[ISN] SCADA on thin ice - Industrial control systems pose little-noticed security threat

From: InfoSec News (isn@private)
Date: Tue May 09 2006 - 00:18:37 PDT


By Michael Arnone
May 8, 2006 

The electronic control systems that act as the nervous system for all
critical infrastructures are insecure and pose disastrous risks to
national security, cybersecurity experts warn.

Supervisory control and data acquisition (SCADA) and process control
systems are two common types of industrial control systems that
oversee the operations of everything from nuclear power plants to
traffic lights. Their need for a combination of physical security and
cybersecurity has largely been ignored, said Scott Borg, director and
chief economist at the U.S. Cyber Consequences Unit, an independent
research group funded by the Homeland Security Department.

Control systems security is one of six areas of critical
vulnerabilities Borg included in a new cybersecurity checklist
released in April by the research group.

The private-sector owners of critical infrastructure refuse to release
data and deny that their aging, inherently insecure systems pose any
security risk, said Dragos Ruiu, an information technology security
consultant to the U.S. government who runs several hacker conferences.  
Control systems security has been a hot topic in the past year at
those conferences.

"It's one of those issues that is so big, you just don't want to see
it because any solutions will be expensive, awkward and prohibitive,"  
Ruiu added.

Average hackers can break into the systems, said Robert Graham, chief
scientist at Internet Security Systems (ISS). He, Borg and other
experts fear that major cyberattacks on control systems could have
socioeconomic effects as severe and far-reaching as Hurricane Katrina
or even the 1986 Chernobyl nuclear disaster in Ukraine.

Most experts agree that measuring the risk from cyberattacks on
critical infrastructure is difficult. Attacks are rare because control
systems are still complex and individualized enough to make cracking
them difficult, although a hacker who knows a particular system well
can break into it easily, said Jason Larson, senior cybersecurity
researcher at the Idaho National Laboratory, which leads federal
efforts into critical infrastructure cybersecurity.

Even if a facility has not been attacked, that doesn't mean it's
secure or the threat isn't real, said Michael Assante, senior manager
of critical infrastructure protection at the laboratory. "The idea
that the technology is obscure and not well-understood by a potential
aggressor is dangerous thinking," he wrote in an e-mail message.

Government and industry have known for years that critical
infrastructures offer ripe targets for attack. In 2002, the FBI's
National Infrastructure Protection Center found that al Qaeda members
had sought information on control systems for water supply and
wastewater management facilities.

Open-heart surgery

Control systems are built to run around the clock for decades without
interruption or human intervention. A single critical infrastructure
facility can have thousands of SCADA devices spread over hundreds of

Because of the systems' structure and management, standard IT security
practices don't work for them, experts say.

"It's more like open-heart surgery," said William Rush, a physicist at
the Gas Technology Institute, a nonprofit research organization for
the natural gas industry.

The systems have proprietary operating systems and applications that
run on 20- to 30-year-old hardware built before security became a
major IT issue, leaving them riddled with vulnerabilities.

According to conventional wisdom, critical infrastructure owners can't
upgrade or patch systems because any jitter or delay caused by IT
security features could lead to catastrophic breakdowns costing
millions of dollars. Any mistakes in IT implementation could affect
the processes the systems control, leading to product alterations,
chemical interactions, explosions or worse.

The situation got even more complicated in late 2001 when
infrastructure owners started connecting their control systems to
Internet-enabled corporate networks to maximize the use of their
sophisticated equipment, said Eric Byres, research leader at the
Internet Engineering Lab at the British Columbia Institute of
Technology, a leading industrial cybersecurity research facility.

That introduced new vulnerabilities on top of existing ones and
created complex connections that opened new backdoors, Byres said. The
result is a smorgasbord for would-be attackers. "It's open season," he

'The stories here are terrifying'

Utility owners say they realize cyberattacks pose a risk but don't see
it as a huge problem, Rush said. The federal government says industry
is responsible for protecting critical infrastructure and has told
both industry and vendors to get moving. Vendors, however, are waiting
for sufficient demand for security products to make them, while
industry is waiting for an ample supply of products to buy them.

"It's a chicken-and-egg situation," Rush said. All parties are waiting
for government standards to guide and certify their efforts.

But Rush and other experts who are passionate about improving security
fume at the delays. "Everyone's waiting for a major catastrophe to
happen before they do anything," Graham said. "There will never be a
big move until the government or [malicious] hackers force it."

Until then, tailored attacks by an individual or a massive worm attack
could bring down critical infrastructure. "The stories here are
terrifying," Borg said.

In January 2003, the Slammer worm infected the safety monitoring
system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and
replicated so fast that it disabled the system for nearly five hours.  
The worm knocked out the plant's central command system for six hours.  
A report from the North American Electric Reliability Council found
that power wasn't disrupted, but the failure stopped commands to other
power utilities.

At the Black Hat Federal conference in Arlington, Va., in January,
Graham presented a dozen horror stories of control system insecurity.  
For example, during negotiations to provide penetration testing to a
critical infrastructure facility, the facility's operators confidently
told an ISS team they didn't need help because their control system
was already secure.

The ISS team promptly found an unsecured wireless access point
connected to the facility's business network, which in turn linked to
the control system, Graham said. Using a 10-year-old exploit for Sun
Microsystems' Solaris operating system, the team took over the control
system as the operators watched. When the team was within a few
keystrokes of breaking something sensitive, the facility's operators
begged them to stop. Needless to say, he said, ISS got the job.

Solutions grow into maturity

The control systems security situation isn't all bad, said John Sebes,
chief technology officer and general manager of the public sector at
Solidcore, which develops software that monitors changes to servers
and prevents unauthorized code from running on them. The
vulnerabilities are real and serious, but facilities now have their
pick of mature security products to harden their systems, he said.  
With work and patience, critical infrastructure sectors have found
they can use IT security best practices and install commercial IT
security products without crashing control systems, he said.

"Industry as a whole has been moving away from the Chicken Little
syndrome," said Keith Stouffer, a mechanical engineer in the
Intelligence Systems Division of the National Institute of Standards
and Technology's Mechanical Engineering Laboratory. "The problem is
addressable. Let's start addressing it."

Industry better get a move on as attackers ramp up attacks, Graham
said. ISS is predicting an increased frequency of minor attacks on
control systems during the next three years. "We see it's inevitable,"  
Graham said. "We have seen it in every other industry, and these guys
are next."

Attend the Black Hat Briefings and
Training, Las Vegas July 29 - August 3
2,500+ international security experts from 40 nations,
10 tracks, no vendor pitches.

This archive was generated by hypermail 2.1.3 : Tue May 09 2006 - 00:42:07 PDT