IT Security at Sprecher Automation

This site is updated regularly and provides information on current security topics and the Sprecher products concerned.

For further questions please contact:
info@sprecher-automation.com (general inquiries)
sprecon@sprecher-automation.com (SPRECON inquiries)

News

ICS Malware "CRASHOVERRIDE"

Title ICS Malware "CRASHOVERRIDE"
Date 14th June 2017
Relevance

SPRECON-V460

CVE Code CVE-2015-5374
Description

A well-known security vendor recently discovered malware capable of affecting power grid operations, confirmed by Dragos as the malware used against Ukraine during the late December 2016 power outage. The malware is highly modular, supporting several protocols such as IEC 101, IEC 104, IEC 61850 and OPC Data Access (OPC DA). It also contains a data wiping component enabling destructive operations against the local machine, similar to the capability used against Ukraine in 2015.

Categorisation
Currently, no further exploits are known. The Dragos analysis is based on samples from December 2016. It is obvious that the malware has been extended and further developed in the meantime.
In principle, Microsoft Windows-based machines are vulnerable to this malware. Therefore, the necessary countermeasures have to be taken for Windows-based HMI stations.

Countermeasures

  • Utilities shall strictly isolate technical (ICS) networks from other networks (e.g. office networks).
  • All communication means used to access ICS networks (and especially Windows-based HMI stations) need to be secured, e.g. remote maintenance connections or mobile storage devices.
  • HMI stations shall additionally be hardened, e.g. by application whitelisting. Additionally, antivirus software might be applied. Be aware that antivirus software might cause false positives on functionally relevant machines.
  • Electric utility security teams should have a clear understanding of where and how the IEC 104 and IEC 61850 protocols are used. Appropriate security monitoring shall be enforced.
  • The YARA rules and other indicators of compromise (IOCs) published by Dragos can be used to search for possible infections.
  • Robust backups of engineering files such as project logic, IED configuration files and ICS application installers should be kept offline and tested. This will help reduce the impact of the wiper functionality.
  • Prepare incident response plans for this attack and perform tabletop exercises bringing in appropriate stakeholders and personnel across engineering, operations, IT and security. Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

> BBC News

> WIN32/Industroyer: A new threat for industrial control systems

> WIN32/Industroyer: Indicators of Compromise

> Siemens Security Advisory

> Dragos World Advisory

> BSI News

> Dragos Analysis


Ransomware "WannaCry"

Title Ransomware "WannaCry"
Date 17th May 2017
Relevance

SPRECON-V460 Systems

CVE Code CVE-2017-0143, CVE-2017-0144, CVE-2017-0147, etc.
Description

The ransomware WannaCry has been spreading across the internet since 12 May 2017. As ransomware, it encrypts a defined set of file types on the affected computer's file system. It is highly critical because it spreads automatically across a company's network infrastructure using several known vulnerabilities in Microsoft Windows.

Categorisation

A high risk results for SPRECON V460 stations if their network zone is connected to an office network via Windows file sharing (SMB), NetBIOS or RDP.

Solution
Microsoft already closed the respective vulnerabilities in March 2017 via security patches. It is recommended to patch all Windows machines with current security updates in order to mitigate these vulnerabilities.

Since May 2017, security patches have also been available for older Windows versions such as Windows XP or Windows Server 2003.

Further information as well as solution approaches can be obtained from the appropriate CERT warnings as well as the Microsoft website.

> CERT.at: Ransomware/Worm WannaCry

> BSI: Thousands of clouds in Germany vulnerable to cyber attacks

> Microsoft: Customer Guidance for WannaCrypt attacks

> Microsoft: How to enable and disable SMBv1, SMBv2, and SMBv3 in Windows and Windows Server


Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability

Title Cisco IOS and IOS XE Software Cluster Management Protocol Remote Code Execution Vulnerability
Date 16th May 2017
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2017-3881
Description

A vulnerability in the Cisco Cluster Management Protocol (CMP) processing code in Cisco IOS and Cisco IOS XE Software could allow an unauthenticated, remote attacker to cause a reload of an affected device or remotely execute code with elevated privileges.

An attacker could exploit this vulnerability by sending malformed CMP-specific Telnet options while establishing a Telnet session with an affected Cisco device configured to accept Telnet connections. An exploit could allow an attacker to execute arbitrary code and obtain full control of the device or cause a reload of the affected device.

Affected Products
  • Catalyst switches
  • Embedded Service 2020 switches
  • Enhanced Layer 2 EtherSwitch Service Module
  • Enhanced Layer 2/3 EtherSwitch Service Module
  • Gigabit Ethernet Switch Module (CGESM) for HP
  • IE Industrial Ethernet switches
  • ME 4924-10GE switch
  • RF Gateway 10
  • SM-X Layer 2/3 EtherSwitch Service Module

Solution
Cisco has released software updates that address this vulnerability. There are no workarounds that address this vulnerability.

CVSS-Score: 9.8

> Cisco Security Advisory

> CERT-EU Security Advisory 2017-006


Notice: Confidential usage of ipsec.cfg configuration files

Title Notice: Confidential usage of ipsec.cfg configuration files
Date 15th May 2017
Relevance

Users of IPSec VPN connections with SPRECON-E

CVE Code No CVE code, since this is not a vulnerability
Description

Since firmware version 8.41, users can operate IPSec VPN connections with SPRECON control devices. The configuration is done with the dedicated Security Editor tool, which offers a user interface for defining IPSec settings. After configuration, the user exports the proprietary file ipsec.cfg from this tool. This file can then be imported with the SPRECON Designer in order to integrate it into the process device list (main configuration file), which may then be downloaded to the device.

During IPSec configuration, the authentication of the IPSec participant has to be defined. Depending on the chosen authentication method, either a pre-shared key or a certificate, which in turn contains a private key, is used. The vendor Sprecher Automation advises all users to maintain the confidentiality of these files, since they contain critical information.

Currently, ipsec.cfg files are equipped with a password-based protection mechanism against manipulation, which was implemented mainly to protect users against unauthorized alteration of the files. This is not strong cryptographic encryption and does not ensure the confidentiality of those files against potential attacks. In order to support all customers, from SPRECON firmware 8.56 and Security Editor 1.03 onward strong encryption will be applied to ipsec.cfg files, to cryptographically ensure both confidentiality and integrity of IPSec configurations.
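As an added illustration of the difference this notice describes (example code, not Sprecher's, and not the proprietary ipsec.cfg format): an integrity-only protection that detects manipulation but leaves the pre-shared key readable, beside an AES-256-GCM construction that provides confidentiality and integrity together. The file content, password and salt are constructed, and the key derivation is a labelled simplification.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Constructed stand-in for an exported ipsec.cfg; the real file format is proprietary.
const sampleCfg = "peer=192.0.2.10\nauth=psk\npsk=CONSTRUCTED-PSK-NOT-REAL\n"

// deriveKey: hypothetical single SHA-256 of password||salt; real code should use PBKDF2, scrypt or Argon2.
func deriveKey(password string, salt []byte) []byte {
	key := sha256.Sum256(append([]byte(password), salt...))
	return key[:]
}

func hmacTag(cfg, key []byte) []byte {
	mac := hmac.New(sha256.New, key)
	mac.Write(cfg)
	return mac.Sum(nil)
}

// protectIntegrityOnly models the current mechanism: HMAC-SHA256 detects alteration, the body stays readable.
func protectIntegrityOnly(cfg, key []byte) []byte { return append(hmacTag(cfg, key), cfg...) }

// verifyIntegrityOnly checks the tag and returns the (plaintext) config on success.
func verifyIntegrityOnly(blob, key []byte) ([]byte, error) {
	if len(blob) < sha256.Size || !hmac.Equal(blob[:sha256.Size], hmacTag(blob[sha256.Size:], key)) {
		return nil, errors.New("integrity check failed")
	}
	return blob[sha256.Size:], nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// sealAEAD models the announced mechanism (AES-256-GCM). Output: nonce || ciphertext || tag.
func sealAEAD(cfg, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, cfg, nil), nil
}

// openAEAD decrypts and verifies; a wrong key or any modification of the blob fails.
func openAEAD(blob, key []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	return gcm.Open(nil, blob[:gcm.NonceSize()], blob[gcm.NonceSize():], nil)
}

func main() {
	key := deriveKey("export-password", []byte("constructed-salt"))
	fmt.Printf("%s", protectIntegrityOnly([]byte(sampleCfg), key)[sha256.Size:]) // the PSK prints in clear
}
```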


Privilege Escalation in SPRECON-E Service Program

Title Privilege Escalation in SPRECON-E Service Program
Date 21st December 2016
Relevance

SPRECON-E-C/-E-P/-E-T3: affected

SPRECON-V460: not affected

CVE Code CVE-2016-10041
Description

Under certain preconditions, it is possible for a non-admin user to execute a telegram simulation.

As prerequisites, a user has to open an online connection to the device, validly authenticate and authorise as administrator, and execute telegram simulation. The online connection subsequently has to be closed without closing the program. Faulty caching of client data may then allow a following non-admin user to execute telegram simulation.

In order to exploit this vulnerability, a potential attacker would need both a valid engineering account in the SPRECON RBAC system and access to the service/maintenance computer. Additionally, a valid admin user must have executed telegram simulation and then closed the service connection without closing the program. Hence, there is no risk from external attackers.

Affected Product: SPRECON-E Service Program 3.42 SP0

Limitation:

This vulnerability is only relevant when using role-based access control (RBAC) on SPRECON. RBAC is available since the following product versions:

  • SPRECON-E Designer 5.79 SP0 (access control needs to be activated, and either local or remote (RADIUS) authentication profiles need to be configured)
  • SPRECON-E Firmware 8.49d
  • SPRECON-E Service Program 3.42 SP0


Solution

Sprecher Automation recommends updating SPRECON-E Service Program to version 3.43 SP0 or higher. The Service Program can be updated independently of the device firmware and other related products.

Workaround

If it can be ensured that the Service Program is being closed after each usage by a particular user, there is no risk from this vulnerability.

> Privilege Escalation in SPRECON-E Service Program

Partially critical vulnerabilities in CISCO ASA

Title Partially critical vulnerabilities in CISCO ASA
Date 25th October 2016
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2016-6432, CVE-2016-6431, CVE-2016-6439
Description

Cisco closes several vulnerabilities, some of them critical, with a new software update.

CVE-2016-6432 is a vulnerability (CVSS score 9.3) which could allow an unauthenticated remote attacker to cause a reload of the affected system or to remotely execute code. An attacker could exploit this vulnerability by sending a crafted NetBIOS packet in response to a NetBIOS probe sent by the ASA software.

Cisco has released software updates that address this vulnerability. A workaround is to deactivate NetBIOS probing.

Multiple Vulnerabilities in Siemens SIPROTEC 4 and SIPROTEC Compact

Title Multiple Vulnerabilities in Siemens SIPROTEC 4 and SIPROTEC Compact
Date 6th September 2016
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2016-7112, CVE-2016-7113, CVE-2016-7114
Description

The latest firmware update for SIPROTEC 4 and SIPROTEC Compact fixes multiple vulnerabilities, which are classified with CVSS scores from 7.8 to 10 according to cvedetails.com. The vulnerabilities exist within the EN100 Ethernet module.

The vulnerabilities CVE-2016-7112 and CVE-2016-7114 allow remote attackers to bypass authentication and obtain administrative privileges.

CVE-2016-7113 allows remote attackers to cause a denial of service via HTTP.

An update to the latest firmware is necessary. As a general security measure, Siemens recommends running devices in protected IT environments.


> Siemens

Multiple Vulnerabilities in Meinberg NTP-Server

Title Multiple Vulnerabilities in Meinberg NTP-Server
Date 10th August 2016
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2016-3962, CVE-2016-3988, CVE-2016-3989

Description The following products (versions before 6.20.004) have multiple critical security vulnerabilities:
  • IMS-LANTIME M3000
  • IMS-LANTIME M1000
  • IMS-LANTIME M500
  • LANTIME M900
  • LANTIME M600
  • LANTIME M400
  • LANTIME M300
  • LANTIME M200
  • LANTIME M100
  • SyncFire 1100
  • LCES

CVE-2016-3962 and CVE-2016-3988 are buffer overflow vulnerabilities in the time-server interface that enable remote attackers to cause a denial of service and allow the capture of sensitive information or the manipulation of data.

CVE-2016-3989 is a privilege escalation, where attackers can use the "nobody" user to obtain root privileges.

The vulnerabilities have criticality scores of 7.3 and 8.1 respectively.

Meinberg has already released a fixed firmware (version 6.20.004).


> ICS-CERT

Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability

Title Cisco ASA Software IKEv1 and IKEv2 Buffer Overflow Vulnerability
Date 11th October 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2016-1287
Description

A vulnerability in the Internet Key Exchange (IKE) version 1 (v1) and IKE version 2 (v2) code of Cisco ASA Software could allow an unauthenticated remote attacker to cause a reload of the affected system or to execute code.

The vulnerability is due to a buffer overflow in the affected code area. An attacker could exploit this vulnerability by sending crafted UDP packets to the affected system. This could allow the attacker to execute arbitrary code and obtain full control of the system or to cause a reload of the affected system.

Cisco has released software updates that address the vulnerability.

> Cisco

3S CODESYS Runtime Toolkit Null Pointer Dereference Vulnerability

Title 3S CODESYS Runtime Toolkit Null Pointer Dereference Vulnerability
Date 15th October 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2015-6482
Description

Tenable Network Security detected a NULL pointer dereference vulnerability in the CODESYS Runtime Toolkit of 3S-Smart Software Solutions GmbH.

This vulnerability allows an attacker to trigger a denial of service by crashing the Runtime Toolkit. All CODESYS Runtime Toolkit versions < 2.4.7.48 are affected.

VxWorks Fuzzing

Title VxWorks Fuzzing
Date 14th September 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code Not yet classified
Description

A vulnerability in the widely used real-time embedded operating system VxWorks (versions 5.5 up to and including 6.9.4.1) from Wind River can be identified by fuzzing.

By using this vulnerability, it is possible to provoke a buffer overflow via the network and then execute arbitrary code. Furthermore, the FTP server of the system could be crashed through a specific username and password (demonstrated at the security conference 44CON).

The latest generation, VxWorks version 7, is not affected.

#OprahSSL

Title #OprahSSL
Date 6th July 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2015-1793
Description Security gap in OpenSSL – certificate verification bug:
Under certain circumstances, OpenSSL does not correctly verify the CA flag (certificate authority) of a certificate. The CA mechanism, which validates endpoint services, can be bypassed by this certificate verification bug. This allows an attacker to act as an intermediate CA and sign their own certificates for other websites.

The error occurs in the latest OpenSSL versions (first half of 2015): 1.0.2c, 1.0.2b, 1.0.1n and 1.0.1o.

LogJam

Title LogJam
Date 9th June 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2015-4000
Description

“LogJam” is a security gap in the Diffie-Hellman key exchange used for encrypted connections of web, mail, SSH and VPN servers. Due to a weakness in the TLS protocol (Transport Layer Security), the key size can be reduced to insecure 512 bits by a man-in-the-middle attack.

This allows HTTPS connections to be downgraded to the insecure export mode and compromised. Generally, the 512-bit key size is no longer used, but some servers still support it for compatibility reasons.

Corrective actions: Set the Diffie-Hellman group for IPsec to at least DH group 5 (1,536 bits).

Ghost

Title Ghost
Date 10th February 2015
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2015-0235
Description

“GHOST” is a security gap in the gethostbyname() function of the standard C library (glibc). Under certain circumstances, malicious code can be executed via crafted DNS responses.

The gap was introduced with glibc 2.2 (11/2000) and has been fixed in version 2.18 (01/2013).

Schannel (Microsoft® Secure Channel)

Title Schannel (Microsoft® Secure Channel)
Date 17th November 2014
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

3rd-Party: Microsoft® Windows® Server 2003 SP2, Windows® Vista SP2, Windows® Server 2008 SP2 and R2 SP1, Windows® 7 SP1, Windows® 8, Windows® 8.1, Windows® Server 2012 Gold and R2, and Windows® RT Gold and 8.1

CVE Code CVE-2014-6321
Description

The crypto component "Microsoft® Secure Channel" is also responsible for encrypted Internet connections. Microsoft® classified this security gap as critical (MS14-066). Through the Schannel security gap, attackers can inject manipulated data packets via prepared websites and take control of the computer.

Corrective actions
  • Update Windows® operating system
  • Only run computers with Windows® operating systems in isolated networks

Poodle

Title Poodle
Date 23rd October 2014
Relevance

SPRECON-E-C/-E-P/-E-T3: Webserver

SPRECON-V460: not affected

3rd-Party: IP camera access via browser (Chrome, Firefox, Internet Explorer,...)

CVE Code CVE-2014-3566
Description

If server and client of a TLS connection also support the previous versions of the protocol (e.g. for compatibility reasons), attackers may force a downgrade to the older and vulnerable SSLv3 by a MitM (man in the middle) attack. It is then possible to disclose the session cookie and take over the connection.

SSLv3 support (which was necessary for compatibility reasons) will be discontinued with the next version of the SPRECON webserver.

Corrective actions
  • Deactivate your webserver (should be standard if not used)
  • Deactivate SSLv3 in your web browser

SandWorm

Title SandWorm
Date 17th October 2014
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

3rd-Party: Microsoft® applications, e.g. MS Office, all Windows® versions since Vista

CVE Code CVE-2014-4114
Description

SandWorm affects all Windows® operating systems since Windows® Vista. The security gap had existed for six years and was discovered by the security company iSight in early September 2014.

Through an infected PowerPoint file, a target computer can be compromised in order to install malware and spyware.

On Tuesday, 14th October 2014, Microsoft® released a security update (KB300061) against this gap.

Bash-security gap: ShellShock

Title ShellShock 
Date 29th September 2014
Relevance

SPRECON-E-C/-E-P/-E-T3: not affected

SPRECON-V460: not affected

CVE Code CVE-2014-6271, CVE-2014-7169
Description

Bash, the command-line shell of OS X and Linux, contains a significant security gap. Function definitions, and therefore malicious code, can be executed through environment variables.

Through media reports, “ShellShock” has already gone public, and experts compare it with the “Heartbleed” bug. After all, the security gap was classified by the CVE database of NIST with 10 points (“maximum riskiness”). According to GitHub, malware attacks have already occurred.

Overview

IT Security

The challenges of designing future power grids are defined by the integration of all participating producers, consumers and prosumers. The growing density together with the growing number of grid participants enlarges the attack surface of energy networks.

Therefore, approved technological solutions are required that meet the demands of modern information and communication technologies – especially regarding data management and data security.

Security standards

With SPRECON, Sprecher Automation introduces a modular automation platform for power transmission and distribution, which is particularly developed for critical infrastructures such as energy, information & communication technologies, transportation & traffic as well as water supply.

SPRECON systems, as well as all relevant business processes of Sprecher Automation, are prepared to meet the specific future regulations.

SPRECON systems are in accordance with the IT security catalogue (§ 11 Abs. 1a EnWG) of the German Federal Network Agency (Bundesnetzagentur), the BDEW Security Whitepaper as well as the international standards of the ISO/IEC 27000 series (e.g. ISMS), IEC 62351 and IEC 62443.

Security functions

SPRECON devices provide comprehensive functions for the secure operation of energy stations:

  • Secure communication of process data by VPN tunneling with OpenVPN or IPsec
  • Integrated firewall
  • Authentication at the end-point as well as password encryption
  • Connection to RADIUS/LDAP (Directory Services) as well as local administration for Out-of-Band (OOB) network access
  • Secure access for commissioning and service through Role-Based Access Control (RBAC) in the Service Program and Webserver
  • System hardening by deactivation of non-required services, ports or webserver as well as through secured connection by Transport Layer Security (TLS)
  • Network monitoring (security logging) via Syslog and SNMPv3
  • Network segmentation with VPN, VLAN, firewall as well as independent physical interfaces
  • Protection against malware through the SPRECON firmware as well as application whitelisting

SPRECON devices support VPN tunnelling for all IP-based services and protocols. The system provides consistent security and encryption by the CPU.

Together with the integrated modem or any other existing network, SPRECON supports secure IP connections. The high-performance CPUs feature VPN tunnel setup and data encryption either by multi-channel IPsec or OpenVPN. Both technologies are supported, which allows deployment under different conditions such as specific platforms, network components or cryptographic requirements.

VPN connections, as usual for various projects, can be used for telecontrol or for communication with SCADA systems and may also be applied to secure communication between SPRECON devices. Full hardening is achieved through encryption of network services such as NTP.

Additionally, SPRECON features a firewall which is directly integrated into the firmware and therefore into the devices. This minimises the number of additional devices. The combination with external firewalls increases security in accordance with the defense-in-depth principle.

Furthermore, the system allows firewall extensions at application level (application firewall) in order to monitor communication via domain-specific protocols such as IEC 60870-5-104 or to block telegrams of unauthorised devices before they can compromise the system.
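As an added example of what the application-level filtering described here, and the IEC 104 monitoring that the CRASHOVERRIDE countermeasures above call for, look like in practice (example code, not SPRECON's): a minimal IEC 60870-5-104 APDU parser plus an allowlist rule that drops process commands from peers not registered as control masters and emits a syslog-style line for each verdict. The peer addresses, frames and policy are constructed.

```go
package main

import (
	"errors"
	"fmt"
)

// Frame kinds of an IEC 60870-5-104 APDU, decided by the two low bits of control field 1.
const (
	IFrame = "I" // numbered information transfer, carries an ASDU
	SFrame = "S" // numbered supervisory, acknowledgement only
	UFrame = "U" // unnumbered control: STARTDT, STOPDT, TESTFR
)

// APDU is the decoded outer frame; the ASDU fields are only set for I-frames.
type APDU struct {
	Kind       string
	TypeID     byte   // ASDU type identification, e.g. 45 = C_SC_NA_1 (single command)
	CauseOfTx  byte   // cause of transmission, e.g. 6 = activation
	CommonAddr uint16 // common address of ASDU (station address)
}

// ParseAPDU decodes one APDU and rejects frames with a bad start byte or length.
func ParseAPDU(b []byte) (APDU, error) {
	if len(b) < 6 || b[0] != 0x68 {
		return APDU{}, errors.New("not an IEC 104 APDU")
	}
	if int(b[1]) != len(b)-2 { // the length octet counts everything after itself
		return APDU{}, errors.New("APDU length mismatch")
	}
	switch cf1 := b[2]; {
	case cf1&0x01 == 0:
		if len(b) < 12 { // 6 octets APCI + 6 octets ASDU header (IEC 104 field sizes)
			return APDU{}, errors.New("I-frame without complete ASDU header")
		}
		return APDU{Kind: IFrame, TypeID: b[6], CauseOfTx: b[8] & 0x3f,
			CommonAddr: uint16(b[10]) | uint16(b[11])<<8}, nil
	case cf1&0x03 == 0x01:
		return APDU{Kind: SFrame}, nil
	default:
		return APDU{Kind: UFrame}, nil
	}
}

// isControlCommand reports whether a type ID is a process command in control
// direction: 45..51 (C_SC_NA_1 .. C_BO_NA_1) or 58..64 (their time-tagged variants).
func isControlCommand(t byte) bool {
	return (t >= 45 && t <= 51) || (t >= 58 && t <= 64)
}

// Policy is a minimal application-level rule: only listed peers may issue commands.
type Policy struct {
	ControlMasters map[string]bool // peer IP -> may send control commands
}

// Filter applies the policy to one frame received from peer and returns the
// verdict together with a syslog-style line describing it.
func (p Policy) Filter(peer string, raw []byte) (allow bool, logLine string) {
	apdu, err := ParseAPDU(raw)
	if err != nil {
		return false, fmt.Sprintf("DROP peer=%s reason=%q", peer, err)
	}
	if apdu.Kind == IFrame && isControlCommand(apdu.TypeID) && !p.ControlMasters[peer] {
		return false, fmt.Sprintf("DROP peer=%s type=%d ca=%d reason=unauthorised-command", peer, apdu.TypeID, apdu.CommonAddr)
	}
	return true, fmt.Sprintf("PASS peer=%s kind=%s type=%d", peer, apdu.Kind, apdu.TypeID)
}

func main() {
	p := Policy{ControlMasters: map[string]bool{"192.0.2.10": true}}
	// Constructed C_SC_NA_1 command frame (COT=6, CA=1, IOA=1, SCO=on), not captured traffic.
	_, line := p.Filter("192.0.2.99", []byte{0x68, 0x0e, 0, 0, 0, 0, 45, 1, 6, 0, 1, 0, 1, 0, 0, 1})
	fmt.Println(line) // an unlisted peer sending a command is dropped
}
```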

SPRECON systems also support the Syslog protocol, which allows system messages to be transferred via the network in order to analyse them preventively according to the applicable regulations.

Management of IT Security

For Sprecher Automation, IT security is a continuous corporate process, maintained by dedicated security administrators.

Security directives as well as coding directives for development and system design are produced according to clear guidelines. Also, vulnerability management and analysis tools are applied that scan source code and applications against vulnerability databases in order to identify potential weaknesses.

The complete source code is in the permanent possession of Sprecher Automation. System hardening and secure system configuration are achieved by professional and approved routines.

With the experience gained from various reference installations meeting manifold security requirements, including projects with well-known research institutes, as well as through regular staff training, Sprecher Automation demonstrates its competence in this indispensable technology.

Both manufacturing and final testing of the systems are conducted at Sprecher's headquarters in Linz, Austria.

Additionally, Sprecher Automation supports its customers with implementations of Information Security Management Systems (ISMS).

For roll-outs of security-relevant updates, Sprecher Automation drives patch management processes. Furthermore, security problems are communicated via release notes.

Information on current security issues is continually announced at www.sprecher-automation.com under "IT Security".

Guidelines & Recommendations

IT security relevant guidelines and recommendations:
