WANT TO SEE SOMETHING REALLY SCARY?
Walt’s reports about security problems were mirrored here at the Emerson user conference, with several sessions on cybersecurity.
Then it got scary. A bunch of hackers from Idaho National Labs frightened the beejeesus out of about 250 attendees by demonstrating — live — how to use a laptop over the Internet to hack through two firewalls, get onto a process control network, read the internals of a device controller, and turn on a pump, all without being detected.
I don’t pretend to have understood all the gory details, because they were throwing around words like script kiddies, IDS, DMZ, and ACT scans as if we all knew what they meant. Nevertheless, the results were downright scary., Especially because they had a demo control system sitting on the floor in front of the podium, and you could hear the pump when it started up. They also spoofed HMI screens, demonstrating that they could make the operator see anything they wanted him to see. We saw the HMI screen change!
I will try to explain how it worked. They started their attack by sending an email to a user on one of the business computers. The email contained a powerpoint presentation which, when opened, sent innocuous emails back through the router and firewall to the hacker on the laptop. Because the email came OUT of the system, through the firewall and router, this gave the hacker enough information to get back in and “take over” the business PC, right through the router. Once in, they did an ACT scan to identify every node on the business LAN, figured out which node was the firewall protecting the control system, and then spoofed all the other computers into thinking that THEY were the firewall/router. This caused every node on the system to send them security codes, which they used to get through the real router, onto the process control network, and into another workstation. From there, another ACT scan identified all the network devices again. They nosed around until they found one with an embedded web server, and opened it up. Then, through some reverse engineering, they were able to find the internal tables that labeled all the process variables. They then “forced” an output to start the pump.
The demo took only about 15 minutes, obviously because they were just retracing steps and knew exactly where to find what they needed. In real life, it took the hackers three weeks to penetrate the system the first time, mostly because they had to reverse engineer the controller in question. But script kiddies (tools that amateur hackers can find and use) that contain intrusion programs are readily available for Zip files, PowerPoint files, Oracle and a host of other files you get in the mail every day, That means almost anyone can get through your firewalls, including 14-year-old hackers.
Going beyond the business system requires more skill, and reverse engineering the control device takes exceptional skill. But none of this is beyond the ability of a professional, dedicated hacker who is being paid to get into your system. And, once such a hacker does the reverse engineering on a particular device, it might find its way into the hacker community as a script kiddie. It’s just going to get worse.
One of the scariest items I learned is that Ethernet is a two-way network, even if you set your Shadow Server up so that it can send but not receive messages. It becomes a two-way network when the sending part asks the receiver, “Did you get that packet?” and the receiver says “Yes.” That’s two-way communications, and lets a talented hacker get in. Advice we gave a few months ago, which said you should isolate your system from outside networks completely, and let a shadow server deal with business networks and remote users, now appears a bit faulty. The concept is good, said the lab boys, but maybe you want the two computers to communicate by something other than an Ethernet link. Like Sneakernet.
When the session broke for 10 minutes, nary a person left. All wanted to hear the 2nd part, which explained what Emerson was doing to improve security on DeltaV systens.