Feeds

SCADA honeypots attract swarm of international hackers

'Industrial control systems' faced attacks from US, China...and, er, Laos

Beginner's guide to SSL certificates

These systems used to be run from a single computer next to a conveyor belt

Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday.

“This Trend Micro research shows that attackers have enough knowledge to analyse and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro. “This is a wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”

SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.

"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.

"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."

Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."

A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities. According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone (PDF).

And patching of industrial control systems creates its own problems, according to a study by Tofino Security published last week.

Eric Byres, CTO and vice president of engineering at Tofino Security, reckons there are as many as 1,805 as-yet-undiscovered vulnerabilities existing on control system computers.

IC systems need FREQUENT patches... but if they're buggy, it ALL falls apart

The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.

But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 per cent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.

Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching. However the overall picture of exposed and vulnerable industrial control systems is constant with findings from experts at Trend Micro and elsewhere.

A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even rudimentary protections are often absent.

Sean McGurk, former head of cybersecurity for the US Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, told El Reg that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks. The networks of both Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper.

Part of the problem is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years. And industrial control kit works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is adequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.

"Patching of legacy system is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can be enhanced with layers of security but you can't gold-plate everything."

Despite the difficulties, McGurk suggested many in the sector are being slow to react to the security threat. The UK energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.

However he acknowledged that the technology was certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly, and no panacea.

"Introduce smart-grid technology is a double edged sword," McGurk explained. "Although you enhance interoperability, you can't just throw it in there.

"There's a greater security focus and it's not just about interoperability anymore," he concluded. McGurk said that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.

McGurk, who has more than 30 years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and vendors. ®

Protecting users from Firesheep and other Sidejacking attacks with SSL

More from The Register

next story
Spies would need SUPER POWERS to tap undersea cables
Why mess with armoured 10kV cables when land-based, and legal, snoop tools are easier?
Early result from Scots indyref vote? NAW, Jimmy - it's a SCAM
Anyone claiming to know before tomorrow is telling porkies
Jihadi terrorists DIDN'T encrypt their comms 'cos of Snowden leaks
Intel bods' analysis concludes 'no significant change' after whistle was blown
TOR users become FBI's No.1 hacking target after legal power grab
Be afeared, me hearties, these scoundrels be spying our signals
Home Depot: 56 million bank cards pwned by malware in our tills
That's about 50 per cent bigger than the Target tills mega-hack
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
China hacked US Army transport orgs TWENTY TIMES in ONE YEAR
FBI et al knew of nine hacks - but didn't tell TRANSCOM
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
NORKS ban Wi-Fi and satellite internet at embassies
Crackdown on tardy diplomatic sysadmins providing accidental unfiltered internet access
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
Protecting users from Firesheep and other Sidejacking attacks with SSL
Discussing the vulnerabilities inherent in Wi-Fi networks, and how using TLS/SSL for your entire site will assure security.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.