SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

These systems used to be run from a single computer next to a conveyor belt

Wilhoit presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday.

“This Trend Micro research shows that attackers have enough knowledge to analyse and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro. “This is a wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”

SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.

"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.

"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."

Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."

A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities. According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone (PDF).

And patching of industrial control systems creates its own problems, according to a study by Tofino Security published last week.

Eric Byres, CTO and vice president of engineering at Tofino Security, reckons there are as many as 1,805 as-yet-undiscovered vulnerabilities existing on control system computers.

IC systems need FREQUENT patches... but if they're buggy, it ALL falls apart

The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.

But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 per cent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are not certified for access to safety-regulated industrial sites.

Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching. However, the overall picture of exposed and vulnerable industrial control systems is consistent with findings from experts at Trend Micro and elsewhere.

A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even rudimentary protections are often absent.

Sean McGurk, former head of cybersecurity for the US Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, told El Reg that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks. The networks of Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper.

Part of the problem is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years. And industrial control kit works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is inadequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.

"Patching of legacy systems is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can be enhanced with layers of security but you can't gold-plate everything."

Despite the difficulties, McGurk suggested many in the sector are being slow to react to the security threat. The UK energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.

However, he acknowledged that the technology was no panacea and certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly.

"Introducing smart-grid technology is a double-edged sword," McGurk explained. "Although you enhance interoperability, you can't just throw it in there.

"There's a greater security focus and it's not just about interoperability anymore," he concluded. McGurk said that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.

McGurk, who has more than 30 years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and vendors. ®
