Feeds

SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

Choosing a cloud hosting partner with confidence

These systems used to be run from a single computer next to a conveyor belt

Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday.

“This Trend Micro research shows that attackers have enough knowledge to analyse and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro. “This is a wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”

SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.

"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.

"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."

Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."

A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities. According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone (PDF).

And patching of industrial control systems creates its own problems, according to a study by Tofino Security published last week.

Eric Byres, CTO and vice president of engineering at Tofino Security, reckons there are as many as 1,805 as-yet-undiscovered vulnerabilities existing on control system computers.

IC systems need FREQUENT patches... but if they're buggy, it ALL falls apart

The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.

But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 per cent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.

Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching. However the overall picture of exposed and vulnerable industrial control systems is constant with findings from experts at Trend Micro and elsewhere.

A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even rudimentary protections are often absent.

Sean McGurk, former head of cybersecurity for the US Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, told El Reg that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks. The networks of both Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper.

Part of the problem is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years. And industrial control kit works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is adequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.

"Patching of legacy system is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can be enhanced with layers of security but you can't gold-plate everything."

Despite the difficulties, McGurk suggested many in the sector are being slow to react to the security threat. The UK energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.

However he acknowledged that the technology was certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly, and no panacea.

"Introduce smart-grid technology is a double edged sword," McGurk explained. "Although you enhance interoperability, you can't just throw it in there.

"There's a greater security focus and it's not just about interoperability anymore," he concluded. McGurk said that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.

McGurk, who has more than 30 years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and vendors. ®

Beginner's guide to SSL certificates

More from The Register

next story
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
FYI: OS X Yosemite's Spotlight tells Apple EVERYTHING you're looking for
It's on by default – didn't you read the small print?
Microsoft pulls another dodgy patch
Redmond makes a hash of hashing add-on
'LulzSec leader Aush0k' found to be naughty boy not worthy of jail
15 months home detention leaves egg on feds' faces as they grab for more power
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
China is ALREADY spying on Apple iCloud users, watchdog claims
Attack harvests users' info at iPhone 6 launch
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Three 1TB solid state scorchers up for grabs
Big SSDs can be expensive but think big and think free because you could be the lucky winner of one of three 1TB Samsung SSD 840 EVO drives that we’re giving away worth over £300 apiece.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.