A SCADAfence New Feature report

“Could we be next?”  

One of the biggest challenges for an industrial OT/ICS security professional is figuring out if their organization is vulnerable to the latest announced strain of ransomware.  Reports of new OT security breaches and ransomware attacks being released every day it can be hard to know which ones are a concern to your organization, and which ones you can safely ignore.  While it’s important to remain prepared, it’s equally important not to create a false sense of urgency. What you need to remember is that although attacks are commonplace, they are often very specific. Not every threat pertains to every OT network setup. Malicious actors carry out attacks by targeting known vulnerabilities on specific devices. If your facility doesn’t use that device, you are less vulnerable to that attack. But with so many attacks happening daily, keeping track of which ones are a threat to your organization is a challenge.

Introducing “Tailored Threat Intelligence”

The SCADAfence platform now allows you to receive a feed of the latest industry news and intelligence customized specifically to your OT network containing only information relevant to your organization. Every time a new attack report is released, it is analyzed and curated by the SCADAfence Research Team. The information, including signatures and attack insights is added to the industry event database along with detailed explanations and recommendations on minimizing each risk. Then a custom news feed is delivered to each client, with only information that is relevant to you and your organization. The context delivered by SCADAfence’s Tailored Threat Intelligence provides valuable knowledge about each event, such as the types of assets being attacked, from which vendors, and the protocols being used. For each alert, SCADAfence Platform can determine the level of relevancy per customer based on the customer’s site details, asset inventory and network traffic. As a result, the SCADAfence Tailored Threat Intelligence provides users with a well-organized list of relevant industry news, each prioritized by a relevancy score, and actionable recommendations on what can be done to reduce the risk from the event.

Your fully customized and prioritized SCADAfence Threat Intelligence Feed.

SCADAfence’s automated threat updates and prioritization are a breakthrough for increasing your efficiency of the response to industrial cyber security events. It improves your ability to know which industry events are relevant, reduce risk and respond effectively without wasting valuable resources.

Summary of Benefits of Tailored Threat Intelligence

• Industry-specific security events are analyzed by SCADAfence’s Research Team, and tailored to your needs.  Save time by not having to wade through irrelevant information.
• You’ll understand the relevancy to your organization of each reported cyber attack
• Helps your organization avoid a false sense of urgency from ransomware attacks not relevant to your organization’s deployed devices.
• Provides a custom relevancy score for each event
• Dramatically reduces the need for manual review of each new reported threat.
• Feed is constantly updated through the SCADAfence cloud

Alerton, a subsidiary of Honeywell, is a major manufacturer of building management systems for heating, ventilation, and air conditioning (HVAC). SCADAfence’s research team discovered vulnerabilities that lead to NIST issuing the first CVEs ever assigned to Alerton products. Left without proper security measures, these vulnerabilities could lead to major disruptions in any facility where they are deployed.

This is a technical report on how our research team discovered these vulnerabilities.

Alerton Ascent Suite

Alerton Ascent is a suite of controllers, devices, and software used for building management specifically in regard to HVAC. The Ascent product suite is deployed in buildings, server rooms, chemical labs, hospitals and more, with the purpose of maintaining the appropriate air flow and safe temperature required for a room’s or space’s specific need.

The Alerton Suite is made up of many different components. For example, in the research we conducted the Alerton Ascent network comprised:

1. Alerton Ascent Control Module (ACM) – Main controller
2. VLC-853 – Field controller
3. Alerton Compass – Management and Control Tool
4. Visual Logic – Programming Tool

As seen in the topology map, an ACM is connected to a VLC-853 device over a serial port. The Compass software and Visual Logic software have access to the ACM over ethernet via a network switch.

Any user, innocent or malicious, can access the various Alerton devices and software either locally or remotely via the network switch, assuming that there are no extra security tools providing network protection (such as an FW or switch port security).

The resulting effect of a malicious user gaining access to the Ascent Suite can result in a degradation of credibility, integrity, and availability of the BMS as a whole.

Configuration Change for Alerton ACM

The Compass software provides the ability to configure the ACM. This configuration includes setting IP values, enabling or disabling specific ports, defining which networking protocols are active and more. In general, the configuration is set when the system is installed and is rarely changed thereafter.

The Attack – CVE-2022-30242 and CVE-2022-30245

Two of the CVEs that were disclosed, CVE-2022-30242 (cvss 3.x score of 6.8) and CVE-2022-30245 (cvss 3.x score of 6.5), are vulnerabilities discovered which allow for configuration changes to be made outside of the Compass Software without any authorization or authentication. In addition, the configuration changes that were performed are relayed to the Compass Software, leaving the system operator unaware that a change to the configuration occurred.

