Tag Archives: BSI

Why is industry so vulnerable to WannaCry and NotPetya style attacks? Part I

9 July 2017

“Germany’s BSI federal cyber agency said on Friday that the threat posed to German firms by recent cyber attacks launched via a Ukrainian auditing software was greater than expected, and some German firms had seen production halted for over a week.” The report “Germany says cyber threat greater than expected, more firms affected” published in the Reuters Technology News on 7 July 2017 is worth reading.

But the big question is: Why is industry so vulnerable to WannaCry and NotPetya style attacks?

In my opinion, the main reasons for this are

  • the aging IT infrastructure, and
  • the built-in features of the Windows operating system.

Aging IT infrastructure

SMB Version | Introduced with Version      | Year of Release
------------|------------------------------|----------------
V1.0        | Windows 2000                 | 2000
            | Windows XP / 2003 Server     | 2001 / 2003
V2.0        | Windows Vista / 2008 Server  | 2007 / 2008
            | Windows 7 / 2008 Server R2   | 2009
V3.0        | Windows 8 / 2012 Server      | 2012
            | Windows 10 / 2016 Server     | 2015 / 2016

Table 1: SMB Versions

The source of today’s problems, SMB V1.0, was introduced with Windows 2000. With the end of the extended support for Windows XP on 8 April 2014, and Windows 2003 Server on 14 July 2015, Windows XP/2003 Server became a big security issue.

Nevertheless, systems with Windows XP or Windows 2003 Server are still operated in data centers and industrial networks. Since these systems must exchange data with other Windows-based systems, SMB V1.0 cannot simply be switched off. Even Windows systems which support SMB V2.0 or higher must keep SMB V1.0 enabled for data exchange with the older versions.

The big question is: Why does it take so long to shut down Windows XP/2003 Server? The answer is easy: Software and hardware manufacturers have not sufficiently cared about the software life cycle, at least in the past. Let me illustrate this with an example.

A packaging unit in the healthcare industry is a large machine with lots of inbuilt computers. Since packaging units are very expensive, they are operated for many years and extensively modified to support new products. As a result, a packaging unit delivered in 2008 with embedded Windows XP control units may still be in use 24 hours a day in 2017.

The hardware of the computers is designed to control a high-speed packaging process. To ensure sustained high operational quality, the manufacturer often allows neither the installation of anti-malware software nor service packs for the OS, let alone an upgrade to a newer version of the Windows OS.

Since the MES (Manufacturing Execution System) copies files to and from the packaging unit through file shares on the embedded Windows XP control stations, the MES must communicate through the SMB V1.0 protocol. The same is true for computers used in remote maintenance. As a result, a single Windows XP machine reduces the security level of an entire network.
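Before SMB V1.0 can be disabled anywhere, an operator needs to know which clients still depend on it. The following script is an added example, not code from the original post; it assumes that SMB1 access auditing has been switched on on the file servers (on Windows 10 / Server 2016 this is `Set-SmbServerConfiguration -AuditSmb1Access $true`, which logs one event per SMB1 connection in the Microsoft-Windows-SMBServer/Audit log) and that the exported event messages have been reduced to one line per event. The event lines, the asset inventory and all addresses and hostnames are constructed for this example.

```python
"""Inventory which clients still rely on SMB V1.0 before trying to switch it off.

Added example (not from the original post). Assumes SMB1 access auditing is on
and the exported audit messages were flattened to one line per event; the
exact wording of the real event text is simplified here (assumption).
"""
import re
from collections import Counter

# Constructed sample of exported audit event messages (one per line).
SAMPLE_EVENTS = """\
SMB1 access Client Address: 10.20.1.15
SMB1 access Client Address: 10.20.1.15
SMB1 access Client Address: 10.20.7.3
SMB1 access Client Address: 10.20.9.200
SMB2 session setup Client Address: 10.20.1.50
"""

# Constructed asset inventory: address -> (hostname, operating system).
INVENTORY = {
    "10.20.1.15": ("pack-line-3", "Windows XP Embedded"),   # embedded control station
    "10.20.7.3": ("mes-app-01", "Windows Server 2012"),     # MES server
    "10.20.1.50": ("eng-ws-12", "Windows 10"),              # engineering workstation
}

# Operating systems that cannot speak anything newer than SMB V1.0 (see Table 1).
SMB1_ONLY_OS = ("Windows 2000", "Windows XP", "Windows Server 2003", "Windows 2003")

# Only SMB1 events carry the information we need; SMB2/3 sessions are ignored.
EVENT_RE = re.compile(r"SMB1 access.*?Client Address:\s*(\d{1,3}(?:\.\d{1,3}){3})")


def smb1_clients(event_text):
    """Count SMB1 connections per client address from exported audit messages."""
    counts = Counter()
    for line in event_text.splitlines():
        match = EVENT_RE.search(line)
        if match:
            counts[match.group(1)] += 1
    return counts


def classify(counts, inventory):
    """Split SMB1 clients into three buckets:
    legacy  - OS cannot do better than SMB1 (the real blockers for switching it off)
    modern  - OS supports SMB2+, so the client or application can be reconfigured
    unknown - not in the asset inventory, needs investigation first
    """
    report = {"legacy": [], "modern": [], "unknown": []}
    for addr, n in sorted(counts.items()):
        if addr not in inventory:
            report["unknown"].append((addr, n))
            continue
        host, os_name = inventory[addr]
        bucket = "legacy" if os_name.startswith(SMB1_ONLY_OS) else "modern"
        report[bucket].append((addr, host, os_name, n))
    return report


if __name__ == "__main__":
    for bucket, entries in classify(smb1_clients(SAMPLE_EVENTS), INVENTORY).items():
        print(bucket, entries)
```

The "modern" bucket is the quick win: a Server 2012 MES host talking SMB1 to a file server that supports SMB2 is a configuration problem, not a hardware limitation. The "legacy" bucket is the list of machines whose replacement has to be planned, and the "unknown" bucket usually turns out to be exactly the remote-maintenance laptops the post mentions.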

The big challenge is to design maintenance-friendly industrial computer systems: It must be easy to exchange hardware and software components that are near end-of-life or have reached their technical limits. This requires a change in the design of software in industry. In addition, hardware should be dimensioned such that basic security features like anti-malware protection can be operated.

Manufacturers were often not aware of the software lifecycle and its impact on cyber security and integrity of product and production in the past. A change is desperately needed, in particular with regards to the increased use of IIoT devices.

Have a great week.


Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft of the German Federal Office for Information Security (BSI) about Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. modern sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

[Figure: Schneider Electric PowerLogic ION7650 communication options]

With the Ethernet port activated the power meter behaves like a standard web server which provides standard internet communication options for access, e.g. ftp via port 21, http via ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections’ to communication partners outside the production network. This concept is based on the idea that production networks are isolated from a company’s office network as well as from the internet through security devices. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Execution System (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected to prevent misuse.

Many of the PowerLogic ION7650 power meters are not operated in a production network. They are directly attached to the internet through an internet router, and are thus directly attackable by all internet users.

With this, each power meter creates its own production network, and every connection becomes a required connection. The major difference to the classic production network is that the power meter is far short of the protection capabilities a classic production network provides.
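The ‘required connections’ concept can be turned into a routine check of the boundary device in front of a production network (or in front of a single, directly attached device). The script below is an added example and is neither from the BSI paper nor from the original post. It assumes the operator maintains an explicit list of required connections as (source zone, destination host, TCP port), and can export connection records (source, destination, destination port) from the firewall or router; zones, addresses, the required-connection list and the records are all constructed for this example.

```python
"""Review exported connection records against a required-connections list.

Added example (not from the BSI paper or the original post). Zones, addresses
and records are constructed; the record format is an assumption.
"""
from ipaddress import ip_address, ip_network

# Zones as seen by the boundary device. Anything outside these ranges is 'internet'.
ZONES = {
    "production": ip_network("10.50.0.0/16"),
    "office": ip_network("10.10.0.0/16"),
}


def zone_of(addr):
    """Map an address to its zone name ('internet' if it matches no known range)."""
    a = ip_address(addr)
    for name, net in ZONES.items():
        if a in net:
            return name
    return "internet"


# Required connections into the production network: (source zone, destination host, port).
# This list is the whole allowlist; everything else crossing the boundary is a finding.
REQUIRED = {
    ("office", "10.50.1.10", 1433),   # ERP -> MES database (constructed)
    ("office", "10.50.1.10", 443),    # ERP -> MES web API (constructed)
}

# Constructed records exported from the boundary device: (src, dst, dst_port).
# A public source reaching a production host represents a router port forward.
RECORDS = [
    ("10.10.5.20", "10.50.1.10", 443),    # ERP -> MES: required
    ("10.10.5.20", "10.50.1.10", 1433),   # ERP -> MES: required
    ("10.10.7.99", "10.50.1.10", 3389),   # RDP from an office PC: not on the list
    ("203.0.113.7", "10.50.2.30", 21),    # internet -> power meter ftp: not on the list
    ("198.51.100.9", "10.50.2.30", 80),   # internet -> power meter http: not on the list
    ("10.50.3.4", "10.50.1.10", 443),     # inside production: not a boundary crossing
]


def review(records, required):
    """Return (allowed, violations) for records that cross into the production zone.

    Traffic that starts inside the production zone never crosses the boundary
    and is ignored; the allowlist is keyed by source zone, not source address,
    so a new office host using a required connection is still flagged only if
    it targets a host/port that is not on the list.
    """
    allowed, violations = [], []
    for src, dst, port in records:
        src_zone, dst_zone = zone_of(src), zone_of(dst)
        if dst_zone != "production" or src_zone == "production":
            continue
        entry = (src, dst, port, src_zone)
        if (src_zone, dst, port) in required:
            allowed.append(entry)
        else:
            violations.append(entry)
    return allowed, violations


if __name__ == "__main__":
    ok, bad = review(RECORDS, REQUIRED)
    print("required connections observed:", ok)
    print("connections that should not exist:", bad)
```

For a power meter that sits alone behind an internet router, the same check applies with the meter as the protected zone: the required-connection list then shrinks to the operator's own data collection and service hosts, and any record from another internet address to port 21, 80, 81 or 443 on the meter is a finding. In that setting the internet router is the only security device there is, which is exactly why its configuration deserves the attention the post asks for.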

Thus, special attention has to be paid to the secure configuration of the devices and the attached internet routers during commissioning. Unfortunately, neither the service personnel setting up the devices nor the operators seem to be aware of the dangers which result from these limited protection options, because lots of unsecured devices are directly attached to the internet.

It is not very likely that a single compromised power meter has an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures to OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend that operators review the configuration of their devices and secure them. Besides financial loss due to malfunctions, unsecured devices can be hijacked and included in botnets.

Have a good weekend.

Isolation of Everything

9 January 2016

I am currently preparing a presentation on IT security matters for the plant safety group of the Verband der Chemischen Industrie (VCI). Plant safety and IT security are closely linked, in particular because more and more safety equipment (e.g. safety relief valves) has built-in computers and networking options which allow data gathering and, to a certain extent, remote configuration and testing.

To create awareness of the new challenges I searched for examples of successful cyber-attacks in the process industry. Stuxnet immediately comes to mind but is somewhat behind the times. In December 2014 a cyber-attack on a German steel mill was widely reported in the press.

On January 8, 2015 Kim Zetter wrote in WIRED ‘A Cyberattack Has Caused Confirmed Physical Damage for the Second Time Ever’. A post from Greg Masters in SC Magazine on December 23, 2014 was titled ‘Cyberattack fells German iron plant’.

An attacker has to pass some hurdles to get from the Internet to the Process Control System. Usually Process Control Systems (PCS) are well protected by a cascade of firewalls which isolate the control systems from the process plant network and the process plant network from the office network.

But, as in many other cases, the starting point was a phishing attack. In the BSI publication ‘The State of IT Security in Germany 2014’ published on December 17, 2014 we read:

The attackers used spear phishing e-mails in tandem with sophisticated social engineering to gain initial access to the steel mill’s office network. From there they worked their way progressively into the production networks.

The sentence ‘From there they worked their way progressively into the production networks.’ is of particular interest. It indicates a problem that is widely ignored by the plant operators because the firewalls give them a false sense of security.

To simplify IT operations, very often the same Active Directory is used for managing the Windows accounts of the plant operators in the office network and in the plant network. But network isolation and segmentation by firewalls blocks traffic only on OSI layers 1 to 3, not on layer 7, where Active Directory works. Once an attacker manages to get onto the office network, it is only a matter of time until he finds an operator account that grants him access to the plant network.

Thus a first step towards enhanced security in process plants is to isolate the Active Directories in the office and the plant network. In addition, access to email and internet from the plant network must be blocked, if possible with technical means.

The general design principle is ‘Isolation of Everything’ – Cyber attackers raise only a weary smile (LOL) at the Layer over Layer (LoL) approach with firewalls.

Have a good weekend.