Researchers presented some alarming findings about the state of security for supervisory control and data acquisition systems at the Kaspersky Security Analyst Summit on 3 February. SCADA systems are used across varied industries such as oil, water systems, electric grids, controlling building systems, and the basic security model underlying these systems is completely inadequate, they said.
Two researchers decided to try to find 100 bugs in 100 days in industrial control system software, Terry McCorkle, an industry researcher, told attendees at the conference. As they began their research, it quickly became evident the team had underestimated the severity of the problem.
“Ultimately, what we found is the state of ICS security is kind of laughable,” McCorkle said.
File format issues were the most prevalent, followed by ActiveX, according to McCorkle. They found several SQL vulnerabilities but no SQL injection flaws, and lots of buffer overflow issues.
There were examples of how ICS software were executing VBScript to open command shells and other applications, as well as websites having direct access to the Windows registry. They reported 1,035 bugs that cause systems to crash and 95 that were easily exploitable to vendors, McCorkle said.
The exploitable bugs included issues that could be exploited by cross-site scripting. The 1,035 bugs would have required someone to spend some time to find a way to exploit the vulnerability, but McCorkle was confident some could be exploited.
Although McCorkle and his team had reported those vulnerabilities to the vendors, the problem remained as to how the systems would get patched. If the vendor decided to patch the issue, which is not always a given, there was still the question of how to notify administrators and how to actually distribute and install the patches, McCorkle said.
Many of the systems that are now Internet accessible were not originally designed to be connected, and some have embedded web services and mobile interfaces that make it even easier to connect remotely. Many SCADA systems are available online with weak passwords such as ‘100’, according to McCorkle.
When programmable logic controllers were developed, security was not a priority, Tiffany Rad, a computer science professor at the University of Southern Maine, John Strauchs, an engineer, and penetration tester Teague Newman, concurred in their presentation on SCADA vulnerabilities in correctional facilities.
“Security through obscurity no longer works with SCADA,” Rad said.
Rad and her team were able to find control systems that were connected to the Internet that administrators hadn’t even known about. “The belief that PLCs are not vulnerable because they’re not connected to the Internet is not true,” Strauchs said.
McCorkle cited the work of a different researcher who was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants.
While some may have been test systems, some of them were actually in production. Only 17 percent of the systems found asked remote users for authorisation to connect, according to that research.
“People are gonna get owned; it’s going to hurt,” McCorkle said.
Security researchers have been criticising how SCADA vendors handle patching for a long time. At a recent S4 Conference in Miami, a team of six security researchers assessed the security of six programmable logic controllers widely used in the industry.
One of the tested systems, the D20 ME PLC from General Electric, lacked security controls, had multiple remotely exploitable vulnerabilities, and had several “back door” administrative accounts, the researchers said at S4. Despite the security issues, statements from GE suggested that fixes are unlikely because of the age of the hardware being used in the device, researchers said.
That same team partnered with Rapid7 and Tenable Network Security to release testing modules for Metasploit and Nessus vulnerability scanning suites that organisations can use to find the disclosed vulnerabilities within their environments.
While the module for GE D20 PLC from General Electric is available, other modules targeting Rockwell Automation, Schneider Motion and Koyo/Direct LOGIC controllers are expected soon.
Targetting AWS, Microsoft? British competition regulator soon to announce “behavioural” remedies for cloud sector
Move to Elon Musk rival. Former senior executive at X joins Sam Altman's venture formerly…
Bitcoin price rises towards $100,000, amid investor optimism of friendlier US regulatory landscape under Donald…
Judge Kaplan praises former FTX CTO Gary Wang for his co-operation against Sam Bankman-Fried during…
Explore the future of work with the Silicon In Focus Podcast. Discover how AI is…
Executive hits out at the DoJ's “staggering proposal” to force Google to sell off its…
View Comments
Should we be looking beyond the patching efforts needed to secure today's SCADA infrastructure? Maybe we need to address the inscure code being developed by novice developers using insecure standards. Perhaps a secure code certification requirement for anyone working on critical infrastructure or something along those lines. http://tinyurl.com/72gcnlb