SCADA Experts Simulate Catastrophic Attack

  /     /     /  
Publicated : 22/11/2024   Category : security


SCADA Experts Simulate Catastrophic Attack


Lack of security in remote oil drilling stations and other similar environments vulnerable to rudimentary but potentially disastrous attacks



LAS VEGAS -- BLACK HAT USA -- SCADA experts here today demonstrated just how easy it is to commandeer the antiquated networking protocols used in an oil-well pumping station and other SCADA environments, causing a simulated oil tank to nearly overflow using spoofed commands to the programmable logic controller (PLC).
While the live demo by Cimation researchers Brian Meixell and Erick Forner drew audience laughter with the model-simulated oil well and pump contraption -- at one point spraying some of the bluish-green dyed liquid, and the grand finale when they hacked the remote terminal units HMI interface and inserted a game of Solitaire on its screen -- their message was sobering.
We only had a 24-volt pump in the demo, but this [attack] could cause a complete environmental catastrophe in a real oil-well drilling environment, Forner said.
The researchers, whose day jobs include installing and supporting SCADA systems in oil rigs, basically wrote a few basic Python scripts that told the remote controllers what to do. In the live demo, they commanded the valve and pump to work on high and to nearly overflow the simulated oil. They also showed how they could send phony data that convinced the system that the pump was empty when it was actually rising, forcing it to nearly overflow.
So you can have the operator seeing something entirely different than whats happening in the process, causing the pipe to burst and the tank to overflow, Forner says. The operator would see the tank levels decreasing, when, in fact, they were increasing.
No specific software vulnerabilities or bugs are required for this attack: It comes down to the lack of security in the serial Modbus/TCP protocol, a networking protocol that dates back to the 1970s and operates on port 502. There is no authentication or security at all designed into it, Forner says.
We are sending packets over the network, unauthenticated and controlling the PLC devices with the scripts, he says. We were able to disable the safety logic ... and force inputs and outputs to turn a pump on, off, or sabotage its flow.
[How utilities could spot malware and cyberattacks on their automation environments on the fly merely by continuously monitoring the customarily predictable behaviors of those networks and systems. See
Experiment Simulated Attacks On Natural Gas Plant
.]
Meanwhile, the researchers say theyve found via Shodan scans some 93,000 devices reachable via the Internet that speak Modbus. Preventing attacks on these systems, such as those the two demonstrated, would require command-level filtering for the PLCs, or removing the systems from the public IP network altogether, they said.
So are these environments getting hit by attacks yet? A lot of why were not seeing a lot of attacks here is that you dont know what youre looking for if you dont know what to do with it, Forner says. These devices have been attached to the Net for years. Now people are starting to look at this and are starting to care.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.

Last News

▸ Scan suggests Heartbleed patches may not have been successful. ◂
Discovered: 23/12/2024
Category: security

▸ IoT Devices on Average Have 25 Vulnerabilities ◂
Discovered: 23/12/2024
Category: security

▸ DHS-funded SWAMP scans code for bugs. ◂
Discovered: 23/12/2024
Category: security


Cyber Security Categories
Google Dorks Database
Exploits Vulnerability
Exploit Shellcodes

CVE List
Tools/Apps
News/Aarticles

Phishing Database
Deepfake Detection
Trends/Statistics & Live Infos



Tags:
SCADA Experts Simulate Catastrophic Attack