LAS VEGAS -- An analysis of more than 120 security assessments of the networks and systems that manage power plants, oil refineries and other critical national infrastructure facilities across the U.S. uncovered tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.
Jonathan Pollet, founder and principal consultant of Red Tiger Security, a Houston-based firm specializing in security for national critical infrastructure, conducted and analyzed the assessments, which took place during the past nine years. During a presentation Wednesday at Black Hat 2010, Pollet said the companies that maintain critical infrastructure facilities must be forced to improve security.
"It's kind of like a ticking time bomb," Pollet said. "I'm hoping the message that we're giving here can open a few eyes."
While companies that run supervisory control and data acquisition systems (SCADA) often claim those systems are secure because they are disconnected from the outside world and surrounded by a myriad of physical and technical security controls, Pollet's analysis of the assessments found just the opposite to be true.
Pollet said some facilities had computers running Windows 95, while machines critical to the operations of the facilities were riddled with unauthorized software, from peer-to-peer applications to games to pornography.
Not surprisingly, Pollet said much of that unauthorized software contained major vulnerabilities, including downloaders designed to connect to the Internet. Applications were found that connect to gaming software servers, adult video directory scripts and online dating service databases. At one facility, security experts discovered that a machine at the core of the operation had the popular Counter Strike game installed, which connects to an external server to compete with other players.
Pollet found that some of the central SCADA systems can be accessed via the business systems they are connected to. Other attack vectors come from configuration issues, poorly programmed firewalls and security systems that lack maintenance. Pollet called the demilitarized zone (DMZ), an area between operational SCADA systems and business systems, a "no man zone" where corporate IT professionals don't know how to manage SCADA operational data and SCADA operators assume the middle infrastructure is owned by someone else. About half of all the vulnerabilities (18,000) were discovered in the middle layer.
"It's the most connected part of the critical infrastructure," Pollet said. "Once you're in that middle layer you're pretty much home free in terms of what you can access."
Many of the vulnerabilities were contained in Web servers, business applications and the database servers connected to them. Most systems were plagued with common errors and were vulnerable to SQL injection, cross-site scripting and denial-of-service attacks. More than half of the systems (62%) were running Microsoft-based operating systems. Red Hat Linux made up 11% of the systems.
Making matters worse, Pollet found the time between when a vulnerability is disclosed to the public and when it is detected by control system operators was almost a year (330 days). In some cases, operators took even longer to deploy a patch because some systems can't be taken offline at all, while others are too important to risk installing a patch that would break or disrupt a critical process.
Some security improvements can come from increased vigilance by regulators. The North American Electric Reliability Corporation (NERC) maintains Critical Infrastructure Protection Standards and the International Society of Automation, an independent organization, maintains similar standards (ISA S99). Pollet said the two standards provide a common security framework that could be used to improve security at facilities.