Industrial Control Systems (ICS) have a reputation for being more secure than consumer devices. Their use cases and price points are vastly different, so they should be more secure too, right?
We posted over two years ago about the trend we saw in Industrial Control System security. To explore this idea in more detail, take a look at the controllers below.
These kinds of controllers, used in factories, run the same operating systems and use the same kinds of chips and microprocessors as the devices below.
The reality is, modern Industrial Control Systems and Supervisory Control and Data Acquisition (SCADA) devices share more in common with the cellphone in your pocket than they do with their recent ancestors. This trend led manufacturers to create products with features like remotely accessible web servers, SD card readers, and USB ports, just like your average wifi camera. For example, watch this trout farmer gush about how he can connect his iPhone to his seemingly esoteric Siemens industrial controller.

How did critical devices become so similar to consumer devices?
Historically, electronics were made with Application Specific Integrated Circuits (ASICs), chips generally designed to do only one thing for their entire lifespan. The chip’s job was set into it as instructions physically burned into the chip, like music scratched into the grooves of a vinyl record. The music of a record is unchangeable without creating a whole new record; similarly, the only way to change an ASIC's functionality is to create a new chip.

Systems on Chip (SoCs) are an evolution of ASICs, but unlike ASICs they are general-purpose and allow companies to repurpose chips by changing the code running inside. Contrast expensive, difficult-to-maintain ASICs with reprogrammable, general-purpose SoCs, the revolution that made smartphones possible. Due to their immense benefits, SoCs are now found in everything from iPhones to vehicles, smart thermostats, and home routers.
And Programmable Logic Controllers (PLCs) now use them too.

So why did we think Industrial Control Systems were different? Well, they are different. They’re used in manufacturing, agriculture, and water treatment. They need to be more resilient to weather, vibration, high voltages, and failure. They are also subject to round after round of safety critical testing, because of their extreme importance. So naturally, we think of these systems as fundamentally different and expect that they should have better security and use specialized hardware.
And historically, they did. Manufacturers used to rely on custom-built ASICs, but the last 20 years brought a quiet tidal shift. Industrial controllers now have more in common with “Internet of Things” devices than controllers of a decade ago.
To further accentuate the similarities PLCs have with traditional consumer devices, Industrial Control Systems based on RaspberryPis and Arduinos have recently come to market.

One benefit that SoCs bring is the ability to update them with new firmware, but this is, unfortunately, of minimal value to industrial automated systems. Controllers tend to be on longer refresh cycles because the cost, effort, and downtime required for an update are expensive. Companies, unlike consumers, don’t buy the next version as soon as it becomes available.
Additionally, their safety and compliance burden requires new code to be checked ad nauseam before release. A recent study from Southwest Airlines discovered the safety and compliance process cost them $1 million for every single line of code changed in their airplanes.
This high cost to patch compounds the security challenge for safety-critical systems.
Here’s why we’re worried: Looking through vulnerabilities discovered in PLCs on ICS-CERT turns up the same kinds of vulnerabilities we see in consumer devices, like classic stack overflows, hardcoded credentials, and unsecured SNMP servers. That means they're using the same coding standards as consumer devices as well.
Excerpt from http://iot.security/infographic
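To make the "classic stack overflow" category concrete, here is an added example (not code from the original post or from any controller vendor) of the pattern that produces it in embedded firmware, beside a hardened form. The scenario, a device copying a name field received over its management interface into a fixed stack buffer, and all identifiers are constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Constructed scenario: a controller stores a text field (say, a device
   name received over its web or SOAP management interface) in a fixed
   buffer. NAME_MAX is an assumed size, not taken from any real product. */
#define NAME_MAX 16

/* Vulnerable pattern: unbounded copy into a fixed-size stack buffer.
   Any input longer than NAME_MAX - 1 bytes writes past the end of
   'name', corrupting the stack. Shown only for contrast; never call it
   with untrusted input. */
int set_name_unsafe(const char *input)
{
    char name[NAME_MAX];
    strcpy(name, input);            /* no length check at all */
    return (int)strlen(name);
}

/* Hardened form: bound the scan, reject over-long input instead of
   silently truncating it, and always NUL-terminate. Returns 0 on
   success and -1 when the input is rejected. */
int set_name_safe(const char *input, char *out, size_t out_len)
{
    if (input == NULL || out == NULL || out_len == 0)
        return -1;

    /* Look for the terminator only within out_len bytes; memchr never
       reads past that bound, so a missing NUL cannot cause an over-read. */
    const char *end = memchr(input, '\0', out_len);
    if (end == NULL)                /* no room for the terminator: reject */
        return -1;

    size_t n = (size_t)(end - input);
    memcpy(out, input, n);
    out[n] = '\0';
    return 0;
}

int main(void)
{
    char name[NAME_MAX];
    const char *inputs[] = {
        "pump-01",                                  /* fits */
        "123456789012345",                          /* 15 chars: fits */
        "1234567890123456",                         /* 16 chars: no room for NUL */
        "this-name-is-far-too-long-for-the-buffer"  /* would overflow */
    };
    for (size_t i = 0; i < sizeof inputs / sizeof inputs[0]; i++) {
        int rc = set_name_safe(inputs[i], name, sizeof name);
        printf("%-45s -> %s\n", inputs[i],
               rc == 0 ? name : "rejected (too long)");
    }
    return 0;
}
```

The design point is that the safe version makes the caller's buffer size an explicit parameter and turns "input too long" into a visible error code, which is exactly the kind of failure an ICS-CERT-class bug report would have caught at the interface rather than after memory was already corrupted.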

We found a vulnerability, Devil's Ivy, in the popular third party library, gSOAP, that implements SOAP, a commonly used protocol. In the device we discovered the vulnerability, the manufacturer was using gSOAP to support the ONVIF standard, which a variety of companies, including ICS manufacturers, use.
If they’re using the same chips, firmware, standards, and protocols, and the same vulnerabilities are turning up, then there isn’t much of a difference, except that controllers are in critical positions. A vulnerability in a consumer, or even enterprise, wifi camera is a nuisance. A vulnerability in a controller, that costs millions to patch and affects multiple companies across multiple industries, is a serious hazard.
Want to learn more about what’s under the hood of these controllers? We’ve done research into a variety of manufacturers and their controllers, and spent hours live streaming our investigation of their hardware.