To stay alive. SCADA Security

    Just a couple of years ago, few people thought that viruses would step out of cyberspace into the real world and not only steal data and interfere with software, but also attack entire production systems and disable machines and industrial installations. It seemed that production networks are usually isolated from public networks and from the enterprise's internal networks, that the equipment and software in them differ significantly from those of conventional networks, not to mention that all processes are clearly regulated and strictly controlled...

    However, when it is not a single hacker but a group of professionals, made up of industrial control system specialists, hackers and engineers, acting (quite likely) with the backing of a whole state, everything becomes possible.

    The first threat to mark the beginning of the era of cyber wars was the famous Stuxnet "worm", which attacked Iran's nuclear facilities. Moreover, it is known that the malware was specially designed for the Siemens SCADA system SIMATIC WinCC, which ran at the Bushehr nuclear power plant. One might think: it happened in Iran, a lot of time has passed... what difference does it make to us?

    But it does make a difference, since that same WinCC system is used in high-speed trains, at Gazprom compressor stations, at domestic chemical plants... the list goes on. It is easy to imagine the consequences of a failure of the control system of a high-speed train or of an installation on a gas pipeline.

    On top of that, experts at Positive Research discovered a number of vulnerabilities in this same Siemens SIMATIC WinCC that allow complex attacks. Using these vulnerabilities, an attacker could gain full control over an industrial facility.

    Specialists of the Positive Research center, Denis Baranov, Sergey Bobrov, Yuri Goltsev, Gleb Gritsay, Alexander Zaitsev, Andrey Medov, Dmitry Serebryannikov and Sergey Shcherbel, took part in the project to identify the shortcomings of the Siemens SIMATIC WinCC security system.

    Problems


    So, what was discovered?

    • XPath injection in two web applications: special characters are not filtered when URL parameters are parsed, and some of these parameters are used to compose an XPath query over XML data. An attacker could exploit this vulnerability to read or write system parameters.
    • Directory traversal. As in the first case, two web applications do not filter URL parameters; one of these parameters holds a file name. By adding a relative path to the file name, an authorized attacker can read arbitrary files on the system.
    • A buffer overflow allowing a denial-of-service attack against the WinCC DiagAgent web server, which is used for remote diagnostic tasks and is turned off by default. When enabled, it does not properly filter user-supplied data, which can crash DiagAgent (the remote diagnostic tool becomes unusable).
    • Reflected cross-site scripting in two web applications, which are open to attack because they do not filter special characters when parsing URL parameters. A URL can be crafted whose parsing results in the execution of malicious JavaScript code. If the link is sent to an authorized WinCC user and they open it, the malicious code runs on the victim's computer, which can lead to various trouble (for example, the attacker can gain authorized access to the web application).
    • Open redirect in a single web application that takes a parameter from an HTTP GET request and interprets it as a URL, to which the victim's browser is then sent. If the victim opens such a link prepared by an attacker, the browser may be taken to a malicious site instead of the WinCC system.
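    The four web-application weaknesses above (XPath injection, directory traversal, reflected XSS and open redirect) share one root cause: a URL parameter reaches a sensitive sink without being constrained first. The following Python is an added illustration of the input checks that close each of them in a generic web application; it is not code from Positive Research, Siemens or WinCC, and says nothing about how the affected applications are actually built. The XML document, the `hmi.example` host, the `/srv/wincc_files` directory and the parameter names are constructed sample values.

```python
import html
import os
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Constructed sample "system parameters" document standing in for any
# XML-backed settings store that a web application queries with XPath.
SAMPLE_XML = """<params>
  <param name="alarm_limit">80</param>
  <param name="poll_interval">500</param>
</params>"""

# Constructed allow-list of hosts a redirect may point to (hypothetical name).
ALLOWED_HOSTS = {"hmi.example"}

# Only plain identifiers are accepted as parameter names, so a value can
# never close the quoted XPath predicate or append XPath operators.
_PARAM_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")


def lookup_param(xml_text, name):
    """Return the text of <param name=...>, or None if absent.

    The name is validated before it is placed in the XPath predicate,
    which removes the injection path instead of trying to escape it.
    """
    if not _PARAM_NAME.fullmatch(name):
        raise ValueError("invalid parameter name")
    root = ET.fromstring(xml_text)
    node = root.find(f"./param[@name='{name}']")
    return None if node is None else node.text


def safe_path(base_dir, user_file):
    """Resolve user_file under base_dir and refuse anything that escapes it."""
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, user_file))
    # commonpath (rather than a plain string-prefix test) also rejects
    # sibling directories such as "/srv/wincc_files-other/..."
    if os.path.commonpath([base, target]) != base:
        raise ValueError("path escapes base directory")
    return target


def safe_redirect(target, allowed_hosts=ALLOWED_HOSTS):
    """Allow a same-site relative path or an absolute URL to an allow-listed host."""
    # "//host/..." and backslash variants are scheme-relative to browsers
    if "\\" in target or target.startswith("//"):
        raise ValueError("redirect target not allowed")
    parts = urlsplit(target)
    if parts.scheme == "" and parts.netloc == "" and target.startswith("/"):
        return target
    if parts.scheme in ("http", "https") and parts.hostname in allowed_hosts:
        return target
    raise ValueError("redirect target not allowed")


def render_echo(user_value):
    """Reflect a URL parameter into HTML with every special character escaped."""
    return "<p>Value: " + html.escape(user_value, quote=True) + "</p>"


def _rejected(fn, *args):
    """True if fn(*args) raises ValueError, i.e. the input was refused."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def demo():
    """Exercise each check on accepted and refused inputs (constructed values)."""
    base = "/srv/wincc_files"  # hypothetical document root, need not exist
    return {
        "xpath_ok": lookup_param(SAMPLE_XML, "alarm_limit"),
        "xpath_missing": lookup_param(SAMPLE_XML, "no_such"),
        "xpath_quote_refused": _rejected(lookup_param, SAMPLE_XML, "a'b"),
        "path_ok": safe_path(base, "report.txt").endswith("wincc_files/report.txt"),
        "path_dotdot_refused": _rejected(safe_path, base, "../secrets.txt"),
        "path_absolute_refused": _rejected(safe_path, base, "/etc/hosts"),
        "redirect_relative_ok": safe_redirect("/dashboard"),
        "redirect_allowed_host_ok": safe_redirect("https://hmi.example/status"),
        "redirect_other_host_refused": _rejected(safe_redirect, "https://other.example/"),
        "redirect_scheme_relative_refused": _rejected(safe_redirect, "//other.example/"),
        "xss_escaped": render_echo('<b class="x">'),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

    Each function validates or resolves the parameter before it reaches the sink (XPath engine, file system, HTTP Location header, HTML body), which is the property that all four of the listed findings lacked. The DiagAgent buffer overflow is a native-code defect of a different kind and is not covered by these checks.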

    What to do?


    It should be noted that the product affected by these problems is WinCC 7.0 SP3. The system runs on Windows and uses a Microsoft SQL Server database. Users of this SCADA system need to install Update 2 and stop using the DiagAgent component, replacing it with alternative software (SIMATIC Diagnostics Tool or SIMATIC Analyzer). Detailed information on the vulnerabilities and the steps required to eliminate them is published on the Siemens website.

    SCADA Security Perspectives


    Unfortunately, the technologies on which modern SCADA systems are built are focused primarily on solving process control problems. Security functions in them are either completely absent or implemented as an afterthought.

    If the situation does not change, the number of incidents like the Stuxnet case will inevitably keep growing. Vendors and security specialists have no choice but to anticipate information security risks and jointly eliminate weaknesses in security systems. In the case of industrial control systems, the price of a trivial "hole" in the system is too high.