Nuclear Meltdown with Critical ICS Vulnerabilities
In 2019, almost a decade after the famed Stuxnet worm silently wreaked havoc on an Iranian uranium enrichment plant, SCADA vendors still have gaping holes in their PLC and HMI development environments. We will detail the results of our research on top industrial control vendors. This research breaks down 12 critical vulnerabilities discovered in the past 9 months and we are releasing previously undisclosed exploits. The vulnerabilities in top tier software systems indicate a lack of security standards in modern SCADA software. This lack of security creates a great opportunity for future attackers and the next high-profile attack on an industrial control system.
The attack scenario cannot be understated as critical systems such as power, water, transportation, and manufacturing all rely on major PLC vendors. We will show a theoretical attack using recently discovered vulnerabilities and proof of concept code to disrupt a major power industrial system.
We share our observations on vulnerabilities found in vendors across the board and mitigation techniques for using this required software in highly critical environments where even air-gapping is not enough to remove the threat of a remote attacker.
Vulnerabilities and Exploits
Over a period of a little more than nine months, Tenable Research found a dozen critical vulnerabilities in soft and hard ICS targets from four different vendors. The targeted vendors build OT solutions that rank amongst the most prevalent solutions in industries across the board.
Siemens — TIA Portal
Tenable Research found a critical vulnerability in TIA Portal (exploit here) that was patched in July 2019. Siemens TIA Portal implements functionality for authenticated web users and administrators over WebSocket after authentication. An attacker can bypass HTTP authentication and access all administrator functionality by directly sending WebSocket commands to the server. A remote attacker is able to force a malicious firmware update from an arbitrary server (resulting in remote code execution), modify user permissions, or change application proxy settings.
[Critical] CVE-2019–10915 A remote unauthenticated attacker can execute administrator commands.
Fuji Electric — TELLUS and V-Server
Tenable Research found 2 vulnerabilities in V-Server (exploit here) that were patched in June 2019. V-Server has an integer overflow while handling application commands over port 8005. A crafted packet sent to the server will cause an out of bounds read which will crash the application server.
[Medium] CVE-2019–3946 An attacker with access to the filesystem to recover database credentials.
[Medium] CVE-2019–3947 An unauthenticated attacker can crash the V-Server process causing a denial of service.
Schneider Electric — InduSoft Web Studio
Tenable Research found 6 critical vulnerabilities in InduSoft Web Studio and InTouch Machine Edition (exploits here, and here) that were patched independently between April 2018 and February 2019. The team discovered vulnerabilities in several different parts of the Indusoft UniSoft.dll application library. Several stack buffer overflows exist, and some remote command execution vulnerabilities were found. Another stack overflow was found in Schneider Electric Indusoft library TCPServer.dll in parsing remote application commands.
[Critical] CVE-2018–8840 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2018–10620 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2018–17914 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2018–17916 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2019–6545 A remote unauthenticated attacker can execute an arbitrary process.
[Critical] CVE-2019–6543 A remote unauthenticated attacker can execute an arbitrary process.
Schneider Electric — Modicon Quantum PLC
Tenable Research found 5 vulnerabilities in Modicon Quantum Ethernet modules (exploits here) that were patched in November 2018. A remote unauthenticated attacker can access an exposed url to change any user’s password on the device. The Ethernet module also has several default accounts enabled.
[Critical] CVE-2018–7811 A remote unauthenticated attacker can gain administrator access by changing any user’s password.
[Critical] CVE-2018–7809 A remote unauthenticated attacker can gain access to the web interface by resetting the credentials to the default state.
[Medium] CVE-2018–7810,7830,7831
Rockwell Automation RSLinx
Tenable Research found 3 vulnerabilities in RSLinx Classic (exploits here)that were patched in September 2018 and March 2019. There is a stack overflow in the remote application command SendRRData over port 44818. There are also several other memory corruption vulnerabilities in the application executable RSLINX.exe that allow an attacker to execute arbitrary code.
[Critical] CVE-2019–6553 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2018–14821 A remote unauthenticated attacker can execute arbitrary code.
[Critical] CVE-2018–14829 A remote unauthenticated attacker can execute arbitrary code.
Simulating an ICS attack
A simple table with a bunch of exploits to critical vulnerabilities might not feel very impactful to many people, so we will walk through a theoretical attack using freely available software to simulate a nuclear power plant. Stuxnet only needed 3 new vulnerabilities to spread through an isolated network and damage centrifuges in the targeted Iranian nuclear facility. Any of the vulnerabilities listed above could have been discovered by a threat actor and used as a key component in a targeted attack to disrupt or damage industrial hardware.
Nuclear Power Plant Basics
To set up the simulated attack scenario we should first establish some baseline terminology and functionality of a nuclear power plant. You should skip this paragraph if you already know how nuclear energy works! :)
Nuclear power plants heat water using a fission reaction to produce steam. The steam spins turbines that produce electricity. The reaction is controlled mainly by rods of neutron absorbing material (control rods) which can be inserted into the core. The control rods slow down the fission reaction as they are inserted into the nuclear reactor and speed up the fission reaction as they are withdrawn. In addition to the control rods, the fission reaction is also controlled by a moderating substance between the fuel rods. This moderator substance differs between types of reactors. The infamously unstable Russian (RBMK) nuclear power plants and nuclear reactors in the UK (AGR) use graphite as a moderator. All newer nuclear reactors (PWR, PHWR, BWR) use water as a moderator which makes for much more stable design parameters. Additionally, nuclear power plants implement safety systems such as rapid control rod insertion (SCRAM) and injection of boric acid into the coolant to quickly kill the fission reaction.
