Tank Gauges and Security on the Internet

Transcription

1 Tank Gauges and Security on the Internet by Jack Chadowitz CEO, Boston Base, Inc. This article discusses the security and risk aspects of using the Internet for communicating with a tank gauge. As the majority of tank gauges are manufactured by Veeder Root/Gilbarco, we will use the TLS 350 as an example. The reader can apply the principles to other gauges that require public IP addresses and port forwarding. History The TLS 350 was designed for RS232 (serial) communications at a maximum baud rate of 9600 bps. It s communications card rack can take up to 4 cards. Slot 4 is slightly different so some but not all cards can use slot 4. Over the years a variety of cards were available. The most typical cards are RS232, Fax/Modem and TCP/IP. All 3 cards use a UART to communicate with the gauge, the RS232 card has a 25pin female (DB25) connector, the Fax/Modem has a telephone jack and the TCP/IP card has a RJ45 connector. The Fax/Modem card is actually the RS232 card with a front end modem and the TCP/IP card is the RS232 card with a Lantronix Xport module that translates RS232 to TCP/IP. The underlying communication is serial communication which uses the protocol published in the Serial Communications Document freely available via a quick Google. The document describes the commands for both polling for information and making configuration changes to the gauge. The communications was designed 20 to 30 years ago for RS232 and relies on physical access protection to secure the communications to the gauge. Physical access protection means that if you prevent physical access to the gauge, you prevent access to the gauge information and prevent sending configuration commands to the gauge. A feeble attempt at protection is the password feature where each communications slot can be 1

2 programmed with its own 6 character password. Its feeble because if anyone sniffs the communication, the password is in plain view. Unlike the front panel password which limits by activity, this security is all or nothing. The communications design is suitable for onsite communications if the gauge and any equipment that is connected is physically secured. The Fax/Modem card allows communications over a telephone line. Without a password the gauge is open to the world if the telephone number is known. With a password, the password can be sniffed by tapping into the telephone line, much easier than gaining access to the gauge. To save money, many sites share a telephone line by using sticks or switches. A series of tones tell the switch to direct the call to the gauge. To gain access, a hacker can simply look up the store s general number and try some common codes. Fortunately, the use of Fax/Modem cards is declining. This is due to a few factors, the cost of a dedicated telephone line is now more than an Internet connection, shared lines are inconvenient for the store and the new telephone exchanges which are digital, cause problems with the low speed Fax/Modem cards. This is evidenced by the glut of old and new Fax/Modem cards on ebay. A Fax/Modem card which once cost $700+, is now available new on ebay at about $100 or less. Last is the TCP/IP card. This card is setup in the gauge in the same way as other cards but unlike the Fax/Modem which typically operates at 1200 or 2400 baud, the TCP/IP card runs at the maximum serial speed 9600 baud. As the gauge sees the TCP/IP card as a serial card, setup in the gauge is simple but the TCP/IP setup needs to be done externally using a computer. In addition the store router(s) (sometimes more than one) need to be specially configured for port forwarding. This setup requires strong networking skills and specialized training. (If you have never heard of the arp command don t bother to try setting up the card.) 2

3 TCP/IP Card Communications The TCP/IP card needs a static IP address and port forwarding settings in the router to allow external access to the gauge over the Internet. As Internet connections with static, also called public IP addresses, cost typically more than twice the cost of a basic connection, static addresses are rarely available at dealer locations. The store will have a temporary public IP address which will change at the whim of the ISP. This may happen as frequently as every time the modem is power cycled, or when the ISP changes something on their network. This causes a break in communications with the gauge, resulting in one or more expensive service calls. A Dynamic DNS service is sometimes a solution to the changing IP if the store router supports the Dynamic DNS feature. This is one more configuration activity that the technician must learn to perform inside the store router and one more configuration that must be maintained in someone else s equipment. Then a subscription to a Dynamic DNS service must be setup and maintained. ISP s now commonly provide telephone and other services as well as Internet connectivity. To support these services, the modem has been replaced with a modem/router box that can take the place of a store router. These boxes bring their own issues as they often don t support Dynamic DNS. Why should they support Dynamic DNS? By not supporting Dynamic DNS, the ISP s force the store to buy a more expensive service to get a static or public IP address. In addition the technicians now need access to the ISP supplied router and possibly also the store router to configure port forwarding. The router login information for the ISP and store routers is often not available. 3

