Monday, November 5, 2012

CoDeSys + digital bond + Shodan = US-CERT Warning


Big Picture:

[1] Company makes flawed code for control systems. [2] Security company exploits code and releases free tools. [3] Hacker search engine compiles list of more than 500,000 control systems. [4] Researchers identify increased activity attempting to exploit critical infrastructure.

Brief Details and Links:

CoDeSys is a development platform created by 3S. The package is used to program controllers in an impressive 261 companies, in products ranging from factory automation to critical infrastructure SCADA systems. A SCADA security company named digital bond created and released two tools. The first is a command-shell utility (codesys-shell.py), which allows an unauthenticated user to perform privileged operations, sans password. The second is a file transfer tool (codesys-transfer.py), which allows reading and writing files on controllers that have a file system. Shodan, a powerful exploit search engine, has already identified more than 500,000 reachable Industrial Control System (ICS) devices. Given that the Shodan search engine can be scripted, how long do you think it takes an interested Python coder to identify, exploit, root, and establish control? Or to create a module for Metasploit?

Some Quick Lessons:
  • Build secure access controls into sensitive systems.
  • Isolate sensitive systems from the Internet.
  • Have your products third-party tested by professionals.
  • Assume security measures you build into your products are going to be used by your customers. They will be tested. Hopefully by you.
  • Especially if security isn't your core competency or product set, have your products third-party tested by professionals. Even if it is... have your products third-party tested by professionals.