Monday, April 27, 2009

There are no isolated networks anymore

Highly specialized networks, such as those that control power grids, or esoteric equipment, such as MRI scanners, are not typically considered at risk from Internet attacks. Yet the recent Conficker worm was able to infect exactly these things. It is important to understand that just because hardware seems specialized and distant, it can still be connected to a TCP/IP network. Even if the equipment doesn't offer a convenient web-addressable interface to hack, it can still speak a protocol and perform I/O.

Almost all modern specialized equipment has embedded TCP/IP capabilities and the associated Ethernet jack. Web and TCP/IP based technology is a good choice for machine interfacing and configuration: browsers eliminate the need for specialized client software, and non-specialized programmers can write code that works with an HTTP or HTTPS interface to provide remote configuration capability, which means lower software development costs.

Specialized equipment often contains a remote data terminal (RDT), which is essentially an embedded board running a mini-OS, likely based on a Linux variant or even something like VxWorks. Newly emerging technology like System on a Chip (SoC) is both inexpensive and easy to interface with. Even when an RDT-type function is not available, these devices may stream large volumes of data outbound over TCP/IP, with the port intended for use in a specialized LAN configuration for image capture or other functions (think of medical equipment like MRI scanners or X-ray machines interfacing with the PACS network).

The overall point is that these machines are connected to a network that talks TCP/IP, and by the very nature of TCP/IP, it's easy to make connections that are unintended. So even though the MRI scanner is not supposed to be connected to the Internet, the imaging workstation needs to talk to the database in Radiology, which is connected to the Hospital Information System (HIS), which is connected to the Internet. You now have an MRI scanner attached to machines that can browse the Internet. This is how Conficker got into heart monitors running old, unpatched Windows 2000 systems.

Even old equipment falls prey to these unintended exploit paths. Especially for older SCADA equipment, there are tons of devices that bridge good old serial ports onto Ethernet and TCP/IP pathways. To lower costs, SCADA networks have been retrofitted with remote access that is routable over Ethernet and TCP/IP. The protocols are old and weird, but anyone who does their research can attack them. Even when not directly connected to the Internet (and yes, sometimes they are), devices like power relays are just a few hops away from the Internet-facing gateway. These devices really do control power for small northeastern towns in the dead of winter.


A large amount of the risk here is simply that specialized networks are connected to the Internet via unintended means. These unintended connections between the so-called “protected” networks, and the totally unpatched open equipment is something like a void. It’s not well audited. In some cases, the IT staff may even be discouraged from auditing. In one factory a few years back, the IT staff were forbidden from even running port scans to inventory the network. Apparently doing so once crashed a SCADA controlled machine on the factory floor, so management had forbidden the practice hence. To make things worse, it's incredibly easy to bridge networks without thinking about the security implications. An end user can co-fuse two networks just by plugging in a cable incorrectly. A network admin may not have an extra switch so they use the existing one out of convenience. There are countless scenarios where it's easier to think of specialized systems as non-internet devices, thus not a problem for security.
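As an added illustration that is not part of the original post, the following Python script models the hospital chain described above (Internet to HIS to Radiology database to imaging workstation to MRI scanner) using constructed, hypothetical node names, computes the shortest path from the Internet-facing gateway to each critical device, and then shows how one mis-plugged cable pulls a previously unreachable heart monitor into reach. It is the kind of reachability audit you can do from a network diagram without sending a single packet at fragile equipment.

```python
from collections import deque

# Constructed topology mirroring the post's hospital chain; all names are hypothetical.
# Each pair is a bidirectional link between two network segments or hosts.
LINKS = [
    ("internet", "his"),                 # Hospital Information System is Internet-facing
    ("his", "radiology-db"),
    ("radiology-db", "imaging-ws"),
    ("imaging-ws", "mri-scanner"),       # the "isolated" scanner, four hops out
    ("cardiology-ws", "heart-monitor"),  # separate LAN, no route to the Internet yet
]
CRITICAL = ["mri-scanner", "heart-monitor"]

def build_graph(links):
    """Adjacency sets; every link is added in both directions."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph

def hops_from(graph, source):
    """BFS from source; returns a predecessor map over every reachable node."""
    prev = {source: None}
    queue = deque([source])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):   # sorted for deterministic paths
            if nxt not in prev:
                prev[nxt] = node
                queue.append(nxt)
    return prev

def path_to(prev, target):
    """Shortest path source..target, or [] when target is truly unreachable."""
    if target not in prev:
        return []
    path = []
    while target is not None:
        path.append(target)
        target = prev[target]
    return path[::-1]

def exposure_report(links, critical, source="internet"):
    """Map each critical device to its shortest path from the Internet gateway."""
    prev = hops_from(build_graph(links), source)
    return {device: path_to(prev, device) for device in critical}

if __name__ == "__main__":
    # One mis-plugged cable joins the cardiology LAN to the imaging workstation.
    bridged = LINKS + [("imaging-ws", "cardiology-ws")]
    for label, links in (("before", LINKS), ("after bridge", bridged)):
        print(label, exposure_report(links, CRITICAL))
```

The number of hops is one less than the path length; a device whose path is empty is the only kind that is genuinely "not on the Internet".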

When dealing with network security, you should always think of every networked device as containing an operating system. It would not harm your security to think of them as embedded Windows operating systems vulnerable to worms like Conficker. You should never think of them as non-Internet devices.