Critical Infrastructure Security, Vulnerability Management

Critical vulnerability discovered in industrial control product

The U.S. Department of Homeland Security is warning about a vulnerability that could allow an attacker to remotely access industrial control systems (ICS).

DHS's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) issued a security advisory last Friday about a flaw in two programmable gateways, BL20 and BL67, produced by German manufacturer TURCK.

According to Ruben Santamarta, a researcher at Seattle-based security firm IOActive, who discovered the issue, the programmable gateways contain hard-coded login credentials. This could allow an intruder to login to the devices through a file transfer protocol (FTP) service to gain administrative access.

If that were to happen, the attacker could run amok in targeted ICS networks, potentially creating bogus communications between systems or even shutting down critical processes.

The BL20 and BL67 programmable gateways are used in the automotive, agriculture, food and critical manufacturing industries, primarily in the United States and Europe.

Santamarta told SCMagazine.com on Thursday that the impacted units connect several devices, as well as input and output signals, within ICS networks.

“They can upload any program to the device to modify how the device works or even to compromise another system in the network,” Santamarta said of potential attackers.

Santamarta discovered the vulnerability last May, but the firm waited to disclose details about the flaw until TURCK produced updated firmware for the devices, and ICS-CERT notified users of the threat.

The vulnerability received the most severe rating, 10, on the Common Vulnerability Scoring System (CVSS). According to ICS-CERT, an attacker with “low skill” could exploit the flaw.

Santamarta said that the hard-coded account issue is serious because it's a problem the device manufacturer must rectify.

“Those credentials are hard-coded, so unless you update the firmware, you can't remove the accounts through documented procedures,” he said. “Those hard-coded accounts are created by developers. It's not something the customer can configure or modify.”

While updated firmware for the devices is available through TURCK, ICS-CERT recommended that customers take additional measures to protect themselves against threats, such as making sure critical devices don't directly face the internet or using secure virtual private networks (VPNs) when remote access is necessary.
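One way a defender can verify that the ICS-CERT advice above is actually in effect is to audit connection records for FTP sessions reaching the gateway segment from anywhere other than the local cell or the maintenance VPN pool. The script below is an added example, not code from SC Media, ICS-CERT or TURCK; the addressing, the record format and the sample records are all constructed for illustration.

```python
from ipaddress import ip_address, ip_network
from typing import Dict, List

# Hypothetical plant addressing (constructed, not taken from the advisory).
PLANT_NET = ip_network("10.0.0.0/8")               # everything inside the plant
GATEWAY_NET = ip_network("10.20.0.0/24")           # segment holding the programmable gateways
PERMITTED_SRC = [ip_network("10.20.0.0/24"),       # the cell network itself
                 ip_network("10.99.0.0/24")]       # VPN pool for remote maintenance
FTP_PORTS = {21}                                   # FTP control channel

def parse_record(line: str) -> Dict[str, object]:
    """Parse one constructed record: '<ts> <src>:<sport> -> <dst>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, sport = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return {"ts": ts, "src": ip_address(src_ip), "sport": int(sport),
            "dst": ip_address(dst_ip), "dport": int(dport), "proto": proto}

def classify(rec: Dict[str, object]) -> str:
    """Return '' when the record is acceptable, otherwise a finding label."""
    if rec["proto"] != "tcp" or rec["dport"] not in FTP_PORTS:
        return ""                                  # only FTP to the gateways is in scope here
    if rec["dst"] not in GATEWAY_NET:
        return ""
    if any(rec["src"] in net for net in PERMITTED_SRC):
        return ""                                  # local cell or VPN: the expected path
    if rec["src"] not in PLANT_NET:
        return "ftp_from_outside_plant"            # gateway FTP reachable from outside
    return "ftp_from_unpermitted_internal"         # lateral path inside the plant

def audit(lines: List[str]) -> List[Dict[str, str]]:
    """Run every record through classify() and collect the findings in order."""
    findings = []
    for line in lines:
        rec = parse_record(line)
        label = classify(rec)
        if label:
            findings.append({"ts": rec["ts"], "src": str(rec["src"]),
                             "dst": str(rec["dst"]), "finding": label})
    return findings

# Constructed sample records (not real traffic).
SAMPLE = [
    "2013-05-24T10:01:02Z 10.99.0.7:51234 -> 10.20.0.15:21 tcp",     # VPN user, allowed
    "2013-05-24T10:02:11Z 203.0.113.44:40211 -> 10.20.0.15:21 tcp",  # external source
    "2013-05-24T10:03:40Z 10.50.3.9:33012 -> 10.20.0.15:21 tcp",     # office LAN, not permitted
    "2013-05-24T10:04:05Z 10.50.3.9:33013 -> 10.20.0.15:502 tcp",    # not FTP, out of scope
    "2013-05-24T10:05:19Z 203.0.113.44:40212 -> 10.30.0.5:21 tcp",   # not a gateway address
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Running it against the constructed sample reports the external source and the office-LAN source; the VPN session passes, which is the posture the advisory's mitigations describe.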

ICS-CERT has warned in recent months that vulnerable industrial control systems have increasingly become targets for attackers.

On Tuesday, Reps. Edward Markey, D-Mass., and Henry Waxman, D-Calif., released a survey (PDF) of utility companies that found they were under repeated attack by intruders.

More than 100 utility companies (including federal entities that own significant portions of the electrical system) participated in the survey. One respondent reported it was targeted approximately 10,000 times each month. But things like network scans don't mean the targeted organization actually was compromised.
