It's the stuff of nightmares: hostile forces penetrating the power grid infrastructure, taking control of computers, and causing widespread blackouts or destructive power surges. System administrators do everything possible to prevent intrusions. Vulnerabilities in software are always bad, but they're especially alarming when they occur in code that maintains critical infrastructure.
When dozens of vulnerabilities were found in Siemens software for power plant controllers, it was definitely cause for concern. Some of them could be used in denial-of-service attacks or to execute arbitrary code. One lets an attacker receive password hashes and change passwords. There haven't been any reports of damaging exploits, but we'd all breathe easier if such problems were caught and fixed before the code went out to live sites.
As a power supplier, you need to comply with the NERC CIP standards. [1] They cover security management, physical security, incident reporting, and other essential issues. The standards are strict because they have to be.
In 2018 and 2019, researchers at Positive Technologies and Kaspersky Lab found 35 vulnerabilities in Siemens' SPPA-T3000 application server and 19 in the SPPA-T3000 MS3000 migration server. [2] Their existence was disclosed to the public in December 2019. Some of these vulnerabilities have CVSS scores above 9.0, where 10 is the most severe.
This doesn't mean that someone who knows the vulnerabilities can simply use an Internet connection to attack them. A successful exploit requires access to systems which should never be exposed to the public. Taking advantage of the most serious weaknesses requires access to internal systems called the Application Highway and the Automation Highway. When you have them properly configured, there is no outside access to these systems.
Even so, you need to be concerned. Determined actors with sufficient resources can gain access to supposedly protected systems. An attacker who got access to the Highways would be able to exploit vulnerabilities without further authentication.
Vladimir Nazarov, the head of ICS Security at Positive Technologies, has said that a successful attack "could stop electrical generation and cause malfunctions at power plants where vulnerable systems are installed." [3]
Multiple layers of protection are necessary to secure such valuable targets. You can't just put a stone wall in the way; you need multiple stone walls with no holes in them.
Siemens has recommended actions to reduce these risks. They include access restrictions, regular installation of updates, and strict separation of the Application and Automation Highways from external networks.
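One way to turn the "strict separation" recommendation into something you can check on paper is to audit the firewall rules that sit between the highways and everything else. The following Python script is an added example, not code from the original post or from Siemens. The segment names, addresses, rule format and rules are all constructed placeholders; the real Application and Automation Highway addressing is site-specific and is not described on this page. The audit flags every allow rule whose destination touches a highway segment while its source lies outside the highways, and shows a weak ruleset beside a hardened one.

```python
import ipaddress

# Constructed: segments that must not be reachable from outside the control network.
# Real Application/Automation Highway addressing is site-specific (not on the page).
HIGHWAYS = {
    "Application Highway": ipaddress.ip_network("10.20.0.0/24"),
    "Automation Highway": ipaddress.ip_network("10.30.0.0/24"),
}

# Constructed ruleset, simplified to (action, source, destination, destination port).
# Rules are examined independently; first-match ordering is deliberately ignored,
# because any "allow" that could admit outside traffic deserves a look regardless of order.
WEAK_RULES = [
    ("allow", "10.20.0.0/24", "10.30.0.0/24", 502),
    ("allow", "10.30.0.0/24", "10.20.0.0/24", 502),
    ("allow", "192.168.100.0/24", "10.20.0.0/24", 443),  # office LAN straight into the app highway
    ("allow", "0.0.0.0/0", "10.30.0.10/32", 22),         # world-reachable SSH on one automation host
    ("deny", "0.0.0.0/0", "10.20.0.0/24", None),
    ("allow", "10.20.0.5/32", "10.20.0.9/32", 53),       # traffic staying inside a highway
]

# Constructed hardened ruleset: only highway-to-highway traffic is permitted.
HARDENED_RULES = [
    ("allow", "10.20.0.0/24", "10.30.0.0/24", 502),
    ("allow", "10.30.0.0/24", "10.20.0.0/24", 502),
    ("deny", "0.0.0.0/0", "10.20.0.0/24", None),
    ("deny", "0.0.0.0/0", "10.30.0.0/24", None),
]


def find_exposures(rules, highways=HIGHWAYS):
    """Return (rule, highway name) for every allow rule whose destination overlaps a
    highway while its source is not wholly inside one of the highway segments."""
    trusted = list(highways.values())
    findings = []
    for rule in rules:
        action, src, dst, _port = rule
        if action != "allow":
            continue
        src_net = ipaddress.ip_network(src, strict=False)
        dst_net = ipaddress.ip_network(dst, strict=False)
        for name, highway in highways.items():
            if not dst_net.overlaps(highway):
                continue  # this rule does not reach into this highway at all
            if any(src_net.subnet_of(t) for t in trusted):
                continue  # highway-to-highway traffic, allowed by design in this model
            findings.append((rule, name))
    return findings


def is_isolated(rules, highways=HIGHWAYS):
    """True when no allow rule admits traffic into a highway from outside the highways."""
    return not find_exposures(rules, highways)


if __name__ == "__main__":
    for label, ruleset in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(f"{label}: isolated={is_isolated(ruleset)}")
        for rule, name in find_exposures(ruleset):
            print(f"  exposure into {name}: {rule}")
```

A rule review like this is only a paper check. It tells you what the policy says, not what the network actually does, so it belongs alongside probing the highways from an outside vantage point, not in place of it.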
Fixing the vulnerabilities necessarily takes some time. When software is so critical, every change needs careful testing and verification. A patch that introduced another vulnerability or made operation unreliable could be more dangerous than the problem it was fixing. Siemens has fixed a few of the bugs but is still working on the majority of them.
Nation-state actors want a "first-strike" capability that will let them cause havoc if international conflicts become severe enough. Preventing them from gaining that position is a matter of national security.
All software has bugs. No absolute guarantees of safety are possible. However, strict adherence to best practices lets you catch most vulnerabilities before they get into production software, and makes the ones that slip through harder to reach.
Factoring in security from the start is essential. Good software development practices take it into account as the code is created, rather than revising code to make it secure.
The next step is thorough testing. Automatic testing of components is basic and important. When the systems are as vital as power plants, it's only the first step. The system as a whole needs testing. That means the software, its configuration, its network environment, and the people who have access to it.
You can't afford to overlook human testing. A vulnerability behind a firewall is useless to attackers if they can't get past it, but trickery may let them persuade others to open up avenues of access.
Siemens has stated that "Industry-wide, readiness to address cyber attacks is uneven and has common blind spots, especially with regards to the unique cybersecurity requirements for OT [operational technology]." [4] All power plants that rely on software for their operations need strong defenses against online threats.
Penetration testing is an important tool in detecting vulnerabilities so they can be fixed promptly. Pen testers think like criminals to identify likely points of weakness and devise attacks that exploit them. They take advantage of known vulnerabilities but also use their imagination to create likely scenarios.
A pen tester doesn't inflict any harm on your systems, of course, but demonstrates the ability to make bad things happen. In OT environments that means the engagement is carefully scoped and coordinated, so that proving a flaw never disrupts a running plant. This gives you a chance to eliminate or reduce the risk before anyone can take serious advantage of the flaw.
Physical security testing checks whether it's possible to gain unauthorized physical access to your systems. A fake ID or unlocked door can be enough to get inside some facilities. Once intruders are inside, they tend to go unquestioned. If testers can make their way into your facility, so can dangerous people.
Social engineering testing looks at how employees respond to deceptive tactics. They aren't limited to phishing email. A convincing phone call can have the same effect, and so can a visit by someone claiming to be there on business. Hostile parties research individuals for personal information, making their requests sound more plausible. Testers will find out whether employees are susceptible to trickery.
The stakes are high. For the power grid to be reliable, you have to maintain the highest standards of cybersecurity and physical security. RedTeam Security will provide you with the information, testing, and recommendations to meet those standards. Contact us or call today at 612-234-7848 to set up a security assessment and free consultation.
--
References:
[1] NERC CIP standards (redteamsecure.com)
[2] SSA-451445: Multiple Vulnerabilities in SPPA-T3000 (Siemens ProductCERT)
[3] Hackers Can Exploit Siemens Control System Flaws in Attacks on Power Plants (Information Week)
[4] Siemens and Ponemon Institute study finds utility industry vulnerable to cyberattacks (Siemens)