It’s Just a Power Supply. What Could Possibly Go Wrong?
April 28, 2020 | Robert Bergman
Power supplies are emerging as a significant source of vulnerability to cyberattack. Cyber security experts at the U.S. Department of Homeland Security (DHS), universities and private businesses have been identifying and warning about vulnerabilities in power products since at least 2015 and have found many causes for concern, some of which we call out below. Although the vendors of the identified products have since addressed most of the vulnerabilities found, these findings are representative of what might be found in any traditional power device. As such they serve as checkpoints to help guide you in evaluating the cyber vulnerability of your installed or planned power devices.
Vulnerabilities in power analyzers
In 2015 the U.S. Department of Homeland Security (DHS) issued an ICS alert based on what industrial cyber security services provider Applied Risk found in one brand of power analyzer. DHS concluded that all of the following vulnerabilities could be exploited by an attacker with low to moderate skills:
- Weak password protection. By default, the tested device’s web interface was unprotected. Users could configure a password, but it was limited to a short PIN. No controls were in place to prevent PIN guessing. The system did not, for example, lock after several invalid attempts.
- Weak session token generation. Session tokens were derived from the 4-digit user PIN in combination with a server-generated challenge. An attacker may have been able to crack the user PIN using a sample of session tokens.
- Hard-coded passwords. The device exposed an FTP interface that was protected by an undocumented default password. Once logged in, an attacker could upload and download arbitrary files.
- Privilege escalation. A remote debug interface on a TCP port could have allowed an unauthenticated remote attacker to read and write files and execute JASIC program code.
- Persistent cross-site scripting. A device may not have filtered user input properly. Unauthenticated parts of the web interface could have been vulnerable to reflected cross-site-scripting (XSS). Some parameters could have been vulnerable to stored XSS after login.
- Cross-site request forgery. A device’s web interface may not have protected web requests originating from other sources than the current user’s authenticated browser session. Therefore, it could have been possible for an attacker to execute actions on behalf of an authenticated user while connected to an attacker-controlled web site during an active session.
- Information disclosure. Services running on ports exposed netstat-like information, leaking current network connection information.
- Remote exploitability. All of the above vulnerabilities could have been exploited remotely.
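The first two findings above share one root cause: a 4-digit PIN is a 10,000-entry keyspace, whether it is guessed against the live web interface (no lockout) or recovered offline from a handful of captured session tokens. The example below is added here to make that concrete; it is not the vendor's code and the token construction (SHA-256 over challenge and PIN) is an assumption standing in for whatever the real device did, chosen only because it has the property the advisory describes: the token depends on nothing the attacker cannot observe except the PIN.

```python
import hashlib
import secrets
from typing import List, Optional, Tuple

PIN_DIGITS = 4  # the advisory describes a short, 4-digit PIN


def derive_token(pin: str, challenge: bytes) -> str:
    """Hypothetical token scheme (assumption, not the vendor's construction):
    the session token is a function of the server challenge and the PIN only."""
    return hashlib.sha256(challenge + pin.encode("ascii")).hexdigest()[:16]


def observe_sessions(pin: str, count: int) -> List[Tuple[bytes, str]]:
    """A passive observer records (challenge, token) pairs from legitimate logins.
    Challenges are random and the PIN itself never crosses the wire."""
    return [(c, derive_token(pin, c))
            for c in (secrets.token_bytes(16) for _ in range(count))]


def crack_pin(samples: List[Tuple[bytes, str]],
              digits: int = PIN_DIGITS) -> Tuple[Optional[str], int]:
    """Offline search over at most 10**digits candidates; each candidate must
    reproduce every captured token. Returns (pin, candidates_tried)."""
    tried = 0
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        tried += 1
        if all(derive_token(candidate, c) == t for c, t in samples):
            return candidate, tried
    return None, tried


class PinAuthenticator:
    """Online side of the same weakness. lockout_after=None models the tested
    device (unlimited attempts); a small positive value models the fix."""

    def __init__(self, pin: str, lockout_after: Optional[int] = None):
        self._pin = pin
        self._lockout_after = lockout_after
        self.failures = 0
        self.locked = False

    def login(self, pin: str) -> bool:
        if self.locked:
            return False
        if secrets.compare_digest(pin, self._pin):
            self.failures = 0
            return True
        self.failures += 1
        if self._lockout_after is not None and self.failures >= self._lockout_after:
            self.locked = True
        return False


def online_guess(auth: PinAuthenticator,
                 digits: int = PIN_DIGITS) -> Tuple[Optional[str], int]:
    """Brute force against the live interface; stops on success or lockout.
    Returns (pin, attempts_made)."""
    for n in range(10 ** digits):
        candidate = f"{n:0{digits}d}"
        if auth.login(candidate):
            return candidate, n + 1
        if auth.locked:
            return None, n + 1
    return None, 10 ** digits


if __name__ == "__main__":
    # Constructed demonstration values, not data from the advisory.
    captured = observe_sessions("4827", 3)
    print("offline:", crack_pin(captured))
    print("online, no lockout:", online_guess(PinAuthenticator("0312")))
    print("online, lockout after 5:", online_guess(PinAuthenticator("0312", 5)))
```

The offline path needs no interaction with the device at all once a few tokens have been sniffed, which is why the advisory treats the session-token derivation as a separate finding from the missing lockout: lockout would stop `online_guess` after a handful of tries, but only a larger secret (or a token that is random rather than derived) stops `crack_pin`.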
Vulnerabilities in uninterruptible power supplies (UPSs)
Uninterruptible power supplies have long been critical to reducing costly downtime in industrial networks and as such represent key points of vulnerability. Cyber security research firm Positive Technologies, which offers vulnerability analysis services, identified the following four vulnerabilities in the network management cards of one of the largest UPS vendors' products, two of which it rated as very high risk:
- Authentication system bypass. A remote attacker would have been able to bypass the authentication system of a built-in webserver and obtain full administrative access to the UPS, which jeopardizes the continued uptime of equipment connected to electrical power.
- Information exposure. The built-in web server also enabled an attacker to obtain sensitive information about the UPS unit.
- Improper authorization. Unauthorized users could have changed the settings of the device, including possibly disabling parameters.
- Cleartext transmission of sensitive information. A remote attacker could have intercepted administrator account credentials. If SSL were not activated on the UPS, account credentials would have been sent in cleartext when the access control page was requested.
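The last finding is the easiest to verify on your own equipment: capture the traffic between an administrator's browser and the management card and see whether the credentials are readable. The code below is an added example, not Positive Technologies' or the vendor's, that extracts credentials from raw HTTP requests (Basic authentication header or a form-encoded login POST) and reports those sent without TLS. The three captured requests, the host name `ups-card`, the page `/accesscontrol.htm` and the credentials in them are constructed for the example.

```python
import base64
from typing import Dict, List, Optional, Tuple
from urllib.parse import parse_qs

PASSWORD_FIELDS = ("password", "passwd", "pwd", "pass")
USER_FIELDS = ("username", "user", "login")


def parse_request(raw: bytes) -> Tuple[str, str, Dict[str, str], str]:
    """Split a raw HTTP/1.x request into method, target, lower-cased headers, body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, target, _version = lines[0].split(" ", 2)
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers, body.decode("latin-1")


def extract_credentials(raw: bytes) -> Optional[Dict[str, str]]:
    """Return the credentials carried by one request, if any."""
    method, _target, headers, body = parse_request(raw)
    auth = headers.get("authorization", "")
    if auth.lower().startswith("basic "):
        user, _, password = base64.b64decode(auth[6:]).decode("latin-1").partition(":")
        return {"source": "basic-auth", "user": user, "password": password}
    if method == "POST" and "application/x-www-form-urlencoded" in headers.get("content-type", ""):
        form = {k: v[0] for k, v in parse_qs(body).items()}
        for field in PASSWORD_FIELDS:
            if field in form:
                user = next((form[u] for u in USER_FIELDS if u in form), "")
                return {"source": "form:" + field, "user": user, "password": form[field]}
    return None


def audit_captures(captures: List[Tuple[str, bool, bytes]]) -> List[Dict[str, str]]:
    """captures: (description, over_tls, raw_request). A passive attacker on the
    network path reads everything that is not under TLS, so only those count."""
    findings = []
    for where, over_tls, raw in captures:
        creds = extract_credentials(raw)
        if creds and not over_tls:
            findings.append({"where": where, **creds})
    return findings


# Constructed sample captures; host, page and credentials are made up.
_BASIC = base64.b64encode(b"admin:Ups-Pass-2020").decode("ascii")
SAMPLE_CAPTURES: List[Tuple[str, bool, bytes]] = [
    ("port 80, access control page", False,
     ("GET /accesscontrol.htm HTTP/1.1\r\nHost: ups-card\r\n"
      "Authorization: Basic " + _BASIC + "\r\n\r\n").encode("latin-1")),
    ("port 80, login form", False,
     (b"POST /login.cgi HTTP/1.1\r\nHost: ups-card\r\n"
      b"Content-Type: application/x-www-form-urlencoded\r\nContent-Length: 35\r\n\r\n"
      b"username=operator&password=Shift-42&go=1")),
    ("port 443, same page after enabling SSL", True,
     ("GET /accesscontrol.htm HTTP/1.1\r\nHost: ups-card\r\n"
      "Authorization: Basic " + _BASIC + "\r\n\r\n").encode("latin-1")),
    ("port 80, status page, no credentials", False,
     b"GET /status.htm HTTP/1.1\r\nHost: ups-card\r\n\r\n"),
]

if __name__ == "__main__":
    for finding in audit_captures(SAMPLE_CAPTURES):
        print(finding)
```

Note that the TLS capture carries exactly the same header as the first one; the difference is only whether an observer can read it. On a card where SSL is optional, the check worth adding to an acceptance test is that the HTTP listener either is disabled or redirects to HTTPS before any authenticated page is served.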
Vulnerabilities in communications between UPS and control network
UPSs can also be vulnerable at the network communications level. Most traditional UPSs in mission-critical applications rely on SNMP for monitoring and management. SNMPv1 and SNMPv2c authenticate with community strings sent in cleartext, and SNMPv3, standardized around the turn of the century, was supposed to fix that by adding per-user message authentication and optional encryption. That is not the whole story, at least according to two researchers at the Georgia Institute of Technology, who concluded the following after extensive testing of SNMPv3:
“Even with the use of strong cryptography, invalid assumptions can cause the protocol to fail. In SNMPv3, the protocol relied on the fact that messages could not be modified to protect the communication against redirection. This failed to take into consideration that an adversary could change an agent’s IP address at will in some cases. It also relied on an unprotected mechanism to determine identity and to choose which key pair to use. We have shown how this can be used by an adversary to force the manager into using a specific key pair. We have explored how these vulnerabilities can be used by an adversary to hide sabotage done to web servers, backup servers, and other vital services,” wrote Nigel Lawson and Dr. Patrick Traynor in their presentation to the Georgia Tech Information Security Center (GTISC).
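The "mechanism to choose which key pair to use" the researchers refer to is SNMPv3's key localization (RFC 3414): a user's password is turned into a key, then re-hashed together with the authoritative engine ID, so the same password yields a different key for every agent, and the receiver picks the key from the engine ID carried in the message header. The example below is added here to show that mechanism; it is not the researchers' code or test harness. The password-to-key and localization functions follow RFC 3414 exactly (and reproduce the RFC's own test vectors), while the `frame` helper, the `Manager` class, the engine IDs and the payload are constructed stand-ins for the real BER-encoded SNMPv3 message and a real manager.

```python
import hashlib
import hmac

ONE_MEGABYTE = 1048576  # RFC 3414 A.2 hashes exactly this many password bytes


def password_to_ku(password: bytes, algo: str) -> bytes:
    """RFC 3414 A.2: Ku = H(password repeated cyclically to 1,048,576 bytes)."""
    stream = (password * (ONE_MEGABYTE // len(password) + 1))[:ONE_MEGABYTE]
    return hashlib.new(algo, stream).digest()


def localize_key(password: bytes, engine_id: bytes, algo: str = "md5") -> bytes:
    """RFC 3414 2.6: Kul = H(Ku || engineID || Ku). The engine ID, not only the
    password, decides which key a message will be checked against."""
    ku = password_to_ku(password, algo)
    return hashlib.new(algo, ku + engine_id + ku).digest()


def auth_tag(kul: bytes, message: bytes, algo: str = "md5") -> bytes:
    """HMAC-MD5-96 / HMAC-SHA-96: the first 12 bytes of the HMAC."""
    return hmac.new(kul, message, algo).digest()[:12]


def verify(kul: bytes, message: bytes, tag: bytes, algo: str = "md5") -> bool:
    return hmac.compare_digest(auth_tag(kul, message, algo), tag)


def frame(engine_id: bytes, payload: bytes) -> bytes:
    """Constructed stand-in for the SNMPv3 message: a length-prefixed
    msgAuthoritativeEngineID followed by the rest of the message (assumption)."""
    return bytes([len(engine_id)]) + engine_id + payload


def engine_id_of(message: bytes) -> bytes:
    """The receiver reads the engine ID from the message before it can verify it."""
    return message[1:1 + message[0]]


class Manager:
    """One user password; the key is localized on demand for whatever engine ID
    the incoming message claims, which is how USM selects keys."""

    def __init__(self, password: bytes, algo: str = "md5"):
        self.password = password
        self.algo = algo

    def key_for(self, engine_id: bytes) -> bytes:
        return localize_key(self.password, engine_id, self.algo)

    def accept(self, message: bytes, tag: bytes) -> bool:
        return verify(self.key_for(engine_id_of(message)), message, tag, self.algo)


if __name__ == "__main__":
    # Constructed engine IDs and payload; "maplesyrup" is the RFC 3414 sample password.
    engine_a = bytes.fromhex("80001f8880a1b2c3d4e5f60102")
    engine_b = bytes.fromhex("80001f8880ffeeddccbbaa0201")
    payload = b"get sysUpTime"
    manager = Manager(b"maplesyrup")

    msg_a = frame(engine_a, payload)
    tag_a = auth_tag(manager.key_for(engine_a), msg_a)
    print("agent A message, key for A:", manager.accept(msg_a, tag_a))

    # The same tag is rejected once the message claims engine B: B's key differs.
    print("tag from A presented as B:", manager.accept(frame(engine_b, payload), tag_a))

    # Whoever holds the key localized for engine B is accepted when claiming B.
    msg_b = frame(engine_b, payload)
    print("key for B, claiming B:", manager.accept(msg_b, auth_tag(manager.key_for(engine_b), msg_b)))
```

The last line is the point the quotation makes: the manager does not decide which key to use from anything it has verified, it decides from the engine ID the message itself asserts. That is sound only as long as the manager's binding between an engine ID and the device it expects to hear from cannot be changed by an adversary, which is the assumption the researchers found does not always hold. Mitigations on the manager side include pinning engine IDs per device and address and alerting on a change, alongside the SNMPv3 privacy (encryption) option.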
Build it right the first time
Vendors of the above products have addressed the issues with patches, and DHS issued some suggestions for reducing the risk as well. In the third example, the Georgia Tech researchers offered their own suggestions for mitigating the vulnerabilities. But most of these problems and the costly workarounds could have been avoided had attention been paid to cyber security at the design phase.
To read more about how Bedrock Automation has built cyber protection into its power products, read our white paper Empowering Power, or register for our upcoming webinar with Automation.com, Empowering Power for the Digital Age.