Cyber attacks on industrial control systems - Radiflow finds vulnerability

Radiflow threat intelligence team shares its learnings after uncovering security flaw in Schneider Electric Modicon Controller.
Published: Tue 11 Sep 2018

Once again, industrial control systems (ICS) have come into the limelight as vulnerable to cyber attacks.

Recent developments, such as the ICS 'honeypot' that came under attack and was put up for sale within days, and the TRITON ICS cyber attack of December 2017, remind critical infrastructure operators of the increasing risks.

A recent interview with Anjos Nijk, Managing Director of the European Network for Cybersecurity (ENCS), a member-driven organisation focussed on cybersecurity for energy grids and infrastructure, confirmed this growing concern: “Threats are becoming more diverse, the numbers of threat actors are increasing and they are becoming more professional.”

These risks can be especially profound in legacy devices installed before the recent climate of high cybersecurity risk. Once again, the vulnerability of critical infrastructures, specifically utilities, has been exposed, this time by cybersecurity solutions experts at Radiflow.

Whilst conducting research for its ongoing vulnerability detection and cybersecurity protection efforts, Radiflow’s threat intelligence team discovered a security vulnerability in a Schneider Electric Modicon M221 Controller that severely exposed the safety and availability of the ICS networks on which these devices were installed.

Risky business for ICS in critical infrastructures

The team’s findings unearthed a vulnerability whereby unauthorised users could remotely stop the device from communicating on the ICS network by sending crafted packets that induce this unwanted behaviour.

This vulnerability could have easily been exploited by an unauthorised user to execute a synchronised attack and cause a number of these controllers to stop communicating.

This type of unauthorised action would allow a cyber attacker to disconnect the affected programmable logic controllers (PLCs) from the human machine interface (HMI) en masse, leaving the operator with no way to view and control the physical processes on the OT network, while instantly harming the safety and reliability of the ICS systems.

The recovery from such an attack would require a reboot of the attacked PLCs and physical access to the controllers, which would cause significant downtime to the ICS network.

Radiflow’s CTO, Yehonatan Kfir, conducted this research alongside the threat intelligence research team. The work also involved reverse engineering the control protocol used by the affected controller and identifying the exact packet structure that caused the shutdown.

Radiflow identified at least two ways to exploit this common vulnerability and exposure (CVE), both stemming from the same issue in the Modicon firmware implementation and both executable remotely.

Tackling ICS vulnerabilities

When this vulnerability was discovered, Radiflow incorporated a signature for the attack into its iSID industrial threat detection system, which immediately protected the company’s customers against the exploit while it was being remediated by Schneider Electric.

“For this specific vulnerability, we prevented a potentially dangerous exploit that could have caused extensive damage to the safety, security and operations of numerous industrial enterprises and critical infrastructure operators,” said Kfir. “Equally as important, we are proud of our threat intelligence research team for its ongoing efforts of detecting new vulnerabilities and improving the cybersecurity protection capabilities of our solutions and the overall operations of our customers.”

Radiflow discovered this vulnerability approximately two months ago and immediately reported it to Schneider Electric, which has since remedied it. This vulnerability was registered as CVE-2018-7789.

“Schneider Electric would like to thank Yehonatan Kfir of Radiflow for all his efforts related to identification and coordination of this vulnerability,” wrote Schneider Electric in a published security notification about the resolution to this flaw.

This follows news announced earlier this year by Radiflow that the company’s threat intelligence team detected a cryptocurrency mining malware attack on the OT network of a wastewater facility customer in Europe.

This malware attack was designed to increase CPU and network bandwidth consumption of devices on the customer’s network in order for the attackers to mine the Monero cryptocurrency. This attack, which would have significantly slowed the response times of the devices on this operational technology network, was prevented by Radiflow’s iSID industrial threat detection system.