CyberWire Daily - Knocking down the legs of the industrial security triad. [Research Saturday]

Episode Date: February 11, 2023

Pascal Ackerman, OT Security Strategist from GuidePoint Security, joins Dave to discuss his work on discovering a vulnerability in the integrity of a common HMI client-server protocol. This research is ...a Proof of Concept (PoC) attack on the integrity of data flowing across the industrial network with the intention of intercepting, viewing, and even manipulating values sent to (and from) the HMI, ultimately trying to trick the user into making a wrong decision, ultimately affecting the proper operation of the process. In this research, they are targeting Rockwell Automation’s FactoryTalk View SE products, trying to highlight the lack of integrity and confidentiality on the production network and the effect that has on the overall security of the production environment. The research can be found here: GuidePoint Security researcher discovers vulnerability in the integrity of common HMI client-server protocol

Transcript
Starting point is 00:00:00 You're listening to the CyberWire Network, powered by N2K. of you, I was concerned about my data being sold by data brokers. So I decided to try Delete.me. I have to say, Delete.me is a game changer. Within days of signing up, they started removing my personal information from hundreds of data brokers. I finally have peace of mind knowing my data privacy is protected. Delete.me's team does all the work for you with detailed reports so you know exactly what's been done. Take control of your data and keep your private life Thank you. Hello, everyone, and welcome to the CyberWire's Research Saturday. I'm Dave Bittner, and this is our weekly conversation with researchers and analysts tracking down the threats and vulnerabilities, solving some of the hard problems of protecting ourselves in a rapidly
Starting point is 00:01:45 evolving cyberspace. Thanks for joining us. Pretty much industrial control systems are all around us, right? Everything we touch is either directly controlled by one of these systems or it's fabricated by one of these systems. So an industrial control system is a bunch of peripherals that combine to make a product or ship a good or a service to somebody. That's Pascal Ackerman. He's a senior security consultant for operational technology and threat and attack simulation at GuidePoint Security. The research is titled,
Starting point is 00:02:28 GuidePoint Security Researcher Discovers Vulnerability in the Integrity of Common HMI Client-Server Protocol. Think of it as pretty much the engine in your car that drives everything, that makes sure that your battery gets charged, makes sure that there's hydraulic pressure for your pressured steering column and stuff like that. So these systems are controlling the process, the industrial control systems that take care of a certain process. So there's variables like temperature, pressure that go into it, and these systems will monitor these control points, and they will make actions to keep them in a certain acceptable parameters.
Starting point is 00:03:18 And so what is the peril here that you all are exploring? So, as I said, these systems control a key value, like a pressure or temperature, and oftentimes they do that very well themselves. Like you said, for example, I want the temperature to be 100 degrees Fahrenheit. Or if you go back to the resemblance to a car, I want my cruise control to stay at 60 miles an hour. So it will use sensors to look at your temperature or
Starting point is 00:03:51 your speed, in the car reference, and it will throttle steam pressure or it will throttle your gas pedal in the car to stay within that value. Oftentimes, there needs to be some sort of an oversight to make sure that the process is within tolerable maximum and minimum values. And that's done with what we call an HMI or human machine interface. So an operator will have one of these HMIs sitting in the control room or wherever he's looking at these values. And he can keep an eye on the temperature. Sometimes there's some trending on there as well that can show you outliers to see over time what your pressure or your temperature is doing. I've always been fascinated with the communication from the process to that HMI and how that
Starting point is 00:04:40 works. So I started looking at it deeper and deeper, and that's how I discovered these vulnerabilities. Well, let's walk through it together here. Can you take us through this journey? What exactly did you discover? So I was doing an assessment of a large manufacturer that was doing a lot of recipe-based manufacturing. This was food and beverage. And they sent recipes from a controller, the PLC, or the programmable logic controller, which is the brain of your automation system, to an HMI.
Starting point is 00:05:14 And we were taking Wireshark packet captures. So we're basically sniffing the network, looking at all the traffic, all of the data traversing the network. And I was seeing these recipe names flowing by in clear text. And that set off my curiosity bell, right? And I started looking deeper into it, and I noticed that they were tied to a particular protocol. And this was for an Allen-Bradley facility.
