A couple of years ago hardly anyone could have imagined that viruses would jump into the physical world with the power to attack entire production systems and break down machines and industrial plants, let alone steal data and interrupt software operations. It might seem inconceivable: plant networks are usually separated from public and internal networks, the software and hardware differ from those used in ordinary networks, and, moreover, all processes are strictly regulated and closely controlled…
The first threat that marked the era of cyber war was the infamous Stuxnet worm, which attacked nuclear plants in Iran. It is now an established fact that the malware was crafted specifically for SIMATIC WinCC, a SCADA system from Siemens, which was deployed at the atomic power station in Bushehr. You might think: ‘It was in Iran, so long ago… Why care?’
But there is much to care about. It is the same WinCC system that is used in trains, in compression stations of Gazprom, and in domestic chemical plants. The list could go on. It is not hard to imagine the possible consequences of a system breakdown in a high-speed train or a gas-pipeline facility.
To top it all, experts of Positive Research (Denis Baranov, Sergei Bobrov, Yuri Goltsev, Gleb Gritsai, Alexander Zaitsev, Andrey Medov, Dmitry Serebryannikov and Sergey Scherbel) have detected a number of severe vulnerabilities in Siemens SIMATIC WinCC. By exploiting these vulnerabilities, an attacker can take over an industrial facility.
So, what have they found?
- Vulnerability 1: Two web applications do not filter out special characters when parsing URL parameters. Some of the affected URL parameters are used to construct an XPath query over XML data, which can be exploited for XPath injection. An authenticated attacker can use this vulnerability to read or write settings of the system.
- Vulnerability 2: As in the vulnerability above, two web applications do not sanitize URL parameters. One parameter specifies a file name. By appending relative path information to the file name, an authenticated attacker can read arbitrary files on the system (directory traversal).
- Vulnerability 3: The DiagAgent web server is used for remote diagnostic purposes and is turned off by default. If it is turned on, it does not sanitize user input correctly. Specially crafted input can crash the DiagAgent, rendering remote diagnostics unusable.
- Vulnerability 4: Two web applications are susceptible to reflected cross-site scripting (XSS) because they do not filter out special characters when parsing URL parameters. It is thus possible to craft URLs that cause the execution of malicious JavaScript code. If a link to such a tailored URL is sent to a legitimate user of WinCC and that user clicks on it, the malicious code runs on the victim’s computer. This can have many consequences; for example, it may give the attacker authenticated access to the web application.
- Vulnerability 5: A web application accepts a parameter in an HTTP GET request and interprets it as a URL. The victim’s browser is then redirected to that URL. If a victim clicks on a link prepared by an attacker, the victim’s browser might end up on a malicious web site instead of the WinCC system (open redirect).
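Three of the flaws above share one root cause: a URL parameter flows unchecked into an XPath query, a file path, or a redirect target. The following Python is an added illustration of how a web handler can neutralise each of those inputs on the server side; it is not WinCC code, and the settings document layout, the report directory and the host allow-list are assumed for the example.

```python
import os
from typing import Optional
from urllib.parse import urlsplit


def xpath_literal(value: str) -> str:
    """Quote an untrusted string as an XPath string literal so it cannot
    terminate the literal and alter the query (Vulnerability 1)."""
    if "'" not in value:
        return f"'{value}'"
    if '"' not in value:
        return f'"{value}"'
    # Both quote kinds present: rejoin the pieces with concat().
    parts = value.split("'")
    return "concat(" + ", \"'\", ".join(f"'{p}'" for p in parts) + ")"


def setting_query(name: str) -> str:
    # Assumed layout of the settings XML document.
    return f"/settings/setting[@name={xpath_literal(name)}]/value"


def resolve_under_root(root: str, file_name: str) -> Optional[str]:
    """Resolve a user-supplied file name inside root; return None when the
    resolved path escapes root (Vulnerability 2, directory traversal)."""
    root_real = os.path.realpath(root)
    candidate = os.path.realpath(os.path.join(root_real, file_name))
    # commonpath compares whole components, so a sibling such as
    # root + "2" does not pass as being inside root.
    if os.path.commonpath([root_real, candidate]) != root_real:
        return None
    return candidate


def safe_redirect_target(url: str, allowed_hosts: set) -> Optional[str]:
    """Accept only a local path or an absolute http(s) URL whose host is on
    the allow-list; everything else is rejected (Vulnerability 5)."""
    parts = urlsplit(url)
    if parts.scheme == "" and parts.netloc == "":
        # A relative target: must be a single-slash path. "//host" and
        # "/\host" are scheme-relative in browsers and carry a netloc.
        if url.startswith("/") and url[1:2] not in ("/", "\\"):
            return url
        return None
    if parts.scheme in ("http", "https") and parts.netloc.lower() in allowed_hosts:
        return url
    return None
```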
What To Do?
It should be pointed out that the product containing the flaws is WinCC 7.0 SP3. The system runs on Windows and uses Microsoft SQL Server. Those who use this SCADA should install Update 2 and refrain from using DiagAgent in favor of an alternative software product (SIMATIC Diagnostics Tool or SIMATIC Analyser). Detailed information on the vulnerabilities and the measures to be taken against them is provided on the Siemens web site.
SCADA Security Prospects
Unfortunately, the technologies that serve as the foundation of today’s SCADA systems are mainly aimed at solving process management tasks. Their security functions are either missing altogether or implemented as an afterthought.
If not fixed, this situation will only favor a growing number of incidents similar to Stuxnet. Information security market players therefore have to take proactive measures against the emerging risks and cooperate with one another to fix flaws in these systems. In the case of SCADA, the price of a banal “system loophole” can be far too high.