Big Picture:
[1] Company makes flawed code for control systems.
[2] Security company exploits code and releases free tools.
[3] Hacker search engine compiles list of more than 500,000 control systems.
[4] Researchers identify increased activity attempting to exploit critical infrastructure.
Brief Details and Links:
CoDeSys is a development platform created by 3S. This package is used to program controllers in an impressive 261 companies. The products include everything from factory automation to critical infrastructure SCADA systems. An interested party, a SCADA security company named Digital Bond, created and released two tools. The first is a command-shell utility (codesys-shell.py) that lets an unauthenticated user perform privileged operations, sans password. The second is a file transfer tool (codesys-transfer.py) that allows reading and writing files on controllers with a file system.
Shodan, a powerful exploit search engine, has already identified more than 500,000 reachable Industrial Control System (ICS) devices. Given that the Shodan search engine can be scripted, how long do you think it takes an interested Python coder to identify, exploit, root, and establish control? Create a module for Metasploit?
Some Quick Lessons:
- Build secure access controls into sensitive systems.
- Isolate sensitive systems from the Internet.
- Have your products third-party tested by professionals.
- Assume security measures you build into your products are going to be used by your customers. They will be tested. Hopefully by you.
- Especially if security isn't your core competency or product set, have your products third-party tested by professionals. Even if it is... have your products third-party tested by professionals.
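
The isolation lesson can be checked against your own perimeter rules. The following is an added example, not part of the original post: it audits a simplified firewall rule list for allow rules that let untrusted sources reach controller subnets. The rule format, all addresses and the runtime ports (TCP 1200 and 2455, commonly used by the CoDeSys v2 runtime) are assumptions, and the sample data is constructed.

```python
import ipaddress

# Assumption: TCP ports commonly used by the CoDeSys v2 runtime (not stated in the post).
CODESYS_PORTS = {1200, 2455}

# Constructed sample data: trusted address space, controller subnets, rule export.
TRUSTED_NETS = ["10.0.0.0/8"]
CONTROLLER_NETS = ["10.20.0.0/24"]
RULES = [
    {"id": 1, "action": "allow", "src": "10.10.5.0/24", "dst": "10.20.0.0/24", "ports": "2455"},
    {"id": 2, "action": "allow", "src": "0.0.0.0/0", "dst": "10.20.0.15/32", "ports": "1200-1201"},
    {"id": 3, "action": "allow", "src": "203.0.113.0/24", "dst": "10.20.0.0/16", "ports": "any"},
    {"id": 4, "action": "deny", "src": "0.0.0.0/0", "dst": "10.20.0.0/24", "ports": "any"},
    {"id": 5, "action": "allow", "src": "0.0.0.0/0", "dst": "192.168.50.0/24", "ports": "443"},
]

def parse_ports(spec):
    """Return (low, high) for a port spec of the form 'any', 'N' or 'N-M'."""
    if spec == "any":
        return (1, 65535)
    low, _, high = spec.partition("-")
    return (int(low), int(high or low))

def audit(rules, controller_nets, trusted_nets):
    """Flag allow rules whose source is not wholly trusted and whose destination
    overlaps a controller subnet. Rule ordering is not evaluated, so every
    finding needs a manual look at what precedes it."""
    ctrl = [ipaddress.ip_network(n) for n in controller_nets]
    trusted = [ipaddress.ip_network(n) for n in trusted_nets]
    findings = []
    for rule in rules:
        if rule["action"] != "allow":
            continue
        src = ipaddress.ip_network(rule["src"])
        dst = ipaddress.ip_network(rule["dst"])
        if any(src.subnet_of(t) for t in trusted):
            continue  # source lies entirely inside trusted space
        if not any(dst.overlaps(c) for c in ctrl):
            continue  # rule does not touch controller addresses
        low, high = parse_ports(rule["ports"])
        exposed = sorted(p for p in CODESYS_PORTS if low <= p <= high)
        findings.append({"rule": rule["id"], "src": rule["src"], "runtime_ports": exposed})
    return findings

if __name__ == "__main__":
    for finding in audit(RULES, CONTROLLER_NETS, TRUSTED_NETS):
        print(finding)
```
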