In the case of older graphite moderated designs, runaway reactivity conditions can be reached by disabling security systems designed to shut down the reaction, restricting coolant flow, and withdrawing the control rods from the reactor core. In the case of the Russian RBMK nuclear disaster, safety systems were shut down by poorly trained technicians operating the power plant. During a targeted attack, power plant control systems will be arrested by malicious code injected into the control network and redundant safety systems disabling operator access and falsifying information to the control operators to delay emergency response. In older reactor designs that use graphite moderators and rely on responsive control systems to maintain the naturally unstable nuclear fission reaction, unstable reactivity conditions can be reached within a matter of minutes.
For more modern light water (LWR) nuclear power plant designs, runaway nuclear fissions are theoretically and practically impossible because of the use of water as a moderator and its negative feedback coefficients. As the temperature of the moderator increases and it undergoes state change to gas, the nuclear reactivity decreases. This makes it so that there is no case, even in a disaster or malicious targeted attack, in which a runaway nuclear reaction can occur. This built-in safety makes it so that disasters like Chernobyl cannot occur. However, in these types of reactors, malicious code manipulating control systems, disabling emergency reactivity systems, and stopping coolant flow can still lead to nuclear meltdowns, hydrogen-air explosions, and the release of radioactive material as seen in the recent Fukushima accident.
Simulated Nuclear Power Plant
An older nuclear power plant with graphite moderation and water cooling (RBMK, EGP) design would be extremely susceptible to a malicious attack. These types of reactors don’t exist in the US and are being phased out where they do exist. We will instead simulate a reactor used in the US (PWR) and determine some worst-case scenarios in which an attacker can cause damage or disrupt operation.
The newer generation of reactors such as PWR (pressurized water reactor) and BWR (boiling water reactor) all have reactivity designs that maximize safety and stability, minimizing the possibility of runaway nuclear reactions even in extreme cases of damage or disaster. Such designs as the PWR operate with negative reactivity coefficients where increases in temperature or coolant changes reduce the reactor’s reactivity forcing the fission reaction to shut down as temperature increases. However, even with these designs, many simulators would still allow an attacker with sufficient access to increase the reactor core’s reactivity and temperature to a high enough point to create a steam explosion and subsequent undefined behavior.
Two high profile nuclear failures have occurred in these designs: Fukushima in 2011, a BWR and Three Mile Island in 1979, an older PWR reactor. In each of these failures, conditions were reached that caused the nuclear meltdown and subsequent hydrogen explosions.
There are several barriers to a successful attack on a PWR nuclear power plant. Foremost in the attack is the difficulty of the jump to an air-gapped network. This capability has been demonstrated several times in national level campaigns such as Duqu and Stuxnet using USB propagation. Additionally, modifying core control and emergency safety shutdown programmable logic in an active control network is a matter of preference. Stuxnet demonstrated a wrapped TCP library to modify communication from control servers to hardware. TRISIS demonstrated full PLC logic replacement as a means of subverting control and operational telemetry reporting.
The most catastrophic attack scenario on a PWR begins with an attacker inserting malware into the control network by leveraging an infection vulnerability. Next, the weaponized code will arrest command over the core control system and spread to adjacent networks housing automatic emergency core shutdown systems. The PWR system is designed with a negative void coefficient ensuring that boiling coolant doesn’t increase the nuclear reactivity, but one characteristic of PWR’s is that the void coefficient can be positive in a specific circumstance where the moderating coolant is saturated. Under these conditions “a reduction in density of the moderating coolant would reduce neutron absorption significantly while reducing moderation only slightly, making the void coefficient positive” [5].
These power plants will have redundant emergency systems in place to protect against dangerous conditions in the reactor core. Even if implemented in a completely segregated network, these systems will always be vulnerable to a malicious actor using vulnerabilities like those listed above to spread from the control network to the separate core safety systems network. The malicious code can then disable control rod deployment commands, disable boric acid injection to stabilize nuclear core conditions, falsify control rod sensors and monitors, and falsify pressure or temperature conditions in the core to slow down external emergency countermeasures.
We used nuclear reactor simulator PCTran to validate extreme conditions in the reactor core with emergency core safety systems disabled. Without emergency control rod insertion (SCRAM) and boric acid injection, even the stable design of a PWR is vulnerable to a nuclear meltdown.
Conclusion
Vulnerabilities are easy to find in ICS software and hardware and come with a heavy cost to systems that rely on the stability and security of these solutions. Mitigation efforts and barriers to malicious actors can always be overcome with enough time or money. The stability and security of the underlying system must always be analyzed when performing threat analysis. While the example in this article is an extreme one, the lesson applies regardless. All critical infrastructure is vulnerable under the right circumstances. If your organization utilizes hard or soft targets with operational technology, take the necessary precautions and keep vendors accountable for security flaws.
References
[1] “Nuclear Power Plants Have a ‘Blind Spot’ for Hackers.” Pulitzer Center, April 2018
https://pulitzercenter.org/reporting/nuclear-power-plants-have-blind-spot-hackers-heres-how-fix
[2] “Experts Meet at IAEA to Evaluate Computer Codes for Severe Accidents” International Atomic Energy Agency, October 2017
[3] “Three Mile Island, Chernobyl, and Fukushima” Institute of Electrical and Electronics Engineers, October 2011
https://spectrum.ieee.org/energy/nuclear/three-mile-island-chernobyl-and-fukushima
[4] “TRISIS: Analyzing Safety System Targeting Malware”, DRAGOS, June 2019
https://dragos.com/wp-content/uploads/TRISIS-01.pdf
[5] “The Fundamentals of Nuclear Power Generation: Questions & Answers”, M. W. Hubbell, 2011 AuthorHouse Publishing
