Thursday, February 16, 2012

Current State of SCADA Security 'Laughable'

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind

Researchers have been speaking publicly about some of them for a couple of years now, and a group recently discussed a huge set of vulnerabilities it found during an extended project looking at PLCs (programmable logic controllers). That talk at the S4 conference showed just how vulnerable such systems are to a wide variety of attacks.
"It's a blood bath mostly," Reid Wightman, a consultant at Digital Bond, said during that conference last month. "Many of these devices lack basic security features."
During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit here Friday, several other researchers talked about the serious issues inherent in these ICS installations, and the picture they painted is one of systemic problems and a culture of naivete about security in general.

Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That turned out to be a serious underestimation of the problem.

"It turns out they're stuck in the Nineties. The SDL doesn't exist in ICS," McCorkle said. "There are a lot of ActiveX and file format bugs and we didn't even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable."

McCorkle and Rios, who reported all of their findings to the affected vendors and through the ICS-CERT, found that the basic security model underlying the ICS systems that run critical services such as power, water and others is completely inadequate.

Many of the systems that are now exposed to the Internet were not designed with that connectivity in mind, and some of them now have mobile interfaces that can be run on smartphones, leading to an entirely new set of issues.

"People are gonna get owned, it's going to hurt," McCorkle said. "These HMIs are listening, they're out there and they give access to these systems that are supposed to be segregated."

Tiffany Rad, a computer science professor at the University of Southern Maine and an intellectual property attorney, said during her talk here on vulnerabilities in the ICS systems at correctional facilities that there is a serious, overarching set of problems that needs to be addressed.
"Security through obscurity no longer works with SCADA," she said. "The belief that PLCs are not vulnerable because they're not connected to the Internet is not true."

"It would cost hundreds of billions of dollars to fix these problems physically. The only solution is [user] training."