The following is a Wireshark partial capture showing how the configuration data is sent over the network from the Compass Software to the ACM:

As seen in the traffic snippet above from Wireshark, the configuration is sent to the ACM in ASCII characters and in cleartext with no obfuscation and minor difficulty in understanding or changing the configuration data.

By extracting the whole configuration from the network traffic, and setting the MSTP0 ENABLE field to N, we can simply disable the COM0 port from any computer with access to the ACM.

As a result of sending a specially crafted packet with the above change, the configuration of the ACM changed, and COM0 was set to disabled, disconnecting the VLC-853 controller from the ACM:

While successful changes in the configuration occurred, the Device Configuration window still indicates to the operator that COM0 is enabled:

In a real life scenario, this can have significant and/or tragic effects.

Having this vulnerability leveraged in a real life setting can cause connectivity issues or undefined behavior of the entire network. In the example above, COM0 was disabled, which resulted in the VLC-853 to be cut out of the network.

If the VLC-853 was responsible for ensuring that a cloud storage server room was properly cooled, operators who notice that VLC-853 is not communicating with the ACM and also are unaware that a configuration change occurred, may be compelled to shutdown the server farm out of fear of the servers overheating causing major disruptions for numerous services worldwide.

This is obviously a single example for a single change in configuration. Any number of other changes can have similar, troubling effects.

Programming Changes for Alerton Controllers

Programming management for Alerton Controllers is done using an Alerton proprietary plug-in for Microsoft Visio called Visual Logic. Programs written in using Visual Logic use diagrams to display the program in a visual manner as seen below:

Programs are written, pushed to controllers and run by engineers whose task it is to define the programmatic logic of the controller necessary for it to perform its specific role in the network.

Programs are written and edited on an as-needed basis and are not accessed frequently so long as the target device is fulfilling its intended purpose.

The Attack – CVE-2022-30243 and CVE-2022-30244

In our research, we successfully wrote a program to an Alerton ACM device without authorization or authentication. In addition, the Visual Logic software did not provide an indication that a programming change occurred or that there is a difference in the program saved in the engineering software to that actually running on the ACM. This leaves an operator clueless as to why a controller has malfunctioned, changed its activity or stopped processing altogether.

This resulted in the disclosure of two CVEs, CVE-2022-30243 (cvss 3.x score of 8.8) and CVE-2022-30244 (cvss 3.x score of 8.0)

The packet sequence for writing a program to the ACM is a set sequence of Bacnet commands and is listed, in order as follows:

With the exclusion of ADD_CODE_BLOCK_PACKET, all of the commands above are static, constant BACnet packets with a dynamic parameter of invoke ID. Being a BACnet system, there are no authorization checks to ensure that the commands being sent are from a reliable and authorized source.

An attacker who has network access to any of the Alerton controllers can send a maliciously crafted program, using the above sequence of commands, to change a program on the target controller. This is done without the knowledge of an operator, as there is no indication of a program change in the Compass software or the Visual Logic Programming Visio plug-in.

The following image is a diagram of the program that we pushed to the controller in the previous section; however, an additional component was added and pushed to the controller from a third-party computer with no access to the Visual Logic software:

The only indication that a programming change occurred is by clicking the Read from Device button as seen in the image below, and comparing the downloaded program to that which is stored on the engineering station:

As with the configuration change vulnerabilities, if these vulnerabilities are leveraged on an Alerton controller in a real-life, production network the effects can be catastrophic.

If a controller is managing the air flow in a chemical lab, and a program is written to the controller that essentially renders it useless for its current purpose (either by sending a stub program, or sending a program that does not fulfill the air flow requirement), anyone in the lab could potentially be in life threatening situation.

The potential scenarios that can occur by taking advantage of these vulnerabilities are endless, and can be very serious and even lethal.

Full details on the CVEs can be found on the official NIST website:
https://nvd.nist.gov/vuln/detail/CVE-2022-30242

https://nvd.nist.gov/vuln/detail/CVE-2022-30243

https://nvd.nist.gov/vuln/detail/CVE-2022-30244

https://nvd.nist.gov/vuln/detail/CVE-2022-30245

In response to SCADAfence’s findings, Honeywell issued a Product Security Bulletin informing Alerton ACM Controller users of the vulnerabilities.

To learn more about how the SCADAfence Platform can protect your OT network, visit our website or request a demo.

