According to warnings from the U.S. agencies that protect national critical infrastructure, the electronic devices that control equipment at water treatment plants and other industrial sites contain serious flaws that could let attackers manage them remotely.
“Some models of the Modicon Quantum PLC used in industrial control systems contain several hidden accounts that use predefined passwords for remote access,” said the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) in an advisory released Tuesday. The device manufacturer, Schneider Electric, based in Illinois, has released a fix that protects against some of the weaknesses and continues to develop additional protections.
PLCs (programmable logic controllers) sit at the lowest level of a site, where computerized sensors and actuators control valves, turbines and other equipment. Default passwords hard-coded into the Ethernet cards are used to send commands to the devices and to read temperature and other data. The Ethernet modules also let administrators control the equipment remotely using protocols such as Telnet, FTP and the WinDriver debug port.
According to a blog post on Monday by independent security researcher Ruben Santamarta, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in the documentation. Even where the passwords are concealed as cryptographic hashes, they can be easily recovered thanks to documented vulnerabilities in the VxWorks operating system. As a result, attackers can use them to log in to the device and gain privileged administrative access.
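Because the hidden accounts cannot be removed by operators until the vendor fix is applied, the practical defensive control is to watch who reaches the PLC management services the article names (Telnet, FTP, the WinDriver debug port). The following is an added example, not code from the article or from Schneider or ICS-CERT: it audits constructed flow-log lines and flags any session to a PLC's management port from outside an assumed engineering subnet. The PLC addresses, the subnet and the port numbers (the conventional Telnet, FTP and WDB agent ports) are assumptions.

```python
import ipaddress
from collections import namedtuple

# Management services reachable through the NOE Ethernet modules, per the article.
# Port numbers are the conventional ones (assumption; not stated on the page).
PLC_MGMT_PORTS = {
    ("tcp", 23): "telnet",
    ("tcp", 21): "ftp",
    ("udp", 17185): "windriver-wdb",
}

# Constructed inventory: Modicon Quantum PLCs and the only subnet allowed to manage them.
PLC_HOSTS = {"10.10.5.11", "10.10.5.12"}
ENGINEERING_NET = ipaddress.ip_network("10.10.1.0/24")

Flow = namedtuple("Flow", "ts proto src dst dport")

# Constructed flow-log sample: "<timestamp> <proto> <src> <dst> <dport>"
SAMPLE_FLOWS = """
2011-12-13T10:02:41 tcp 10.10.1.20 10.10.5.11 23
2011-12-13T10:03:02 tcp 192.168.77.4 10.10.5.11 21
2011-12-13T10:03:30 udp 203.0.113.9 10.10.5.12 17185
2011-12-13T10:04:00 tcp 10.10.1.21 10.10.9.3 23
2011-12-13T10:04:15 tcp 203.0.113.9 10.10.5.12 502
"""

def parse_flow(line):
    ts, proto, src, dst, dport = line.split()
    return Flow(ts, proto, src, dst, int(dport))

def classify(flow):
    """Return ('allowed'|'alert', service) for PLC management traffic, else None."""
    svc = PLC_MGMT_PORTS.get((flow.proto, flow.dport))
    if svc is None or flow.dst not in PLC_HOSTS:
        return None  # not a management service, or not aimed at a known PLC
    if ipaddress.ip_address(flow.src) in ENGINEERING_NET:
        return ("allowed", svc)
    return ("alert", svc)  # a hidden account could be in use from an untrusted host

def audit(lines):
    """Return (ts, src, dst, service) for every flagged management session."""
    alerts = []
    for line in lines:
        if not line.strip():
            continue
        flow = parse_flow(line)
        verdict = classify(flow)
        if verdict and verdict[0] == "alert":
            alerts.append((flow.ts, flow.src, flow.dst, verdict[1]))
    return alerts

if __name__ == "__main__":
    for alert in audit(SAMPLE_FLOWS.splitlines()):
        print("ALERT", *alert)
```

The Modbus session on port 502 is deliberately ignored here; it is the normal process traffic, whereas the Telnet, FTP and WDB services are the ones the hard-coded accounts expose.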
Hard-coded passwords are a common vulnerability found in many industrial control systems, including some of Siemens's S7 series PLCs. Because such systems control equipment at dams, refineries and water treatment facilities, unauthorized access is considered a national security threat, since it could be used to disrupt their operation.
The FBI said it was investigating claims that last month one utility's operations had been breached by a person who claimed to have access to Internet-connected computers controlling generators, fans and other equipment.
“Hard-coded access credentials that give you administrator privileges are a pretty serious problem,” said K. Reid Wightman, a security expert at Digital Bond, a consulting firm that focuses exclusively on industrial control system (ICS) security. He said attackers may find it difficult to gain much control over an industrial control system with access to the PLC alone, because it is often not indicated what equipment is connected to it.
“You do not have the human-machine interface, so you do not know exactly what is connected to the PLC,” he explained. “I do not know whether the [device] is a drain valve, an inlet valve or a light bulb.”
The study Wightman plans to present next month at a SCADA security symposium in Miami could increase the damage criminals can do once they gain access to many commonly used PLCs. Among other things, he said his findings would show how the devices could be used to attack the other systems attached to them.
Moreover, in his blog post on Monday Santamarta said the access credentials could be used to install malicious firmware on the controllers. He also referred to “undocumented features with security implications” in Schneider devices. He said he discovered the hidden accounts by reverse engineering the firmware that controls the PLC.