Over the last year, synchronized and coordinated attacks against critical infrastructure have taken center stage. Remote cyber intrusions at three Ukrainian regional electric power distribution companies in December 2015 left approximately 225,000 customers without power. Malware such as BlackEnergy is being purpose-built to target supervisory control and data acquisition (SCADA) systems. In particular, adversaries are focusing their efforts on gaining access to the human-machine interface (HMI) software that acts as the main hub for operating the control system: an attacker who controls the HMI can issue the same commands an operator can.
By analyzing the advisories released by ICS-CERT and the vulnerabilities submitted by the worldwide network of researchers working with the Zero Day Initiative (ZDI) program, it is possible to get an understanding of the attack surface exposed by HMI solutions. The chart below summarizes these findings:
Figure 1 – Common Vulnerabilities in SCADA HMI Solutions
Memory corruption vulnerabilities are the most common vulnerability type in this class of software, making up approximately 20% of the identified issues. This category includes stack-based buffer overflows, heap-based buffer overflows, and out-of-bounds reads and writes. To make matters worse, many of these software packages do not enable the exploitation mitigations that have long been standard in widely deployed software such as web browsers (for example DEP/NX, ASLR and stack cookies), which leaves a single overflow far easier to turn into reliable code execution.
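The following is an added example, not code from any HMI vendor or from the ZDI advisories, showing the parsing pattern behind most of the stack-based overflow and out-of-bounds read cases in this category. It assumes a hypothetical, constructed "read tag" request format (one length byte followed by that many bytes of tag name) and a fixed-size buffer, as legacy HMI network parsers commonly use; the vulnerable form trusts the attacker-controlled length, the hardened form checks it against both the destination buffer and the bytes actually received.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed wire format for this example (not a real HMI protocol):
 *   [u8 len][len bytes of tag name]                                        */

#define TAG_NAME_MAX 16   /* fixed-size stack buffer, as in many legacy parsers */

/* Vulnerable form: the attacker-controlled length byte is trusted twice.
 *  - len >= TAG_NAME_MAX overflows the stack buffer `tag` (stack-based overflow)
 *  - len > msg_len - 1 reads past the end of `msg` (out-of-bounds read)
 * Kept only to show the pattern; never feed it hostile input.              */
int parse_tag_request_vulnerable(const uint8_t *msg, size_t msg_len,
                                 char *out, size_t out_sz)
{
    char tag[TAG_NAME_MAX];
    if (msg_len < 1)
        return -1;
    uint8_t len = msg[0];
    memcpy(tag, msg + 1, len);   /* no bound against TAG_NAME_MAX or msg_len */
    tag[len] = '\0';             /* a further one-byte overwrite when len == 16 */
    snprintf(out, out_sz, "%s", tag);
    return 0;
}

/* Hardened form: every use of the length byte is checked against the
 * destination size and against the number of bytes really received.      */
int parse_tag_request_hardened(const uint8_t *msg, size_t msg_len,
                               char *out, size_t out_sz)
{
    char tag[TAG_NAME_MAX];
    if (msg == NULL || out == NULL || msg_len < 1 || out_sz == 0)
        return -1;
    size_t len = msg[0];
    if (len == 0 || len >= TAG_NAME_MAX)   /* keep room for the terminator */
        return -1;
    if (len > msg_len - 1)                 /* declared length exceeds payload */
        return -1;
    memcpy(tag, msg + 1, len);
    tag[len] = '\0';
    if (len >= out_sz)                     /* caller's buffer too small */
        return -1;
    memcpy(out, tag, len + 1);
    return 0;
}

int main(void)
{
    /* Constructed sample requests */
    const uint8_t good[]      = { 10, 'P','u','m','p','1','_','R','P','M','s' };
    const uint8_t oversized[] = { 200, 'A', 'B', 'C' };   /* len > payload and > buffer */
    char out[TAG_NAME_MAX];

    printf("good:      %d (%s)\n",
           parse_tag_request_hardened(good, sizeof good, out, sizeof out), out);
    printf("oversized: %d\n",
           parse_tag_request_hardened(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```

Compiling the vulnerable form with `-fstack-protector` and running it with ASLR and NX enabled is exactly the mitigation stack the paragraph describes; when an HMI vendor ships without them, the unchecked `memcpy` above is a direct path to controlling the return address.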
Another very common weakness is the mishandling of critical credentials, which remote adversaries can leverage to change configurations and possibly execute code. A good example is CVE-2015-6456, a hard-coded support account (ge_support) in GE MDS PulseNET, a product used to monitor devices in industrial communication networks. This credential allowed a remote attacker to log in with full privileges, resulting in complete compromise of the system. Notably, the support account was not shown in the user management panel, so it could not be disabled without a patch.
Figure 2 – ge_support Account in GE MDS PulseNET
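An added example, not GE code, of why an account like the one above cannot be disabled from the management panel: the panel can only act on the user store, while a hard-coded credential is checked in the authentication path before the store is ever consulted. The account name, password and sample users below are placeholders constructed for this example and are not the real PulseNET values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* Constructed user store: this is all the management panel can list or edit.
 * Passwords are plaintext and compared with strcmp only to keep the example
 * short; a real store holds salted hashes.                                  */
struct user {
    const char *name;
    const char *password;
    bool        enabled;
};

static struct user user_store[] = {
    { "operator", "op-pass-1",  true },
    { "admin",    "adm-pass-2", true },
};
#define USER_COUNT (sizeof user_store / sizeof user_store[0])

/* What the panel does when an administrator clicks "disable". */
bool disable_account(const char *name)
{
    for (size_t i = 0; i < USER_COUNT; i++) {
        if (strcmp(user_store[i].name, name) == 0) {
            user_store[i].enabled = false;
            return true;
        }
    }
    return false;   /* unknown to the store: the panel cannot touch it */
}

static bool store_lookup(const char *name, const char *password)
{
    for (size_t i = 0; i < USER_COUNT; i++) {
        if (user_store[i].enabled &&
            strcmp(user_store[i].name, name) == 0 &&
            strcmp(user_store[i].password, password) == 0)
            return true;
    }
    return false;
}

/* Vulnerable form: a vendor support login short-circuits the store. It is
 * absent from user_store, so the panel never lists it and disable_account()
 * can never reach it. (Hypothetical name and placeholder credential.)      */
bool authenticate_vulnerable(const char *name, const char *password)
{
    if (strcmp(name, "vendor_support") == 0 &&
        strcmp(password, "PLACEHOLDER-NOT-A-REAL-VALUE") == 0)
        return true;
    return store_lookup(name, password);
}

/* Hardened form: the store is the single source of truth, so every account
 * that can log in is also visible to, and disableable from, the panel.    */
bool authenticate_hardened(const char *name, const char *password)
{
    return store_lookup(name, password);
}
```

The practical check this suggests for an assessment: enumerate every account the product will authenticate (configuration files, embedded databases, string tables in the binaries) and compare that list with what the administrative UI shows; any difference is an account the owner cannot manage.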
Vulnerabilities like these in SCADA HMI solutions are, and will continue to be, highly valuable to attackers. In the forthcoming white paper, we will detail the most common vulnerability types discovered in HMI solutions from the largest SCADA vendors, including Schneider Electric, Siemens, GE, and Advantech. It will examine the weaknesses in the technologies used to build HMI solutions and describe how critical vulnerabilities manifest in the underlying code. Finally, using the data presented, it will offer additional guidance to SCADA researchers along with a prediction of what we expect next in attacks that leverage SCADA HMI vulnerabilities.