Starting point is 00:05:40 So it was what they called the live data protocol, where they basically have an HMI system with the system being a server and a client. They were communicating these recipes to each other over clear text. And that sparked the whole research project. Well, let's continue down the path then. I mean, your curiosity has been piqued. Where did you go from there? I started looking at the Wireshark packet captures and started to push it through a Python framework called Scapy, which is really, really handy for dealing with packet captures and actually also manipulating some of the data, which we'll get to in a minute. So I started filtering out certain values. I was looking at, okay, when I see these clear text recipes come by,
Starting point is 00:06:29 what else is on that packet? Is there anything that stands out? And I noticed that there was a certain part of the protocol always showed these clear text protocols and the clear text strings passing by. So I started looking deeper at that and I started honing down, started filtering out that particular part of the protocol. And I noticed that pretty much any data between
Starting point is 00:06:51 the server and the client in one of these HMI systems is sent over clear text. Now, is this data that's reporting back a status? Is this data that is used to control devices? Is it both? It's both. So one way, like I said, the operator can look at his process and look at temperatures, look at pressures. And then if he notices that something is out of whack,
Starting point is 00:07:19 he can go in and change a set point. He can stop the process. He can do anything from that HMI, which is also then sent back from the client to the server in clear text. Now, I've seen enough movies where things go horribly wrong, like Jurassic Park or something like that, where there's somebody sitting at a control panel and something starts to indicate incorrectly and they say, oh, we must have a bad sensor, you know, and then I'll go check it out. And then they go check it out and they get eaten by a dinosaur. So is that where we're headed here? That the reliability of the information flowing back and forth is really at issue? Yes, absolutely. Think of it as being pulled over in your car and the cop is telling you you were doing 100 miles an hour, even though your speedometer was saying you were doing 60 miles an hour. And so somebody might have tampered with your speedometer and you're thinking you're going under the speed limit while the police officer with his radar gun
Starting point is 00:08:26 picked you at 100 miles an hour. So yes, what we're showing on the HMIs can no longer be just accepted or no longer trusted to be valid. And that's a big, big problem because now the operator sees the wrong values and he might make the wrong decisions based on what he's seeing. And now, a message from our sponsor, Zscaler, a leader in cloud security.
Starting point is 00:09:01 Enterprises have spent billions of dollars on firewalls and VPNs, yet breaches continue to rise by an 18% year-over-year increase in ransomware attacks and a $75 million record payout in 2024. These traditional security tools expand your attack surface with public-facing IPs that are exploited by bad actors more easily than ever with AI tools. that are exploited by bad actors more easily than ever with AI tools. It's time to rethink your security. Zscaler Zero Trust plus AI stops attackers by hiding your attack surface, making apps and IPs invisible, eliminating lateral movement, connecting users only to specific apps, not the entire network,
Starting point is 00:09:42 continuously verifying every request based on identity and context, simplifying security management with AI-powered automation, and detecting threats using AI to analyze over 500 billion daily transactions. Hackers can't attack what they can't see. Protect your organization with Zscaler Zero Trust and AI. Learn more at zscaler.com slash security. And you went down the path in your research here to actually sort of proof of concept this man-in-the-middle technique. Yeah, so after I saw those clear text values and passing by,
Starting point is 00:10:29 which was a nice finding on itself already, I thought, what if I could manipulate these values as well and start showing something else on the screen? And that's exactly what I did. I used, again, the Scapy tool to find the packets that were interesting, look at specifics on how to change some of the values on there. The framework even makes it easy for me that once I'm done with manipulating the packet, it will do a revalidation, it will do a fix-up of the CRC on the packet, and then we'll send it off to the client. And lo and behold, I saw the values change on the HMI.
Starting point is 00:11:09 So I was looking at the PLC itself, which is the source of the data. It was showing 100 degrees. And then in the server client HMI setup, it was showing 100 degrees. But by the time I was done manipulating the packet, the HMI was showing 2,000 degrees. So that was a successful compromise of integrity. And you're able to do this in a way that wouldn't automatically draw attention to itself, would delay detection? It would be.
Starting point is 00:11:42 So these attacks are all based around the ability to sit, to put an attacking machine, Kali Linux in the write-up, between the server and the client. In order to do that, we have to perform what's called ARP spoofing, which is really easy to detect if you have the right tools in place. So if you have, like, a SIEM or deep packet inspection tools installed, it will be detectable. But a lot of these facilities don't have those means in place yet.
