Researchers examined the state of security in SCADA and industrial control systems and presented an ugly picture of the vulnerabilities and challenges in addressing the issues.
CANCUN, Mexico Recent reports painted a bleak picture of
the security issues plaguing industrial control systems, but the situation is exacerbated
by the fact that administrators are naÃ¯ve about the dangers, researcher said.
Researchers presented some alarming findings about the state
of security for supervisory control and data acquisition systems at the
Kaspersky Security Analyst Summit on Feb. 3. SCADA systems are used across varied
industries such as oil, water systems, electric grids, controlling building
systems, and the basic security model underlying these systems is completely
inadequate, they said.
Two researchers decided to try to find 100 bugs in 100 days
in industrial control system software, Terry McCorkle, an industry researcher,
told attendees at the conference. As they began their research, it quickly
became evident the team had underestimated the severity of the problem.
"Ultimately, what we found is the state of ICS security
is kind of laughable," McCorkle said.
The bugs were "straight out of the '90s," and for
the most part, were "blatantly obvious" flaws, according to McCorkle.
McCorkle and his partner in the project, Billy Rios, used fuzzing techniques
and found over 1,000 bugs in ICS software. McCorkle said a lot of the people he
spoke with in the industry had never thought to try fuzzing to look for
vulnerabilities in ICS software.
File format issues were the most prevalent, followed by
ActiveX, according to McCorkle. They found several SQL vulnerabilities but no
SQL injection flaws, and lots of buffer overflow issues. There were examples of
how ICS software were executing VBScript to open command shells and other applications,
as well as Websites having direct access to the Windows registry. They reported
1,035 bugs that cause systems to crash and 95 that were easily exploitable to
vendors, McCorkle said. The exploitable bugs included issues that could be
exploited by cross-site scripting. The 1,035 bugs would have required someone to
spend some time to find a way to exploit the vulnerability, but McCorkle was
confident some could be exploited.
Although McCorkle and his team had reported those
vulnerabilities to the vendors, the problem remained as to how the systems would
get patched. If the vendor decided to patch the issue, which is not always a
given, there was still the question of how to notify administrators and how to
actually distribute and install the patches, McCorkle said.
Many of the systems that are now Internet accessible were
not originally designed to be connected, and some have embedded Web services
and mobile interfaces that make it even easier to connect remotely. Many SCADA
systems are available online with weak passwords such as '100,' according to
When programmable logic controllers were developed, security
was not a priority, Tiffany Rad, a computer science professor at the University
of Southern Maine, John Strauchs, an engineer, and penetration tester Teague
Newman, concurred in their presentation on SCADA vulnerabilities in
correctional facilities. "Security through obscurity no longer works with
SCADA," Rad said.
Rad and her team were able to find control systems that were
connected to the Internet that administrators hadn't even known about. "The
belief that PLCs are not vulnerable because they're not connected to the
Internet is not true," Strauchs said.
McCorkle cited the work of a different researcher who was
able to locate and map more than 10,000 industrial control systems hooked up to
the public Internet, including water and sewage plants. While some may have
been test systems, some of them were actually in production. Only 17 percent of
the systems found asked remote users for authorization to connect, according to
"People are gonna get owned; it's going to hurt,"
Security researchers have been criticizing how SCADA vendors
handle patching for a long time. At a recent S4 Conference in Miami, a team of
six security researchers assessed the security of six programmable logic
controllers widely used in the industry. One of the tested systems, the D20 ME
PLC from General Electric, lacked security controls, had multiple remotely
exploitable vulnerabilities, and had several "back door"
administrative accounts, the researchers said at S4. Despite the security
issues, statements from GE suggested that fixes are unlikely because of the age
of the hardware being used in the device, researchers said.
That same team partnered with Rapid7 and Tenable Network
Security to release testing modules for Metasploit and Nessus vulnerability
scanning suites that organizations can use to find the disclosed
vulnerabilities within their environments. While the module for GE D20 PLC from
General Electric is available, other modules targeting Rockwell Automation,
Schneider Motion and Koyo/Direct LOGIC controllers are expected soon.