Poor SCADA security will keep attackers and researchers busy in 2013
- 21 December, 2012 17:16
An increasing number of vulnerability researchers will focus their attention on industrial control systems (ICS) in the year to come, but so will cyberattackers, security experts believe.
Control systems are made up of supervisory software running on dedicated workstations or servers and computer-like programmable hardware devices that are connected to and control electromechanical processes. These systems are used to monitor and control a variety of operations in industrial facilities, military installations, power grids, water distribution systems and even public and private buildings.
Some are used in critical infrastructure -- the systems that large populations depend on for electricity, clean water, transport, etc. -- so their potential sabotage could have far-reaching consequences. Others, however, are relevant only to their owners' businesses and their malfunction would not have widespread impact.
The security of SCADA (supervisory control and data acquisition) and other types of industrial control systems has been a topic of much debate in the IT security industry since the Stuxnet malware was discovered in 2010.
Stuxnet was the first known malware to specifically target and infect SCADA systems and was successfully used to damage uranium enrichment centrifuges at Iran's nuclear plant in Natanz.
Stuxnet was a sophisticated cyberweapon believed to have been developed by nation states -- reportedly U.S. and Israel -- with access to skilled developers, unlimited funds and detailed information about control system weaknesses.
Attacking critical infrastructure control systems requires serious planning, intelligence gathering and the use of alternative access methods -- Stuxnet was designed to spread via USB devices because the Natanz computers systems were isolated from the Internet, exploited previously unknown vulnerabilities and targeted very specific SCADA configurations found only at the site. However, control systems that are not part of critical infrastructure are becoming increasingly easier to attack by less skilled attackers.
This is because many of these systems are connected to the Internet for the convenience of remote administration and because information about vulnerabilities in ICS software, devices and communication protocols is more easily accessible than in the pre-Stuxnet days. Details about dozens of SCADA and ICS vulnerabilities have been publicly disclosed by security researchers during the past two years, often accompanied by proof-of-concept exploit code.
"We will see an increase in exploitation of the Internet accessible control system devices as the exploits get automated," said Dale Peterson, chief executive officer at Digital Bond, a company that specializes in ICS security research and assessment, via email.
However, the majority of Internet accessible control system devices are not part of what most people would consider critical infrastructure, he said. "They represent small municipal systems, building automation systems, etc. They are very important to the company that owns and runs them, but would not affect a large population or economy for the most part."
Attackers who could potentially be interested in targeting such systems include politically motivated hackers trying to make a statement, hacktivist groups with an interest in drawing attention to their cause, criminals interested in blackmailing companies or even hackers doing it fun or bragging rights.
A recently leaked FBI cyberalert document dated July 23 revealed that earlier this year hackers gained unauthorized access to the heating, ventilation and air conditioning (HVAC) system operating in the office building of a New Jersey air conditioning company by exploiting a backdoor vulnerability in the control box connected to it -- a Niagara control system made by Tridium. The targeted company installed similar systems for banks and other businesses.
The breach happened after information about the vulnerability in the Niagara ICS system was shared online in January by a hacker using the moniker "@ntisec" (antisec). Operation AntiSec was a series of hacking attacks targeting law enforcement agencies and government institutions orchestrated by hackers associated with LulzSec, Anonymous and other hacktivist groups.
"On 21 and 23 January 2012, an unknown subject posted comments on a known US website, titled '#US #SCADA #IDIOTS' and '#US #SCADA #IDIOTS part-II'," the FBI said in the leaked document.
"It's not a matter of whether attacks against ICS are feasible or not because they are," Ruben Santamarta, a security researcher with security consultancy firm IOActive, who found vulnerabilities in SCADA systems in the past, said via email. "Once the motivation is strong enough, we will face big incidents. The geopolitical and social situation does not help so certainly, it is not ridiculous to assume that 2013 will be an interesting year."
Targeted attacks are not the only concern; SCADA malware is too. Vitaly Kamluk, chief malware expert at antivirus vendor Kaspersky Lab, believes that there will definitely be more malware targeting SCADA systems in the future.
"The Stuxnet demonstration of how vulnerable ICS/SCADA are opened a completely new area for whitehat and blackhat researchers," he said via email. "This topic will be in the top list for 2013."
However, some security researchers believe that creating such malware is still beyond the abilities of the average attackers.
"Creating malware that will be successful in attacking an ICS is not trivial and may require a lot of insight and planning," Thomas Kristensen, chief security officer at vulnerability intelligence and management firm Secunia, said via email. "This also significantly limits the amount of people or organisations who are able to pull off such an attack."
"We are not in doubt though, that we will see attacks against ICS," Kristensen stressed.
