Field device worms, economics and infosec and estimating 0days
I hope loyal readers will pardon the days delay in the recap, and even the limited tweeting, during S4. As the Event Chair and with the physical and virtual program it gets pretty crazy. I did like twitter for the updates and will be tweeting again at the SANS SCADA Security Summit.
We had a great group of 46 physical attendees and 24 virtual attendees this year. The max possible is 55 physical so it was not quite a sell out. One of the highlights for me is to spend the time and watch the collaboration between these technical and thought leaders from the vendors, consultants, asset owners, national labs, government, etc. We purposely schedule longer breaks / no lunch speaker / cocktail party and put a cap on the size to maximize the community effect of the event.
Now to the day 1 sessions
Our Keynote from Dr. Ross Anderson on the Economics of Control System Security was one of the S4 highlights for me. How do we bring in the field of economics to aide in making the business decisions on when, where and how much resources should be placed on control system security? Ross presented a number of economic concepts, how they have been applied to information security and some discussion on the implications to the critical infrastructure. I was madly making notes on Adverse Selection [why do people with Volvo’s have more accidents, why are web sites with the TRUSTe certification twice as likely to be malicious as those that don’t], Shapiro-Varian theorem [net present value of a company is the cost of their customers to switch to another company’s product], regulatory impacts, … There was a huge amount of food for thought and I hope this spurs some of the security metrics work to take the next step to start talking about financial impact.
As an added bonus, Dr. Anderson was an active participant throughout S4.
Session 1: Leveraging Ethernet Card Vulnerabilities in Field Devices, Digital Bond
Many field devices allow for unauthenticated firmware upload. If you can ping the Ethernet card, you can load firmware with the idea being this is for vendor firmware updates. This is not new information, but has been largely sloughed off because an attacker with logical access could typically read or write to the field device anyway. In our paper, Daniel Peck and I wanted to demonstrate it is in fact possible to load rogue firmware and discuss what an attacker could do with this capability.
We analyzed two devices from our lab, Rockwell Automation’s ControlLogix 1756 ENBT Ethernet module and the Koyo / Direct Logic H4-ECOM Ethernet modules. The paper discusses the tools and methods to learn the load in detail – – and two different methods were required since they had two different processors. We were able to upload our own firmware onto the devices showing served up web pages change as well as having the modules ping the network. Basic stuff, but what would an attacker do with this capability?
The paper discusses some possible attacks including disgruntled insider, delayed mass attack to cover tracks and allow for pre-staging, a field device worm to discover and compromise all field devices in the control system, and using the field device to attack workstations and servers on the network. Imagine fifty compromised field devices turning on the control center or ICCP business partners. Our last step is to complete our proof of concept field device worm that will identify other similar field devices, load rogue firmware on identified field devices, report back to the master, try to find other field devices, and await instructions. Still a bit of work to do in our coding of the propagation and reporting. We will post in a few weeks when this is done.
The last part of this paper discussed cross-site scripting vulns, orphaned code and other issues in the management protocols. These could be leveraged to attack any HMI or engineering work station that connected to a management resource.
Session 2 – Empirical Estimates of 0Day Vulnerabilities in Control Systems, INL
The team at INL, this time with an assist from Trevor McQueen at Harvey Mudd College, continues to put out some excellent metrics work. This year they used data from the Zero Day Initiative and iDefense to estimate the number of 0Day Vulnerabilities and the mean vulnerability lifespan. FYI – they defined a 0Day as a “vulnerability, in deployed software, that has been discovered by at least one person but has not yet been publicly announced or patched”.
A few interesting facts:
- The mean lifespan was 131.81 days for the 491 vulns in the study.
- Low CVSS scoring vulns, less impact, had a shorter lifespan than medium and high CVSS scoring vulns – this is counterintuitive.
- They estimated that there were about 250 control system 0day vulnerabilities on any given day in 2006/2007.
Lots of detail in this paper.
Still to come . . . Day One Afternoon and Day Two