An electronic device used to control machinery in water plants and other industrial facilities contains serious weaknesses that allow attackers to take it over remotely, the U.S. Industrial Control Systems Cyber Emergency Response Team warned. Some models of the Modicon Quantum PLC used in industrial control systems contain multiple hidden accounts that use predetermined passwords to grant remote access, the agency said in an advisory issued December 14. Palatine, Illinois– based Schneider Electric, the maker of the device, produced fixes for some of the weaknesses, and continues to develop additional mitigations. The programmable logic controllers reside at the lowest levels of an industrial plant, where computerized sensors meet the valves, turbines, or other machinery being controlled. The default passwords are hard-coded into Ethernet cards the systems use to funnel commands into the devices, and get temperatures and other data out of them. The Ethernet modules also allow administrators to remotely log into the machinery using protocols such as telnet, FTP, and the Windriver Debug port. According to a blog post published December 12 by an independent security researcher, the NOE 100 and NOE 771 modules contain at least 14 hard-coded passwords, some of which are published in support manuals. Even in cases where the passcodes are obscured using cryptographic hashes, they are easy to recover thanks to documented weaknesses in the underlying VxWorks operatingsystem. As a result, attackers can exploit the weakness to log into devices and gain privileged access to their controls.
Read more :
The source article is worth visiting for at least two reasons. It gives us the link for "the blog post published on Monday by independent security researcher Rubén Santamarta," and goes on to inform us, just after the end of the passage the DHS saw fit to quote:
SCADA vuln imperils critical infrastructure, feds warn.
December 14, The Register – (International)
Hard-coded passwords are a common weakness built into many industrial control systems, including some S7 series of PLCs from Siemens. Because the systems control the machinery connected to dams, gasoline refineries, and water treatment plants, unauthorized access is considered a national security threat because it could be used to sabotage their operation.
Remind anyone of anything ?
From Schneider Electric (which forms, according to Wikipedia , a cornerstone of AREVA:
In fact, Modicon PLC's were, at least as of 2006, in use at
- at least one nuclear plant in Virginia
- two in Korea ("The DPS [Diverse Protection System] configuration is based on a Modicon PLC, which is now supplied by Schneider Electric." notes the NRC, adding helpfully "The use of multiple vendors and digital platforms promotes system diversity among the echelons of defense."
- in Bruce Nuclear Generation Station at Tiverton, Ontario
- and no doubt many more I have not the determination, at present, out of obscurity to dig, given the penchant this industry has into the same, to bury. Witness how neatly the following company avoids, in their boasts, the very proper nouns that would pinpoint what nuclear power plants, likely Canadian, are now at risk:
Synopsis of Nuclear Reactor Retubing Controls Automation System Project
• Situation: A nuclear power generation company committed to upgrading its operations with new reactors.
• Issues: Aging reactors subject to problems such as water leakage, corrosion, and contamination (fine powdery particulate—iron oxide activated to isotope FE55—as a result of corrosion) that are potentially hazardous and costly to deal with.
• Requirement: Upgrade of 2 reactors (including re-tubing operations).
• Technology: Unity Pro IEC 61131-3 application software/Modicon Quantum PLC platform; GE Iconics Series HMI; Ethernet; Kepware OPC driver; Kollmorgen drives; PICS™ simulation.
Be seeing you.