Critical infrastructure at risk again from Stuxnet-like attack

Researchers find gaping flaws in critical systems used in the most importnt industries across the globe

Hacking

A dozen vulnerabilities including previously undisclosed exploits have been discovered in software used to maintain industrial control systems (ICS) which could lead to another devastating attack on highly-prevalent critical infrastructure.

The researchers from Tenable likened the vulnerabilities to those in the family of devices affected by the infamous Stuxnet attack on an Iranian nuclear facility, adding that the software affected is used across nearly every business vertical.

The vulnerabilities affected four of the most popular ICS vendors: Siemens, Fuji Electric, Schneider Electric, and Rockwell Automation, all of which make some of the most widely used operational technologies in the world.

The researchers notified the vendors of the critical vulnerabilities and have now been patched, but they said remote malicious actors could exploit the software flaws, if left unpatched, to launch targeted attacks, perform administrative functions, unleash malicious code, harvest data or conduct espionage.

Advertisement
Advertisement - Article continues below
Advertisement - Article continues below

Users of the affected systems are urged to check the latest update has been applied, especially now the vulnerabilities have been disclosed.

"The attack scenario cannot be understated as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors," said Joseph Bingham, reverse engineer at Tenable. "We will show a theoretical attack using recently discovered vulnerabilities and proof of concept code to disrupt a major power industrial system."

With Siemens' TIA Portal, which was patched this month, attackers could bypass HTTP authentication to gain admin privileges, enabling them to launch malicious firmware updates to modify user permissions or change proxy settings.

The Siemens vulnerability was the most dangerous of the 12 noted by the researchers, but vulnerabilities in the other systems involved remote command execution, memory corruption and stack overflows.

"A simple table with a bunch of exploits to critical vulnerabilities might not feel very impactful to many people... [but] Stuxnet only needed 3 new vulnerabilities to spread through an isolated network and damage centrifuges in the targeted Iranian nuclear facility, said Bingham. "Any of the vulnerabilities listed above could have been discovered by a threat actor and used as a key component in a targeted attack to disrupt or damage industrial hardware."

In a proof of concept exercise run by the researchers in a simulated nuclear reactor, they were able to show how just one exploited vulnerability could lead to major emergency detection systems in a plant being rendered useless, potentially causing a total nuclear meltdown.

Advertisement - Article continues below

"Attacks on critical infrastructure go well-beyond cyberspace -- they have the potential to cause physical damage and harm," said Renaud Deraison, chief technology officer and co-founder, Tenable. "And the threats to these often delicate systems cannot be overstated."

Featured Resources

What you need to know about migrating to SAP S/4HANA

Factors to assess how and when to begin migration

Download now

Your enterprise cloud solutions guide

Infrastructure designed to meet your company's IT needs for next-generation cloud applications

Download now

Testing for compliance just became easier

How you can use technology to ensure compliance in your organisation

Download now

Best practices for implementing security awareness training

How to develop a security awareness programme that will actually change behaviour

Download now
Advertisement

Recommended

Visit/security/internet-security/354417/avast-and-avg-extensions-pulled-from-chrome
internet security

Avast and AVG extensions pulled from Chrome

19 Dec 2019
Visit/security/354156/google-confirms-android-cameras-can-be-hijacked-to-spy-on-you
Security

Google confirms Android cameras can be hijacked to spy on you

20 Nov 2019

Most Popular

Visit/policy-legislation/data-governance/354496/brexit-security-talks-under-threat-after-uk-accused-of
data governance

Brexit security talks under threat after UK accused of illegally copying Schengen data

10 Jan 2020
Visit/microsoft-windows/32066/what-to-do-if-youre-still-running-windows-7
Microsoft Windows

What to do if you're still running Windows 7

14 Jan 2020
Visit/operating-systems/microsoft-windows/354526/memes-and-viking-funerals-the-internet-reacts-to-the
Microsoft Windows

Memes and Viking funerals: The internet reacts to the death of Windows 7

14 Jan 2020
Visit/operating-systems/25802/17-windows-10-problems-and-how-to-fix-them
operating systems

17 Windows 10 problems - and how to fix them

13 Jan 2020