"Most of the deployed SCADA and DCS [distributed control system] applications and hardware were developed without a Security Development Lifecycle (SDL) -- think Microsoft in the late 90's -- so it is rife with common programming errors that lead to bugs, vulnerabilities, and exploits," Peterson said. "That said, the PLCs and other field devices are insecure by design and do not require a vulnerability to take a critical process down or alter it in a malicious way a la Stuxnet."
Peterson's company, Digital Bond, released several exploits for vulnerabilities found in many PLCs (programmable logic controllers) -- SCADA hardware components -- from multiple vendors as modules for the popular Metasploit penetration testing framework, an open-source tool that can be used by virtually anyone. This was done as part of a research project called Project Basecamp, whose goal was to show how fragile and insecure many existing PLCs are.
"The only restriction to finding large numbers of SCADA and DCS vulnerabilities is researchers getting access to the equipment," Peterson said. "More are trying and succeeding so there will be an increase of vulnerabilities that will be disclosed in whatever manner the researcher deems appropriate."
Santamarta agreed that it's easy for researchers to find vulnerabilities in SCADA software today.
There is even a market for SCADA vulnerability information. ReVuln, a Malta-based startup security firm founded by security researchers Luigi Auriemma and Donato Ferrante, sells information about software vulnerabilities to government agencies and other private buyers without reporting them to the affected vendors. Over 40 percent of the vulnerabilities in ReVuln's portfolio at the moment are SCADA ones.
The trend seems to be growing for both attacks and investments in the SCADA security field, according to Donato Ferrante. "In fact if we think that several big companies in the SCADA market are investing a lot of money on hardening these infrastructures, it means that the SCADA/ICS topic is and will remain a hot topic for the upcoming years," Ferrante said via email.
However, securing SCADA systems is not as straightforward as securing regular IT infrastructures and computer systems. Even when security patches for SCADA products are released by vendors, the owners of vulnerable systems might take a very long time to deploy them.
There are very few automated patch deployment solutions for SCADA systems, Luigi Auriemma said via email. Most of the time, SCADA administrators need to manually apply the appropriate patches, he said.
"The situation is critically bad," Kamluk said. The main goal of SCADA systems is continuous operation, which doesn't normally allow for hot patching or updating -- installing patches or updates without restarting the system or the program -- he said.
In addition, SCADA security patches need to be thoroughly tested before being deployed in production environments because any unexpected behavior could have a significant impact on operations.
"Even in those cases where a patch for a vulnerability exists, we will find vulnerable systems for a long time," Santamarta said.
Most SCADA security experts would like for industrial control devices like PLCs to be re-engineered with security in mind.
"What is needed is PLCs with basic security measures and a plan to deploy these in the most critical infrastructure over the next one to three years," Peterson said.
"The ideal scenario is where industrial devices are secure by design, but we have to be realistic, that will take time," Santamarta said. "The industrial sector is a world apart. We should not strictly look at it through our IT perspective. That said, everybody realizes that something has to be done, including the industrial vendors."
In the absence of secure-by-design devices, ICS owners should take a defense-in-depth approach to securing these systems, Santamarta said. "Considering that there are industrial protocols out there that are insecure by default, it makes sense to add mitigations and different layers of protection."
"Disconnect ICS from the internet, put it in an isolated network segment and strictly limit/audit access to it," Kamluk said.
"The owners of critical infrastructure should realize that separate networks, or at least separate credentials are needed for accessing critical infrastructure," Kristensen said. "No sane and security aware administrator would log on to any of his systems using administrative credentials and within that same session access the hostile Internet and read emails. This should also apply to ICS; use one set of credentials to access the ICS session and perhaps access your Internet connection session using a virtual and / or remote desktop setup."
The need for government regulation that would force the operators of critical infrastructure to secure their industrial control systems has been a hotly debated topic and many SCADA security experts agree that it could be a good starting point. However, little progress has been made so far towards this goal.
"The most ambitious government regulation, NERC CIP for the North American electric sector, has been a failure," Peterson said. "Most would like successful government regulation but can't identify what this would be."
"I would just like the government to be honest and state out loud that these systems are insecure by design and organizations that run the critical infrastructure SCADA and DCS should have a plan to upgrade or replace these systems in the next one to three years," he said.
Government regulation would be extremely helpful, Kamluk said. Some SCADA vendors sacrifice security for development cost savings without considering the risks of such decisions and their potential impact on human lives, he said.
Earlier this year, Kaspersky Lab revealed plans to develop an OS that would provide a secure-by-design environment for operating SCADA and other ICS systems. The idea behind the OS is to guarantee that no undeclared functionality will be able to run on it, which would prevent attackers from executing malicious code by exploiting unpatched vulnerabilities.
While this sounds like an interesting project, it remains to be seen how the SCADA community and the industry sector will react to it, Santamarta said.
"There are not enough details about the new OS to evaluate its features," Ferrante said. "To do that we will need to wait for an official release. Anyway the main problem when adopting a new OS is that it needs to be able to run existing SCADA systems without having to rewrite their code."