4 The technician then has a choice, a second site visit with the hope that the login information will be available or simply reset the router to factory defaults and do the configuration. Resetting the router destroys any previous router settings so it may trigger a service call as any other equipment that depends on router configuration will now be broken. This is often the camera security system. The camera technician then resets the router and the gauge technician then gets called back causing an expensive self perpetuating circle. This is one of the reasons why the TCP/IP card has not penetrated the dealer market. $1,500 for a card with installation, and expensive service calls of $500 plus per year to maintain the communications, just to get dealer inventory is a strong disincentive. Accessing the Gauge over the Internet If the gauge, card, and store network has been successfully configured, the gauge information will be available via the Internet. In addition, the gauge may be also configured over the Internet. The gauge may be accessed for both reading and writing if the public IP address of the store and the port configured for the Lantronix XPort unit on the card is known. The gauge is on the Internet for the world to access if they know the public IP address and the port number. Its typically port and rarely changed. The XPort itself is programmed via port If port forwarding for port 9999 is setup in the local router, then the card can be programmed from anywhere on the Internet unless you password protect this access. Of course the default is no password. And then when you really need remote access to reconfigure the card because the network subnet has changed, the change will block access to reconfigure the card. 4

5 TCP/IP Card Internet Security The TCP/IP card provides no security for the gauge whatsoever! Its simply a TCP/IP to serial converter on a serial card. The same applies to solutions where an external TCP/IP to serial converter is added to a serial board. The gauge provides only the serial communications security which, if it is actually setup, shows the password in plain text to anyone who can sniff the communications. There is somewhat unintentional security inadvertently provided by the ISP s basic service and the need for port forwarding. Whenever the IP address changes or the port forwarding is lost, or the dynamic DNS fails, hackers are locked out in the same way as the actual users. (Hackers are forced to scan periodically to keep up to date.) Why worry about security? Does anyone care? Well, these days there are concerns about credit card information theft and the associated PCI regulations when sharing an Internet service with credit card processing. The good news is although the PCI folks may think differently, the open door to read and write gauge information is not an opportunity to steal credit card information. The inventory information may be useful to competing dealers or wholesalers, and tank testing results may be interesting to State inspectors, but hacking is driven by profit or terrorism and the penalties if caught are severe. So data stealing is not an issue. Security is important when considering tampering with gauge settings. Malicious tampering can wipe out the gauge memory resulting in a service call and in some cases a station shutdown. Sophisticated tampering can cause run outs and overfills. It can also generate tank test failures and alarms that can be expensive to resolve. 5

6 As an individual station or a small chain of stations, a targeted cyber attack on a store or small chain is unlikely and the perpetrator will likely be caught through an associated motive. But as a group, dealer locations which make up more than 60% of fueling locations will or already has become a tempting target for cyber terror as more of them become accessible over the Internet. About 5 years ago the oil companies began selling their stores. The oil companies had their own wide area networks, some using satellite. When these stores were sold they lost their communications networks. Many of these stores are now dealers who once made do with telephone modem connections. These are now being replaced by low cost, basic Internet connections as the price for basic Internet service has dropped. As these sites become Internet enabled, their suppliers will be adding the TCP/IP cards or serial to TCP/IP converters to get inventory information in spite of the cost and difficulties. As the number of Internet connected dealer locations increase, the attractiveness of these locations and the risk to national fuel logistics by cyber terrorists will increase. The cost of the TCP/IP card is dropping and solutions using the serial card and TCP/IP to serial conversion boxes are becoming more well known. This reduction in cost will increase the number of installations and consequently the risk of a cyber attack. How can security be added? There are a few ways to add security. An expensive, high maintenance solution suitable for chains uses a virtual private network (VPN). An organization s private network is extended to remote locations by piggybacking on the Internet. Devices at the remote site now become devices on the private network. This is not suitable for dealer locations because all devices at the 6

