Widely used WirelessHART industrial control products are wide open to exploitation, an industrial security consultancy has warned.
Applied Risk, an industrial control systems (ICS) security specialist, has discovered several weaknesses in various WirelessHART products.
The vulnerabilities create the potential for hackers of various shades (nation states, insiders and hacktivists) to manipulate field instruments and jeopardise the integrity of process data.
Attackers could also mask the attack itself, leaving plant operators none the wiser that their systems had gone awry.
WirelessHART is a wireless sensor networking technology for industrial plants, based on the Highway Addressable Remote Transducer (HART) protocol. The technology, versions of which are sold by various vendors, is used for monitoring and control across multiple industries, including the measurement of temperature, flow, pressure and humidity among other variables. One class of attack, manipulation of the operator's view of the process or of control itself, would pass undetected in the absence of active monitoring at this level.
The threat originates from Level 1 field devices, such as sensors and valves, which are responsible for sensing and monitoring in an industrial plant. Applied Risk is using its research on the newly detected vulnerabilities to develop what it describes as the industry's first WirelessHART fuzzer, designed to test these devices for potential flaws.
Applied Risk is not shy about talking up the risk of security problems in the niche market it's seeking to sell into. That is a familiar security market tactic; it doesn't mean the firm is necessarily wrong, but it is worth bearing in mind.
Jalal Bouhdada, founder and principal security consultant for Applied Risk, stated: “Our research team was concerned to find a number of vulnerabilities in various WirelessHART components used across the globe. The majority of plants are unaware of the risks as security assessments at this level have often been overlooked.”
“The risks this flaw poses reach far beyond financial loss,” he added. “The loss of production is a significant issue for manufacturers, as are fines from customers if products aren’t delivered on time. The most serious risk, however, is the loss of life in the case of explosions, especially in hazardous environments.”
“Alongside the potential impact to the environment, an attack could lead to significant reputational damage. End users and ICS suppliers must take a more proactive and thorough approach to testing – and implementing security measures to effectively tackle these threats,” Bouhdada concluded.
Alexander Polyakov of ERPScan, a firm whose research exposed serious security gaps in the architecture of links between enterprise and industrial control systems in the oil and gas industry, backed Applied Risk's research effort.
"WirelessHART provides some security mechanisms for ICS in general but the biggest problem [is] usually on implementation layer - how vendors implement this functionality," Polyakov told El Reg. "Implementation issues [can] mean that it is possible to find the key to encrypt WirelessHART in firmware. Also some devices are not locked. [which] means that you can download firmware from device via JTAG or other debug interfaces." ®
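Polyakov's point about keys recoverable from firmware can be checked on a dumped image with a simple entropy scan: a 128-bit AES key (WirelessHART's join, network and session keys are AES-128) embedded as a constant stands out as a 16-byte window of near-maximal entropy amid low-entropy code, strings and erased flash. The script below is an added example, not code from Applied Risk, ERPScan or any WirelessHART vendor. The firmware image is constructed inline (a repeating Thumb-like code pattern, a few C strings, 0xFF erased-flash padding) and the embedded key is the FIPS-197 AES-128 example key, placed at a constructed offset purely to illustrate the technique.

```python
import math

KEY_LEN = 16  # AES-128: WirelessHART join/network/session keys are 128-bit
MAX_ENTROPY = math.log2(KEY_LEN)  # 4.0 bits/byte is the ceiling for a 16-byte window


def shannon_entropy(chunk: bytes) -> float:
    """Bits of entropy per byte over one window."""
    n = len(chunk)
    counts = {}
    for b in chunk:
        counts[b] = counts.get(b, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_like_text(chunk: bytes, ratio: float = 0.75) -> bool:
    """C strings (optionally NUL-separated) are mostly printable ASCII; skip them."""
    printable = sum(1 for b in chunk if 0x20 <= b < 0x7F or b in (0x09, 0x0A, 0x0D))
    return printable / len(chunk) >= ratio


def find_key_candidates(image: bytes, threshold: float = 3.75, step: int = 4):
    """Slide a KEY_LEN window across the image and report high-entropy, non-text
    windows. step=4 assumes the key sits word-aligned, as compiled-in constants
    usually do; step=1 is the thorough (and noisier) variant. Overlapping hits are
    merged into regions, keeping the highest-entropy window of each region.
    Returns a list of (offset, entropy, hex_bytes)."""
    regions = []
    for off in range(0, len(image) - KEY_LEN + 1, step):
        window = image[off:off + KEY_LEN]
        if looks_like_text(window):
            continue
        e = shannon_entropy(window)
        if e < threshold:
            continue
        if regions and off <= regions[-1]["end"]:
            r = regions[-1]
            r["end"] = off + KEY_LEN
            if e > r["best_e"]:
                r["best_off"], r["best_e"] = off, e
        else:
            regions.append({"end": off + KEY_LEN, "best_off": off, "best_e": e})
    return [(r["best_off"], r["best_e"], image[r["best_off"]:r["best_off"] + KEY_LEN].hex())
            for r in regions]


# ---- Constructed firmware image (not a real device dump) ----
CODE = b"\x01\x20\x70\x47\x00\xbf\x00\x00" * 32          # movs r0,#1; bx lr; nop; pad
STRINGS = (b"HART-IP boot v1.2\x00" + b"net: plant-a\x00" + b"join: pending\x00").ljust(64, b"\x00")
ERASED = b"\xff" * 64                                    # erased NOR/NAND flash
CONSTRUCTED_KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 example key
FIRMWARE = CODE + STRINGS + ERASED + CONSTRUCTED_KEY + b"\xff" * 48 + CODE
KEY_OFFSET = len(CODE) + len(STRINGS) + len(ERASED)      # 384, where the key was embedded


if __name__ == "__main__":
    for off, e, hexkey in find_key_candidates(FIRMWARE):
        print(f"candidate @0x{off:04x} entropy={e:.3f}/{MAX_ENTROPY:.1f} bytes={hexkey}")
```

Entropy alone only says "this looks like key material": hashes, signatures and compressed data score just as high, so a hit has to be confirmed, for example by using it to authenticate a captured WirelessHART frame. The practical lesson, as Polyakov's comment implies, is the inverse: a device whose debug port is open and whose keys live as plaintext constants in flash gives an attacker exactly this workflow.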