Many control system vulnerabilities are not “new”; they are often just rediscovered

Wind River's VxWorks is arguably the most popular real-time operating system used in embedded and control systems. On July 30, 2019, Armis announced it had discovered 11 zero-day vulnerabilities (named “URGENT/11”) that affect the VxWorks operating system, including six that are critical.

In the 2011 time frame, I wanted to prove how different control systems were from IT. As a result, I worked with a utility to have an IT security consultancy, in this case Mocana, try to hack a substation Remote Terminal Unit (RTU) running VxWorks. I was sure Mocana would throw up their hands in despair, as they had never heard of VxWorks. It took Mocana about 2 weeks to complete the assignment. The goal of the project was to determine actions that could lead to damage or financial loss to the utility. Mocana’s scope was to use black box penetration testing to perform:

- Embedded Device Testing,

- Device Communication,

- Identify Debugging Functionality,

- Uncover Administrative Privileges, and

- Protocol Assessment.

There were 3 High Severity issues identified:

- Could find and alter any memory record remotely or over the network

- Could extract admin credentials without permission

- Could extract live admin session tokens (such as web cookies)

I had the utility and Mocana present this case history at my 2011 ICS Cyber Security Conference.

Wind River recognized the vulnerabilities and provided a new processor board with firmware fixes. However, the RTU model had an installed base in the tens of thousands. Consequently, it is not clear how many systems actually implemented the new processor board with firmware fixes. It is also not clear how the 2011 vulnerabilities correspond to those identified by Armis.

Because we were using the utility as a control system cyber security testbed, another vulnerable system identified was the ABB MicroSCADA. Apparently, there were cyber vulnerabilities that were not corrected, as the ABB MicroSCADA was compromised in the 2016 Ukrainian cyber attack.

New control system vulnerabilities often are not “new”; they are just rediscovered vulnerabilities that were not adequately disclosed or addressed the first time.

Joe Weiss