
Just a few years ago, few people imagined that malware would step out of cyberspace into the physical world: not only stealing data and interfering with software, but attacking entire production systems and disabling machines and industrial installations. After all, production networks are usually isolated from public networks and from the enterprise's office network, the equipment and software in them differ significantly from conventional IT, and every process is strictly regulated and strictly controlled...
However, when the attacker is not a lone hacker but a team of professionals, combining process control (ICS) specialists, hackers and engineers, and (quite likely) backed by a state, everything becomes possible.
The first threat that marked the beginning of the cyber-warfare era was the well-known Stuxnet worm, which attacked Iran's nuclear program. It is known that the malware was built specifically for the Siemens SIMATIC WinCC/Step 7 environment, which was in use at the Bushehr nuclear power plant. One might think: it happened in Iran, a lot of time has passed... what difference does it make to us?
But it does make a difference, because the very same WinCC is used in high-speed trains, at Gazprom compressor stations, at domestic chemical plants... and the list goes on. It is not hard to imagine the consequences of a failure in the control system of a high-speed train or of a gas pipeline installation.
On top of that, experts at the Positive Research center found a number of vulnerabilities in this same Siemens SIMATIC WinCC that allow complex, chained attacks. Using them, an attacker could gain full control over an industrial facility.
The project to identify security flaws in Siemens SIMATIC WinCC was carried out by experts from the Positive Research center: Denis Baranov, Sergey Bobrov, Yury Goltsev, Gleb Gritsai, Alexander Zaitsev, Andrey Medov, Dmitry Serebryannikov and Sergey Scherbel.
Problems
So, what was found?
- XPath Injection in two web applications: special characters in URL parameters are not filtered, and some of these parameters are used to build an XPath query over XML data. An attacker can exploit this to read or modify system parameters.
- Directory traversal. As in the first case, two web applications do not filter URL parameters, one of which names a file. By prepending a relative path (such as "../") to the file name, an authorized attacker can read arbitrary files on the system.
- Buffer overflow leading to Denial of Service in the WinCC DiagAgent web server, which is used for remote diagnostics and is disabled by default. When enabled, it does not validate user input properly, which can crash DiagAgent and leave the remote diagnostics tool unusable.
- Reflected Cross-Site Scripting in two web applications that do not filter special characters when parsing URL parameters. A URL can be crafted so that parsing it executes attacker-supplied JavaScript. If such a link is sent to an authorized WinCC user and opened, the script runs in the victim's browser in the context of the WinCC application, which can have various consequences (for example, the attacker gains the victim's authenticated access to the web application).
- Open Redirect in one web application that accepts a parameter in an HTTP GET request, interprets it as a URL and sends the victim's browser there. If the victim opens a link prepared by an attacker, the browser is taken to a malicious site instead of WinCC.
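As an added illustration, and not WinCC's own code (which the page does not show), the Python below models the four web-application weaknesses from the list above, each as an unsafe handler next to a hardened one: XPath injection (allow-listing the identifier and quoting it as an XPath literal), directory traversal (resolving the path and checking it still lies under the served directory), reflected XSS (escaping at output) and open redirect (accepting only site-local paths). The handler names, parameter values, file layout and sample XML are assumptions constructed for the example; the DiagAgent buffer overflow is a native-code defect and is not modelled here.

```python
"""Illustrative Python for the four web-application weaknesses above.
Not WinCC code: the handler names, parameter values, file layout and XML
are constructed for this example."""
import html
import os
import re
import tempfile
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# --- XPath injection ---------------------------------------------------
SAMPLE_XML = """<config>
  <parameter name="tag1" access="read">100</parameter>
  <parameter name="secret" access="admin">s3cr3t</parameter>
</config>"""

def unsafe_xpath(name):
    # The URL parameter is pasted into the predicate unchanged, so a value
    # containing a quote rewrites the query into something else entirely.
    return "//parameter[@name='" + name + "']"

def xpath_literal(s):
    # XPath 1.0 has no escape character: a value holding both quote types
    # can only be expressed as a concat() of single-quoted pieces.
    if "'" not in s:
        return "'" + s + "'"
    if '"' not in s:
        return '"' + s + '"'
    pieces = ("'" + p + "'" for p in s.split("'"))
    return "concat(" + ", \"'\", ".join(pieces) + ")"

def read_parameter(xml_text, name):
    # Hardened lookup: allow-list the identifier, then quote it as a literal.
    # ElementTree's XPath subset supports the [@attr='value'] predicate.
    if not re.fullmatch(r"[A-Za-z0-9_.-]{1,64}", name):
        raise ValueError("invalid parameter name")
    node = ET.fromstring(xml_text).find(
        ".//parameter[@name=%s]" % xpath_literal(name))
    return None if node is None else node.text

# --- Directory traversal -----------------------------------------------
def unsafe_read(base_dir, filename):
    # The file name from the URL is joined without any check, so "../"
    # (or "..\\" on Windows) escapes base_dir.
    with open(os.path.join(base_dir, filename), "rb") as f:
        return f.read()

def safe_read(base_dir, filename):
    # Resolve symlinks and ".." first, then require the result to still
    # lie under base_dir (an absolute filename also fails this check).
    base = os.path.realpath(base_dir)
    target = os.path.realpath(os.path.join(base, filename))
    if os.path.commonpath([base, target]) != base:
        raise PermissionError("path escapes the allowed directory")
    with open(target, "rb") as f:
        return f.read()

def traversal_demo():
    # Constructed layout: only diag/ is meant to be served, but a file one
    # level up holds credentials.
    root = tempfile.mkdtemp()
    diag = os.path.join(root, "diag")
    os.mkdir(diag)
    with open(os.path.join(diag, "log.txt"), "wb") as f:
        f.write(b"diag log")
    with open(os.path.join(root, "secret.ini"), "wb") as f:
        f.write(b"dbpass=example")
    escape = os.path.join("..", "secret.ini")
    result = {"unsafe_leak": unsafe_read(diag, escape),
              "safe_ok": safe_read(diag, "log.txt")}
    try:
        safe_read(diag, escape)
        result["safe_blocked"] = False
    except PermissionError:
        result["safe_blocked"] = True
    return result

# --- Reflected XSS -------------------------------------------------------
def unsafe_page(msg):
    return "<p>Result: " + msg + "</p>"          # reflects the parameter raw

def safe_page(msg):
    return "<p>Result: " + html.escape(msg, quote=True) + "</p>"

# --- Open redirect -------------------------------------------------------
def safe_redirect_target(url, default="/"):
    # Accept only a site-local absolute path.  Anything with a scheme or
    # host is refused, as is any backslash (browsers read "/\\host" like
    # "//host") and the protocol-relative "//host" form.
    parts = urlsplit(url)
    if parts.scheme or parts.netloc or "\\" in url:
        return default
    if not url.startswith("/") or url.startswith("//"):
        return default
    return url
```

The common thread is that none of the fixes rely on "filtering special characters" out of the input, which is what the advisory text says is missing: the XPath case validates against a strict allow-list and builds a proper literal, the file case checks the resolved path rather than the string, the XSS case encodes at the point of output, and the redirect case refuses anything that is not a local path instead of trying to blacklist hosts.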
What to do?

The product affected by these problems is WinCC 7.0 SP3. The system runs on Windows and uses a Microsoft SQL Server database. Users of this SCADA system should install Update 2 and stop using the DiagAgent component, replacing it with alternative software (SIMATIC Diagnostics Tool or SIMATIC Analyzer). Since DiagAgent is disabled by default, it is also worth checking that nobody has enabled it on the WinCC stations. Detailed information about the vulnerabilities and the steps needed to eliminate them is published on the Siemens website.
SCADA security outlook
Unfortunately, the technologies on which modern SCADA systems are built are focused primarily on solving process control problems. Security features in them are either absent entirely or implemented as an afterthought.
If the situation does not change, the number of incidents like Stuxnet will inevitably keep growing. Vendors and security specialists have no choice but to address information security risks proactively and to eliminate the shortcomings of these systems by joint effort. In a process control system, the price of a trivial "hole" is simply too high.