Introduction to Sabotage Trojans

Attempts to destroy information on computers go back to the era of DOS viruses; several of them encrypted the hard drive.

The first mass epidemic of a sabotage virus was CIH, also known as Chernobyl, a Microsoft Windows virus that first emerged in 1998. It exploited the fact that many motherboards allowed the firmware to be rewritten from software, and used that capability to corrupt the system BIOS, leaving the PC unbootable. The virus was written by Chen Ing-hau, at the time a student at Tatung University in Taiwan. An estimated 60 million computers were infected worldwide, with an estimated $1 billion US in commercial damages.

But the most famous sabotage Trojan is probably Stuxnet, which exploited SCADA vulnerabilities and was designed to damage Iran's uranium enrichment program by destroying centrifuges. It reportedly succeeded in destroying about 1,000 centrifuges, which is not a very impressive number given the size of the blowback and the new threats it created, first of all for Western countries, which use computerized industrial equipment more widely and more often connect it to various networks, sometimes including the Internet.

Stuxnet is interesting not only because of its unprecedented complexity and its targeted attack on industrial systems, but also because it clearly demonstrated that governments are behind efforts to develop malware:

Now widely believed to have been a project of U.S. and Israeli intelligence (U.S. officials have yet to publicly acknowledge a role but have done so anonymously to the New York Times and NPR), Stuxnet was carefully designed to infect multiple systems needed to access and control industrial equipment used in Iran’s nuclear program. The payload was clearly the work of a group with access to government-scale resources and intelligence, but it was made possible by four zero-day exploits for Windows that allowed it to silently infect target computers. That so many precious zero-days were used at once was just one of Stuxnet’s many striking features.

Attacks on SCADA Vulnerabilities

The author is not an expert in SCADA and left the field around 2000, so the information below is mainly of a general nature. SCADA systems have typically lasted anywhere from 15 to 30 years, but because of the steady stream of new technology, more recent systems tend to last a decade or so. In any case, many of those systems are very old and often run long-discontinued versions of operating systems such as Windows NT 4.

One important threat to SCADA systems is the growing connectivity of the internal networks on which they are deployed. Virus epidemics indirectly affecting SCADA systems started with the first network worms, and some enterprises reacted by installing local firewalls restricting the ports and IP addresses from which SCADA systems are accessible. But that proved insufficient against sophisticated malware, which was revealed in

Timeline: 

Stuxnet raised important political and even cultural issues. The first is that it made the term "cyberwarfare" real and launched a spiral of development of "militarized" Trojans. The US government was probably the first to pay attention to this problem, around 2006. See Federal security rules fueling energy company anxiety (September 28, 2006):

The nation’s energy companies are scrambling to meet government regulations going into effect as soon as January that in part are designed to safeguard the computer-based control systems for electricity and gas distribution from cyberattacks.

Top energy IT officials say they are challenged to meet the new rules because the massive systems control and data acquisition (SCADA) systems used to manage their resources increasingly are based on Windows and Unix but weren’t really designed with network security in mind. The systems often don’t work easily with antivirus software and can be tough to patch, they say.

In addition, the SCADA systems increasingly share the same corporate network as other business applications, but the people running the SCADA and voice/data networks are on separate teams. “In companies I’ve seen, they choose to be separate," said Evon Salle, senior information systems auditor at OGE Energy, in Oklahoma City, and a forum participant at the IT Security World Conference here.

Congress took up the cause of greater SCADA security after a massive power blackout in the summer of 2003, passing legislation that has led to the creation of nine Critical Infrastructure Protection (CIP) rules.

These were devised under the aegis of the North American Electric Reliability Council (NERC), the trade group recently chosen by the Federal Energy Regulatory Commission to set mandatory security standards for the energy sector. NERC also is expected to be in charge of rules enforcement, which could include dishing out million-dollar fines for noncompliance.

The CIP rules cover areas such as reporting sabotage, ensuring physical security, monitoring and running antivirus controls, and doing patch updates on all critical assets, including control centers, substations and SCADA systems.

Energy companies say they’re prodding SCADA operations groups to work with the corporate IT departments to impose firewalls, access control, encryption and antivirus controls if they weren’t there before. But technical challenges remain.

“A lot of times you won’t have virus protection in a SCADA environment," Salle said.

“Virus software, such as from McAfee and Symantec, thinks the SCADA system is a virus and that’s why you can’t run it."

The biggest risk is “SCADA not having a firewall, while also having Internet access," she added.

Energy companies acknowledge that their SCADA systems haven’t been immune to virus outbreaks.

“We’ve had viruses hit one of our plants," said Charles Simons, manager of firewall integrity management at BP Global. The company immediately firewalled off its process-control networks and put corporate IT security in control of industrial systems.

Complying with the CIP guidelines to cordon off SCADA and apply a battery of security controls is proving difficult for some.

“It’s quite a culture change for us, especially for substations and generators," said Sharon Edwards, project manager for implementing the cybersecurity guidelines at Duke Energy. So far, Duke Energy hasn’t been able to identify vendors that would help in implementing the enormous log collection and management and other requirements dictated by CIP.

“We may have to develop one ourselves," Edwards said.

That will involve combining expertise in the IT and SCADA groups, she said. “But in SCADA, we haven’t gotten to the place of having good communications," she said, adding, “I don’t think we’re unique in that."

Edwards noted that one idea under discussion for achieving CIP compliance would entail equipping employees with two PCs on their desktop, one for access for secure accounts and the other for e-mail and Internet access.

Several energy companies said they are prodding SCADA vendors, such as Honeywell, Foxboro and Wonderware, to meet the security challenges brought by CIP.

“SCADA systems manage valves and pressures," said Jay White, global architect for information protection, policies and standards, at Chevron’s IT division. “They’re mission-critical. If you lose control over them, you could have an irreversible environmental impact."

Upgrading SCADA systems, often designed to last more than a decade and traditionally proprietary in their underlying software, could prove expensive and energy company customers could wind up footing much of the bill.

“The electric companies will have to pay to implement the standards and it will reflect in the rates," predicted Robert Schainker, technical executive for strategic planning in the office of innovation at Electric Power Research Institute, a nonprofit organization in Palo Alto for research on energy and the environment.

Enforcing the rules

One of the biggest uncertainties about the new security regime is how NERC will carry out its newly acquired mission in network security.

“NERC is no longer a volunteer organization, it’s a regulatory organization," Schainker said, adding that this is appropriate because the industry will benefit from improved network security. “There will be hackers out there, and more terrorists, and we have to be ready to meet these challenges."

Several industry insiders last week acknowledged that SCADA systems, some now Web-based, are known to be open enough to be fairly easily hackable, whether by insiders or outsiders. While some hacking-based disruptions have occurred in SCADA systems, no major cyberattack has occurred.

Schainker predicts that when NERC begins imposing fines for noncompliance, there will be an eruption of lawsuits. In the end, court decisions will probably guide how this new cybersecurity regulation evolves.

Some corporations, including Duke Energy, acknowledge they have fought the imposition of CIP. Their reluctance stems in part from the fact that the Department of Homeland Security is pushing them to supply detailed proprietary information about how they operate.

“There’s a lot of push-back from industry on this," Edwards said.

Meanwhile, the Department of Defense has long worked under a strict regimen for SCADA systems, which exist on Navy ships, said Herbert Armstrong, IT security director at the Navy’s Warfare Training Center in Ingleside, Texas.


“The SCADA systems are subject to review, and we separate them from the rest of the network," Armstrong said. Strong authentication, including the Defense Department's Common Access Card and biometrics, are needed to prove identity to access SCADA systems. “We’re most concerned about the insider threat," he said.

Stuxnet changed the rules of the game and helped to improve the security of SCADA systems worldwide, as it became clear that devastating attacks are possible by reprogramming controllers. Later it became clear that the USA had created 13 "cyberattack" teams (Pentagon's 13 Offensive 'Cyberattack' Teams to Strike Across the World):

General Touts New 'Cyber Cadre's' Attack Capabilities

by Jason Ditz, March 13, 2013

Cyber Command chief General Keith Alexander has unveiled some new information about the nation’s cyberwarfare policy, revealing in a Senate hearing the creation of 13 “cyberattack” teams, which he dubbed part of the “cyber cadre,” that are authorized to engage in preemptive cyberwarfare across the planet.

Alexander sought to downplay the seriousness of this revelation after the fact, insisting that they are “offensive” units, but are aimed primarily at deterrence, and are “analogous to battalions in the Army and Marine Corps.”

Except that the Army and Marine Corps don’t try to build deterrence credibility by launching unilateral attacks on other nations, or at least to the extent that they do, it is unquestionably an act of war, and done publicly.

The Pentagon has repeatedly made it clear they would view such cyberattacks by other nations as no different than any other military attack, but at the same time their own cyberwarfare units are treating offensive operations as a matter of course. Officials have repeatedly complained that such attacks are on the rise from hackers in other nations, but the US seems to be looking not to defend against such attacks, but rather to get in on the fun. 


Old News ;-)

[Oct 02, 2013] Hackers Courted by Government for Cyber Security Jobs

The article is mostly PR, but some tidbits are interesting. The author is incompetent and uses phrases like "agencies were compromised by a Distributed Denial of Service Attack".
Rolling Stone

So far, the truth about the extent of the U.S.’s offensive attacks against other countries has been shadowy at best. There’s Stuxnet, which has yet to be officially attributed to the U.S. (or Israel), and NSA leaker Edward Snowden’s recent claim the U.S. has launched widespread cyberattacks against China. Beyond that, the closest we’ve come was Hillary Clinton’s admission last year of a State Department attack on an Al Qaeda propaganda site in Yemen.


The tensions around this topic are partly because the laws governing cyberwar are still being determined. As Rear Adm. Margaret Klein, chief of staff of Cyber Command, the Ft. Meade-based defense center for U.S. military networks, put it last year,

“Attorneys and scholars face a variety of complex legal issues arising around the use of this new technology.”

But experts are pushing for more offensive measures regardless. The Commission on the Theft of American Intellectual Property concluded that “new options need to be considered.” It seems our government is already heeding the call.

A June leak of a presidential directive from Obama, which had been issued in October, reveals that the U.S. is, at the very least, getting its cyberwarriors in line. In addition to calling for a list of international targets, the directive argued that

“Offensive Cyber Effects Operations... can offer unique and unconventional capabilities to advance U.S. national objectives around the world with little or no warning to the adversary or target and with potential effects ranging from subtle to severely damaging.”

But while the government remains quiet about the existence or extent of their offensive measures, hackers and contractors I spoke with are, albeit cautiously, more forthcoming.

... ... ...

But the government hires private contractors to do such attacks on its behalf as well. The cyberwar underworld is rife with contractors who fashion themselves to be “the Blackwater of the Internet,” as Heid puts it, “information mercenaries…private sector guys who are going on the offensive, but you don’t hear about it.” At least not usually.

[Jun 28, 2013] Retired U.S. General Is Focus of Inquiry Over Iran Leak

June 28, 2013 | NYTimes.com

The former second-ranking officer in the United States military, retired Gen. James E. Cartwright of the Marines, is a target of an investigation into the leak of classified information about American cyberattacks on Iran’s nuclear program, a person familiar with the investigation confirmed Thursday night.

The leak investigation, being carried out by the United States attorney for Maryland, Rod J. Rosenstein, was announced by Attorney General Eric H. Holder Jr. after articles in The New York Times described an ambitious series of cyberattacks under the code name Olympic Games that were intended to slow Iran’s progress toward a nuclear bomb. That General Cartwright is a focus of the leak inquiry was first reported by NBC News.

The general, 63, who served as vice chairman of the Joint Chiefs of Staff from 2007 to 2011, became a favorite adviser of President Obama and was considered an influential voice in the White House on security matters.

A lawyer for General Cartwright, Gregory B. Craig, who served as White House counsel early in the Obama administration, declined to comment.

Marcia Murphy, a spokeswoman for Mr. Rosenstein, declined to confirm or deny whether General Cartwright was being investigated. “We don’t have any comment at all,” Ms. Murphy said.

Since his retirement in 2011, General Cartwright has joined the Center for Strategic and International Studies and has spoken in favor of major cuts in nuclear weapons and warned of possible “blowback” from the use of drone aircraft by the United States in Pakistan and Yemen.

Asked about the NBC News report, Jill Abramson, executive editor of The New York Times, said, “We don’t comment on our confidential sources.”

Since President Obama took office in 2009, seven current or former government officials or contractors have been charged under the Espionage Act with leaking classified information, compared with three under all previous presidents. The seventh person charged was Edward J. Snowden, the former National Security Agency contractor who has acknowledged giving classified documents to The Guardian and The Washington Post.

Press advocates have criticized the unprecedented crackdown on leaks, in which F.B.I. investigators have used e-mail and telephone records to track exchanges between reporters and sources, saying it endangers reporting on national security. But Mr. Obama and Mr. Holder have said that leaks can put American security at risk.

www.cert.be: Attacks on SCADA-systems

Given the many reports circulating about a new type of malware that uses the .lnk vulnerability in Microsoft Windows and Siemens SCADA systems, we provide a short overview of what is known, at the moment, about these targeted attacks. A list of suggested information sources to consult is included.

This sophisticated new type of malware [1], targeting command-and-control software installed in certain critical infrastructures and production environments throughout the world, uses a known default password that the software maker, Siemens, hard-coded into its systems. Coding a password into software means that third parties can retrieve it by analyzing the code, though obfuscation techniques can make this task more difficult. The password has been available since at least 2008, when it was posted to a product forum in Germany [2]. The password itself appears to have been deleted from this Siemens Technical Forum by a Siemens moderator soon after. This did not, however, prevent the password from being published on a Russian-language Siemens forum [3], where it would remain for two years. The password is used by the system to connect to its MS-SQL database. Some of the forum posts claim that a password change would cause the system to stop working.

The password should protect the database used by Siemens' Simatic WinCC SCADA system [4]. SCADA stands for Supervisory Control and Data Acquisition. A SCADA system is generally an industrial control system installed in utilities and manufacturing facilities; it monitors and controls a certain process. These SCADA systems have been the focus of much controversy lately for being potentially vulnerable to, e.g., remote attacks by malicious outsiders trying to gain control of the processes for purposes such as espionage and sabotage, as these systems are mostly critical. A good read on how to protect these systems comes from the UK Centre for the Protection of National Infrastructure (CPNI), which provides good practice guidelines for SCADA systems [5].

A German security expert, Frank Boldewin, found the hard-coded password in a new and sophisticated piece of malware [6]. The malware is designed to be spread through a USB thumb drive to attack the Siemens SCADA system. It exploits a new vulnerability in all versions of Windows [7], more specifically in the part that handles shortcut files (.lnk files). The code is launched by itself when a file manager (e.g. Windows Explorer) is used to view the contents of the stick (or any infected drive, including network shares).

This malware was first reported by security blogger Brian Krebs [8], who says that a security firm in Belarus, VirusBlokAda [9], discovered it sometime in June. His analysis of the malware shows that when a system gets infected, it first searches for the presence of Simatic WinCC. If found, it uses the hard-coded password to access the database. If Simatic WinCC isn't present, e.g. on a home user's system, the malware shouldn't harm the system much. This doesn't mean it will stay harmless: the backdoor provided by the malware will eventually be used for other malicious purposes by hackers. This is actually already going on. According to Eset, two new malware families exploiting the same .lnk vulnerability have been detected.

Siemens is said to have assembled a team of experts to evaluate the problem. They have also devoted a portion of their support website to this specific problem [10]. The security issue is a big problem for critical infrastructures, but the vulnerability that the malware exploits is of much greater immediate concern for the average user.

Microsoft issued a mitigation workaround to address the vulnerability: users should modify their Windows registry to disable the WebClient service and should disable the display of shortcut icons. Some security experts have criticized Microsoft for these suggestions, noting that these workarounds are not easy to apply in some environments and that disabling the WebClient could break other services. Microsoft provides a 'fix me' download which can be executed [11].

A trusted source from Microsoft indicates that using Microsoft RDP (Remote Desktop Protocol) to fix a remote server has no impact on the machine from which the RDP session is started. It seems the .lnk files are transmitted as bitmaps to the starting machine and so cannot affect it. Strange or unexpected icon behaviour when (again) using RDP to check the treated remote server after the mandatory reboot is more than likely due to caching mechanisms. This may not be the case with other remote desktop solutions. Basically this is a result of the way links are presented: in Microsoft RDP the links are presented as bitmaps, so they don't trigger the vulnerability.

An interesting article is one from M-unition [13]. It describes the way the malware was signed with a legitimate certificate. The first problematic driver was one from Realtek. A new variant of Stuxnet has already been seen in which a compromised driver for JMicron is used. Verisign has already revoked the certificates, but this doesn't seem to prevent the malware from infecting systems.

New variants have already been spotted. Organizations that are victims of related malware should contact their anti-virus vendor for assistance to guarantee the continuity of the organization's processes after the cleanup.

Related or not, according to the Dutch security website Security.nl [14], a well-known Dutch dairy cooperative was attacked too. The attackers tried to infiltrate the SCADA systems, but a network protection appliance detected the targeted attack. This happened while the cooperative was trying to obtain ISA-99 certification [15] for the security of systems in a production environment.

Apparently, the firmware update (also) contained an adapted version of the well known Conficker worm [16].

Possible motives for this attack could be a competitor trying to get hold of sensitive information or to disrupt the production.

More detailed information can be found in the original blog article [14].

For more information about Stuxnet one can read the posts by Kaspersky Lab expert Costin Raiu, who also provided some FAQs about Stuxnet [17]. The Microsoft Malware Protection Center blog post is also a good reference about Stuxnet [18].

[1] http://www.wired.com/threatlevel/2010/07/siemens-scada/
[2] http://www.automation.siemens.com/forum/guests/PostShow.aspx?PostID=1612...
[3] http://iadt.siemens.ru/forum/viewtopic.php?p=2974&sid=58cedcf3a0fc7a0b6c...
[4] http://nl.wikipedia.org/wiki/Supervisory_control_and_data_acquisition
[5] http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx
[6] http://www.wilderssecurity.com/showthread.php?p=1712146
[7] http://www.microsoft.com/technet/security/advisory/2286198.mspx
[8] http://krebsonsecurity.com/2010/07/experts-warn-of-new-windows-shortcut-...
[9] http://www.anti-virus.by/en/index.shtml
[10] http://support.automation.siemens.com/WW/llisapi.dll?func=cslib.csinfo&l...
[11] http://support.microsoft.com/kb/2286198
[12] http://blog.didierstevens.com/2010/07/18/mitigating-lnk-exploitation-wit...
[13] http://blog.mandiant.com/archives/1236
[14] http://www.security.nl/artikel/33906/Gerichte_hackeraanval_op_zuivelco%C...
[15] http://www.isa-99.com/
[16] http://www.confickerworkinggroup.org/
[17] http://www.securelist.com/en/blog/2236/Stuxnet_signed_certificates_frequ...
[18] http://blogs.technet.com/b/mmpc/archive/2010/07/16/the-stuxnet-sting.aspx
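The cert.be note above describes the shortcut vector: a .lnk file on a USB stick or share whose icon rendering makes Explorer load a DLL. The following added example (written for this page; not code from cert.be, Microsoft or Siemens) parses the fixed ShellLinkHeader and the LinkTargetIDList of a .lnk file per the MS-SHLLINK layout and applies a detection heuristic: a shortcut whose item list enters the Control Panel folder and then names a .dll is flagged, since legitimate Control Panel shortcuts reference registered .cpl applets. The heuristic is this example's own, not a vendor rule; the three sample .lnk blobs are constructed in the file with simplified item encodings and made-up file names, and are not real Stuxnet samples.

```python
"""Parse a Windows .lnk (MS-SHLLINK) header and IDList; flag Control Panel
items that name a .dll (the CVE-2010-2568 shortcut shape). Added example;
the heuristic and the sample blobs are this file's own, not vendor data."""
import struct
import uuid

HEADER_SIZE = 0x4C
LINK_CLSID = uuid.UUID("00021401-0000-0000-c000-000000000046")   # fixed LinkCLSID
HAS_LINK_TARGET_IDLIST = 0x00000001                             # LinkFlags bit A
MY_COMPUTER_CLSID = uuid.UUID("20d04fe0-3aea-1069-a2d8-08002b30309d")
CONTROL_PANEL_CLSID = uuid.UUID("21ec2020-3aea-1069-a2dd-08002b30309d")


def parse_header(data):
    """Validate the 76-byte ShellLinkHeader and return its LinkFlags."""
    if len(data) < HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, = struct.unpack_from("<I", data, 0)
    if header_size != HEADER_SIZE or uuid.UUID(bytes_le=data[4:20]) != LINK_CLSID:
        raise ValueError("not a Shell Link: bad HeaderSize or LinkCLSID")
    return struct.unpack_from("<I", data, 20)[0]


def parse_idlist(data, offset):
    """Return the payloads of the ItemIDs in the LinkTargetIDList at `offset`."""
    idlist_size, = struct.unpack_from("<H", data, offset)
    end = offset + 2 + idlist_size
    if end > len(data):
        raise ValueError("IDListSize runs past end of data")
    items, pos = [], offset + 2
    while True:
        if pos + 2 > end:
            raise ValueError("IDList missing TerminalID")
        item_size, = struct.unpack_from("<H", data, pos)
        if item_size == 0:                       # TerminalID closes the list
            break
        if item_size < 2 or pos + item_size > end:
            raise ValueError("malformed ItemID")
        items.append(data[pos + 2:pos + item_size])
        pos += item_size
    return items


def utf16_strings(blob, min_len=4):
    """strings(1)-style extraction of printable UTF-16LE runs, both alignments."""
    found = []
    for start in (0, 1):
        run = []
        for i in range(start, len(blob) - 1, 2):
            ch = blob[i] | (blob[i + 1] << 8)
            if 0x20 <= ch < 0x7F:
                run.append(chr(ch))
                continue
            if len(run) >= min_len:
                found.append("".join(run))
            run = []
        if len(run) >= min_len:
            found.append("".join(run))
    return found


def assess_lnk(data):
    """Parse a .lnk and return parsed facts plus a heuristic 'suspicious' verdict.
    Heuristic (this example's own): Control Panel CLSID present in the IDList
    AND an item names a .dll; shell32 loads that DLL just to render the icon."""
    flags = parse_header(data)
    result = {"has_idlist": bool(flags & HAS_LINK_TARGET_IDLIST),
              "control_panel": False, "dll_paths": [], "suspicious": False}
    if not result["has_idlist"]:
        return result
    for item in parse_idlist(data, HEADER_SIZE):
        if CONTROL_PANEL_CLSID.bytes_le in item:
            result["control_panel"] = True
        result["dll_paths"] += [s for s in utf16_strings(item) if s.lower().endswith(".dll")]
    result["suspicious"] = result["control_panel"] and bool(result["dll_paths"])
    return result


def build_lnk(items):
    """Construct a minimal .lnk: header with HasLinkTargetIDList plus the given items."""
    header = struct.pack("<I", HEADER_SIZE) + LINK_CLSID.bytes_le \
        + struct.pack("<I", HAS_LINK_TARGET_IDLIST)
    header += b"\x00" * (HEADER_SIZE - len(header))   # attrs, times, size, icon, show, reserved
    idlist = b"".join(struct.pack("<H", len(it) + 2) + it for it in items) + b"\x00\x00"
    return header + struct.pack("<H", len(idlist)) + idlist


ROOT_ITEM = b"\x1f\x50" + MY_COMPUTER_CLSID.bytes_le          # root folder item: My Computer
CONTROL_PANEL_ITEM = b"\x2e" + CONTROL_PANEL_CLSID.bytes_le   # CLSID item: Control Panel

# Constructed samples (simplified item encodings; file names made up for this example).
BENIGN_LNK = build_lnk([ROOT_ITEM, b"\x2fC:\\\x00", b"\x32notepad.exe\x00"])
CPL_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM,
                     b"\x00\x00" + "C:\\Windows\\System32\\timedate.cpl\x00".encode("utf-16-le")])
STUXNET_STYLE_LNK = build_lnk([ROOT_ITEM, CONTROL_PANEL_ITEM,
                               b"\x00\x00" + "E:\\evil_loader.dll\x00".encode("utf-16-le")])

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("cpl", CPL_LNK), ("stuxnet-style", STUXNET_STYLE_LNK)):
        print(name, assess_lnk(blob))
```

Run `assess_lnk()` over every .lnk found on removable media or a file share; the parser rejects non-shortcut data and truncated IDLists with `ValueError` rather than guessing, and the CPL sample shows the deliberate boundary: a shortcut to a registered .cpl applet is a normal Control Panel link and is not flagged.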


Attack Code for SCADA Vulnerabilities Released Online (Threat Level, Wired.com, by Kim Zetter, 03.22.11)

The security of critical infrastructure is in the spotlight again this week after a researcher released attack code that can exploit several vulnerabilities found in systems used at oil-, gas- and water-management facilities, as well as factories, around the world.

The 34 exploits were published by a researcher on a computer security mailing list on Monday and target seven vulnerabilities in SCADA systems made by Siemens, Iconics, 7-Technologies and DATAC.

Computer security experts who examined the code say the vulnerabilities are not highly dangerous on their own, because they would mostly just allow an attacker to crash a system or siphon sensitive data, and are targeted at operator viewing platforms, not the backend systems that directly control critical processes. But experts caution that the vulnerabilities could still allow an attacker to gain a foothold on a system to find additional security holes that could affect core processes.

SCADA, or Supervisory Control and Data Acquisition, systems are used in automated factories and in critical infrastructures. They came under increased scrutiny last year after the Stuxnet worm infected more than 100,000 computers in Iran and elsewhere.

The worm was designed to target a specific component known as a programmable logic controller, or PLC, used with a specific Siemens SCADA system. It was widely believed to be aimed at a PLC controlling centrifuges at the Natanz uranium-enrichment plant in Iran.

The exploit codes released this week were posted to the Bugtraq mailing list on Monday by security researcher Luigi Auriemma who wrote that he knew nothing about SCADA before uncovering the vulnerabilities in a series of tests. Auriemma told the Register that he published the vulnerabilities and attack codes to draw attention to security problems with SCADA systems.

His move got the attention of U.S. ICS-CERT, or Industrial Control Systems–Computer Emergency Response Team, which subsequently published advisories for the vulnerabilities.

The systems that are affected include Siemens Tecnomatix FactoryLink, Iconics Genesis32 and Genesis64, DATAC RealWin, and 7-Technologies IGSS.

The Iconics and DATAC systems are most heavily used in the United States, according to Joel Langill, a control-systems security specialist. Langill says the Iconics systems are used in the oil and gas industry in North America, and the DATAC system is often found in municipal wastewater management facilities. He is not aware of any of the programs being used at important nuclear facilities.

“Most of these don’t tend to be high-reliability products,” he said. “And in nuclear you need high reliability.”

Of the 34 attacks Auriemma published, seven of them target three buffer-overflow vulnerabilities in the Siemens system, an old legacy system that Siemens plans to stop supporting next year. One of the attacks against the Siemens system would simply result in a denial-of-service, but the other two would allow an attacker to remote-copy files into the file systems, according to Langill.

“As a proof of concept, that could actually be very dangerous, because it would allow you to drop in a malicious payload,” he said. “I would want to patch that fairly fast.”

The Iconics system involves 13 attacks — all targeting one vulnerable process. Langill said these were the least-developed attack codes Auriemma released. None of them would allow an intruder to execute code on the system.

The 7-Technologies IGSS attack involves eight different exploits targeting two vulnerabilities in that system. Langill considered these the most impressive, noting that at least one of the attacks would allow remote execution of malicious code on the system.

“It was very easy to drop files onto the host,” he said about his test of the code.

The DATAC system involves seven attack codes targeting one vulnerability.

Although the attacks don’t target programmable logic controllers directly, they would allow an attacker to mask what an operator sees on his monitor, by changing data that appears on his screen. Therefore, if an attacker can find and attack vulnerabilities in a PLC connected to these systems, he could make it appear to the operator that everything is functioning on the PLC correctly.

“I could download operator graphics to my system, modify them and then upload those modified graphics to the operator,” Langill said. “Idaho National Labs has shown that to be a very effective attack vector to fake out the operator.”

Langill said, however, that the likelihood that any of these vulnerabilities would be attacked remotely is low, because such systems are generally not connected to the internet.

But the bottom line, Langill says, is that Auriemma showed that even someone with no knowledge of SCADA could, in a very short time, take SCADA software that is easily obtained by anyone and generate exploits that could reasonably impact operations.

“He’s done the hard part to give someone a way into the system,” Langill said. “Someone else who knows the system can now go in and find a way around in it, to launch the malicious act.”




Recommended Links


SCADA - Wikipedia, the free encyclopedia

2006 revamp of SCADA security in the USA

Stuxnet attack