By Gregory Hale
One of the many things Stuxnet taught the manufacturing automation world was that operators cannot always believe what they see. That same axiom came true Thursday at Black Hat as researchers showed how easy it was to force a process out of control.
If you look at most standard DCS or SCADA networks, you see the same basic design, but security still seems to be lacking, said Brian Meixell and Eric Forner, both researchers at Houston-based security provider Cimation, during their session at the Black Hat conference in Las Vegas entitled “Out of control: Demonstrating SCADA device exploitation.”
“Most firewalls are usually in place because a standard has told people to put them in, but they end up having an ‘anything can pass through.’ So there is no security there,” Meixell said.
That ended up being a vital point, as the two researchers were then able to demonstrate how they could work their way through a SCADA system without much trouble. “You don’t even have to go through the enterprise, you can just get to the system by going through a cell phone connection (in some cases),” Forner said.
But the way in to any system is through IP addresses found on the Internet, the researchers said.
One of the problems, Forner said, was the industry’s reliance on the incredibly old Modbus/TCP protocol.
“Modbus is an ancient protocol, you never know what you are actually driving,” Forner said.
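Modbus/TCP carries no authentication, so any host that can reach the PLC can issue the same write commands as the engineering station. The Python below is an added example, not code from the talk or the article: it parses the Modbus/TCP MBAP header and flags write function codes coming from sources outside a hypothetical allowlist, using constructed addresses and frames.

```python
import struct
from dataclasses import dataclass

# Modbus function codes that change PLC state (coils or registers).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}

# Hypothetical allowlist: only the engineering workstation may write.
ALLOWED_WRITERS = {"10.0.0.5"}

@dataclass
class ModbusTcp:
    transaction_id: int
    unit_id: int
    function: int
    data: bytes

def parse_frame(raw: bytes) -> ModbusTcp:
    """Parse one Modbus/TCP ADU: 7-byte MBAP header followed by the PDU."""
    if len(raw) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", raw[:7])
    if proto != 0:
        raise ValueError(f"unexpected protocol id {proto}")
    # MBAP length counts the unit id and the PDU, so it must match the frame.
    if length != len(raw) - 6:
        raise ValueError("MBAP length does not match frame size")
    return ModbusTcp(tid, unit, raw[7], raw[8:])

def flag_unauthorized_writes(packets):
    """Return alert strings for write commands from hosts not on the allowlist.
    packets: iterable of (source_ip, raw_frame) tuples, e.g. from a span port."""
    alerts = []
    for src, raw in packets:
        try:
            frame = parse_frame(raw)
        except ValueError as exc:
            alerts.append(f"{src}: malformed frame ({exc})")
            continue
        if frame.function in WRITE_FUNCTIONS and src not in ALLOWED_WRITERS:
            alerts.append(f"{src}: {WRITE_FUNCTIONS[frame.function]} to unit {frame.unit_id}")
    return alerts

# Constructed sample traffic: a register read from the HMI, then a
# Write Single Coil (coil 1 -> ON) from a host nobody expects on the network.
SAMPLE = [
    ("10.0.0.7", bytes.fromhex("0001 0000 0006 01 03 0000 0002")),
    ("192.168.1.99", bytes.fromhex("0002 0000 0006 01 05 0001 FF00")),
]
```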
They could talk about the problem all day, but the researchers showed the proof was in the pudding by conducting a demonstration in which a process was bringing water into a tank. There was a level transmitter that would shut the system down when the fluid reached a certain level, but once they issued a few commands to get into the system, they essentially owned the process.
When that happened, all indicators showed the operator the tank was not at an overflow level and was actually decreasing, but in reality the tank ended up overflowing. They were able to override the safety interlock and take down the process.
“That could be oil or gas or some chemical leaking out of that tank,” Forner said.
“Because the operator saw something other than reality, when he goes to correct the problem, he may do something worse,” Meixell said.
“The operator is just doing what the PLC is telling him,” Forner said.
As an added bonus, after overflowing the tank, the researchers then took command of the HMI in the system and downloaded a game of solitaire.
These were not magic tricks to take over a system; it was two guys who knew some of the ins and outs of a SCADA system making some solid basic moves.
That was an enlightening demo that showed just how fragile a system could be if the right layers of protection are not in play. Seeing is believing.