Pwned with '4 lines of code': Researchers warn SCADA systems are still hopelessly insecure

BSides London Industrial control systems could be exposed not just to remote hackers, but to local attacks and physical manipulation as well.

A presentation at last week's BSides London conference by researchers from INSINIA explained how a device planted on a factory floor can identify and list networks, and trigger controllers to stop processes or production lines.

The talk – Hacking SCADA: How We Attacked a Company and Lost them £1.6M with Only 4 Lines of Code – reviewed 25 years of industrial control kit, going back to the days of proprietary equipment and X21 connections before discussing proof-of-concept attacks.

Mike Godfrey, chief exec at INSINIA, told El Reg that industrial control kit has long been developed with safety, longevity and reliability in mind. Historically everything was "air-gapped" but this has changed as the equipment has been adapted to incorporate internet functionality. This facilitates remote monitoring without having to physically go around and take readings and check on devices, which are often as not in hazardous environments.

Godfrey explained that security has never been a design criteria for industrial control kit and this hasn't changed with the advent of IoT in the domain of SCADA systems. As a result, issues such as default hard-coded credentials and lack of encryption abound.

Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98...

Worse yet, most systems are running either old or hopelessly obsolete versions of Windows. Most terminals are running Windows 7 but some run Windows 98, according to Matt Carr, CTO of INSINIA. The Windows 98 terminals are thus vulnerable to Back Orifice, a vintage hacking tool that dates back to the 1990s.

"Industrial control setups certainly don't have the maturity of enterprise environments," Godfrey said with some understatement.

Industrial control systems run water supply, power grid and gas distribution systems as well as factories, building management systems and more. INSINIA has developed test rigs to assess the effectiveness of real-world systems that the security consultancy is asked to check. Testing attacks such as spoofing on real-world systems is likely to bring things down, Godfrey added.

Denial-of-service in industrial control environments is easy and fuzzing (trying a range of inputs to see which causes an undesigned effect) also offers a straightforward way to uncover hacks.

INSINIA has developed a device that automatically scans networks and shuts down components. The "weaponised" Arduino micro-controller looks like a regular programmable logic controller (PLC) to other devices on the network. If it is physically planted on a targeted environment, it can quickly enumerate networks before sending stop commands. It can "kill industrial processes with only four lines of code", according to Godfrey.

He added that it wouldn't be possible to apply a simple reset in the event of such an attack, so a targeted environment could be taken down again and again.

BSides presentations are often accompanied by the release of proof-of-concept code but the software here exploits systemic vulnerabilities that are unlikely to be resolved any time soon, so INSINIA is not releasing the tech even to its ethical hacker peers.

Godfrey said that for industrial control plants, keeping the processes running is the prime concern. He claimed many plants "self-insure" to cover for the losses and disruption caused by security incidents, which he said already happen on an under-publicised scale.

The wider security community has recognised the risk posed to industrial control systems from malware in the wake of high-profile attacks such as the Shamoon assault on Saudi Aramco and the BlackEnergy attacks on electricity distribution facilities in Ukraine.

The famous Stuxnet attack on Iran's uranium-enrichment facilities showed not only how SCADA devices might be hacked to cause real-world effects but how sensors can be fooled by faked logs so staff are none the wiser.

INSINIA's research shows how something similar might be achieved against a wider range of potential targets, provided that a rogue micro-controller – such as that developed by the UK-based security consultancy – is planted in a targeted environment.

That's aside from the large number of industrial control systems exposed to the internet, which are easily found using Shodan, the search engine for the IoT.

Not even a safe is safe

Part of INSINIA's BSides London demo showed how home and small office safes could be opened using only a magnet and a sock. The trick works because the solenoids – a kind of electromagnet that generates a controlled magnetic field – inside the safe can be manipulated to move the pins that keep a safe locked.

Magnetic interlocks in industrial control kit can be undone in a comparable way. Laser-based sensors, meanwhile, can be defeated with a mirror. The BSides demo also featured a demonstration of taking apart supposedly secure RJ45 connectors using two spoons and without leaving any obvious signs of tampering. ®