Tag Archives: IIoT Security

Unsecured IIoT devices in untrusted networks

28 January 2017

I am currently reviewing a draft by the German Federal Office for Information Security (BSI) on Operational and Control Technology. The goal of the paper is to define suitable requirements for IT security in OT.

IIoT devices, e.g. modern sensors like the Schneider Electric PowerLogic ION7650 power meter, offer many communication options, including an optional Ethernet port:

[Figure: Schneider Electric PowerLogic ION7650 communication options]

With the Ethernet port activated, the power meter behaves like a standard web server and exposes the usual internet services for access, e.g. FTP on port 21 and HTTP on ports 80, 81 and 443.

The BSI paper introduces the concept of ‘required connections’ to communication partners outside the production network. The concept rests on the idea that production networks are isolated from the company’s office network and from the internet by security devices such as firewalls. The number of required connections, e.g. a connection from the ERP system to the Manufacturing Execution System (MES), should be kept as low as possible. In addition, required connections and the related communication endpoints must be specially protected against misuse.
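One way to make the ‘required connections’ concept operational, as an added example that is not part of the BSI draft or of this post: audit the accepted flows at the production-network boundary against an allow-list of required connections, so that anything else crossing the boundary, and in particular anything reaching a production device from outside the company, shows up as a finding. The address ranges, the two required connections, the log line format and the log lines themselves are constructed for the example.

```python
import ipaddress
import re
from dataclasses import dataclass

# Assumed address plan for the example.
PRODUCTION_NET = ipaddress.ip_network("10.20.0.0/16")
OFFICE_NET = ipaddress.ip_network("10.10.0.0/16")
COMPANY_NETS = (PRODUCTION_NET, OFFICE_NET)   # everything else is treated as 'the internet'


@dataclass(frozen=True)
class RequiredConnection:
    """One entry of the allow-list: who may talk to whom, on which port, and why."""
    name: str
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    proto: str
    dport: int

    def matches(self, proto, src, dst, dport):
        return (proto == self.proto and dport == self.dport
                and src in self.src and dst in self.dst)


# Constructed allow-list: the only connections allowed to cross the production boundary.
REQUIRED = [
    RequiredConnection("ERP -> MES order interface",
                       ipaddress.ip_network("10.10.5.10/32"),
                       ipaddress.ip_network("10.20.1.20/32"), "tcp", 8443),
    RequiredConnection("Vendor maintenance via jump host",
                       ipaddress.ip_network("10.10.200.1/32"),
                       ipaddress.ip_network("10.20.1.0/24"), "tcp", 22),
]

# Assumed log format: "<timestamp> <action> <proto> <src>:<sport> -> <dst>:<dport>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\w+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s*->\s*(?P<dst>[\d.]+):(?P<dport>\d+)")


def classify(line):
    """Classify one accepted flow relative to the production-network boundary."""
    m = LINE_RE.match(line)
    if not m:
        return ("unparsed", line)
    src, dst = ipaddress.ip_address(m["src"]), ipaddress.ip_address(m["dst"])
    proto, dport = m["proto"], int(m["dport"])
    src_prod, dst_prod = src in PRODUCTION_NET, dst in PRODUCTION_NET
    if src_prod and dst_prod:
        return ("internal", None)          # never crosses the boundary
    if not src_prod and not dst_prod:
        return ("unrelated", None)         # does not touch the production network
    for rc in REQUIRED:
        if rc.matches(proto, src, dst, dport):
            return ("required", rc.name)
    flow = f"{src} -> {dst}:{dport}/{proto}"
    if dst_prod and not any(src in net for net in COMPANY_NETS):
        return ("internet_exposed", flow)  # the 'power meter on the internet' case
    return ("unrequired", flow)            # crosses the boundary but is not on the allow-list


def audit(log_text):
    """Return every boundary-crossing flow that is not a required connection."""
    return [(kind, detail) for kind, detail in map(classify, log_text.strip().splitlines())
            if kind in ("internet_exposed", "unrequired")]


# Constructed sample of accepted flows at the boundary firewall.
SAMPLE_LOG = """\
2017-01-27T10:00:01 ACCEPT tcp 10.10.5.10:51234 -> 10.20.1.20:8443
2017-01-27T10:00:05 ACCEPT tcp 10.10.7.44:50111 -> 10.20.1.20:22
2017-01-27T10:00:09 ACCEPT tcp 10.20.3.5:43210 -> 10.20.1.20:502
2017-01-27T10:00:12 ACCEPT tcp 203.0.113.9:40000 -> 10.20.9.1:21
2017-01-27T10:00:15 ACCEPT tcp 10.10.200.1:40001 -> 10.20.1.7:22
2017-01-27T10:00:20 ACCEPT tcp 10.20.9.1:40002 -> 198.51.100.7:80
"""

if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_LOG):
        print(f"{kind:16} {detail}")
```

Run against the sample, the audit reports the office workstation reaching the MES over SSH, the internet address reaching a power meter's FTP port, and the meter itself calling out to the internet; the ERP and jump-host flows are on the allow-list and the Modbus flow never leaves the production network. On a real boundary the same logic would be fed from the firewall's accept log, and every "unrequired" finding is either a missing allow-list entry to be documented and protected, or a connection to be blocked.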

Many PowerLogic ION7650 power meters are not operated inside a production network at all. They are attached directly to the internet through an internet router and are therefore reachable, and attackable, by every internet user.

In effect, each such power meter forms its own production network, and every connection to it becomes a required connection. The major difference from a classic production network is that the power meter itself falls far short of the protection that the security devices of a classic production network provide.

Special attention therefore has to be paid to the secure configuration of the devices and of the attached internet routers during commissioning: change the default credentials, disable services that are not needed (the FTP server, for instance), and do not forward the device’s ports on the router unless the connection is genuinely required. Unfortunately, neither the service personnel setting up the devices nor the operators seem to be aware of the dangers that result from these limited protection options; the large number of unsecured devices directly attached to the internet shows this.

It is not very likely that a single compromised power meter will have an impact on the national power grid. But if an attacker is able to compromise hundreds or thousands of devices …

The BSI paper provides a comprehensive set of technical and organizational measures for OT organizations to deal effectively with IT security issues in production environments.

Nevertheless, I recommend that operators review the configuration of their devices and secure them. Besides the financial loss caused by malfunctions, unsecured devices can be hijacked and enrolled in botnets.

Have a good weekend.


IIoT Security is the result of close collaboration between Vendors, Contractors, and Operators

18 December 2016

In the past few days, I prepared a keynote speech for the kick-off meeting of a new working group in the Committee for Operating Safety of the German Federal Ministry for Work and Social Affairs.

[Figure: Impact of the Digital World on the Physical World in IIoT]

The working group deals with the impact of the Industrial Internet of Things (IIoT) on functional safety. In the world of Cyber-Physical Production Systems (CPPS), or the IIoT, this becomes very important. A CPPS is a system which combines physical objects (through sensors and actuators) and processes with digital (virtual) objects and processes across information networks and the internet. In the IIoT the digital world acts upon the physical world, so we have to be prepared for safety issues.

[Figure: Cyber-Physical Production System structure]

Safety engineers have long-standing experience in managing the risk created by the classic vulnerabilities of safety devices, like power or compressed-air failure, corrosion or operator errors.

With the embedded system and its connection to the internet, thousands of easily exploitable IT vulnerabilities enter the safety domain.

The main difference is that these IT vulnerabilities are exploitable by

  • any internet user
  • from any location and
  • at any time.

If the safety device is not properly designed, this may have a negative impact on the safety function and thus on people or the environment.

Inspection engineers generally have little experience in managing the risks which arise from IT vulnerabilities. The objectives of the working group are to create awareness of this new kind of IT risk and to provide working materials in support of the inspection engineers.

During preparation, I focused on the easily exploitable weakness CWE-16 (Configuration), in particular default passwords. Many process control systems (PCS) are attached to the internet, and many of them are accessible with the default passwords for the administrator and guest accounts. Although the vendors strongly recommend changing the passwords during startup, neither the engineering teams nor the operators performed their duties.

Vendors have started to deal with the default password issue and introduced individual passwords for PCS. Rockwell, for example, uses the serial number of the system as the individual password:

The Configuration pages (Device Identity, Network Configuration and Device Services) are password protected. By default they can be accessed with:

  • Username = administrator
  • Password = the adapter’s serial number (listed on the adapter’s home page)

Generally, this is a good idea. But if the engineering team neither removes the serial number from the system’s homepage nor changes the password, this creates no security at all: the password is printed on the very page an attacker sees first. The same applies to the operators. At least before commissioning they must check whether basic security best practice has been implemented. Since the power plants I found during my research have been operating for some years now, the operators definitely did not check this.

With this, it is required that Vendors, Contractors, and Operators

  • introduce Security-by-Design and Cyber Risk Management in their design standards
  • introduce Security Gates in their design processes
  • enhance handover and acceptance procedures with security requirements

to make sure that at least basic security requirements are met, so that the safety of the systems is not compromised by IT vulnerabilities.
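What an acceptance gate for the default-password case can look like, as an added example (not Rockwell’s code and not from the original post): the check takes the device’s unauthenticated homepage and a login probe, derives the credentials to try from a small list of well-known defaults plus any serial number the homepage (or the asset inventory) discloses, and reports both a disclosed serial number and any default that still logs in. The mock adapter, the credential list and the page layout are constructed for the example; only the ‘administrator / serial number’ default comes from the vendor text quoted above.

```python
import re

# Constructed list of well-known defaults an acceptance test should always try.
STATIC_DEFAULTS = [
    ("administrator", "administrator"),
    ("administrator", ""),
    ("admin", "admin"),
    ("guest", "guest"),
]


def serial_from_homepage(html):
    """Serial number printed on the unauthenticated homepage, or None if it is not shown."""
    text = re.sub(r"<[^>]+>", " ", html)   # crude tag strip; enough for a device status page
    m = re.search(r"Serial\s+Number\s+([A-Za-z0-9-]+)", text)
    return m.group(1) if m else None


def candidate_credentials(html, inventory_serial=None):
    """Static defaults plus 'administrator / <serial>' for every serial number we can learn."""
    creds = list(STATIC_DEFAULTS)
    serials = [s for s in (serial_from_homepage(html), inventory_serial) if s]
    for serial in dict.fromkeys(serials):          # de-duplicate, keep order
        creds.append(("administrator", serial))
    return creds


def acceptance_check(html, try_login, inventory_serial=None):
    """Return findings; an empty list means the gate passes.

    try_login(user, password) -> bool is the probe against the device under test.
    inventory_serial lets the check try the serial from the asset inventory even when
    the engineering team removed it from the homepage but did not change the password.
    """
    findings = []
    disclosed = serial_from_homepage(html)
    if disclosed:
        findings.append(f"serial number {disclosed} disclosed on unauthenticated homepage")
    for user, password in candidate_credentials(html, inventory_serial):
        if try_login(user, password):
            findings.append(f"login accepted with default credential {user!r}/{password!r}")
    return findings


class MockAdapter:
    """Stand-in for a PCS Ethernet adapter's web interface, constructed for the example."""

    def __init__(self, serial, admin_password=None, show_serial=True):
        self.serial = serial
        # Vendor-style default: the administrator password is the serial number.
        self.admin_password = serial if admin_password is None else admin_password
        self.show_serial = show_serial

    def homepage(self):
        rows = ["<tr><td>Product</td><td>Ethernet adapter</td></tr>"]
        if self.show_serial:
            rows.append(f"<tr><td>Serial Number</td><td>{self.serial}</td></tr>")
        return "<html><body><table>" + "".join(rows) + "</table></body></html>"

    def try_login(self, user, password):
        return user == "administrator" and password == self.admin_password


if __name__ == "__main__":
    factory_fresh = MockAdapter("ABC12345")
    for finding in acceptance_check(factory_fresh.homepage(), factory_fresh.try_login):
        print("FAIL:", finding)
```

Against a live device the probe counts as failed logins and may trigger the device’s lockout, so the gate belongs in the commissioning window, not in routine monitoring; and a device that hides the serial number but still uses it as password only passes if nobody supplies the inventory serial, which is exactly why the check accepts one.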

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all
and the best wishes
for health, happiness and prosperity
in the New Year.


Update on IIoT Security Basics

27 November 2016

The number one vulnerability on the OWASP IoT Top 10 from 2014 was “Insecure Web Interface”. The OWASP IoT Project makes the suggestions below to mitigate this class of vulnerability:

A secure web interface requires:

  1. Default passwords and ideally default usernames to be changed during initial setup
  2. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
  3. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
  4. Ensuring credentials are not exposed in internal or external network traffic
  5. Ensuring weak passwords are not allowed
  6. Ensuring account lockout after 3-5 failed login attempts

Recommendation (1) is much too weak: “to be changed” leaves the change to the customer. Customers must be forced to change passwords during initial setup.

Why? In many cases customers are simply not aware that a device is accessible from the internet. For example, HMI touchscreens are often remotely accessible through built-in web services:

[Figure: SIMATIC HMI Panel web interface]

This HMI panel is well configured insofar as access, e.g. to the files, requires a login to the system.

But the default login password is publicly available in SIMATIC discussion forums and wasn’t changed during setup of the device:

[Figure: SIMATIC HMI Panel file system browser details]

With this, rule (1) above will not prevent attacks on IIoT devices. Customers must be forced to change passwords as soon as the device’s network adapter is powered up and connected to the company network or the internet; until the default is gone, the device should offer nothing but the password-change dialog.
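What ‘forcing’ the change looks like on the device side, as an added example that is not code from OWASP, Siemens or the original post: a minimal login handler that treats the factory default as a one-way ticket to the change-password dialog, refuses weak replacements and locks the account after repeated failures, i.e. items 1, 5 and 6 of the list above enforced rather than recommended. The factory default, the minimum length, the lockout numbers, the denylist and the in-memory user store are assumptions chosen for the example.

```python
import hashlib
import hmac
import os
import secrets
import time

FACTORY_DEFAULT = ("admin", "admin")   # assumption: credentials the device ships with
MIN_PASSWORD_LENGTH = 12               # assumption: policy chosen for the example
MAX_FAILED_ATTEMPTS = 5                # OWASP item 6: lock after 3-5 failures
LOCKOUT_SECONDS = 600
COMMON_PASSWORDS = {"password", "12345678", "administrator", "admin1234"}  # illustrative denylist


class AuthError(Exception):
    """Generic failure; the message never says whether the user exists (OWASP item 2)."""

class PasswordChangeRequired(AuthError):
    """Login used the factory default: only change_password() is permitted (OWASP item 1)."""

class AccountLocked(AuthError):
    pass

class WeakPassword(ValueError):
    pass


def _pbkdf2(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def check_strength(user, password):
    """OWASP item 5: refuse passwords that are short, equal to the default, or well known."""
    if len(password) < MIN_PASSWORD_LENGTH:
        raise WeakPassword("too short")
    if password in COMMON_PASSWORDS or password == FACTORY_DEFAULT[1] or password == user:
        raise WeakPassword("well-known or default password")


class WebInterfaceAuth:
    """Login state of a device web interface; 'clock' is injectable so lockout can be tested offline."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.users = {}
        user, password = FACTORY_DEFAULT
        self._store(user, password, must_change=True)

    def _store(self, user, password, must_change):
        salt = os.urandom(16)
        self.users[user] = {"salt": salt, "hash": _pbkdf2(password, salt),
                            "must_change": must_change, "failures": 0, "locked_until": 0.0}

    def _verify(self, user, password):
        """Constant-time compare; counts failures and locks the account (OWASP item 6)."""
        rec = self.users.get(user)
        now = self.clock()
        if rec is None:
            raise AuthError("invalid credentials")
        if now < rec["locked_until"]:
            raise AccountLocked("try again later")
        if not hmac.compare_digest(_pbkdf2(password, rec["salt"]), rec["hash"]):
            rec["failures"] += 1
            if rec["failures"] >= MAX_FAILED_ATTEMPTS:
                rec["failures"] = 0
                rec["locked_until"] = now + LOCKOUT_SECONDS
            raise AuthError("invalid credentials")
        rec["failures"] = 0
        return rec

    def login(self, user, password):
        rec = self._verify(user, password)
        if rec["must_change"]:
            # The default opens nothing but the change dialog, however the device is reached.
            raise PasswordChangeRequired(user)
        return {"user": user, "token": secrets.token_hex(16)}

    def change_password(self, user, old, new):
        check_strength(user, new)
        self._verify(user, old)
        self._store(user, new, must_change=False)


def attempt(auth, user, password):
    """Outcome of a login as a string, handy for tests and for audit log lines."""
    try:
        auth.login(user, password)
        return "session"
    except PasswordChangeRequired:
        return "change_required"
    except AccountLocked:
        return "locked"
    except AuthError:
        return "invalid"


if __name__ == "__main__":
    auth = WebInterfaceAuth()
    print(attempt(auth, "admin", "admin"))   # the default never yields a session
    auth.change_password("admin", "admin", "Meter-Room-7-Strong!")
    print(attempt(auth, "admin", "Meter-Room-7-Strong!"))
```

The point of the design is that the default password is not merely “to be changed” but functionally useless: it authenticates only the change-password call, so a device that was forgotten on the internet with its default still set exposes nothing but that dialog.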

Have a good week!