Long Post Warning: If you want a quick read, skip down to the bullets on our suggested ICS guru message.
After covering the technical details of Beresford’s presentation at Black Hat in Part I, let’s look at the politics of the situation and the response of the ICS vendors, owner/operators and ICS security gurus.
The best way to look at both Stuxnet and the Beresford vulns is that they are the first instances where the insecure-by-design and poor security posture of PLCs became widely known outside of the niche ICS security community. In Stuxnet it was the dramatic impact of the attack on the Iranian nuclear program, and the Beresford vulnerabilities showed that neither ICS expertise nor vast resources were required. Both have whetted the appetite of hackers of every hat color to break PLCs and other ICS components.
The attendees at Dillon’s presentation were taking a lot of photos and paying great attention, even during some of the slower parts waiting for things to happen in the demo. I can’t claim to be in sync with the Black Hat audience, but it appeared to me that the reaction was much more “isn’t that cool, I’d like to try to do some of that” rather than “this is a problem we need to fix”. We will have to wait and see what type of research/hacking and results come from this.
ICS Security Gurus Need To Stop Rationalizing Vulns
Why is it that whenever a PLC vulnerability is brought up, the ICS security experts asked to comment start off explaining how this is a longstanding known problem in all PLCs due to the lack of access control? They are not wrong, but the primary message should be that this vuln results in a huge security risk, and the vendor needs to provide a secure PLC ASAP.
Earlier I blogged on Eric Byres and Joel Langill giving Siemens cover at the Siemens user group meeting. Now I have to call out Jonathan Pollet and Tom Parker from the Black Hat press conference. These are all top notch ICS security professionals, and competitors, who would do a great job helping any owner/operator secure their SCADA or DCS. However, they are falling into the rationalization trap that I was in for years.
At the post-Beresford press conference, Jonathan and Tom followed Dillon’s explanation of the Siemens vulns with the usual explanation that this is a well-known problem in ICS, protocols lack security, it affects all vendors, it will be around for a long time due to product life cycles, … None of this is wrong, but it should not be the message we are giving the press. I was watching the press, and it definitely took the enthusiasm out of the room that this was an important story. It was old news.
We should be embarrassed, I know I am, that we have made almost zero progress on PLC security over the last ten years — the lost decade. The fact that it is a long-standing, widespread problem, well known in the community, is nothing to highlight when we have the world’s attention that might help or force the PLC vendors to finally make progress.
A reporter’s follow-up question asked about the real impact of this. Again the ICS security experts tried to calm things down with talk about systems being heterogeneous and the difficulty of widespread attacks. Again, not wrong, but why focus on downplaying the problem? Why not focus on the fact that owner/operators with an S7 PLC need to be very concerned, because Dillon’s attacks or a slightly modified Stuxnet could take out their plant or SCADA system with huge loss of money, possible loss of life, environmental damage, and other negative effects?
ICS security gurus and others who talk to the press, consider changing the message to:
- This is a very serious set of vulnerabilities that puts anyone who has a process that relies on S7 PLCs at risk. If an attacker can gain access to the PLC, they can affect the process with potentially huge financial loss, destruction of systems, environmental impact and even loss of life.
- Siemens needs to provide clear and honest information to their customers on the vulnerabilities and their impact. Not a small job, since Dillon has found 15 already, not to mention the remaining Stuxnet issues. They need to stop denying problems. Stop misleading and lying to their customers. The Stuxnet vulns in the PLC are not fixed. The vulns Dillon identified have not all been patched. Dillon’s work could be leveraged by bad guys to compromise SCADA and DCS that use Siemens’ PLCs, again with grave results.
- Siemens needs to provide customers with information on how they will fix each vuln, integrate missing security features, and firm dates/versions when these will be available. In parallel, they should be providing customers with compensating controls. Who better than Siemens to provide IDS/IPS signatures for these vulns to their customers?
- Siemens’ security development lifecycle (SDL) is hugely flawed. A number of the Beresford vulns are not missing security features; they are the result of very poor software engineering practices. Siemens should tell customers what modifications are being made to the SDL to prevent this in future code.
Full stop. No temporizing the message.
I know many colleagues in this small ICS security niche would say this is unfair to Siemens. Is it really our job to defend Siemens to their customers and the press? Be just as tough on each vendor when this comes up, rather than easing up on Siemens with weasel words. If it makes any of you feel better, Siemens will not be out there by themselves for long. We have our Project PLC Basecamp results scheduled for S4 this year, and I’m sure many others are inspired by Black Hat to look hard at PLCs.
Dillon repeatedly stated that his motivation to start this work was to prove that Stuxnet or a Stuxnet-like attack would not have required a nation state level of effort. On this point he is only partially right.
He has proven that a highly skilled security professional with no ICS experience and limited resources can learn to attack PLCs and affect the SCADA and DCS process.
Where Stuxnet differed from Dillon’s efforts was the sophistication of the engineering in attacking a couple of specific nuclear-related processes. First it was necessary to get the project file / process logic. Was this done with HUMINT? Directed hacking on one of the integrators?
This was followed up by a detailed effort to understand the complex logic in the process. Then the Stuxnet team determined how to modify the process in a way that caused failures whose root cause would be difficult to detect. The ladder logic that was written for the attack on the S7-400s was substantial.
So the Stuxnet effort included someone like Dillon, perhaps some HUMINT, a process automation expert with Siemens system experience, and one or more nuclear experts.
Likely Impact of Beresford Vulnerabilities
Frankly, I hoped for more. Unless we see a change of approach from the ICS security community, Siemens and other vendors are going to weather this storm without any serious change.
The people who need to force the change at Siemens or any other PLC vendor are the customers. PLC customers are busy running their plant, pipeline, transmission EMS, … Security is one more problem to deal with. Almost all are very receptive to the vendor message that the vendor is taking security seriously and all is OK. Everything is fixed. This means security is one less thing for the PLC customer to worry about.
ICS owner/operators’ first source of information is the vendor. The vendor/asset owner bond is very tight. Their next source of information is the automation press, which refuses to cover the story. The next source of information is the mainstream press. I would like to say that this blog, ICS security conferences, and other ICS security resources are a source of information for owner/operators, but we only reach those who care about security. Getting them to care is the first step.
Stuxnet could be a template. The automation press covered it little, and in a very benign way, until the mainstream press picked it up. Even then, most of the best reporting on Stuxnet has been done in the mainstream press. After it got into the mainstream press, owner/operators began taking it seriously.
Where we failed is in allowing the message that Stuxnet is fixed to take hold. I’m actually a bit baffled at how this has happened. Maybe it is a credit to the Siemens marketing department and a black mark on the ICS security community.
Image by Paul J Everett