

security inspection report on networked production systems (power industry)

Posted by melchionda at 2020-03-08

1.1 industry background

In recent years, industrial network security incidents have occurred frequently. In most of them the attackers exploited vulnerabilities to penetrate from the Internet into the industrial intranet and then carried out attacks and sabotage. Common components or systems in industrial control systems include IO modules and sensors, industrial communication equipment, PLC/RTU devices, SCADA and other production monitoring systems, real-time/historical databases, and production information management systems; these components and systems are often exposed on the Internet.

Overall, domestic electric power enterprises have largely completed the initial phase of informatization and have built information systems including SCADA, GIS, OA, ERP and EAM. To ensure the efficient and secure operation of the power business, information integration and management and control will become the theme of power enterprises' next phase of information work, that is, a gradual shift from an emphasis on construction to an emphasis on management and control. Network security is the main component of information management and control, and it has become the biggest practical problem enterprises face.

For the power industry, it is necessary to study the networked part of the power system, its security and its possible attack points, and to take the necessary security measures to cope with all kinds of attacks. This work implements General Secretary Xi Jinping's important instructions on "accelerating the construction of a security system for critical information infrastructure" and "comprehensively strengthening network security inspection, taking stock of assets, identifying risks, finding vulnerabilities, reporting results and supervising rectification". Since the second half of 2016, we have carried out security inspections of networked production monitoring systems (such as SCADA) and production management systems in industries such as the power industry (hereinafter referred to as "production systems").

1.2 inspection object

The data sources for the web systems (websites) selected for this security inspection are mainly the "broad-spectrum detection system" and the "website detection system" (fofa) established by the National Internet Emergency Center.

According to our research, web systems in industrial enterprises fall into three types: production monitoring systems, production management systems and enterprise portal systems. Because we focus on web systems whose compromise could interfere with or damage the production and operation of enterprises, we filtered the data, removed the portal systems, and kept only the production monitoring and production management systems.

Our data filtering process is as follows:

1. Preliminary screening: search the title and body fields for keywords such as distribution, transformation, transmission, power generation, demand side, grid, electric field, power plant, wind power and energy, and select the websites that contain them.

2. Precise screening: some of the items that pass preliminary screening are unrelated to production systems, such as official homepages, sales websites and email systems. A further manual review is therefore needed, checking each website's description one by one and testing whether it is still alive, to finally obtain an accurate list of production system websites in the power industry.

After the above screening process, 200 production web systems (websites) related to the power industry were finally obtained; these are the targets of this security inspection.

The 200 target systems selected nationwide comprise 127 production management systems and 73 production monitoring systems. Among them:

Production management includes production management, project management, customer information management, payment and repair management, office automation (OA) and other systems;

Production monitoring includes fault location, wind power and photovoltaic generation monitoring, power plant SIS, patrol monitoring and other systems.

Figure 1. Proportion of the two types of networked production systems (power industry)

We compiled statistics on the provinces in which the IP addresses are located and found that these systems are distributed across 31 provinces, municipalities or autonomous regions. The top 15 are shown in the figure below. Beijing, the Yangtze River Delta, the Pearl River Delta and other economically developed provinces (which are also large power-consuming provinces) have a higher degree of informatization in their power industry (more production websites).

Figure 2. Top 15 provinces by number of networked production systems (power industry)

Figure 3. Top 10 provinces by number of networked production systems (power industry)

3.1 systems with security vulnerabilities

Through a preliminary security inspection of these systems, 21 were found to have security vulnerabilities of various types; that is, more than 10% have obvious security problems. Specifically, 16 are production monitoring systems and 5 are production management systems.

Statistics by province are shown in the following figure.

Figure 4. Distribution of systems with security vulnerabilities by province

The statistics show that the provinces with more networked production systems are also the provinces with more security problems (more systems with vulnerabilities). It is worth noting that one of the systems, the "visual disaster prevention online monitoring system for overhead high-voltage transmission lines", is located abroad (in the Philippines) according to IP geolocation. Although its owner cannot be confirmed, judging from its function the system is important and its data sensitive; besides its security problems, it also presents the hidden danger of key data being stored overseas.

3.2 statistical analysis of security vulnerabilities

During this security inspection, 35 security vulnerabilities were found, including 24 high-risk vulnerabilities (68.6%). We performed a simple classification and statistical analysis of these vulnerabilities, grouping them into four main categories: weak password vulnerabilities, SQL injection vulnerabilities, code execution vulnerabilities and logic vulnerabilities. Weak passwords, SQL injection and code execution, marked in red in the figure, are high-risk vulnerabilities that attackers can use to gain control of the system or even the server. Logic vulnerabilities are more varied: they include not only path traversal vulnerabilities caused by incomplete input parsing, but also flaws in authentication mechanisms, deficiencies in access control and weaknesses in protection mechanisms, all of which relate to how the website is implemented. Because they are so mixed, it is hard to classify them clearly and specifically, so they are grouped together under the logic vulnerability category.

The number of each type of vulnerability is shown in the figure below.

Figure 5. Number of each type of security vulnerability

The figure shows 24 high-risk vulnerabilities marked in red and 11 other vulnerabilities, which reflects the serious security situation of some production systems in the power industry. Among the subdivided types, weak password vulnerabilities and logic vulnerabilities are the most numerous, which reflects the weak security awareness of system developers and of operation and maintenance personnel in this field.

3.3 main vulnerabilities and case analysis

3.3.1 weak password vulnerability

Weak password vulnerabilities, the first type discussed here, are not uncommon in industrial control systems. The lack of network security awareness among the operation and maintenance personnel of industrial control enterprises has become the biggest cause of the frequent security problems in industrial control networks. Their daily operation and maintenance work exposes many basic errors, such as large numbers of weak passwords. According to our findings, common weak password combinations include admin/000000, admin/Admin, test/123456, test/test, test1/test1 and admin/12345. An attacker can enter the production system directly with a weak password, leading to the theft of large amounts of production and user data, manipulation of the production system, and disruption or destruction of production activities.

The following is a typical example found in the security inspection: the wind turbine information management system of an energy company in Shaanxi Province.

The system is responsible for information management of the wind power generation system, including wind farm monitoring, wind turbine monitoring, report generation and other functions. Port 8000 of the server exposes the Tomcat management service, which has a weak password vulnerability; through it a backdoor can be implanted directly and the whole server taken over. The Dunan wind farm monitoring and management system, also exposed on port 8000, likewise has a weak password vulnerability, through which the IP addresses and other information of wind turbines on the internal network are leaked.

Figure 6. Wind turbine information management system of an energy company

3.3.2 SQL injection vulnerability

SQL injection is the most common web vulnerability and is usually caused by programmers failing to filter input parameters. It is a high-risk vulnerability whose consequences usually include leakage of sensitive information, privilege escalation, arbitrary file operations and arbitrary command execution.

The following is a typical example found in the security inspection: the inspection system of a power plant in Hebei Province.

The login interface of the system has a SQL injection vulnerability that allows remote attackers to bypass the password check, log in to the system and obtain sensitive data such as production information.

Figure 7. Inspection system of a power plant in Hebei Province
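As an added illustration (not code from the report or from the inspected system), the login pattern described above beside its parameterized fix: an in-memory SQLite user table with an assumed schema and credentials, a login check that splices the username into the SQL text, and the corrected version that binds parameters and compares hashes in constant time.

```python
import hashlib
import hmac
import sqlite3


def sha256(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_db() -> sqlite3.Connection:
    # Constructed sample data: one operator account standing in for the
    # inspection system's login table (schema and credentials are assumptions).
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT)")
    conn.execute("INSERT INTO users VALUES (?, ?)",
                 ("operator", sha256("Patrol-2020!")))
    conn.commit()
    return conn


def login_vulnerable(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Defect: the user-supplied username becomes part of the SQL text, so a
    # quote inside it ends the string literal and the remainder is parsed as SQL.
    query = ("SELECT username FROM users WHERE username = '%s' "
             "AND pw_hash = '%s'" % (username, sha256(password)))
    return conn.execute(query).fetchone() is not None


def login_fixed(conn: sqlite3.Connection, username: str, password: str) -> bool:
    # Parameter binding passes the username as data, never as SQL syntax;
    # the password hash is compared in constant time to avoid timing leaks.
    row = conn.execute("SELECT pw_hash FROM users WHERE username = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    return hmac.compare_digest(row[0], sha256(password))


# The textbook quote-and-comment input: in the vulnerable query it makes the
# WHERE clause always true and comments out the password comparison.
BYPASS_USERNAME = "' OR 1=1 --"


def demo() -> dict:
    conn = build_db()
    return {
        "vuln_good_creds": login_vulnerable(conn, "operator", "Patrol-2020!"),
        "vuln_bypass": login_vulnerable(conn, BYPASS_USERNAME, "anything"),
        "fixed_good_creds": login_fixed(conn, "operator", "Patrol-2020!"),
        "fixed_bypass": login_fixed(conn, BYPASS_USERNAME, "anything"),
    }


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {'LOGIN OK' if ok else 'denied'}")
```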

3.3.3 code execution vulnerability

The code execution vulnerabilities we found include the HTTP.sys remote code execution vulnerability (CVE-2015-1635) on the server, command execution vulnerabilities in the database, and Struts 2 vulnerabilities in the website (S2-016, S2-032, S2-045, etc.). Struts 2 vulnerabilities in particular have emerged in an endless stream in recent years and require special attention. A code execution vulnerability allows an attacker to execute arbitrary commands on the target system and is therefore high risk.

Here are two typical examples found in the security inspection: the SIS system of a power generation company in Shaanxi Province, and the management information system of a thermal power plant in Zhejiang Province.

The SIS system covers production process management, data query, report query, performance calculation and data operation and maintenance, of which production process management and data query are the core. The system has the Struts 2 S2-019 remote code execution vulnerability, through which a remote attacker can directly control the server, obtain large amounts of sensitive information, and then move across the intranet, forge sensor data, interfere with the operation of industrial control equipment and disrupt production activities.

Figure 8. SIS system of a power generation company in Shaanxi Province

Figure 9. Parameters of production equipment can be controlled directly after entering the intranet

In the case of the management information system of a thermal power plant in Jiaxing, Zhejiang Province, an attacker can use the vulnerability to take control of the management information system and then attack and penetrate the internal network. In the most serious scenario the power plant is shut down, resulting in a regional power outage.

The attack method is as follows: a user named hacker with password 123456 is added by executing a command through the path traversal URL (http://xx.xx.xx.xx:8080/../../../../Windows/system32/cmd.exe?/c+net+user+hacker+123456+/add). Because the server also exposes port 3389, if the attacker adds the new administrator account to the remote user group, he can log in to the server directly through Windows Remote Desktop and obtain full control.

Figure 10. Screenshot of the power plant management information system
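As an added defensive example (not from the report), a small access-log scanner that looks for the traversal-to-cmd.exe request pattern described above, including URL-encoded and double-encoded variants; the log lines, IP addresses and paths are constructed for this example.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Apache combined style) standing in for the
# plant system's web server log; IPs, timestamps and paths are invented.
SAMPLE_LOG = """\
10.0.0.5 - - [08/Mar/2020:10:01:02 +0800] "GET /mis/index.jsp HTTP/1.1" 200 5120
10.0.0.9 - - [08/Mar/2020:10:01:07 +0800] "GET /..%2f..%2f..%2f..%2fWindows/system32/cmd.exe?/c+net+user+hacker+123456+/add HTTP/1.1" 200 312
10.0.0.9 - - [08/Mar/2020:10:01:09 +0800] "GET /../../../../Windows/system32/cmd.exe?/c+net+localgroup+Remote%20Desktop%20Users+hacker+/add HTTP/1.1" 200 298
10.0.0.7 - - [08/Mar/2020:10:02:11 +0800] "GET /report/download?file=..%252f..%252fweb.config HTTP/1.1" 403 0
10.0.0.5 - - [08/Mar/2020:10:03:00 +0800] "POST /mis/login.do HTTP/1.1" 302 0
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<url>\S+) \S+" (?P<status>\d{3})')


def normalize(url: str) -> str:
    # Decode twice to unmask %252e-style double encoding, treat '+' as the
    # space it stands for in a query string, and unify path separators.
    decoded = unquote(unquote(url)).replace("+", " ")
    return decoded.replace("\\", "/").lower()


def classify(url: str) -> list:
    """Return the reasons a request looks like the traversal-to-cmd.exe
    chain, from generic traversal up to the account-creation command."""
    u = normalize(url)
    reasons = []
    if "../" in u:
        reasons.append("path-traversal")
    if "/system32/cmd.exe" in u:
        reasons.append("cmd.exe-reached")
    if re.search(r"\bnet user \S+ \S+ /add\b", u):
        reasons.append("account-creation")
    if re.search(r"\bnet localgroup .+ /add\b", u):
        reasons.append("group-membership-change")
    return reasons


def scan(log_text: str) -> list:
    """Parse each line and keep flagged requests with their status code, so a
    200 on a cmd.exe request stands out from a traversal attempt blocked with 403."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = classify(m["url"])
        if reasons:
            hits.append({"ip": m["ip"], "status": int(m["status"]),
                         "url": m["url"], "reasons": reasons})
    return hits


if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["ip"], hit["status"], ", ".join(hit["reasons"]))
```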

3.3.4 logic vulnerability

Logic vulnerabilities come in many kinds, including missing or bypassable verification codes, login bypass and unreasonable verification logic. The problems found in the production systems during this security inspection are mainly concentrated in the login authentication part.

During the inspection, three main problems were found:

1) The login interface has no verification code mechanism and can be brute-forced;

2) The user name and password are transmitted unencrypted;

3) The verification code mechanism of the login interface can be easily bypassed.

The following is a typical example found in the security inspection: the online monitoring system for transmission and distribution line faults of a power supply company in Sichuan Province.

The system has unauthorized access, login bypass and information disclosure vulnerabilities, which remote attackers can use to control the server, obtain sensitive information and disrupt production activities.

Figure 11. Line information can be accessed directly

Figure 12. User names and passwords stored in clear text

Through this security inspection we found that production systems in the power industry not only have common security vulnerabilities but also face security risks such as data leakage and supply chain security, which we analyze below in combination with specific cases.

4.1 common security vulnerabilities

Looking back at previous security incidents, vulnerabilities play an important role throughout an attack on an industrial control system. In the attack on Ukraine's power dispatching system in December 2015, the attackers first used the Office "Sandworm" vulnerability to carry out a watering hole attack and intrude into the Ukrainian power company, then used a remote code execution vulnerability in the industrial control system's HMI to take control of the upper computer (supervisory host). The attackers then remotely launched BlackEnergy's KillDisk component to destroy the hosts' disks, which eventually left hundreds of thousands of households in Ivano-Frankivsk Oblast without electricity. In both stages the attacker moved from the external network into the internal network, and the upper computer was taken over from inside the internal network.

The weak password, SQL injection and code execution vulnerabilities found in this inspection enable attackers to control the servers hosting these production systems and complete the key step of penetrating from the external network to the internal network. After that, the attacker can carry out a fuller penetration of the intranet in order to cause greater damage.

Moreover, many production monitoring systems found in the inspection can not only read production data but also issue control instructions or modify equipment parameters remotely; abuse of these functions directly interferes with or damages the normal operation of the power system and threatens the power supply of many cities.

As in the case in 3.3.3, an attacker can first attack the power plant's SIS system using the website vulnerability. After gaining control of the server, the attacker can penetrate the intranet, gain control of the database server, directly modify the operating parameters of the equipment and disrupt the normal operation of the power plant.

Figure 13. Database entries for turbine speed

4.2 potential data leakage

Most industrial control production systems store sensitive data such as production data and user data. Because of the security vulnerabilities in these systems, large amounts of sensitive information are at risk of disclosure. In the examples above, production data such as patrol lines and personnel of the power plant in 3.3.2 are at risk of leakage, as are the operators and production information of the power supply company in Sichuan Province in 3.3.3. Attackers can use such data for fraud, blackmail, sabotage and other attacks. Some typical cases follow.

Case 1: a power demand-side management platform in Foshan City, Guangdong Province

Large numbers of electricity project documents for residential, manufacturing, metallurgical and government users can be viewed and downloaded, which seriously threatens the city's power security. Should hostile foreign forces obtain them, the consequences would be unimaginable.

Figure 14. Some data files of a power demand-side management platform in Foshan City, Guangdong Province

Case 2: production management information system of a power plant in Sichuan Province

Some back-end pages of the production management system have no permission restrictions and can be accessed directly, exposing information.

Figure 15. Internal documents and employee information stored in the production management information system of a power plant in Sichuan Province

4.3 overseas storage of sensitive data

As mentioned earlier, this security inspection found that the IP address of the visual disaster prevention online monitoring system for an overhead high-voltage transmission line, which is responsible for monitoring and alarm functions on that line, belongs to the Philippines. Although the unit that operates the system cannot be verified, if it does belong to a unit in China then sensitive data of critical infrastructure is being stored on an overseas server, with a potential risk of data leakage that deserves sufficient attention from the regulatory authorities.

Figure 16. Login interface of the visual disaster prevention online monitoring system for an overhead high-voltage transmission line

As this is our first attempt at a security inspection of a specific industry, we were short of time, manpower and experience, and this inspection still has many shortcomings. First, the data provided by the detection systems is incomplete and our screening strategy is relatively coarse, so a large number of systems may have been missed and never checked; we will improve this in our next inspection. Second, because of the size and capability of the inspection team, our results are not complete: the target systems in which no problems were found can only be said to be relatively secure. They should continue to carry out security self-examination and security inspections and keep finding and fixing problems, so as to fundamentally improve their protection level and security.

Through this security inspection, we believe it is both necessary and feasible to carry out security inspections of the networked systems of every critical infrastructure sector. We therefore suggest that:

1. National competent departments, such as the Office of the Central Cyberspace Affairs Commission, the Ministry of Industry and Information Technology and the competent departments of each industry, should pay sufficient attention to the network security of networked systems in critical infrastructure industries, and carry out security inspection as a routine task and means.

2. The operating units of critical infrastructure shall be responsible for the network security of the operational systems in their charge. They need to invest in security operation and maintenance and begin to establish a security team and a network security emergency response plan. For networked production web systems, regular security self-inspection shall be carried out, including vulnerability scanning, malicious code detection and manual penetration testing.