In a nutshell …

Myth 1: Consumer protection exists in cyberspace
Myth 2: Firewalls and virus scanners protect my computer and my enterprise
Myth 3: My government has the solution and will protect me
Myth 4: Physical assets are more valuable than information
Myth 5: Laws are keeping pace with technological innovation

I would like to especially call out Myth 2. There seems to be a false sense of security with installing firewalls, intrusion detection systems, virus scanners etc. within enterprise and industry. I have come across many situations within the manufacturing and control systems space where the engineers are totally satisfied with the security of their networks (as they have firewalls and virus scanners in place). However, what they don’t realize is that their network is still vulnerable and open to other forms of security breaches/ problems.

Security within a network is not just about physical implementation and should not be centered around it (which unfortunately a lot of people do). Security within enterprise or/and automation systems should be policy based with physical implementation (like firewalls and virus scanners) being one part of puzzle. No matter how big or small your network is, it is a good practice to have policies in place — you always want to be prepared for eventualities.

“Oops, I didn’t mean to do that!”

Security problems don’t just happen with viruses, it could be as simple as a factory worker accidentally pressing the wrong button, uploading the wrong ladder logic program, accidentally pulling out the wrong network cable from the network switch or accidentally dislodging the power cord.

Securitysearch.com gives a good definition of a “Security policy”:

“…a security policy is a document that states in writing how a company plans to protect the company’s physical and information technology (IT) assets. A security policy is often considered to be a “living document”, meaning that the document is never finished, but is continuously updated as technology and employee requirements change. A company’s security policy may include an acceptable use policy, a description of how the company plans to educate its employees about protecting the company’s assets, an explanation of how security measurements will be carried out and enforced, and a procedure for evaluating the effectiveness of the security policy to ensure that necessary corrections will be made.”

I would like to add to the Myth list –

“Myth 6: My network is 100% secure”
“Myth 7: Hackers always cause network security problems”

There is no such thing as a network being 100% secure. A good secured network is one that has policies/ steps to minimize loss of investment and control breaches/ exploits (purposeful or accidental).

There is also a common perception that network security problems always originate from the outside (from hackers or crackers). Not all security problems are purposeful, they can be accidental too and could originate from within the company. A good security policy accommodates and plans for internal and external occurrences.

To end this off, here are some steps companies should take to protect themselves:

1) Learn and educate yourself — Get a good understanding of the types of security threats you face in your environment
2) Do a risk assessment that reveals the crucial/beneficial areas of your network investment
3) Create policies and procedures that integrate security in accordance to your assessment
4) Integrate/ deploy up to date technical controls
5) Plan for eventualities and how to respond to them
6) Continually update/ revise policies

Of course, I am just scratching the surface here as network security has many facets to it. It does however give you something to think about and is something that can’t be taken lightly.

Do you have other Myths to add? Let us know in the comments area.

To summarize … the first power line exploit allows the attacker to grab keyboard signals through unshielded cablings, and the ground wire of an electrical system which is fed to the computer. The voltage difference and fluctuations of the signals that are leaked into the ground are captured from both resistor ends and converted to letters. The attack works on computers plugged into the wall and up to 15 meters (about 49 feet).

The second exploit involves a cheap laser pointed at a shiny part of a laptop or an object sharing the same space with the laptop. A receiver is set to capture the modulations of the reflected beam caused by the vibrations from the keys being struck. The modulation is then converted to electrical signals. Between the sequence of keys and word spacing, the attacker can disseminate what text is being typed; with shiny laptop lids and hinges provide the best read vibrations.

It is advised that when working on a laptop, that your surroundings are surveyed and that there isn’t a line of sight to the laptop while moving your position frequently while typing. They go as far as to say that striking random keys and using the backspace key to delete them is a good thing.

“If our small research was able to accomplish acceptable results in a brief development time (approximately a week of work) and with cheap hardware,” they say. “Consider what a dedicated team or government agency can accomplish with more expensive equipment and effort.”

The simplicity of exploits is indicative of the fact that you don’t need to do much to steal data. However, I am not sure how realistic (or real world) this is. It may be good in theory but the scenarios/ instances have to be perfect for it to happen.

Here are some notable comments:

“Many laptops have power converters without a ground. Based on the description of the attack, it seems that not having a ground wire would prevent this method from working as well.”

“Signal obtained by potential difference from the earth outlet needs to be fed back to a computer with the right voltage with AD converter and a software code to make any intelligible sense, I personally believe this claim is far fetched, the same goes with reflected laser beam unless the person listening to the sound signals is an expert telegraph operator who can detect and memorize at least 26 different sounds, not even Thomas Edison can do it.Unless of course the sound signal from the sound card is fed to speech converter application”

“Maybe you shouldn’t be writing your quarterly report on your laptop at Panera. Seriously, the best way to protect yourself and your data is simply choose better places to work on data with sensitive information. The only reason people are able to exploit this is because users are dumb. If your information needs to be protected then your computer needs to be in a secure area- and sorry, Motel 6 wifi doesn’t count.”

“Closing the curtains would be a start!”

Links

Compromising electronimagnetic emanations of wired keyboards
Researchers find ways to sniff keystrokes from thin air
Sniffing keystrokes via laser and keyboard power

Hackers Penetrating Control Systems (PC World)
Hackers Penetrating Industrial Control Systems (Computer World Security)
R&D work vulnerable to cyber threats (Federal Computer Week)
Control Systems Cyber Security – The Current Status of Cyber Security of Critical Infrastructures (Joseph Weiss’ testimony to the Members of Congress dated March 19, 2009)

Around the web

Cyber Security Procurement Language for Control Systems Version 1.8 (MSISA)
Multi-State Information Sharing and Analysis Center (MSISA)
Research Challenges for the Security of Control Systems (University of California, Berkeley)
Advances Needed in Control System Cyber Security (ControlGlobal.com)
Guide to Industrial Control Systems (ICS) Security (NIST)
A Summary of Control System Security Standards Activities in the Energy Sector (Department of Energy)

Any other links that you want to share, let us know in the comments and we will add it to the list.

