krunja - stock.adobe.com
McAfee researchers have demonstrated how a vulnerability in a commonly used industrial control system from Delta Controls could allow malicious actors to take complete control of the operating system.
Successful exploitation of the flaw could enable attackers to manipulate control systems in boiler rooms, temperature controls for critical systems and more, the researchers said, urging building management teams to ensure potentially vulnerable systems are patched up to date.
An attacker could potentially shut off cooling, manipulate power, or disable alarms, causing physical damage to the server hardware, downtime and potential permanent loss of critical data.
In 2017, British Airways cancelled more than 400 flights, stranding 75,000 passengers, due to a power surge at a datacentre, which although blamed on “human error” could theoretically have been caused by cyber attackers manipulating control systems.
The vulnerability in the Delta enteliBUS Manager (eBMGR) is essentially a classic buffer overflow vulnerability, or a mismatch in the memory sizes used to handle incoming network data.
The bulk of eBMGRs are deployed in the US (57%), followed by Canada (35%), the UK (2%) and Australia (2%). Just 1% each of the total is deployed in Poland, Japan, Italy and Ireland.
The device is designed to centralise control for various pieces of hardware often found in corporate or industrial settings, such as temperature and humidity controls for a server room.
eBMGR lets attackers in
However, from a cyber attacker’s point of view, the eBMGR is a potential single point of failure attached to a network, according to Mark Bereza, a security researcher at McAfee Advanced Threat Research.
Under testing, McAfee researchers discovered the buffer overflow vulnerability, a “seemingly innocuous mistake” that rendered the eBMGR “vulnerable to our carefully crafted network attack, which allows a hacker on the same network to gain complete control of the device’s operating system”, he wrote in a blog post.
The attack uses what is known as broadcast traffic, said Bereza, meaning bad actors can launch the attack without knowing the location of the targets on the network.
McAfee’s security recommendations for internet-connected devices
- Place all internet-connected devices behind a firewall.
- Monitor traffic to these devices.
- Segregate internet-connected devices from the rest of the network using VLANs.
- Stay on top of security updates despite business pushback against downtime.
- Adopt the principle of least privilege and question whether internet connectivity is necessary.
“The result is a twisted version of Marco Polo – the hacker needs only shout ‘Marco’ into the darkness and wait for the unsuspecting targets to shout ‘Polo’ in response,” he wrote.
The researchers then investigated if they could use control of the eBMGR to control the devices it was connected to. By examining some hardware that the Delta device might be used to manage, the researchers were able to identify some control code to enable them to carry out a replay attack.
“This strategy proved effective in granting us control over every category of device the eBMGR supports,” said Bereza.
The result was an attack that would compromise any enteliBUS Manager on the same network and attach a custom piece of malware the researchers developed to the software running on it. This malware was then used to create a backdoor for issuing commands to the manager remotely to control any hardware connected to it.
The researchers noted that if an attacker knows the IP address of the device ahead of time, this exploit can be performed over the internet, increasing its impact exponentially.
A Shodan scan revealed that more than 1,600 such devices are internet connected, meaning the danger is far from hypothetical. The total number of network-connected vulnerable devices is much higher still.
Patch to block attacks
In line with McAfee’s responsible disclosure policy, the researchers contacted Delta Controls, which responded with a beta version of a patch that the researchers were able to confirm was effective in blocking the attack they had developed.
“This is our idea of a success story – researchers and vendors coming together to improve security for end users and ultimately reduce the attack surface for the adversary,” said Bereza.
The important lesson to be learned, he said, is that it takes very little to make a critical system vulnerable, and therefore it is important that companies extend proper security practices to all network-connected devices.
Mo Cashman, principal engineer at McAfee, said it is important for industrial and manufacturing organisations to take a “one enterprise” approach to security and risk management.
“Many organisations still operate in silos. For instance, a CISO [chief information security officer] may be responsible for IT only, yet not charged with securing OT [operational technology] environments. This needs to change,” he said.
“Recent attacks demonstrate that threats to industrial control systems enter from multiple routes. As a result, increased collaboration and achieving one unified view across the digital workplace, cloud services, industrial controls and the supply chain are necessary considerations if an organisation is to maintain business resilience as it transitions to create a factory of the future.”
Read more about OT security
- Critical national infrastructure providers and others are improving cyber security capabilities around industrial control systems, but the cyber threat remains high and continues to evolve, a study shows.
- A lack of skills, visibility and clarity on which business function is responsible for securing operational technology are the biggest challenges to managing the risk, a study shows.
- A lack of visibility into the attack surface, inadequate security staffing and reliance on manual processes undermine operational technology security capabilities, a study reveals.
- Malicious cyber activity increased to almost half of the industrial infrastructure protected by Kaspersky Lab in 2018, but the UK is among the most secure countries, the security firm reports.