S4 Disclosure of PLC Vulnerabilities in Major ICS Vendors
All information products included in http://ics-cert.us-cert.gov are provided "as is" for informational purposes only. The Department of Homeland Security (DHS) does not provide any warranties of any kind regarding any information contained within. DHS does not endorse any commercial product or service, referenced in this product or otherwise. Further dissemination of this product is governed by the Traffic Light Protocol (TLP) marking in the header. For more information about TLP, see http://www.us-cert.gov/tlp/.
This report is based on information presented by the Project Basecamp team of researchers during Digital Bond’s SCADA Security Scientific Symposium (S4) on January 19, 2012, without coordination with either the vendors or ICS-CERT.
The Basecamp findings include multiple zero-day vulnerabilities for several leading industrial control system (ICS) hardware Programmable Logic Controllers (PLCs). Major affected vendors include GE, Koyo, Rockwell, Schneider (Modicon), and Schweitzer. Exploit code was also released for the GE vulnerabilities. The affected PLCs are used to control functions in critical infrastructure in the chemical, energy, water, nuclear, and critical manufacturing sectors.
ICS-CERT has contacted the affected vendors about the vulnerabilities in an effort to confirm them and identify mitigations.
ICS-CERT is issuing this alert to provide preliminary notice of the reported vulnerable products and to begin identifying baseline mitigations to reduce the risk of cybersecurity attacks that may attempt to exploit these vulnerabilities.
| Vendor | Product |
| --- | --- |
| Rockwell Automation | Allen-Bradley ControlLogix |
| Rockwell Automation | Allen-Bradley MicroLogix |
| Schneider Electric | Modicon Quantum |
| Koyo | Direct LOGIC H4-ES |
The vulnerabilities purportedly include buffer overflows, backdoors, weak authentication and encryption, and other vulnerabilities that could allow an attacker to take control of the device and interfere with or halt the process it controls.
Two new Metasploit modules have been released for the GE D20/DME vulnerabilities that could allow lower-skilled users to exploit these vulnerabilities. In addition, according to Basecamp researchers, additional modules targeting the other products are expected to be released soon.
This public release increases the potential for cyber attack on these devices, particularly if the devices are connected to the Internet. ICS-CERT reminds users that the use of readily available and generally free search tools (such as SHODAN and ERIPP) significantly reduces the time and resources required to identify Internet-facing control systems. In turn, hackers can use these tools combined with the exploit modules to identify and attack vulnerable control systems. Conversely, owners and operators can also use these same tools to audit their assets for unsecured Internet-facing devices. For more information, ICS-CERT recommends reviewing ICS-ALERT-11-343-01—Control System Internet Accessibility.
GE, Rockwell, Schneider (Modicon), and Schweitzer PLCs are deployed extensively in the energy sector, particularly the electric grid. GE and Rockwell are also deployed extensively in the water and wastewater sector.
ICS-CERT is communicating with the researchers and affected vendors to obtain additional vulnerability details and coordinate follow-up mitigation measures. ICS-CERT has released and will continue to release separate vendor alerts and advisories once additional information becomes available (www.ics-cert.org). Please report any suspected cyber issues affecting control systems to ICS-CERT.
ICS-CERT is currently coordinating with the vendors and security researchers to identify useful mitigations.
ICS-CERT recommends that users take defense in depth measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
- Minimize network exposure for all control system devices. Control system devices should not directly face the Internet.[a]
- Locate control system networks and devices behind firewalls, and isolate them from the business network.
- If remote access is required, employ secure methods, such as Virtual Private Networks (VPNs), recognizing that VPN is only as secure as the connected devices.
ICS-CERT reminds organizations to perform proper impact analysis and risk assessment prior to taking defensive measures.
[a] ICS-CERT ALERT, http://ics-cert.us-cert.gov/alerts/ICS-ALERT-10-301-01, website last accessed January 20, 2012
For any questions related to this report, please contact the NCCIC at:
Toll Free: 1-888-282-0870