 

LockBit Overview

The first known ransomware attacks using what would come to be known as LockBit were reported back in 2019. Organizations that were infected with the malicious software had their files encrypted and in order to decrypt them they were forced to pay a large sum for a decryption key. 2021 saw the emergence of LockBit 2.0, featuring a faster encryption software. In one of the most widely reported ransomware attacks of 2021, LockBit attacked the consulting group Accenture and claimed to have stolen six terabytes of data.

A SCADAfence New Feature Report

SCADAfence now offers new advanced services via our cloud. We use the cloud to deliver continuous OT security updates, software upgrades and OT health monitoring.

 

 

A SCADAfence New Feature report

A large, robust Industrial Control Systems (ICS) network can contain tens of thousands of devices. Each of those devices may have any number of associated known CVEs (Common Vulnerabilities and Exposures). Do the math and what you’ll come up with is a terrifying mountain of possible vulnerabilities. What’s a CISO to do? How to prioritize the work of implementing all the patches needed to keep the OT network safe? The problem is exacerbated if the CISO has limited OT Security team members available. (Check out the 2022 State Of Operational Technology Report for more on that)

Almost immediately after a fire broke out in an active power plant in southern Israel on July 14, 2022, an Iranian hacking group claimed responsibility. While it’s understandable why the group, which goes by the name #Altahrea, would want to boost their hacker profile by saying they caused the fire, there is ample evidence that they actually had nothing to do with it. 

The Orot Yosef power plant, part of the Edeltech group, is located in Ramat Hovav, Israel and has been in operation since 1989. 

To understand why we believe this fire was not the work of hackers, let’s take a look at how this plant operates and what might have happened to cause the fire. (SCADAfence’s security team research lead Yossi Reuven also spoke about the attack to Techmonitor.ai)

Gas turbines can be used in conjunction with steam boilers by passing hot gasses from the boiler through a gas turbine to produce mechanical drive for electricity generation. This combined arrangement is commonly referred to as “cogeneration.” Cogeneration is thermodynamically the most efficient method for generating electrical power, and it is the method used by the Orot Yosef facility. 

Why is this important? Understanding the process used by a facility is crucial to determining what event took place. Gas turbines require a correctly ratioed air-to-fuel mixture to operate. Running a turbine too rich or too lean, (too much air or too little air, respectively) can cause significant damage to the turbine. This means that if someone with malicious intent were able to compromise the air handling and run the turbine at maximum output with a lean mixture there is a good chance of detonation, overheating, loss of power, and damage to the turbine. These issues would all relate to the turbine housing and be far more catastrophic of an event.

We know that GE turbines were purchased and installed in the plant in 1989 as you can see in the image below from the Global Energy Observatory. (The GEO is a publicly available database of global energy information)

The Power Plant Fire 

Shortly after the fire began, the Iranian hacker group #Altahrea posted a photo on Telegram of a fire that looks to have started in the building known as the, “Air Filter House”.

Most of the technology that resides inside the filter house is there to detect if the system is clogged. When a clog happens, it triggers the shutdown of the turbine to protect it from too much debris passing through the filter system, which can shorten the lifespan of the turbine.

Fire is a major risk for filter houses that have poor maintenance cycles. If filters are not replaced routinely, particulates and debris build up and all it takes for the filter cartridge pairs to go up in flames is a single spark. 

Based on open-source intel, it is likely that this facility is running an Electrostatic Precipitator.

An Electrostatic Precipitator is typically used for pollution control to remove dirt from flue gasses in exhaust systems. Due to the fact that this facility has the ability to use Diesel as a secondary source of power generation, it is possible that an ESP could be present.

Another detail that provides relevant information is a redacted picture of Shodan.io’s Industrial Webcrawler revealing a Phoenix Contact EMpro PLC running a Webserver exposed to the internet as shown below.

The EMpro is used to measure voltages and current in a power supply system. The measure is used primarily to manage critical load balancing across a system and not for any critical process control of the filter house. If the device were to be compromised it would only allow an individual to carry out relatively small actions, and this is only in the event that the device had the Digital Output wired up.

This all begs the question, is it possible that a remote monitoring device was compromised in a way that allowed an adversary to trigger a discharge inside the filter house which then ultimately triggered a fire. Possibly. However it would require ideal conditions for this to happen and would also require a lapse in maintenance with a buildup of debris etc. I would expect that the same level of probability would occur if someone discarded a cigarette that was still lit and the filter house consumed it into the filter cartridge stage. In this case, that is a more likely cause of the fire, and not the Iranian hackers who claimed credit. 

To learn more about how the SCADAfence Platform can protect your OT network request a demo today.