A cybersecurity firm says a new “critical vulnerability” it found this month in a common piece of software used with industrial control systems could have been exploited in the nightmare scenario of a major attack on critical infrastructure.
The security flaw affects STEP-7 TIA Portal made by Siemens, which has released patches in response, and is the 12th in a run of similar vulnerabilities found by information security company Tenable over the past nine months.
In a statement last week, Tenable claimed the latest flaw “could be used as a stepping stone in a tailored attack against critical infrastructure with the potential for catastrophic damage”, invoking the famous Stuxnet attack against Iran.
In that case, a sophisticated computer worm spread across the world through Windows computers, doing little of note until it reached its ultimate target: the centrifuges used to enrich nuclear fuel. It reached them through programmable logic controllers (PLCs), which control all sorts of industrial machinery around the world and are in “the same family of devices” affected by the latest vulnerability, Tenable reports.
“The flaw would allow an unauthenticated, remote attacker to perform any administrative actions on the system, enabling them to add malicious code to adjacent ICS.
“A bad actor could also exploit the vulnerability to harvest data in order to plan a future, targeted attack. The delicate nature and function of critical infrastructure means a successful cyberattack could result in damage to operational technology equipment, disruption of operations, destruction of hardware or cyber espionage.”
One interesting and instructive element of the Stuxnet story is that its effect on the physical process was not especially complex, since the machines it was misdirecting are quite limited in what they can do, but it did not need to be. It hid its changes from the engineering software and altered the speed of the drives spinning the centrifuge rotors, pushing them outside their safe operating range for long enough that they (and any replacements) wore out or broke.
The rising fear for governments is that the more general attack vector – the SCADA systems used to manage and control big machines – could be used by hostile actors to target critical infrastructure like dams, power stations and so on.
Tenable’s Joseph Bingham has published an article describing 12 specific industrial-control vulnerabilities the company has found since last November, and musings on their potential impact.
The previous flaws relate to products sold by Fuji Electric, Schneider Electric and Rockwell Automation. Bingham says this shows “gaping holes” exist in a lot of SCADA systems.
“The vulnerabilities in top tier software systems indicate a lack of security standards in modern SCADA software. This lack of security creates a great opportunity for future attackers and the next high-profile attack on an industrial control system.
“The attack scenario cannot be understated, as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors.”
To liven things up, he describes a theoretical attack on a nuclear power plant in surprising detail.
“Stuxnet only needed three new vulnerabilities to spread through an isolated network and damage centrifuges in the targeted Iranian nuclear facility.
“Any of the vulnerabilities listed above could have been discovered by a threat actor and used as a key component in a targeted attack to disrupt or damage industrial hardware.”
Bingham notes that one barrier to such an attack is that these kinds of systems are typically air-gapped, but points out that this has not stopped clever and committed attackers in the past. One way around the air gap is to plant infected USB drives where they will eventually be picked up and inserted into a machine on the target network.