In preparation for my January 25th keynote at the Texas A&M Instrumentation and Automation Symposium, I went back to my “Lack of Imagination” slide. INL gave a presentation at the 2008 Siemens International User Group Meeting on the results of the INL PCS7 testing.

Why would Siemens ask DHS to perform a security assessment on PCS7? The intent was to validate and improve the PCS7 security concept, leverage INL’s unique skillsets (e.g., Aurora), enhance the security posture of PCS7 control systems, transfer knowledge to members of the PCS7 Security lab, expand the DHS/INL body of knowledge for protecting control systems that control US critical infrastructure, help Siemens customers comply with new government regulations, and produce input for a certification that did not exist at the time of the testing.

The test architecture was derived from what was described in the PCS7 Security Manual, which included firewalls, VPN tunnels, and a DMZ as well as the Basic Process Control System (BPCS) and the Safety Instrumented System (SIS). The Targets of Evaluation were selected to stress key parts of the system and to leverage INL’s expertise gained from the Aurora testing.

The testing first assessed the vulnerability of the DMZ servers, since gaining control of a server inside the DMZ would be a stepping stone for getting into the BPCS. The DMZ servers included WSUS, Virus Scan, and Certification Authority servers. The next step was to gain unauthorized, interactive login to the PCS7 Engineer’s Workstation, because the Engineer’s Workstation is used for the development, maintenance, and troubleshooting of the BPCS and the SIS. The next step was protocol fuzzing to find vulnerabilities, with the goal of causing a communication disruption or overload. The communication paths included TUV-certified safety system communication, controller-to-controller, Plant Bus, and Terminal Bus. 
The final step obtained unauthorized access to the Configuration Database in order to modify the PCS7 Engineer’s Workstation configuration. The objective was to access and modify the control system configuration without being detected, thereby compromising the controller configurations in the BPCS and SIS! This was essentially a description of Stuxnet, but presented in 2008. However, the attendees didn’t recognize the implications of these vulnerabilities, as can be seen by the surprised reactions to Stuxnet in July/August 2010 once Ralph Langner first started publishing his results. It should be noted that the Siemens presentation was on the web for all to see until about 2012, when it was removed.
Some have called the 2017 Triconex hack in Saudi Arabia a watershed event, claiming it was the first cyber attack against a safety system. However, the Triconex attack vector appears similar to the one demonstrated in the 2008 Siemens PCS7 testing at INL.
This now makes two major SIS vendors that have been hacked with a similar approach. What does that say about the cyber vulnerabilities of the other SIS suppliers?