An Open Source Offensive Methodology to Attack Critical Infrastructure
The goal of this article is to demonstrate how attackers with moderate skill levels can cause disruption to outright destruction of critical infrastructure installations around the world at low cost and in relatively short order.
Contrary to popular wisdom, an attack against a nuclear power plant or hydro-electric plant doesn't require long periods of time nor the resources of a nation state.
All that's required is some open source research based upon the findings of S4's Project Basecamp, familiarity with how to use Rapid7's Metasploit Penetration Testing Software, and one or more individuals with engineering training in Industrial Control Systems.
Project Basecamp identified four Programmable Logic Controllers (PLC) with major security flaws made by GE, Koyo, Rockwell, and Schneider:
- GE D20
- Koyo DirectLOGIC ECOM
- Rockwell Automation ControlLogix
- Schneider Modicon Quantum
The vulnerabilities discovered in each of those devices have become Metasploit modules which penetration testers can use against their own network to demonstrate vulnerabilities that need to be fixed.
Metasploit, while a valuable tool for security engineers to "sell" needed improvements to their employers, can also be used by bad guys to attack networks. In this case, the above modules have simplified the process for not only launching an attack against a utility operator but also in identifying which utilities to attack by doing some open source research.
Once you know that you can exploit a particular device, it's relatively easy to use a search engine and identify which utilities use that device. Those companies then become your target list.
For example, Capula Nuclear is a GE technology partner that uses the D20, D25, D200 and D400 Remote Terminal Units for 65 substation control systems across the U.K's power grid.
That means that a major act of sabotage could be perpetrated against Britain's grid by a hacker with intermediate process control engineering knowledge for the price of a single Metasploit license.
Schneider Electric's customers include the Three Gorges Dam in China (the world's largest hydro-electric power plant) and multiple utilities in France, India, the U.S., Spain, Australia, Brazil, Italy and many other countries - any of whom may be susceptible to attack via the Metasploit module for Schneider Electric.
This is literally a disaster waiting to happen. The above vendors along with Siemens (who wasn't included in Project Basecamp because its S7 vulnerabilities were already well-known) have done nothing to remediate the disclosed vulnerabilities. The boards of directors of companies who use these products aren't forcing their CEOs to change them out for more secure devices.
The U.S. Congress won't pass legislation requiring U.S. companies to stop using those devices because of political pressure from business interests who don't want to a) be "forced" to do anything and b) hurt their profits by spending the money needed to fix their networks.
It's because of that cluster-f__k that penetration testing research like the Metasploit Framework exists and ironically it may be that same research which is used to bring harm to thousands of innocent victims who rely on their utility companies to provide critical services.