by Jan Alsenz
Gateway systems with connections to different network segments are common in SCADA/ICS networks, as found in manufacturing plants or power and water management. While these gateway systems are considered a security barrier, the SCADA/ICS penetration tests done by Oneconsult show that they do not always hold up to this expectation.
In SCADA/ICS networks, it is common to connect different networks (e.g. the manufacturing site and the control room) with dual-homed gateway systems. In contrast to a DMZ-like architecture, there is typically no firewall involved in these setups, so all services provided by the gateway are accessible over the network.
In one instance, recently tested in a SCADA application penetration test by Oneconsult, the gateway was running a number of different services, most of which were only intended for use in the inner network with the higher security level. However, all services were available on all network interfaces, including the external ones. One of the available services was an FTP daemon allowing anonymous access. Some configuration files found on this FTP server contained (weak) passwords for accessing other (internal) systems. As the management services for the gateway were also available, trying to log in with these credentials was the next logical step; it yielded administrator-level management access and thus allowed accessing the internal secured network.
It should be noted that this attack path did not even take into account the heavily outdated software present on the system, which is also a common problem in SCADA/ICS environments.
However, as another test showed, having only a minimal attack surface does not necessarily equal high security. This gateway system offered only one secured communication service on its outside network interface. At first glance, no obvious security issue was visible, as the service used strong encryption and public-key authentication. However, upon deeper inspection of the system, the contents of the disk revealed that the private key required for authentication was present on the system as a fixed part of the installation. So once the private key is extracted from any of the installations worldwide, it can be used to access any other gateway system from the same supplier. In this case the access also allowed bridging into the internal protected network, again violating the intended security properties.
These examples show that there is a lot of room for improvement in the SCADA/ICS domain, both for suppliers and operators. First, the systems should be built with security, not only safety, in mind. Second, patches and shorter release cycles should be introduced directly for the SCADA/ICS-specific software. In addition, this software should allow the underlying operating system to be patched independently. Also, in general, only the minimal required set of services should be exposed to the lower-security networks. Finally, secure and strong passwords (at least 16 cryptographically randomly chosen characters for administration-level access) should be used, and they should differ for every system.
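The first finding above (every service of the gateway bound on every interface) and the recommendation to expose only the minimal set of services can be checked on a Linux gateway with a small audit. The script below is an added example, not code from the article or from Oneconsult: it parses `ss -lntu` output and reports each listener reachable from the external side that the exposure policy does not allow. The interface addresses, the allow-list and the sample `ss` output are constructed for the example.

```python
"""Audit listening sockets on a dual-homed gateway against an exposure policy.

A listener is reachable from the lower-security network if it is bound to a
wildcard address or to the external interface's own address. Every such
listener that is not explicitly allowed externally is reported.
"""
from typing import NamedTuple

# Constructed: addresses of the gateway's external and internal interfaces
EXTERNAL_ADDRS = {"192.0.2.10", "2001:db8::10"}
INTERNAL_ADDRS = {"10.0.0.10"}
WILDCARDS = {"0.0.0.0", "*", "::"}

# Constructed policy: the only service the outer network is meant to reach
ALLOWED_EXTERNAL = {("tcp", 22)}


class Listener(NamedTuple):
    proto: str
    addr: str
    port: int


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntu` output (Netid State Recv-Q Send-Q Local Peer) into Listeners."""
    listeners = []
    for line in output.splitlines()[1:]:  # skip the header line
        fields = line.split()
        if len(fields) < 5:
            continue
        proto, local = fields[0], fields[4]
        # Local address forms: 0.0.0.0:21, [::]:8080, *:80, 192.0.2.10:502
        addr, _, port = local.rpartition(":")
        if addr.startswith("[") and addr.endswith("]"):
            addr = addr[1:-1]
        listeners.append(Listener(proto, addr, int(port)))
    return listeners


def exposed_externally(lst: Listener) -> bool:
    """True if the socket can be reached via the external interface."""
    return lst.addr in WILDCARDS or lst.addr in EXTERNAL_ADDRS


def audit(output: str) -> list[Listener]:
    """Return externally reachable listeners that the policy does not allow."""
    return [lst for lst in parse_ss(output)
            if exposed_externally(lst) and (lst.proto, lst.port) not in ALLOWED_EXTERNAL]


# Constructed sample output resembling the first gateway: FTP and management
# services bound to wildcards, a Modbus listener correctly bound inside only.
SAMPLE_SS = """\
Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:21           0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:22           0.0.0.0:*
tcp   LISTEN 0      128        10.0.0.10:502          0.0.0.0:*
tcp   LISTEN 0      128             [::]:8080            [::]:*
udp   UNCONN 0      0         192.0.2.10:161          0.0.0.0:*
"""

if __name__ == "__main__":
    for f in audit(SAMPLE_SS):
        print(f"EXPOSED {f.proto}/{f.port} bound to {f.addr}")
```

On a real gateway, feed it `subprocess.check_output(["ss", "-lntu"], text=True)` and fill the address sets from the actual interface configuration.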
Jan Alsenz is Chief Research Officer at Oneconsult AG.
Oneconsult AG is a renowned Swiss cybersecurity consulting company with approx. 25 employees, offices in Switzerland and Germany, a customer base of 300+ organizations and 1100+ completed security projects worldwide. We are your trustworthy partner for a holistic cybersecurity approach against external and internal threats such as APT, hacker attacks, malware infection, digital fraud and data leakage. Our core services are penetration tests, ISO 27001 security audits and IT forensics. To protect your organization and mitigate specific information security risks, Oneconsult also offers practical security consulting, security training and virtual security officer services. Dedicated IT security researchers and a large team of certified penetration testers (OPST, OSCP, etc.), digital forensics experts (GCFE, GREM) and ISO security auditors (ISO 27001 Lead Auditor) are at your service.