 product is at end-of-life. Since it is based on Windows XP (migration to Centum VP is required to support Windows 7), users of this ICS platform will face numerous challenges as Microsoft withdraws support in April 2014. Centum CS3000 R3 was first released in 1998, with Release 3.09 available February 2010. Yokogawa claims to have sold over 7,600 systems worldwide, which likely have installations in most process and manufacturing sectors.
These vulnerabilities target what is called the "Test Function" on the Centum system. This is an offline simulation environment that allows you to test and validate your configuration prior to downloading it to an actual production controller or "Field Control Station". There are numerous risk factors associated with running the Test Function on a production system, and for this reason installations typically have this feature enabled only on offline engineering development systems.
I published a vulnerability within the Emerson DeltaV M- and S-Series controllers in March 2013, which was unique as it was one of the first vulnerabilities targeting a DCS controller. There had been numerous vulnerabilities disclosed for SCADA devices like PLCs, but none focused on the DCS product sector, which, in my opinion, comprises the primary ICS systems deployed at the core of all critical process industries.
Feel free to comment or drop me a note if you have any additional information you would like to share.