A Project Basecamp result that has been widely overlooked is that some of the devices were much more robust and secure than others. The Modicon Quantum and GE D20 were clearly the worst. The Rockwell Automation / Allen Bradley controllers and Koyo/Direct LOGIC were in the middle, the SCADAPack bricked early so it is incomplete, and the SEL-2032 Communications Processor was the least fragile and most secure out of the devices tested.
It is slightly unfair to directly compare the devices, since some are full featured, deluxe PLCs and the SEL-2032 is a communications processor that typically allows a WAN connection to access multiple serial devices in a substation. However, many of the “Insecure by Design” features and vulnerabilities in these PLCs could have been in the SEL-2032.
The most interesting and potentially serious issue with the SEL-2032 was the hidden CAL access level and default password. The CAL access level provides debugger-like access to the device, e.g. list running processes, dump and overwrite arbitrary memory, … Dillon Beresford found this in his firmware analysis, a very impressive piece of work, but it actually is listed in some product documentation – just not SEL-2032 documentation.
To get to the CAL access level you need to login to the ACC access level, authenticate to the second level (2AC), and then you can get to the CAL access level. Dillon and the Basecamp team discussed whether the CAL access level is a backdoor. The consensus was it’s not a backdoor because of the authentication requirement to ACC and 2AC access levels to reach the CAL access level. Dillon was calling it “a hidden debug environment for internal diagnostics and SEL engineers.”
However, debuggers used in product development are typically removed prior to release. At a minimum SEL should better document the CAL access level so owner/operators understand the risk if an attacker can reach this access level and recommend the default password be changed. We would rather see it removed because a skilled attacker with debugger access is likely to do some damage.
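One way an owner/operator could watch for use of the hidden CAL level is to monitor the cleartext session for the ACC → 2AC → CAL escalation described above. The following is an added, defender-side example, not code from the post or from SEL; the transcript line format, the “=>”-style prompts used as the success indicator, and the “Invalid Password” reply are assumptions, and both sessions are constructed for the demo.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Escalation order described in the post: ACC -> 2AC -> CAL (hidden debug level).
LEVELS = ["ACC", "2AC", "CAL"]
LINE_RE = re.compile(r"^(\S+) ([CS]): (.*)$")   # "<time> C|S: <text>" (assumed format)
PROMPT_RE = re.compile(r"^=+>$")               # assumed: device prompt once a level is granted

@dataclass
class SessionState:
    level: str = "NONE"                      # highest access level granted so far
    pending: Optional[str] = None            # level command awaiting a password result
    failures: int = 0
    alerts: List[str] = field(default_factory=list)

def rank(level: str) -> int:
    return LEVELS.index(level) if level in LEVELS else -1

def analyse_session(transcript: str, max_failures: int = 2) -> SessionState:
    """Walk a cleartext session transcript and flag access-level escalation events."""
    st = SessionState()
    for raw in transcript.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue                          # skip lines not in the expected format
        ts, who, text = m.groups()
        text = text.strip()
        if who == "C" and text.upper() in LEVELS:
            st.pending = text.upper()
            # A level should only be requested from the level directly below it.
            if rank(st.level) < rank(st.pending) - 1:
                st.alerts.append(f"{ts} {st.pending} requested from level {st.level}")
        elif who == "S" and st.pending:
            if text.lower().startswith("invalid password"):
                st.failures += 1
                if st.failures >= max_failures:
                    st.alerts.append(f"{ts} {st.failures} failed password attempts")
                st.pending = None
            elif PROMPT_RE.match(text):
                st.level = st.pending         # prompt returned: level granted
                st.pending = None
                if st.level == "CAL":
                    st.alerts.append(f"{ts} CAL debug access level granted")
    return st

# Constructed transcripts (not real SEL captures); passwords are masked.
NORMAL_SESSION = """10:00:01 C: ACC
10:00:01 S: Password: ?
10:00:02 C: ********
10:00:02 S: =>
10:00:05 C: 2AC
10:00:05 S: Password: ?
10:00:06 C: ********
10:00:06 S: Invalid Password
10:00:09 C: 2AC
10:00:09 S: Password: ?
10:00:10 C: ********
10:00:10 S: ==>
10:00:12 C: CAL
10:00:12 S: Password: ?
10:00:13 C: ********
10:00:13 S: ===>
"""
SKIP_SESSION = """10:05:00 C: CAL
10:05:00 S: Password: ?
10:05:01 C: ********
10:05:01 S: Invalid Password
10:05:02 C: CAL
10:05:02 S: Password: ?
10:05:03 C: ********
10:05:03 S: Invalid Password
"""
```

Because the password exchange is in clear text, the same monitor position could also see the password itself, which is why changing the default matters even if CAL stays in the firmware.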
Other positive and negative findings include:
- Positive – the device required authentication to upload and download ladder logic
- Negative – the authentication was sent in clear text
- Positive – the device withstood resource exhaustion attacks
- Mixed – The fuzzing was able to cause the Telnet service to consistently crash, and the service on TCP/1024 also crashed at least once. The other services and device continued to operate properly when these services crashed. More work is required to determine if the crash could be exploited.
- Positive – The firmware on the system could not be downloaded. An attacker would need to get the firmware elsewhere.
SEL actually has a newer model, the SEL-3332, that includes more security features such as SSL/TLS, IPSEC and more robust user management, but the SEL-2032 is the device we had in the lab.
Project Basecamp Process Note – We wanted to be very careful in how we handled the SEL product because Reid is an ex-SEL employee, and SEL has advertised on digitalbond.com in the past. So we passed the SEL-2032 Communications Processor along with a SEL-351 Protection Relay to Dillon Beresford. Dillon’s skills have been proven with his work on the Siemens S7 PLCs, and he had zero assistance from Reid on what to try or not try. Dillon gave it a hard shake and found some things, but it didn’t fall over like the S7 did — or the GE or Modicon.