Know Your Remote Access SCADA Vulnerabilities

In my previous post about mobile device security for industrial control systems (ICS), I shared several findings from Verizon about how 4G LTE addresses five key aspects of securing mobile access to control systems. While addressing network security is a critical aspect of remote access cybersecurity, understanding the threats to ICS applications—if and when an intruder gains access—is an equally important piece of knowledge for manufacturers.

In a white paper titled “SCADA and Mobile Security in the Internet of Things Era,” authors Alexander Bolshev, a security consultant with IOActive (a cybersecurity advisor), and Ivan Yushkevich, information security auditor at Embedi (an embedded device security supplier), address this issue. The authors point out that while most applications accessed via the Internet and private cell networks—such as SCADA and MES clients and remote alerts—typically only allow monitoring of the industrial process, several applications do exist that allow the user to control/supervise the process. These kinds of remote applications are “more exposed and face different attack types, like man-in-the-middle (MiTM) attacks … or [through] another malicious application that could be installed on the device,” according to the paper.

The four main remote application threat types that manufacturers should address are:

Unauthorized physical access to the device or virtual access to device data. Bolshev and Yushkevich note that, in control room applications, “leaking data [via the Internet] could give attackers a more thorough understanding of the industrial process, ICS infrastructure, network addressing schemes, etc. [But in] remote access applications, the consequences are much more dangerous. Attackers could: extract any authentication data stored on the mobile device and use it to connect to remote SCADA endpoints; extract or alter data in the mobile SCADA application; and gain access to or alter data stored on SD cards."

Communication channel compromise (MiTM). Because mobile devices can connect to the Internet using non-secure channels, this creates the following threats: Rogue Wi-Fi or GSM access points, public access points or networks without proper security mechanisms, private (e.g., corporate or home) network compromise, and VPN channel compromise. Any of these threats could allow attackers to sniff, replay or alter communication data between the application and remote SCADA endpoint.

Application compromise. Applications themselves could include various vulnerabilities on both the server side and the client side. The paper states that “this could lead to various vulnerabilities. For example, issues on backend services could include access control list issues/incorrect permission checking, remote code/command execution, insufficient data validation or information leakage."

Directly/indirectly influencing an industrial process or industrial network infrastructure. The authors point out “this type of attack could be carried out by sending data that would be carried over to the field segment devices.” They list various methods that could be used to achieve this, such as:

• Acting as a MiTM over an insecure communication channel, an attacker alters commands from a mobile SCADA application to the remote endpoint, which reaches the field devices.
• Attackers steal a device and extract remote SCADA endpoint credentials from it. Using them, they connect to the SCADA environment and send malicious commands. Alternatively, the attackers just take photos of the application’s settings (including credentials) when the device is left unlocked and unattended.
• Engineers unwillingly install a malicious application on their personal mobile device, which initially stays dormant to avoid raising any suspicion. Later, the malicious application exploits vulnerabilities in the victim application to subvert the communication process with
 the backend servers or to extract valuable data. Another possible case is when SCADA mobile applications store data on partitions with insufficient permission checking 
and the malicious application alters/reads it.
• The backend servers are attacked using approaches from typical web or infrastructure application penetration testing or by reverse-engineering the protocol between the mobile SCADA application and the remote endpoint. Then, the attackers leverage the vulnerabilities they have identified and send data to the backend servers, which will influence some parts of industrial process or infrastructure.