World's electrical grids open to attack
Scads of SCADA bugs
A serious vulnerability has been found in yet another computerized control system that runs some of the world's most critical infrastructure, this time in a product sold by a vendor known as the ABB Group.
According to researchers from C4 - a firm specializing in the security of so-called SCADA, or Supervisory Control And Data Acquisition, systems - ABB's Process Communication Unit (PCU) 400 suffers from a critical buffer overflow bug.
"The vulnerability was exploited by C4 to verify it can be used for arbitrary code execution by an unauthorized attacker," researcher Idan Ofrat wrote in this advisory published on Thursday. "In addition, an attacker can use his control over the FEP server to insert a generic electric grid malware...in order to cause harm to the grid."
The vulnerable software controls critical national infrastructure, including electrical grids. The vulnerability affects versions 4.4, 4.5, and 4.6, and possibly others, the C4 advisory warns.
ABB has issued a patch for the bug.
The advisory comes as concern mounts about the safety of software used to run gasoline refineries, manufacturing plants and other industrial facilities. In June, a now-patched vulnerability in CitectSCADA potentially exposed plants' critical operations to outsiders or disgruntled employees. Lawmakers on both sides of the Atlantic have warned that lax security may make critical infrastructure vulnerable to saboteurs or terrorists.
C4 is no stranger to security in SCADA systems. In January, it warned of vulnerabilities in two products made by GE Fanuc. One of them resided in GE Fanuc's Cimplicity product, and the other affected the company's Proficy Information Portal 2.6. Both appear to have been patched. ®
Of course the power stations are all connected. UCTE and NORDEL cover the entire civilized world.
There is no other way to have a stable grid.
Whenever the wind dies down at a turbine park, or a coal plant encounters a problem and falls off the grid, coordinators remotely and automatically redistribute the juice, turn up pumped storage or fire up a gas turbine plant, while remotely telling nuclear plants to increase their output. Do you really think they lay their own fibre to do that?
And SCADA is the software most of the coordinators use.
Would they do it?
"But they wouldn't connect them to the internet would they?"
A small thought exercise:
Privatised companies are ALL about the money - when they are privatised it is inevitably sold to the public as "Private companies are somehow magically more efficient and will cut costs for the consumer". If you believe that, stop reading now - you need the kind of help I can't provide in a few paragraphs. Otherwise, if you are prepared to accept that that's bollocks and it's all about the money - read on.
Would connecting a company's power stations, substations and other assets to the internet save money? YES - large savings are possible as you can centralise all the numpty work and reporting; having 24x7 teams in place or even on call for every location is very expensive - you can reduce this drastically by having as much of this work done remotely as possible. Using 'civilian' internet connections is way cheaper than dedicated lines (bear in mind the sheer number of locations you are probably talking about here).
Is it a good idea? Well no, not really, for all the reasons you probably know already if you read el'reg.
Would removing large amounts of fall-back redundant systems, lines, power stations and other assets save money? Well obviously yes, much less to maintain and support - the cost saving is obvious.
Is it a good idea? Again no, obviously no - these are your backup, your fall-back and emergency systems, these are what you rely on in the case of a major problem at one of your primary sites. America did this already (remember the east coast blackout? Been to California lately?). So it's obviously a bad idea with no benefit other than cost saving (odd that my bills still go up...).
They already got rid of most of the redundancy in the network as far as I am aware, now go back and re-read question 1 - would they do it?
There's still a way in...
I don't know any large-scale SCADA system that doesn't have at least two emergency backdoors, usually with rudimentary authentication because of necessity. Typically, you'll have one PLC (Private Leased Circuit) style backdoor from a secure facility; could be 2-wire, could be fiber-optics, could be long-haul RS232, don't matter too much. The number two? Remote accessible dial-in, for when that secure facility goes kaboom for whatever reason. Whether or not the supposed vulnerability can be exploited from that side, I don't know. What I do know is that thankfully, these days, the average script kiddie doesn't even know what a modem is, much less how to set up the requisite tools for such activities.
Also, don't underestimate organized criminals. They love a soft target, and plenty of beancounters are stupid enough to think money actually will make the problem go away. Then again, they likely employ modern script kiddies instead of the bearded guru.
Posted as AC because I don't want to be responsible when some kid finds a substation with a login and password of 'login' and 'password,' and accidentally takes an entire country offline.