Critical Infrastructure Protection (CIP) or cyber security - they are not the same

Nov. 20, 2008

There has been a lot of discussion on the SCADA listservers about cyber vulnerabilities of control systems. What I want to address is that cyber vulnerabilities or cyber security for that matter does not equal CIP.

There has been a lot of discussion on the SCADA listservers about cyber vulnerabilities of control systems. What I want to address is that cyber vulnerabilities or cyber security for that matter does not equal CIP. Cyber security is a subset of CIP.  There are other aspects, including physical security, fragility of the asset, the availability and expense of backup support, etc. Many of the control system cyber events that have caused actual equipment damage or directly shutdown equipment have not been because of traditional cyber vulnerabilities. The corollary is that traditional cyber vulnerabilities (viruses, worms, buffer overflows, etc) have caused “burps” in the system shutting down systems, but so far have not caused equipment damage. That is not to say they can’t as the demonstration at the August ACS Conference illustrated. To demonstrate this premise, I will only address events that are publicly acknowledged. The Bellingham pipeline rupture, Browns Ferry and Hatch shutdowns, Maroochy wireless hack, the Florida outage, and a recent automatic shutdown of a nuclear plant were all CIP system-related events that had cyber “overtones”. Worms such as Code Red, Slammer, and Blaster affected control systems by directly or indirectly shutting many down many Windows-based HMIs but did not damage field equipment. System issues are generally architectural and policy-driven not technology-driven.

One specific issue has reappeared that needs to be addressed - the disconnect between power plants and the plant switchyards. The switchyard (inside the plant fence) is generally “owned” by the power plant (nuclear, fossil, or hydro). Plant staff are very knowledgeable about the equipment inside the plant but often are not technically cognizant about switchyard equipment (breakers, relays, etc) and therefore rely on others such as corporate T&D or local electrical contractors to maintain these systems. This creates the possibility of inadequate oversite of the switchyard equipment. Last year, one utility did have an automatic nuclear plant shutdown because of inappropriate testing of plant switchyard relays. (I believe there have been numerous fossil plant shutdowns because of relay testing but they do not have to be reported.) Even though I  have not been able to confirm the event had a direct cyber aspect, it could be cyber-related since upgrades to plant relays will include remotely accessible relays. What adds to the concern and disappointment is that most utilities have defined their plants as not being NERC critical assets and consequently this potential common cause failure, and others including Aurora, are not being addressed.

According to the new “Global Threat Report” from ScanSafe, “…energy companies worldwide have a nearly 200 percent rate of being hit with Webborne malware attacks. According to the report, energy companies experienced more Web-based malware attacks than any other vertical market in the third quarter of this year, with an increased rate of exposure of 189 percent.” I had a chance to discuss this report with the author since almost 4 years ago, Riptech made similar statements.  My concern is that most companies doing log-management are only looking at the corporate firewalls and DMZs. Consequently, they have no view into the control systems. It is not to say the report is wrong, it is just to say it hasn’t addressed what is happening with the control systems.

The following blog discusses using control system software to distribute malware: http://carnal0wnage.blogspot.com/2008/10/malware-targeting-industrial control.html 


Malware targeting industrial control software(?)

So this morning I was doing my usual malware roundup and looking for anything new or vaguely interesting. Lots of the usual sites all serving the same thing. The pdf exploit (I've a special fondness for this one, see the pentesting failures post), the snapshot_viewer_activex exploit, ms08_053, realplayer11, ms08_011, ms06_014 and a few others. All pretty popular right now.

Then I saw a site that has been floating around serving up malware for a while now. It's been up for about a year I think. It's always had a nice index.htm page with a list of iframes serving up all of the above and some others. I generally have a quick look every now and again and find it's always the same stuff. Lots of reuse of exploits, etc...

Today was a surprise as I found something 'new'. The page has another exploit added. Nothing new about that but it's what the exploit is for that is surprising.

hxxp://www.wackystone.com/counter/IConics.htm

In August a stack overflow exploit in the Iconics Vessel ActiveX control was released. The exploit is in the dlgwrapper.dll [Dialog Wrapper Module ActiveX control]. Tebo and kf wrote a Metasploit exploit module for it. [http://www.milw0rm.com/exploits/6570].

Iconics makes plant automation software for various industries including oil, gas, pharma, airports, etc... SCADA anyone?

A quick decode of the ucs2 encoded payload reveals:

hxxp://www.wackystone.com/counter/taskmgr.exe

The exploit downloads taskmgr.exe, a dropper that installs a second stage piece of malware. I've not downloaded that as yet so I don't know the actual payload or it's function.

I guess what is interesting to me is that the malware authors have decided to use an exploit that has a somewhat small target audience. I could be wrong as I'm not that familiar with those industries and perhaps the software is really widespread.”

Posted by Dean De Beer

Joe Weiss