An ICS Cyber Vulnerability Beyond Stuxnet

Ralph Langner and other ICS cyber security experts have warned that the critical ICS vulnerabilities that can cause significant damage and/or personal injuries lie in the functional design of the instrumentation and control systems. Additionally, a presentation was made at the October 2013 ICS Cyber Security Conference where a DOD ICS researcher called ICS cyber warfare a “race to the bottom”. That is, where sensing and control actually occur. The field devices at the level “0” layer do the real time sensing of the physical parameters such as pressure, temperature, flow, voltage, current, chemical composition, etc and send this data to the controllers to make real time changes occurring in milliseconds without any operator intervention.

A presentation was made at the S4 Conference on Hart vulnerabilities. HART stands for Highway Addressable Remote Transducer protocol which is commonly used in many industrial applications at the level 0 layer.  HART can either be wired or wireless and this vulnerability will affect either. Effectively the vulnerability allows several possible outcomes:

  • Take over a single device

  • Use the compromised device to take over all of the other devices on the HART highway

  • Use the compromised devices to take over the asset management software

There are a number of vendors that offer asset management software. Asset management software can be installed on the control system PC and used to monitor the digital data from HART or Foundation Fieldbus-enabled field devices. The asset management software provides an operator interface between the HART or Foundation fieldbus-enabled field device and the remote PC, which is networked to the control system via simple Ethernet. The asset management software provides the remote operator with COMPLETE ACCESS to both the primary variable and many secondary variables transmitted digitally by the HART or Foundation fieldbus-enabled field device. The asset management software enables the remote operator to check the field device measurement output, RECONFIGURE THE DEVICE, check calibration logs, and check error alerts without having to be present at the site. 

I believe this type of vulnerability can compromise the integrity of HART and fieldbus messaging from a sensor to a controller. The strategic importance of this cannot be underestimated as this is the input to the HMI that affects the real time view and input to the controllers that affect real time control of tens of thousands of industrial processes. The vulnerability allows the reconfiguration of the field devices (change the variables, limits, alarm ranges, etc.), even reflash and write to EEPROM. As asset management software is used for predictive maintenance programs, the potential integrity compromise can affect maintenance as well as operational decisions. Moreover, it is not clear how one would detect this type of compromise if the data remains within the acceptable operating range which itself can be compromised.  This vulnerability is beyond Stuxnet as it is not specific to any vendor, any specific process, the input data would be accepted by the controllers without question, and the initial compromise would be difficult to detect.

The asset management software vulnerability could cause an impact in either of two directions – the field devices where physical damage could occur or the ERP system where financial damage could occur. The security researcher that found the vulnerability was an ERP security expert concerned with access to the ERP.  One can only wonder what is happening with ICS experts intending on doing physical damage.

With all of the new vulnerabilities being found, maybe there should be a consideration for all critical control and safety systems to go “back to the future” – 4-20ma point-to-point serial.

Additional links on the vulnerability can be found at waltboyes.livejournal.com.

Joe Weiss

 

What are your comments?

You cannot post comments until you have logged in. Login Here.

Comments

  • I wanted to clarify if the vulnerability affected both wired and wireless HART. Consequently I sent an email asking for clarification to the security researcher and got the following response: "The physical layer (ability to spoof) is applicable only for HART FSK (wired). The vulnerable DTM component is a component for wired DTM device. I didn't research WirelessHART devices." Joe Weiss

    Reply

  • 1) If someone can insert a device on a HART cable and spoof network telegrams, then the same can be done with a 4..20 mA link : spoof fake milliamps. Then of course it is only one process value, and doesn't have the same dire consequences as discussed on the S4 conference. But why did we never worry about this in the past?

    2) HART is not alone. The same network message spoofing can be done for any network protocol, given a set of network transceivers and some software. We'll definitely here more about this in the near future. Modbus is probably next.

    Reply

RSS feed for comments on this page | RSS feed for all comments