Tag Archives: Security by design

Ransomware for Industrial Control System – Digital Carelessness

19 March 2017

Ransomware for Industrial Control Systems (ICS) is a scary idea. The research paper ‘Out of Control: Ransomware for Industrial Control System’ by David Formby, Srikar Durbha and Raheem Beyah from the Georgia Institute of Technology is really worth reading.

The researchers study several attack vectors and run a proof of concept (PoC). In addition, they give some hints for mitigating this new risk in the ICS / SCADA domain.

In the simplest case, if the PLC is connected to the internet, the cyber-criminal can attack the PLC directly. A more dangerous, but also very promising way is to start an attack on a workstation located in the corporate network and use this system as a base camp for access to the production network.

In the past weeks I prepared a speech for a workshop about “Safety and security in plant safety”. In the IIoT, the digital world acts upon the physical world. With this, flaws in IIoT software may create a safety problem. For example, if a PLC or other SCADA components are attached to the internet, cyber criminals can exploit such flaws and compromise the integrity of the systems or deploy ransomware on them. In the worst case, if e.g. the SCADA system controls a critical infrastructure like a power grid, this may result in a blackout. And operators of critical infrastructures will definitely pay any ransom to avoid a blackout.

The attack vectors described above are the obvious way of accessing industrial facilities and critical infrastructures. Besides the PLC, lots of other components like switches or HMI panels are connected, more or less intentionally, to the internet today. My colleague Christoph Thust from Evonik calls this Digital Carelessness.

A plain SHODAN search for ‘SCALANCE’ results in 213 hits. These network switches are more or less exposed to the internet. If a cyber attacker can hijack such a switch, he gains full control of the production network.

Shodan Scalance Search

A search for ‘SIMATIC HMI’ results in 103 hits. These HMI panels are directly attached to the internet; lots of them can be viewed with WinVNC, and some of them can be fully operated by EVERYONE.

Shodan Search HMI

And, above all, HMI panels attached to the internet can be used as a base camp for an attacker’s lateral movement in the production network.

Although ransomware is a really big issue today, the effort to roll out ransomware in a SCADA environment is high compared to the effort of plain attacks on unsecured SCADA system components.

The good news is that the vendors of SCADA components already offer the elementary technology and strategies for their secure operation. But improvement of the basic security technologies is urgently needed for efficient use in the production domain.

The bad news is that neither the engineering service providers nor the plant operators are fully aware of cyber-threats and their impact on plant operations and safety. The above examples make clear that the mitigation measures and defense strategies provided by the technology vendors are not followed.

From my point of view, we need to start early in the construction process with cyber security considerations. Security gates must be added to each construction phase. And during handover to the operator, a final pen test must be performed. As soon as Security by Design becomes an integral part of the Industrial Plant Life Cycle, the era of digital carelessness will end.

Have a good weekend.

IIoT Security is the result of close collaboration between Vendors, Contractors, and Operators

18 December 2016

In the past days, I prepared a keynote speech for the kick-off meeting of a new working group in the Committee for Operating Safety of the German Federal Ministry for Work and Social Affairs.

IIOT: Impact of Digital World on Physical World

The working group deals with the impact of Industrial Internet of Things (IIoT) issues on functional safety. In the world of Cyber Physical Production Systems (CPPS) or the IIoT this becomes very important. A CPPS is a system which combines physical objects (through sensors or actuators) and processes with digital (virtual) objects and processes across information networks and the internet. In the IIoT the digital world acts upon the physical world. With this we have to be prepared for safety issues.

Cyber Physical Production System Structure

Safety engineers have long-standing experience in managing the risk created by classic vulnerabilities of safety devices like power or compressed air malfunction, corrosion or operator errors.

With the embedded system and its connection to the internet, thousands of easily exploitable IT vulnerabilities enter the safety domain.

The main difference is that these IT vulnerabilities are exploitable by

  • any internet user
  • from any location and
  • at any time.

If the safety device is not properly designed this may have a negative impact on the safety function, thus on people or the environment.

Inspection engineers generally have little experience in managing the risks which arise from IT vulnerabilities. Objectives of the working group are to create awareness of this new kind of IT risk and to provide working materials to support the inspection engineers.

During preparation, I focused on the easily exploitable weakness CWE-16 (Configuration), in particular default passwords. Lots of process control systems (PCS) are attached to the Internet. And lots of them are accessible with default passwords for the administrator and guest account. Although the vendors strongly recommend changing the passwords during startup, neither the engineering teams nor the operators performed their duties.

Vendors started to deal with the default password issue and introduced individual passwords for PCS. Rockwell for example uses the serial number of the system as individual password:

The Configuration pages (Device Identity, Network Configuration and Device Services) are password protected. By default they can be accessed with:

  • Username = administrator
  • Password = the adapter’s serial number (listed on the adapter’s home page)

Generally, this is a good idea. But if the engineering team does not remove the password from the system’s homepage or change the password, this creates no security. The same applies to the operators. At least before commissioning they must check whether basic security best practice is implemented. Since the power plants I found during my research have been operating for some years now, the operators definitely did not check this.

With this it is required that Vendors, Contractors, and Operators

  • introduce Security-by-Design and Cyber Risk Management in their design standards
  • introduce Security Gates in their design processes
  • enhance handover and acceptance procedures by security requirements

to make sure that at least basic security requirements are met, thus the safety of the systems is not compromised by IT vulnerabilities.

That’s it for today, and for this year. I will take a Christmas break.

A merry Christmas to you all
and the best wishes
for health, happiness and prosperity
in the New Year.

Update on IIoT Security Basics

27 November 2016

Number One vulnerability on the OWASP IoT Top 10 from 2014 was “Insecure Web Interface”. The OWASP IoT Project makes the suggestions below to mitigate these vulnerabilities:

A secure web interface requires:

  1. Default passwords and ideally default usernames to be changed during initial setup
  2. Ensuring password recovery mechanisms are robust and do not supply an attacker with information indicating a valid account
  3. Ensuring web interface is not susceptible to XSS, SQLi or CSRF
  4. Ensuring credentials are not exposed in internal or external network traffic
  5. Ensuring weak passwords are not allowed
  6. Ensuring account lockout after 3-5 failed login attempts

Recommendation (1) is much too weak. Customers must be forced to change passwords during initial setup.

Why? In many cases customers are simply not aware of the fact that a device is accessible from the internet. For example, HMI touchscreens are often remote accessible through built-in web services:

This HMI panel is well configured. For access e.g. to the files a login to the system is required.

But the default login password is publicly available from SIMATIC discussion forums and wasn’t changed during setup of the device:

SIMATIC HMI Panel File System Browser Details

With this, rule (1) above will not prevent any attacks on IIoT devices. Customers must be forced to change passwords as soon as the device network adapter is powered up and connected to the company network or the internet.
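As an added example (my code, not the post's, OWASP's or any vendor's), here is the login logic a device web interface needs to enforce the stronger rule argued for here; it also rejects a serial-number style default like the one quoted in the December post above. The device serial, default password, length policy and denylist are constructed values.

```python
import hashlib, hmac, os

MAX_FAILED = 5     # OWASP IoT recommends lockout after 3-5 failed attempts
MIN_LENGTH = 12    # constructed policy value
DENYLIST = {"password", "admin", "administrator", "guest"}   # constructed, tiny

def _hash(pw: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", pw.encode(), salt, 100_000)

class DeviceAuth:
    """Web-interface login for a device; the factory default unlocks only password change."""

    def __init__(self, serial: str, default_password: str):
        self.serial = serial                 # some vendors use this as the default password
        self.salt = os.urandom(16)
        self.pw_hash = _hash(default_password, self.salt)
        self.must_change = True              # true from first power-up until replaced
        self.failed = 0

    def login(self, password: str) -> str:
        """Returns 'locked', 'denied', 'must_change' or 'ok'."""
        if self.failed >= MAX_FAILED:
            return "locked"
        if not hmac.compare_digest(_hash(password, self.salt), self.pw_hash):
            self.failed += 1
            return "locked" if self.failed >= MAX_FAILED else "denied"
        self.failed = 0
        # The default credential is accepted for nothing but the change-password page:
        # no file browser, no configuration pages until it has been replaced.
        return "must_change" if self.must_change else "ok"

    def is_weak(self, new_pw: str) -> bool:
        low = new_pw.lower()
        return (len(new_pw) < MIN_LENGTH
                or self.serial.lower() in low                      # serial-number default
                or low in DENYLIST
                or hmac.compare_digest(_hash(new_pw, self.salt), self.pw_hash))  # unchanged

    def change_password(self, current: str, new_pw: str) -> bool:
        if self.login(current) not in ("ok", "must_change") or self.is_weak(new_pw):
            return False
        self.salt = os.urandom(16)
        self.pw_hash = _hash(new_pw, self.salt)
        self.must_change = False
        return True
```

The web server should route a "must_change" result to the change-password page only, so the device is never operable with its factory credential.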

Have a good week!

Security by Design

21 August 2016

Friday afternoon I participated in a really interesting meeting. Some application managers got a request from researchers to implement a new application to support pharmacological studies. The new application collects information from some business critical applications. The researchers combine and enrich the information, evaluate the new information with numerical models and, if the results are promising, transfer it back to the source systems.

With this, it is very likely that the new application will create and store business critical information, even if the information collected from the source systems may not be critical.

The application managers were particularly concerned about the impact of the security requirements on the usability and the development and operation costs of the application. Thus they decided to start the security discussion as early as during the development of the project proposal.

Great! That is the best phase to start with application security, indeed. Security by Design is the key to sustainable and cost-effective security. We had a very fruitful discussion about role concepts, clearance of users and encryption.

The application managers were actually surprised when I began talking about the solution life cycle. To talk about the solution life cycle during the development of the project proposal sounds really strange, but the architecture of a solution has a major impact on the security and the operation costs.

In R&D we talk about application lifetimes of 10 or more years. With this we have to change applications just because application components are discontinued by the suppliers and need to be replaced by either newer versions of the same component or, in the worst case, by components of other suppliers. In addition, we have to apply an endless stream of security patches to all components which leads to high effort in application operations.

If the application architecture does not support the easy replacement or patching of components we have to apply additional technical measures to secure the application, which leads to increased operation costs and complexity. Thus it makes sense to start talking about the solution life cycle as early as possible.

That reminds me of Dan Lohrmann’s post “Idea to retire: Cybersecurity kills innovation”, which was published in the Brookings TECHTANK blog some months ago:

Security is a necessary enabler of opportunity and innovation. Improved cybersecurity enhances innovative projects and is a core requirement for their success.

Now we have to convince the research department to spend some additional effort and time during the development of the project proposal to build a really innovative application.

Have a good weekend.

The Art of Threat Modeling

18 September 2014

Currently I am very busy with hardening of complex applications. As a starting point I develop a threat model of the application system.

Threat models are powerful tools in the design phase of the software development process. They are the basis for the security design of systems and applications. From the threat model, vulnerabilities can be identified and mitigation measures can be designed.

If the threat model is refined in the further development process, it can be used for verification, validation and test case creation.

To develop a threat model for an existing application system is a complex communication task. In most cases people of different organizations within a company, e.g. IT operations or application development, must be involved.

However, the main challenge is to develop a complete model in order to find all potential vulnerabilities and risks. Let me clarify this by means of a simplified model of a web application.

A simplified web application is built of an application service and some data stores. The user communicates through an internet browser with the application service. The application service stores data in a database and on a file share. Thus the building blocks are two data stores, an application process and the browser process on the client computer. In addition we have one data flow from the user’s browser to the application service and two data flows from the application service to the data stores.

Threat Model Simplified 3 Tier Application System

The picture above shows this simplified threat model created with Microsoft Threat Modeling Tool 2014 (TMT). TMT uses the STRIDE threat model as a basis for threat identification. STRIDE is an acronym for

Spoofing identity,
Tampering with data,
Repudiation,
Information disclosure,
Denial of Service and
Elevation of privilege.

These are commonly used threat categories.

Unfortunately our model is not complete. An attacker would try to bypass the application to get direct access to the data stored in the database and the file share. Thus we have to add two applications and two data flows to our simplified model:

Threat Model Simplified 3 Tier Application System Ext.

Depending on the object type, e.g. database, application or data flow, TMT generates threats from the STRIDE categories for each object. This is the main advantage of TMT over manual threat creation, because you can focus on the design of mitigation measures.

Threat Model Three Tier System Mitigation

You can download TMT from Microsoft download center.
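As an added example (my code, not the post's and not Microsoft's tool), here is a small STRIDE enumerator over the two diagrams described above, doing by hand what TMT does per element type; it makes visible which threats the incomplete first model never showed. The per-element-type applicability table and the element names ("User", "DB client", "File client") are assumptions of this example.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

STRIDE = {"S": "Spoofing identity", "T": "Tampering with data", "R": "Repudiation",
          "I": "Information disclosure", "D": "Denial of service", "E": "Elevation of privilege"}

# Assumed per-element-type applicability (the usual STRIDE-per-element table):
# external interactors S/R, processes all six, data stores T/R/I/D, data flows T/I/D.
APPLICABLE = {"external": "SR", "process": "STRIDE", "datastore": "TRID", "dataflow": "TID"}

@dataclass
class Model:
    elements: Dict[str, str] = field(default_factory=dict)   # name -> element type
    flows: List[Tuple[str, str]] = field(default_factory=list)

    def add(self, name: str, kind: str) -> "Model":
        assert kind in APPLICABLE, kind
        self.elements[name] = kind
        return self

    def flow(self, src: str, dst: str) -> "Model":
        assert src in self.elements and dst in self.elements
        self.flows.append((src, dst))
        return self

    def threats(self) -> List[Tuple[str, str]]:
        """(element, threat category) pairs, the way TMT generates a threat list."""
        out = [(n, STRIDE[c]) for n, k in self.elements.items() for c in APPLICABLE[k]]
        out += [(f"{s} -> {d}", STRIDE[c]) for s, d in self.flows for c in APPLICABLE["dataflow"]]
        return out

def simplified_model() -> Model:
    """The post's first diagram: browser -> application service -> two data stores."""
    m = Model().add("User", "external").add("Browser", "process").add("App service", "process")
    m.add("Database", "datastore").add("File share", "datastore")
    return m.flow("Browser", "App service").flow("App service", "Database").flow("App service", "File share")

def extended_model() -> Model:
    """The post's correction: clients that bypass the application and hit the stores directly."""
    m = simplified_model().add("DB client", "process").add("File client", "process")
    return m.flow("DB client", "Database").flow("File client", "File share")

def missing_threats() -> List[Tuple[str, str]]:
    """Threats the incomplete model never listed: present only once the bypass is drawn."""
    return sorted(set(extended_model().threats()) - set(simplified_model().threats()))
```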


Security testing – The new magic trick?

14 August 2014

Security testing is one of the top issues in the media at the moment.

Security testing will definitely support companies in delivering less error-prone and vulnerable software to their customers. It is an old truth that the cost to fix an error after rollout is considerably higher than before. But when it comes to security relevant vulnerabilities, errors can have catastrophic effects on a company.

In my opinion, standalone security testing will not lead to more secure software in the long term. Security should be built into the entire development process from requirements specification to user acceptance test, with verification and validation in each step. And it is very important to make it crystal clear to the customer that security comes at a price.

Security by design is the means by which less vulnerable software products can be delivered.

In particular, the coding phase is critical for the vulnerability of a product. To create less vulnerable software, developers have to unlearn old programming habits and acquire the well-known best practices for developing secure products. To ensure success, this transformation process should be embedded in a change process.

Drive the change!