I recently read a blog post by Reid Wightman on the @DigitalBond site entitled "When Web Services are a Dumb Idea".
It seems that the folks at Digital Bond are on some kind of mission to create a list of "insecure ICS products", which might not necessarily be a bad idea, but at least we need to be sure that everyone is being evaluated against the same criteria.
First off, I have to apologize to Dale for my comment on this post, as I did not see that it was written by Reid and incorrectly referenced Dale in my response. I have copied my "edited" response from the @DigitalBond site below:
After reading Reid’s interesting post, I thought it would be nice to bring in two useful points for conversation.
First, you need to expand your concept of an “embedded web server” beyond something that a user would use when launching a browser and entering a URL for the device. Vendors actually use embedded web servers for a number of reasons, and many of these vendors are leaders in the industry – both from a functional and security point of view!
Case in point: Honeywell, clearly one of the leaders in terms of commitment to security and one of the market leaders in ICS, uses the embedded SafeNet Sentinel License Monitor app, which provides an http daemon on their Experion nodes (R31x was the last release on which I verified that it was still present) for “internal use”.
Vulnerabilities in this app were originally disclosed by Luigi Auriemma, and when I mentioned to Honeywell that they were using a vulnerable service on 6002/tcp, their response was that it was “hidden” behind the Windows Firewall and that they did not need to provide any further patches.
Poor response considering that some of their “default accounts” allowed me to disable the firewall and expose this vulnerable service!
I also disclosed this exact same vulnerability to Iconics in their Genesis32 HMI package this past March after reviewing some of the exploits that were disclosed by Luigi Auriemma.
So, it is clear that there are a lot more web servers, or better said, http daemons, running than one might expect! During your next assessment, see if you can find any of these services running!
My next point is that I was initially drawn to this post because of the term “web services” in the title. After reading it, however, it was clear that Dale was not talking about “web SERVICES” but rather “web SERVERS”.
Vendors have been using web “services” for some time now, because they offer a fairly secure means of inter-application communication both locally and remotely across firewalls when integration is required with enterprise applications using the eXtensible Markup Language (XML) following the SOAP standard. (Of course, the recent news that researchers have been able to exploit the XML encryption standard does add a slight twist here!).
Vendors have been moving more and more to a service-oriented architecture (SOA) to support better communication between applications from different vendors. One such implementation was the OPC XML-DA standard released in 2004, and more recently, the OPC Unified Architecture (UA) standard, which is also based on XML/SOAP via web services!
Now, remember that one of the drivers behind OPC-UA was improved integration with “non-Microsoft” platforms, including … process-level devices. So it is not that difficult to see that most leading ICS vendors will have some form of web SERVICE running inside the ICS application framework, and in the near future, as OPC-UA is released in more devices, this will include L0 and L1 devices as well.
The OPC Foundation used the phrase “From the Controller to the Cloud” to describe OPC-UA, and when I just visited their product page, I saw that they are currently testing OPC-UA for QNX and VxWorks – so expect it to show up in controllers soon!
There were also several leading ICS vendors who have tested or are in the process of testing their OPC-UA interfaces for their ICS L2 hosts.
Cross-posted from SCADAhacker