Starting point is 00:12:18 You know, as I was reading through your research and I came to the section that talks about the potential implications, I have to admit perhaps my twisted sense of humor was triggered. The first thing you list is panic. And while it's easy to laugh at that, I mean, the reality is that in an industrial environment, that's a real problem to get people responding to something that is out of bounds for what they're used to. Yeah, and it's valid too because I have worked in controls and automation since 1999 and I've been out on the production field.
Starting point is 00:12:54 And a lot of times these processes that have high pressure steam, high temperatures are quick and oftentimes hard to control. An operator has to be on his toes to keep it up and to keep it going. So if anything like this happens that is way out of whack, panic might have him push the emergency button, which stops the process, and with all the consequences from doing that. Were you surprised to see so much data being exchanged in the clear? No. As I've been advocating for years now, industrial control system security
Starting point is 00:13:36 was an afterthought. And that wasn't anybody's fault. It's just how it organically grew, right? When we first started seeing industrial control systems, they weren't more than a handful of devices that were tied together with serial communications, point-to-point connections. So authentication, authorization wasn't in play at those times because there was only one device that was able to connect to it. But then when the hype came to bring everything to the TCP/IP stack and put everything on Ethernet,
Starting point is 00:14:04 in order to be competitive and to easily have customers convert from point-to-point and serial to Ethernet, they just took those wide-open protocols and they put them on Ethernet, which was already being scrutinized by attackers with Wireshark, and I think it was Ethereal at that time, tools and the other common IT attack tools. So what is to be done here? What are your recommendations, given everything that you've discovered here? Ideally, I'd love to see the ICS manufacturers,
Starting point is 00:14:43 the controls and automation vendors, start to build in authentication or at least integrity between the parts of their offerings where this kind of communication takes place. So in the case of Rockwell Automation, it would be great if they could set up a secure channel between their server and their client. Until then, we're going to have to rely on compensating control, as we call that, because you can set up a tunnel between the client and server operating systems. So Windows will allow you to set up something called an IPsec tunnel, which encrypts all communications between the client and the server. Yeah, it strikes me too, and correct me if my understanding is wrong, that more and more organizations are relying on these kinds of
Starting point is 00:15:32 remote sensors, where you used to have perhaps a person on site at a location or on the other side of a plant or the other side of a nation, and more and more of this is happening remotely, both for convenience and cost savings. Yeah, and oftentimes they use what they call a SCADA system for that. And they will have remote sensors. They will have plants all across the world, and they all tie that data back to a central place.
Starting point is 00:16:03 The good news is, though, that they often do that communication, that centralized model. They do that over what they call peer-to-peer VPN connections or some hub-spoke VPN architecture. So from the internet, from the public network, this is shielded off by the VPN connection. But once you're on that network, all of this data is visible. Now, what you have outlined here is a proof of concept. Are you aware of anything like this happening in the wild, of any bad guys trying to take advantage of this sort of thing? No, not yet. Yeah. It seems like it's a matter of time. Sad to say. It is sad to say, but luckily or unluckily, I don't know, attackers are still focused on ransomware. So I've read some research from a colleague researcher. They had set up an ICS honeynet where they basically open up some ports and they made it look like they had an industrial control system
Starting point is 00:17:08 sitting on the internet. And he stated that over the six or seven months they had that open, they had no really targeted attacks on the ICS system, but mostly it was ransomware or malware trying to take over the network. So until that changes, stuff like this is probably not that critical to look after yet. Our thanks to Pascal Ackerman from GuidePoint Security for joining us. The research is titled, GuidePoint Security Researcher Discovers Vulnerability in the Integrity of Common HMI Client-Server Protocol. We'll have a link in the show notes.
Starting point is 00:18:03 And now, a message from BlackCloak. Did you know the easiest way for cybercriminals to bypass your company's defenses is by targeting your executives and their families at home? BlackCloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached. Protect your executives and their families 24-7, 365, with BlackCloak.
Starting point is 00:18:38 Learn more at blackcloak.io. The CyberWire Research Saturday podcast is a production of N2K Networks, proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. This episode was produced by Liz Irvin and senior producer Jennifer Eiben. Our mixer is Elliott Peltzman.
Starting point is 00:19:10 Our executive editor is Peter Kilpe, and I'm Dave Bittner. Thanks for listening.
