Vulnerabilities related to Industrial Control Systems (ICS), which include the supervisory control and data acquisition (SCADA) networks that administer operations for critical infrastructure and production, are a very hot topic in security. Joel Langill (SCADAhacker.com) and Eric Byres (Byres Security) have teamed up again to take a look at the recent CoDeSys vulnerabilities publicly disclosed in early November, and to offer some useful guidance to those who may have these potentially vulnerable devices in their automation architectures.
In late 2011 researchers at Digital Bond initiated an effort entitled “Project Basecamp” designed to bring attention to a wide variety of problems in deployed SCADA and DCS devices, culminating in the public disclosure of numerous vulnerabilities and a host of Metasploit modules that automated exploits for the flaws. The disclosures were intended to put pressure on the industry to bolster security measures.
The paper published by Langill and Byres analyzes the disclosures made by Project Basecamp and examines the possibility that malicious actors could capitalize on the published exploits "for either financial or ideological gain," according to the report.
"In a post-Stuxnet world, a lot of attention is being given to the automation systems controlling critical infrastructure and important manufacturing processes. Much of this attention is caused by a new wave of security research being performed on the security vulnerabilities that many of these systems possess. It is one thing to say that a system has security vulnerabilities, but it is something entirely different to say that the system is insecure," Langill told Security Bistro.
The paper not only discusses the vulnerabilities uncovered by Project Basecamp in great detail, but also uses the information in the disclosures to give end users of the at-risk systems several compensating security measures they can put in place to help protect their architectures from exploitation by attackers.
Specifically, the paper covers:
- What the 3S CoDeSys vulnerabilities are and what an attacker can do with them
- How to find out what control/SCADA devices are affected
- The risks and potential consequences to SCADA and control systems
- The compensating controls that will help block known attack vectors
The authors acknowledge that following the mitigation measures outlined in the paper will not compensate for every one of the many vulnerabilities identified by Digital Bond, but administrators who apply them will gain a better understanding of the 3S CoDeSys flaws and of how to determine whether those flaws could impact their critical systems.
"Some of these measures will protect and defend a vulnerable system from possible breach, while others help to provide early detection and warning should a system be a potential target of attack. These powerful security controls provide the user with the ability to secure their systems without having to upgrade or replace critical control system components," Langill said.