7 store are now on someone else s network. They are also expensive to install and maintain. Interestingly the secure Onsite360 solution from Gilbarco, the company that manufactures the TCP/IP card requires a VPN to the gauge in order to be secure. A better solution is Kachoolie. In the interests of full disclosure I freely admit that I have a vested interest in the Kachoolie solution. I invented Kachoolie to provide an alternative to the TCP/IP card or similar insecure solution. The goal was low cost for equipment and installation, a reliable connection and data and configuration security. Another rather poor solution is using the TCP/IP card and adding source IP authentication at the store router. The router will only accept communications from pre configured IP addresses. This is often the solution of choice by chains who use 3rd party software services but don t allow foreign entities on their WAN s. This is subject to source IP spoofing and relies on the router retaining the source IP authentication configuration. A router reset will destroy this protection along with the port forwarding. The chains who own and control access to their routers often have separate IP addresses for different functions at the store. This conforms with the PCI compliance requirements but does not make the gauge more secure. A drastic solution is to simply avoid using the TCP/IP card or a similar solution. The TCP/IP card requires a static IP address and an open port. Its like leaving a front door open and expecting no one to walk in. Anyone can walk in, look around and leave. And no one will know about it unless the router logs all visits and someone knows where to look. In technical terms this is as simple as a scan of popular ISP s IP addresses on port and logging any responses to the popular get inventory command. (The response typically returns the store location as well as inventory.) The visitor (hacker) can come back and do damage at will, now that they know how to access the gauge. They even know the gauge s location so that they can attack by geographical location. 7

8 How The Kachoolie Solution Provides protection The Kachoolie solution uses a serial card installed in the gauge (or an existing serial connection on some gauges) and a Kachoolie box that connects between the card and the local router. The Kachoolie box has no public IP address and no open incoming ports. Its like an invisible building that no one can see and it has no doors or windows that can be broken. Kachoolie calls out ONLY to the Kachoolie secure server and communicates through secure encrypted messages. The same encryption that banks use with their customers but with encryption certificates instead of inherently insecure passwords. This is point to point encrypted communication and is very different from a VPN where there is only network security once one is within the network. Users access information or send commands via the Kachoolie secure website. The Kachoolie website provides password protected encrypted communications for users to access their gauges. It also emulates the gauge so that users can continue using their current software or service. In this case the security between the software or service and the Kachoolie server is as good as provided by their software or service. We do mitigate the risk by adding source IP authentication and command type filtering. Source IP authentication means that we only allow communication from known sources for specific tank gauges. This provides some protection but even a mediocre hacker can spoof an IP. Command type filtering is stronger because we can filter or ignore any commands, especially those which can change gauge settings. What are the ramifications of ignoring security? The gauge data is of little value to cyber criminals unlike credit card information. The real risk is malicious or terrorist attacks that disrupt fuel logistics and cause expense to wholesalers, store owners and the companies that provide environmental compliance services. An attack 8

9 can affect all vulnerable stations or just those in a targeted region. The attack can be disguised as a genuine problem at a site, an erroneous full tank report or an erroneous empty tank report. The attack can simply erase the tank gauge memory. These attacks can use the set (S) type commands that are openly published or the undocumented commands which are easy to find. Attacks in the future will occur. its rumored that least one malicious attack has already occurred but was not publicized. And as the vulnerability still exists, then in the society we live in, blame and liability will be assigned for the substantial damages. Who would be held liable and for what? The wholesaler who paid for and installed the TCP/IP card? The card manufacturer, the card distributor or the installer. Or who has the biggest pockets? The link below hints that companies, especially in the energy field could be liable for damages from cyber attacks if they ignore Federal Guidelines. guidelines could leave energy companies lia ble/ The article states The energy industry is among the most targeted by cyberattacks, with 40 percent of all hacks in 2012 aimed at energy companies, according to the Department of Homeland Security. As protection is added to large strategic energy installations, gas stations as a group will become the easy unprotected target for cyber attacks. 9