By Rich Merritt, Senior Technical Editor
THREE CYBER security researchers from the U.S. Department of Energys Idaho National Laboratory demonstrated, live at the recent 2005 Emerson User Exchange, how to use a laptop via the Internet to hack through two firewalls, get onto a process control network, read the internals of a device controller, and turn on a pumpall without being detected.
The researchers, Curtis St. Michel, John Hammer and Jared Verba, are part of the SCADA and Power Systems Security Resources group at INL, which supports the Department of Homeland Securitys Control Systems Security Center program. This program creates awareness in the control systems industry about the importance of cyber security.
I don't pretend to understand all the gory details, because they were throwing around words like script kiddies, IDS, DMZ, and ARP scans, as if we all knew what they meant. Nevertheless, the results were downright scary. Especially because they had a demo control system sitting on the floor in front of the podium, and you could hear the pump when it started up. They also spoofed HMI screens, demonstrating that they could make the operator see anything they wanted him to see.
They started their attack by sending an e-mail to a user on one of the business computers. The e-mail contained a PowerPoint presentation which, when opened, sent an FTP download request back through the router and firewall, over the Internet, and to the hackers laptop. Because the request came out of the system, the firewall permitted the download of hacking programs. This let the INL researchers get in and "take over" the business PC. Once in, they did an Address Resolution Protocol (ARP) scan to identify every node on the business LAN, figured out which node was the firewall protecting the control system, and then spoofed all the other computers into thinking that they were the firewall. This allowed them to find out which computers were talking through the firewall to computers on the process control network.
Another exploit got them through the firewallwithout passwordsand onto the master database of the process control network. From there, another ARP scan identified all the control network devices. They nosed around, found one with an embedded web server, and opened it up. Nosed around some more, and found internal tables that labeled all of the process variables. Then, after some reverse engineering they "forced" an output to start the pump.
The demo took only about 15 minutes, because they already knew exactly where to find what they needed. In real life, it took the researchers three weeks to penetrate the system for the first time.
Script kiddies are tools that amateur hackers can find and use, and they contain similar intrusion programs that are readily available for Zip files, PowerPoint files, Oracle and a host of other files you get in the e-mail every day. That means almost anyone can get through your firewalls, including 14-year-old hackers. Getting into your control system requires skill, but its not beyond the ability of a professional hacker, who is being paid to get into your system.
One of the scariest items I learned about is that Ethernet is a two-way network, even if you set up your Shadow Server, so that it can send but not receive messages. However, it still becomes a two-way network when the sender asks the receiver, "Did you get that packet?" and the receiver says, "Yes." That's two-way communications, and it can let a hacker in.
Even advice we gave a few months ago, which said you should isolate your system from outside networks completely, and let a Shadow Server deal with business networks and remote users, now appears a bit faulty. The concept is good, says INLs researchers, but you may want the two computers to communicate over something other than an Ethernet link. Like Sneakernet.
Other advice they offered to control system users includes:
- Set up a layered defense using standard tools, such as anti-virus software, firewalls, demilitarized zone (DMZs) and Intrusion Detection Systems (IDSs).
- Enforce security procedures, including user names and passwords.
- Use virtual private networks (VPNs) and encryption.
- Hire someone to break into your system and find the vulnerabilities.
- Regard control system security as an ongoing problem, and take it seriously.
If you want to persuade your upper management into taking cyber security seriously, hire the researchers from INL to come in and give a little demonstration. Itll scare the bejeezus out of them.