Experts Say Industrial Control System Security is a Decade Behind Enterprise IT Security
It seems strange that a burned out water pump would be at the center of suspected cyber-attack. Yet that is exactly what appears to be the case.
News last week that a cyber-attack may have caused the burnout of a pump at a facility in Illinois has put the focus back on critical infrastructure security and the SCADA (supervisory control and data acquisition) software that runs it.
“SCADA systems were never intended to be connected to the Internet, and so they lacked many of the security controls and features we see in modern IT systems,” opined Rick Moy, CEO of NSS Labs. “ICS (industrial control system) security is probably 10 years behind enterprise IT security in this regard.”
It should be said that it is not known for certain whether the hack described in the report by the Illinois Statewide Terrorism and Intelligence Center was actually responsible for the damage to the water pump at the Curran-Gardner Townships Public Water District, which serves about 2,200 customers west of Springfield, Ill. The U.S. Department of Homeland Security (DHS) originally downplayed the attack reports, and late Thursday, continued to defend its stance on the incident, saying there was no evidence to support claims made in the initial report, which were “based on raw, unconfirmed data and subsequently leaked to the media – that any credentials were stolen, or that the vendor was involved in any malicious activity that led to a pump failure at the water plant.”
But what is known is that original attempts by the DHS to downplay the threat spurred a hacker to exploit weak passwords at a water utility in South Houston, TX, to swipe screenshots and post them to the Internet.
That hacker, who goes by the alias “Pr0f”, told Threatpost he remotely compromised the Texas plant’s SCADA systems after using a scanner to discover a vulnerable system. According to Pr0f, the plant had an instance of Siemens Simatic human interface (HMI) software that was accessible from the Internet and was protected with a guessable, three-character password.
“I wouldn’t even call this a hack, either…This required almost no skill and could be reproduced by a two year old with a basic knowledge of Simatic,” he wrote on Pastebin.
Siemens did not respond to questions from SecurityWeek Tuesday as to whether or not the compromised password was a company default, but to Moy, the situation is another example of weak authentication and password security is in SCADA devices and protocols. For example, he noted, several older models of S7 devices have hardcoded passwords.
Italian security researcher Luigi Auriemma, who uncovered a number of vulnerabilities in SCADA systems earlier this year, said authentication for critical infrastructure systems should be multi-layered.
“It would be good to have various solutions like at least the usage of certificates, different accounts for each operator (maybe to limit the impact of a password lost) and public-key encryption,” he said. “Anyway remember that the limitations for the attacker permitted by the technology can be bypassed with social engineering and the human factor. There is nothing to protect you versus a valid username and password in the wrong hands.”
There are two security challenges facing SCADA software, he continued. One is the prospect of security vulnerabilities in the software itself; the other is improper configurations and bad security around the software.
“A SCADA system, like any system, can only ever be as secure as those who use it,” said Eric Knapp, director of critical infrastructure markets for NitroSecurity. “The complication arises when you consider the environments that use SCADA, which have three common qualities. First, they represent automated systems that if compromised can impact some sort of production, and which typically have safety concerns as well. Second, they’re highly vulnerable by nature, because by design they are command-and-control systems whose sole purpose is to allow users to monitor and manipulate an automated process. Third, they have high reliability requirements.”
In the best case, downtime has economic impact; in the worst case it has greater loss up to and including loss of life, Knapp explained. Such stakes may explain why critical systems have been seen running older operating systems such as Windows 95 – a fact that can bring with it its own set of security issues.
The challenges are exacerbated by such systems being connected to the Internet.
“SCADA Security is typically a decade behind other large enterprise security systems,” explained Anup Ghosh, CEO of Invincea and a former scientist at the Defense Advanced Research Projects Agency (DARPA). “Cost tends to be the primary motivational factor in utility plants. As a result, spending on IT systems and security tends to be relegated to the margins. As utility plants began to automate from analog systems to digital control, they embraced cheap “plug-n-play” systems to quickly interconnect remote and distributed sites over Internet protocol because it was cheap and interoperable. In so doing, secure architecture wasn’t a primary design consideration.
As a result, many of the SCADA systems are connected to public networks via the Internet and can be discovered and potentially breached, Ghosh said.
“As homes, buildings, highways, and other physical infrastructure become automated, they also become interconnected because of the necessity for sharing intelligence and optimization,” he said. “These networked physical systems present an opportunity for malicious actors to gain access and create potential physical effects, like those we saw at Natanz in Iran (Stuxnet) as well as the wastewater treatment plant in Australia and the water plant in Illinois.”
Related Reading: Industrial Control Systems Security One Year After Stuxnet
Related Reading: Are Industrial Control Systems Secure?
Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers
Related Reading: The Increasing Importance of Securing The Smart Grid
Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?