Imagine an attack on critical infrastructures that could evade virtually all existing security measures (network firewalls, AV, application whitelisting, etc.) and that would operate generically across a wide range of different SCADA implementations. Indegy researcher Avihay Kain has discovered a vulnerability that would enable just such an attack. We will unveil the vulnerability for the first time at the 2016 Industrial Control Systems (ICS) Cyber Security Conference.
The vulnerability allows for remote code execution in Schneider Electric’s flagship product - the UnityPro software platform. (The vulnerability applies to all versions of UnityPro, including the latest release of version 10.0.) Schneider Electric’s UnityPro software platform, which runs on Windows-based engineering workstations, is used for programing and managing Schneider Electric equipment in industrial control networks including those operating critical infrastructure. Regardless of the specific SCADA application in use, if Schneider Electric PLCs are in use, UnityPro software will be deployed for the engineering stations, making this attack relevant across virtually any process controlled by Schneider PLCs.
While we will show an exploit specific to Schneider, all PLC vendors have similar proprietary engineering protocols and we should expect many vulnerabilities like it that apply to other vendors. The result is that those concerned with ICS security should realize two key points:
1.) Attacks on ICS networks do not require exploitation of vulnerabilities in SCADA/HMI applications or the controllers themselves:
There is a misconception in the industrial cyber security space that securing these networks only requires monitoring of the SCADA/HMI application protocols, for instance - MODBUS and DNP3. However, there is an important distinction between the communication protocols used by HMI/SCADA applications, and the control-plane protocols which are used by the engineering station software. The less known engineering station protocols are not fully documented, and worse -- each vendor uses a different proprietary communication protocol, making it extremely difficult to monitor them. As a result, these protocols, which allow an attacker to access the controllers using the vulnerability described above, aren’t monitored and the engineering stations are mostly ignored.
2.) Combining security controls borrowed from IT Security with HMI/SCADA application monitoring is not enough to secure ICS.
It is commonly believed that with a combination of IT security technologies (secure network design, AV/anti-malware and application whitelisting) and monitoring the HMI/SCADA protocols mentioned in point 1, it is possible to prevent industrial network infiltration and device access. This exploit will look exactly like known good engineering work and will evade all of those controls, demonstrating that IT security plus HMI monitoring is not sufficient for ICS. Additional security controls for engineering network activity monitoring are needed.