Cybersecurity Threats Facing the Oil & Gas Sector

14 Oct 2020

The December 2017 Triton attack is often cited as one of the most devastating pieces of ICS malware, one that could have caused unprecedented damage and put human lives at risk. Triton was a sophisticated and persistent attack on a petrochemical plant in Saudi Arabia that attempted to compromise Schneider Electric Triconex SIS (safety instrumented system) controllers. The malware made its way through the victim's OT network and manipulated the safety systems by reverse engineering Schneider Electric's proprietary industrial protocol.

Fortunately, the Triton attack failed before it could execute its (estimated) main goal: releasing a large amount of Hydrogen Sulfide (H2S), which would have led to explosions.

While Triton was a highly sophisticated and targeted attack, run by what many researchers describe as a state-backed Russian APT, a similar effect might be achieved with far less effort. Today's attack surfaces keep growing because of the steep increase in remote connectivity to ICS, and attackers know how to take advantage of nearly every security lapse to gain confidential intelligence about the ICS equipment that victims use on their production floors.

Nearly 3 years after the Triton attack first occurred, we will show here that today an attacker can target specific ICS products with a little help from legitimate systems, and without investing much effort in reaching the target or gaining permissions to run commands on it.

In this blog, we decided to focus our initial search on H2S alarm systems, and on whether there are exposed components that could serve as bait for cyber criminals.

Oil and Gas Cyber Attacks: The case of the Canadian oil and gas company

Our first step was to look for systems that control or monitor H2S and are exposed to the internet. We used some of the well-known scanners, Shodan, Binary Edge, and Censys, with the simple search term "H2S".

What we found was surprising: a SCADA system and a control panel which seem to control energy production processes. One of those processes involves H2S, and we assume that the control panel gives indications of abnormal H2S levels in the process. This control panel was exposed to the internet over port 5900, a port commonly used for VNC (Virtual Network Computing), a graphical desktop sharing system.

Combining results from Binary Edge with those from Shodan revealed more confidential systems belonging to the same Canadian company: while searching for more exposed ICS systems, we found that the same IP serves an internal router that communicates with a Rockwell PanelView 6 HMI (UDP) and a 1756 ControlLogix PLC (TCP), both over port 44818.

Now that we have mapped some of the assets, we can assume that the SCADA main control page we saw above is what the plant's engineers see on a PanelView 6 HMI screen.

This oil and gas company is apparently not alone. Searching for the same pattern, we found more oil and gas companies whose Rockwell Automation gear is exposed to the internet. One of them is an Atlanta, Georgia based oil and gas company using a Rockwell 1769-L30ER CompactLogix controller exposed to the internet. This controller also communicates over port 44818, which is known to be highly vulnerable if left enabled and reachable.

To understand how common this vulnerable implementation is, we checked how many of these Rockwell Automation devices are openly exposed:

  • 150 Rockwell Automation 1756 ControlLogix controllers, mostly in North America
  • 191 Rockwell Automation 1769 CompactLogix controllers, 162 of them in North America
  • 31 Rockwell Automation PanelView Plus 6 HMIs, mostly in North America

To conclude this part: we were able to find low-hanging-fruit targets that even low-skilled attackers could exploit easily to cause disruption or even severe damage to people and machines.
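As an added example (not code from the original post or from OTORIO), the defender-side counterpart of the search described above: it runs over constructed firewall log lines in a hypothetical format and flags accepted inbound connections from non-internal addresses to port 44818 (EtherNet/IP, used by the Rockwell controllers and HMI) and port 5900 (VNC, the exposed control panel), then groups the exposed hosts for the asset inventory.

```python
import ipaddress
import re
from collections import defaultdict

# Ports named in the post: 44818 is EtherNet/IP (Rockwell ControlLogix,
# CompactLogix and PanelView), 5900 is VNC (the exposed SCADA control panel).
ICS_PORTS = {44818: "EtherNet/IP (Rockwell CIP)", 5900: "VNC"}

# Address ranges we treat as internal; anything else is an external source.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16")]

# Constructed sample log lines in a hypothetical firewall format (not from the post):
# <timestamp> ACCEPT|DROP proto=tcp|udp src=<ip>:<port> dst=<ip>:<port>
SAMPLE_LOG = """\
2020-10-14T08:01:12Z ACCEPT proto=tcp src=203.0.113.45:51234 dst=192.0.2.10:44818
2020-10-14T08:01:13Z ACCEPT proto=udp src=203.0.113.45:51235 dst=192.0.2.10:44818
2020-10-14T08:02:01Z ACCEPT proto=tcp src=198.51.100.7:40001 dst=192.0.2.11:5900
2020-10-14T08:02:30Z ACCEPT proto=tcp src=10.0.5.20:33000 dst=192.0.2.10:44818
2020-10-14T08:03:00Z DROP proto=tcp src=203.0.113.99:4444 dst=192.0.2.10:44818
2020-10-14T08:03:10Z ACCEPT proto=tcp src=203.0.113.45:51240 dst=192.0.2.12:443
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) proto=(?P<proto>tcp|udp) "
    r"src=(?P<sip>[\d.]+):(?P<sport>\d+) dst=(?P<dip>[\d.]+):(?P<dport>\d+)$")

def is_external(ip):
    """True when the source address lies outside every internal range."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def find_exposed_ics(log_text):
    """Return accepted inbound connections from external sources to ICS ports."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the expected format
        d = m.groupdict()
        dport = int(d["dport"])
        if d["action"] != "ACCEPT" or dport not in ICS_PORTS:
            continue  # blocked traffic or a non-ICS service
        if not is_external(d["sip"]):
            continue  # internal engineering traffic is expected
        findings.append({"ts": d["ts"], "src": d["sip"], "dst": d["dip"],
                         "port": dport, "proto": d["proto"],
                         "service": ICS_PORTS[dport]})
    return findings

def summarize(findings):
    """Group exposed internal endpoints by service for the asset inventory."""
    out = defaultdict(set)
    for f in findings:
        out[f["service"]].add(f"{f['dst']}:{f['port']}")
    return dict(out)
```

Only the externally sourced, accepted connections to the two ICS ports survive the filter; the internal engineering station and the dropped probe do not.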

Making sense of it: understanding the threats on the oil and gas sector

Natural gas production in Canada, as elsewhere, faced many challenges in the past few years, the most prominent of which has been the volatility of energy prices. Canada was also particularly hurt by competition from cheap U.S. shale oil when production from those sources was at its height.

Most public natural gas companies had a rough earnings year in 2016, followed by some recovery in 2017 and 2018. The largest natural gas producers managed to make mild gains during the first ten months of 2019, but it was a challenging year for most small firms.

A cyber attack would put further pressure on a victim that already has to deal with the challenges of the sector.

The oil and gas sector, specifically, has remained very attractive to cybercriminals over the past year, which makes implementing an oil and gas cybersecurity solution crucial. Some recent cases show that attackers treat these companies as "top targets":

  • Enel Group, an Italian electricity and natural gas provider, was hit by Snake ransomware.
  • In April, a highly targeted campaign against several oil and gas companies tried to deploy Agent Tesla spyware on its victims.
  • A while earlier (Q4 2019), two more attacks succeeded: Pemex, the Mexican state-owned petroleum company, was hit with DoppelPaymer ransomware, and Ryuk ransomware caused severe damage to a gas compression facility in the US, crippling the IT network and destroying HMIs and historian systems on the victim site.

Conclusions

At the beginning of this blog, we mentioned the sophisticated Triton attack, which allegedly required nation-state effort to execute. This case, however, shows that attacking OT does not have to be so "expensive". As we saw, in some circumstances automation engineers unwittingly leave components exposed that criminals can easily use as dangerous entry points into the OT network.

One may think this issue is nothing new. In an alert (AA20-205A) dated July 2020, CISA and the FBI recommend "immediate actions to reduce exposure across operational technologies and control systems". The agencies essentially warned about exposed ICS systems like the ones we found in the case of the Canadian oil and gas company. So how is it possible that we still see such bold cases of exposure?

The alert even mentions Shodan as one of the tools that can give unauthorized parties access to unsecured assets.

We mentioned only 2 exposed firms in this blog, but we recently found many more, in other critical sectors such as upstream oil and gas and water exploration. To protect its assets, every company should conduct security checks or hire a cyber security company to help monitor all of its assets, fix security gaps, and deliver a comprehensive risk report with prioritization modeling and insights that help mitigate the risks step by step.

We hope the information discussed here will help companies reduce the risk of being attacked and raise awareness of today's threats, while underlining the relevance of breach mitigation services. Let's keep in mind that today's attack surface keeps growing, and just as we are monitoring the internet for exposed ICS products, so are cyber criminals and malicious activists.

Vulnerabilities overview

Using OTORIO's RAM² proprietary, analyst-curated industrial vulnerability database, we found several vulnerabilities that match the Rockwell Automation products we found exposed:

Product                              | CVE ID        | CVSS | Type                 | Impact                | Known Public Exploit?
PanelView Plus 6                     | CVE-2017-7914 | 8.6  | Design Error         | Authentication Bypass | NO
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6436 | 7.8  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6437 | 10   | Design Error         | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6439 | 8.5  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6441 | 5.0  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6442 | 7.8  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6438 | 7.8  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6440 | 9.3  | Man In The Middle    | Data Manipulation     | YES
Allen Bradley ControlLogix 1756 ENBT | CVE-2012-6435 | 7.8  | Crafted Packet       | Denial Of Service     | YES
Allen Bradley CompactLogix 1769-L30ER | CVE-2016-9343 | 10   | Buffer Overflow      | Denial Of Service     | NO
Allen Bradley CompactLogix 1769-L30ER | CVE-2016-2279 | 6.1  | Cross Site Scripting | Remote Code Execution | YES

Do you work in the oil & gas industry? Schedule a demo to find out how OTORIO can help you to mitigate cybersecurity risks.

Ran Finkelstein
Threat Intelligence Researcher