CANCUN–For people who follow the developments in the security and research communities, it’s easy to get discouraged by the current state of affairs, given the rash of serious hacks on certificate authorities, military networks and companies such as RSA and VeriSign. But, if you think things are bad there, you may not want to look at what’s happening in the ICS and SCADA communities. It’s getting ugly early.
Examples of the woeful state of security in these control systems are not difficult to come by these days. Researchers have been speaking publicly about some of them for a couple of years now, and a group recently discussed a huge set of vulnerabilities it found during an extended project looking at PLCs (programmable logic controllers). That talk at the S4 conference showed just how vulnerable such systems are to a wide variety of attacks.
“It’s a blood bath mostly,” Reid Wightman, a consultant at Digital Bond, said during that conference last month. “Many of these devices lack basic security features.”
During talks on SCADA security problems at the Kaspersky-Threatpost Security Analyst Summit here Friday, several other researchers described the serious issues inherent in these ICS installations, and the picture they painted was one of systemic problems and a culture of naivete about security in general. Terry McCorkle, an industry researcher, discussed a research project he did with Billy Rios in which they went looking for bugs in ICS systems, hoping to find 100 bugs in 100 days. That target turned out to be a serious underestimate of the problem.
“It turns out they’re stuck in the Nineties. The SDL doesn’t exist in ICS,” McCorkle said. “There are a lot of ActiveX and file format bugs and we didn’t even bother looking at problems with services. Ultimately what we found is the state of ICS security is kind of laughable.”
Terry McCorkle, photo via Nikita Shvetsov
McCorkle and Rios, who reported all of their findings to the affected vendors and through ICS-CERT, found that the basic security model underlying the ICS systems that run critical services such as power and water is completely inadequate. Many of the systems now exposed to the Internet were never designed with that connectivity in mind, and some of them now have mobile interfaces that run on smartphones, opening up an entirely new set of issues.
“People are gonna get owned, it’s going to hurt,” McCorkle said. “These HMIs are listening, they’re out there and they give access to these systems that are supposed to be segregated.”
Tiffany Rad, a computer science professor at the University of Southern Maine and an intellectual property attorney, said during her talk here on vulnerabilities in the ICS systems at correctional facilities that there is a serious, overarching set of problems that needs to be addressed.
“Security through obscurity no longer works with SCADA,” she said. “The belief that PLCs are not vulnerable because they’re not connected to the Internet is not true.”
Rad, her father John Strauchs, who is an engineer, and penetration tester Teague Newman spoke about research they had done that found a broad set of vulnerabilities that likely cannot be fixed through patching and other technical means.
“It would cost hundreds of billions of dollars to fix these problems physically,” said Strauchs, who has done engineering design for more than a hundred jails and prisons. “The only solution is [user] training.”