This vulnerability came to light recently when a security engineer at Iowa University discovered spammers using one of the university’s large commercial printers to send e-mail to other computers around the world.
IU Lead Security Engineer Nate Johnson was called when a Canon printer on the university network started acting strangely. It would power up and run without printing anything, or send out reams of paper printed with unreadable text and symbols. Every so often it printed a typical spam message.
Mr. Johnson found the printer was susceptible to a well-known Internet attack vector called FTP Bounce or FTP Echo. FTP stands for File Transfer Protocol, a common method of sending data from one computer to another. According to the Computer Emergency Response Team (CERT) at Carnegie Mellon University, FTP Bounce lets an Internet- connected device with FTP capabilities act as a data relay during information transfer. The receiving device sees data coming from the relay while the originating device remains hidden behind the relay address. Spammers use relays to hide their address so that Internet tracers cannot find who or where they are. Others use relays for the same reason when hacking into computers.
Computer Emergency Response Team
Carnegie Mellon Univ.
Phoenix Contact Inc.
Siemens Energy & Automation Inc.
Unlike many computer weaknesses, there is no “bug” to patch that would make FTP devices invulnerable to this attack. FTP Bounce uses the protocol as it was created for the Internet. Every device with an FTP service could become an unwitting accomplice in an attack. And many Internet-capable industrial-network devices, such as HMIs, motor controllers, and PLCs, use FTP to input setup and configuration information from host computers or to send status and production reports.
When contacted, several manufacturers of industrial Ethernet products couldn’t say what impact this type of attack would have on their hardware. “I’ll have to get back with you on that,” was the most common response. This does not imply many industrial systems are vulnerable, only that the effects of such an attack seem to be unknown.
Important to attackers is that the device accepts anonymous logins. Anonymous does not mean unknown in computer parlance. It means the user does not require an account or password. Prior to development of the Web, anonymous accounts let different people access information on a computers without each person needing an account.
The first step in securing an industrial network is to mandate passwords for all accesses. And many industrial devices do require passwords to access their FTP services.
However, passwords that come with devices are the same for every unit. These default passwords are readily obtainable over the Internet and are not, therefore, considered secure. According to Larry Komarek, automation product manager at Phoenix Contact, merely changing these passwords and making sure they’re changed periodically helps ensure a network is secure.
Komarek also points out there are other ways attackers can access your network. Machine OEM technicians that come to troubleshoot or install equipment often bring laptops with data and software they’ll need. But they could be bringing in something else if their laptop is already infected with a computer virus. By plugging their laptop into your network to work on a machine, the technician just bypassed a firewall and Internet security with a direct connection. The nature of most networks is one of “trust behind the firewall,” so once in, a virus has free rein within the now-compromised network to infect other networks. Komarek recommends scanning outside computers for rogue software and viral infections before they’re connected to your factory network.
Defense in-depth is a term used in IT circles that should become better known around industrial networks. It defines multiple layers of security that protects a network at different points. Historically, people put in one big firewall between the Internet and intranet. In reality, there should be multiple firewalls and DMZs, so-called demilitarized zones, where information is sent to one computer from the control, and another computer transfers it from there to the Internet.
Speaking of firewalls, Komarek reports firewalls are evolving with prices dropping into the hundreds rather than thousands of dollars. Simpler programming and configuration tools will make protecting specific network areas easier and faster. But he also warns that most firewalls are still fairly complex and usually require IT help for proper configuration. A firewall that’s not correct can actually do more harm because of its placebo effect on network security. Companies may think they’re protected and let other security measures lapse when in reality they have no protection at all.
VIDEO LIBRARY igus Inc.
E. Providence, R.I., has launched its new and improved video library at igus.com/applicationcorner/video_library.asp. The library includes various videos demonstrating each stage of life for igus components, from manufacturing to testing to installation.
Controlling access to the plant-floor network is a sentiment echoed by Jeremy Bryant, network technology specialist at Siemens Energy and Automation Inc. He recommends that any remote access to a network be carried over a virtual private network or VPN. VPNs provide a secure, encrypted connection over the Internet from the user’s computer to the plant floor. It’s as if they were plugged directly into that network. Special software on the remote computer links to the VPN server at the plant that authenticates users and protects against viruses.
By far the biggest threat to plant floor networks are not terrorist or spammer attacks — it’s disgruntled employees who already have access. Good security for plant networks depends upon good people and policies. If people aren’t managed properly, or policies ignored, then security just isn’t there.