Black Hat: Poor SCADA systems security 'like a ticking time bomb'

An analysis of 120 security assessments at power plants, oil and chemical refineries and other critical systems revealed tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.

LAS VEGAS -- An analysis of more than 120 security assessments of the networks and systems that manage power plants, oil refineries and other critical national infrastructure facilities across the U.S. uncovered tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.

Jonathan Pollet, founder and principal consultant of Red Tiger Security, a Houston-based firm specializing in security for national critical infrastructure, conducted and analyzed the assessments, which took place during the past nine years. During a presentation Wednesday at Black Hat 2010, Pollet said the companies that maintain critical infrastructure facilities must be forced to improve security.

"It's kind of like a ticking time bomb," Pollet said. "I'm hoping the message that we're giving here can open a few eyes."

While companies that run supervisory control and data acquisition systems (SCADA) often claim those systems are secure because they are disconnected from the outside world and surrounded by a myriad of physical and technical security controls, Pollet's analysis of the assessments found just the opposite to be true.

Pollet said some facilities had computers running Windows 95, while machines critical to the operations of the facilities were riddled with unauthorized software, from peer-to-peer applications to games to pornography.

Not surprisingly, Pollet said much of that unauthorized software contained major vulnerabilities, including downloaders designed to connect to the Internet. Applications were found that connect to gaming software servers, adult video directory scripts and online dating service databases. At one facility, security experts discovered a machine at the core of the operation had the popular Counter Strike game installed, which connects to an external server to compete with other players.

"There's no need for a zero-day," Pollet said, "there are already plenty of ways in."

Critical infrastructure and SCADA system security have been an increasing priority of the federal government in recent years. A report issued by McAfee Inc. and the Center for Strategic and International Studies (CSIS) found that critical infrastructure facilities in many developed countries are in dire need of security improvements. In the same report, two-thirds of the 600 IT and security executives surveyed acknowledged that their SCADA systems were connected to IP networks or the Internet, creating security issues that were not being addressed.

Pollet found that some of the central SCADA systems can be accessed via the business systems they are connected to. Other attack vectors come from configuration issues, poorly programmed firewalls and security systems that lack maintenance. Pollet called the demilitarized zone (DMZ), an area between operational SCADA systems and business systems, a "no man zone" where corporate IT professionals don't know how to manage SCADA operational data and SCADA operators assume the middle infrastructure is owned by someone else. About half of all the vulnerabilities (18,000) were discovered in the middle layer.

"It's the most connected part of the critical infrastructure," Pollet said. "Once you're in that middle layer you're pretty much home free in terms of what you can access."
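A defender-side check for the segmentation problem described above, added here as an example and not taken from the talk or from Red Tiger Security: it audits a constructed firewall rule list against the business / DMZ / control zone model and flags allow rules that let business or outside hosts reach the control zone without traversing the DMZ, grant unrestricted service access into it, or let control hosts reach outside networks. The zone address ranges, rule format and rule names are assumptions.

```python
"""Audit a zoned firewall rule set for SCADA/DMZ segmentation gaps.

Added example, not code from the article or Red Tiger Security. The
three-zone model (business -> DMZ -> control) follows the article; the zone
ranges, rule format and sample rules below are constructed for illustration.
"""
from dataclasses import dataclass
import ipaddress

# Constructed zone map: which address ranges belong to which zone.
ZONES = {
    "business": ipaddress.ip_network("10.1.0.0/16"),
    "dmz": ipaddress.ip_network("10.2.0.0/24"),
    "control": ipaddress.ip_network("10.3.0.0/16"),
}

@dataclass(frozen=True)
class Rule:
    name: str
    src: str     # CIDR or "any"
    dst: str     # CIDR or "any"
    port: str    # e.g. "1433" or "any"
    action: str  # "allow" or "deny"

def zone_of(cidr: str) -> str:
    """Map a CIDR (or 'any') to a zone name; unknown ranges are 'external'."""
    if cidr == "any":
        return "any"
    net = ipaddress.ip_network(cidr, strict=False)
    for name, zone in ZONES.items():
        if net.subnet_of(zone):
            return name
    return "external"

def audit(rules):
    """Return (rule name, finding) pairs for allow rules that break the model."""
    findings = []
    for r in rules:
        if r.action != "allow":
            continue
        s, d = zone_of(r.src), zone_of(r.dst)
        if d in ("control", "any") and s in ("business", "external", "any"):
            findings.append((r.name, "control zone reachable without traversing the DMZ"))
        if d == "control" and r.port == "any":
            findings.append((r.name, "unrestricted service access into control zone"))
        if s in ("control", "any") and d in ("external", "any"):
            findings.append((r.name, "control zone may reach outside networks"))
    return findings

# Constructed sample rule set: two sound rules, two that defeat the DMZ, a default deny.
SAMPLE_RULES = [
    Rule("hist-to-dmz", "10.3.10.0/24", "10.2.0.10/32", "1433", "allow"),  # historian replica push
    Rule("biz-to-dmz-web", "10.1.0.0/16", "10.2.0.20/32", "443", "allow"),  # business reads DMZ web
    Rule("biz-to-plc-any", "10.1.0.0/16", "10.3.0.0/16", "any", "allow"),   # bypasses the DMZ entirely
    Rule("ctrl-to-internet", "10.3.0.0/16", "any", "any", "allow"),         # control hosts reach out
    Rule("default-deny", "any", "any", "any", "deny"),
]
```

Run `audit(SAMPLE_RULES)` to see the two offending rules reported; the same function can be pointed at an exported rule list once it is mapped into `Rule` records.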

Many of the vulnerabilities were contained in Web servers, business applications and the database servers connected to them. Most systems were plagued with common errors, vulnerable to SQL injection, cross-site scripting and denial-of-service attacks. More than half of systems (62%) were running on Microsoft-based operating systems. Red Hat Linux made up 11% of the systems.

Making matters worse, Pollet found the time between when a vulnerability is disclosed to the public and when it is detected by control system operators was almost a year (330 days). In some cases, operators took even longer to deploy a patch because some systems can't be taken offline at all, while others are too important to risk installing a patch that would break or disrupt a critical process.

Some security improvements can come from increased vigilance by regulators. The North American Electric Reliability Corporation (NERC) maintains Critical Infrastructure Protection Standards and the International Society of Automation, an independent organization, maintains similar standards (ISA S99). Pollet said the two standards provide a common security framework that could be used to improve security at facilities.