Cisco is getting pretty innovative. They just released a comic book style 4 part animation series called The Realm. It’s about a group of Cisco engineers battling the evils of network security within the world. This is launched to coincide with their industry conference next month.

Each episode raises issues surrounding security threats, like identity theft and malware, that are averted by comic book heroes, said Marie Hattar, VP of marketing. “The idea was, it would drive the readership to look for products that could [protect them] in real life,” she added.

Taping into the stereotypical security person’s love of comic books and online games, this may proof to be a gimmicky (but effective) effort.

AREVA e-terrahabitat SCADA systems vulnerabilities
February 2009

GE Fanuc Proficy HMI/SCADA iFIX uses insecure authentication techniques
February 2009

GoAhead Webserver Information Disclosure Vulnerability
February 2009

Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge URL Redirection Vulnerability
February 2009

Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge Cross-site Scripting Vulnerability
February 2009

Automated Solutions Modbus TCP Slave ActiveX Control Vulnerability
January 2009

ABB PCU400 vulnerable to buffer overflow
September 2008

Citect CitectSCADA buffer overflow
June 2008

Wonderware SuiteLink null pointer dereference
May 2008

GE Fanuc CIMPLICITY HMI heap buffer overflow
January 2008

GE Fanuc Proficy Information Portal allows arbitrary file upload and execution
January 2008

GE Fanuc Proficy Information Portal transmits authentication credentials in plain text
January 2008

Gesytec Easylon OPC Server fails to properly validate OPC server handles
December 2007

Invensys Wonderware InTouch creates insecure NetDDE share
November 2007

LiveData Server fails to properly handle Connection-Oriented Transport Protocol packets
May 2007

LiveData Protocol Server fails to properly handle requests for WSDL files
May 2007

Takebishi Electric DeviceXPlorer OPC Server fails to properly validate OPC server handles
March 2007

NETxAutomation NETxEIB OPC Server fails to properly validate OPC server handles
March 2007

ICONICS Dialog Wrapper Module ActiveX control vulnerable to buffer overflow
January 2007

SISCO OSI Stack fails to properly handle malformed packets

January 2007

This standard describes the elements contained in a cyber security management system for use in the industrial automation and control systems environment and provides guidance on how to
meet the requirements described for each element.

Here is the full description of the vulnerability (per Rockwell’s official support site):

• The potential for cross-site scripting, which could allow the Product to be used in a social engineering attack.

• An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would instead execute script from a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

• The potential for web redirection, which could allow the Product to be used in a social engineering attack.An attacker could potentially craft a URL that looked as if it would take a user to the Product, but would actually direct the browser to a different location. A successful attack would require the attacker to transmit the crafted URL to a user with access to the web interface of the Product and to convince that user to open the URL.

• The potential for exposure of some of the Product’s internal web page information. While this does not directly present a functional vulnerability, it does expose some internal information about the module.

The new firmware scheduled for July 2009 will fix this vulnerability. They have suggested the possible use of IE8 (beta) and Firefox may help prevent the cross site scripting attacks.

US-CERT reports it with Vulnerability Note VU#882619 here.

[Update: US-CERT also reports VU#619499 Rockwell Automation ControlLogix 1756-ENBT/A EtherNet/IP Bridge URL Redirection Vulnerability]

Full list of control system vulnerabilities from 2007-present can be seen here.

Developed in 2008, the list opens the eye to areas that are not well understood, not as apparent and not frequently tested within the wired/ wireless systems space.

The Top 25 is organized into three high-level categories that contain multiple CWE entries.

Insecure Interaction Between Components
These weaknesses are related to insecure ways in which data is sent and received between separate components, modules, programs, processes, threads, or systems.

• CWE-20: Improper Input Validation
• CWE-116: Improper Encoding or Escaping of Output
• CWE-89: Failure to Preserve SQL Query Structure (aka ‘SQL Injection’)
• CWE-79: Failure to Preserve Web Page Structure (aka ‘Cross-site Scripting’)
• CWE-78: Failure to Preserve OS Command Structure (aka ‘OS Command Injection’)
• CWE-319: Cleartext Transmission of Sensitive Information
• CWE-352: Cross-Site Request Forgery (CSRF)
• CWE-362: Race Condition
• CWE-209: Error Message Information Leak

Risky Resource Management
The weaknesses in this category are related to ways in which software does not properly manage the creation, usage, transfer, or destruction of important system resources.

• CWE-119: Failure to Constrain Operations within the Bounds of a Memory Buffer
• CWE-642: External Control of Critical State Data
• CWE-73: External Control of File Name or Path
• CWE-426: Untrusted Search Path
• CWE-94: Failure to Control Generation of Code (aka ‘Code Injection’)
• CWE-494: Download of Code Without Integrity Check
• CWE-404: Improper Resource Shutdown or Release
• CWE-665: Improper Initialization
• CWE-682: Incorrect Calculation

Porous Defenses
The weaknesses in this category are related to defensive techniques that are often misused, abused, or just plain ignored.

• CWE-285: Improper Access Control (Authorization)
• CWE-327: Use of a Broken or Risky Cryptographic Algorithm
• CWE-259: Hard-Coded Password
• CWE-732: Insecure Permission Assignment for Critical Resource
• CWE-330: Use of Insufficiently Random Values
• CWE-250: Execution with Unnecessary Privileges
• CWE-602: Client-Side Enforcement of Server-Side Security

Source [CWE]

[SANS 25 most dangerous programming errors]