Earlier this month Homeland Security released 4 different advisories for industrial control system vulnerabilities. This comes in the wake of a successful breach of a water treatment plant in Florida. While that hack took advantage of poor cyber hygiene practices (obsolete unpatched software, shared passwords, etc.), it did call attention to the fact that our critical infrastructure is under attack.
#1 – JOHNSON CONTROLS EXACQ TECHNOLOGIES EXACQVISION
DHS says this vulnerability is remotely exploitable and requires only a low skill level to exploit. It affects all supported versions of the software and can expose sensitive information to hackers. For more details see this ICS CERT ADVISORY.
#2 – Hitachi ABB Power Grids eSOMS
Again, DHS says that this vulnerability requires only a low skill level to exploit. This vulnerability allows a hacker to gain access to report data. For more details see this ICS CERT ADVISORY.
#3 – Hitachi ABB Power Grids eSOMS Telerik
This is a different Hitachi ABB problem, related to path traversal (reaching directories the user should not have access to), deserialization of untrusted data, improper input validation, inadequate encryption and insufficiently protected credentials. It scores a 9.8 (out of 10) on the vulnerability Richter scale. A hacker could upload malicious files, steal sensitive data and execute arbitrary code. For more details see this ICS CERT ADVISORY.
#4 – Rockwell Automation Logix Controllers
This is an update to the alert issued last month, and this one rates a 10 out of 10 on the vulnerability rating scale. It is also exploitable remotely and requires low skill to exploit. The vulnerability would allow a hacker to bypass the login requirement, alter the system’s configuration or change the code in the controller. For more information on this alert, see this ICS CERT ADVISORY.
If we look at these four advisories as a whole, what do we see?
- Most can be executed remotely
- Not limited to a single vendor
- Most require low skill to achieve
- Hackers can steal data and/or corrupt the system
If these attacks were applied to systems like the Florida water system that was compromised, an attacker could potentially cause physical damage (like an explosion), turn off services (like power or gas), or poison people (as could have happened in the Florida water treatment plant attack).
The other problem is that industrial control system owners are notorious for not applying patches. They are concerned, probably rightfully, that a patch could cause an outage (Microsoft or Apple never, ever, broke anything when applying patches, right?) or stop the system from working.
Unfortunately, given the typically poor cyber hygiene practices and the increased connectivity to the Internet of these systems, along with the information about the vulnerabilities that are now publicly available, don’t be surprised if hackers take advantage of this.
As a consumer, unfortunately, there is not much that you can do. That means any pressure will have to come from regulators, who are often in bed with the regulatees. (The Chairman of the Texas PUC was just caught on tape reassuring investors that the millions of dollars they stole from Texans during the deep freeze this month were safe and they would not be forced to give the money back. AFTER the recording was made public, the Governor asked him to resign – only AFTER.) Given the often too cozy relationship between the PUCs and utilities, I am not counting on much pressure, but we can hope.