August 24, 2012, 2:00 PM — A security flaw found in Siemens networking equipment used in power plants and other critical systems could only be fully exploited in a highly sophisticated attack, experts say.
While the vulnerability remains serious, being able to gain control of critical systems would also require compromising a computer that workers use to access the industrial systems. The two-step process adds to the complexity of a successful attack.
The U.S. Department of Homeland Security (DHS) issued a warning Tuesday that a vulnerability existed in the RuggedCom Operating System (ROS), often found in Ethernet switches and serial-to-Ethernet converters. RuggedCom is a Canadian subsidiary of Siemens.
Justin W. Clarke, a researcher for security startup Cylance, found the flaw that exposes the hard-coded RSA SSL private keys in the OS. With this technology, hackers could decrypt traffic flowing between the ROS device and other equipment communicating through Internet protocols.
The DHS has asked RuggedCom to "confirm the vulnerability and identify mitigations." Siemens and RuggedCom were investigating the discovery, but had no comment on a fix, as of Thursday. "We are investigating this issue and we will provide information updates as soon as they become available," a spokeswoman said.
The vulnerability alone would let an attacker eavesdrop on network traffic without a way to actually break into an industrial control system. "It's hard to do something like intercept all traffic," Marcus Carey, a security researcher at Rapid7, said. "That's easier said than done." Carey, a former serviceman, protected military networks as a member of the U.S. Navy Cryptologic Security Group.
Clarke also said that exploiting the vulnerability alone wouldn't be enough. "This vulnerability does not directly allow for an authentication bypass," he told CSO Online by email.
The benefit of being able to monitor network traffic would be fully reaped if an attacker were able to compromise the computer of someone on the network. At that point, a cybercriminal could mount what's called a "man-in-the-middle" attack, which means he could dictate everything the person using the compromised system sees.
As a result, the attacker could ber able to reconfigure control systems while the operator on the other end saw everything as normal.
"When everything is burning down, he's not receiving the accurate information," Carey said.
In doing some investigating on his own, Carey found less than 20 systems with the RuggedCom signature on the public Internet, an indication that most of the vulnerable equipment is on closed networks. "Those 20 devices could be in interesting locations, but there's a minimal number of devices that are Internet facing," he said.
Without knowing the network architecture of a power plant using a RuggedCom system, it's difficult to say how open the plant is to attack, Clarke said. In general, the best protection for critical systems is many layers of defense.
"As a best-practice, security of control systems and computer networks should be a matter of defense-in-depth, and thus there should be compensating controls or additional layers of security to block or alert, if exploitation of a vulnerability is attempted by an attacker," he said. "[RuggedCom's flaw] is serious in that at least one of the layers of defense-in-depth has been broken."
Clarke has found a flaw in the RuggedCom Operating System before. In April, the researcher disclosed finding a vulnerability that provided backdoor access to devices. The company fixed the problem with firmware updates in May and June.
Experts have warned for years that the nation's critical infrastructure, such as power plants, water supplies and transportation systems, are in need of better security against terrorist attacks. The DHS is working with private industry and lawmakers on regulations that would bolster the nation's cyber-defenses.
Read more about network security in CSOonline's Network Security section.