CANCUN, Mexico – The troubled state of industrial control system (ICS) security is probably the worst kept secret in information security circles. These systems that monitor, manage and administer everything from nuclear power plants and other utilities to HVAC installations, robotics and even prison cell doors, are whistling past the graveyard, according to experts.
“The state of ICS security is really laughable,” said researcher Terry McCorkle. “I don’t know what else to say about it.”
McCorkle presented research Friday at the Kaspersky Security Analyst Summit 2012 that he and fellow researcher Billy Rios conducted over the last nine months examining the security, availability and reachability online of Human Machine Interfaces (HMIs) that translate SCADA system data into a visual representation of an industrial system. Operators use the HMI to see schematics of industrial systems and can use the interface, for example, to turn switches and pumps on or off, or raise or lower temperatures. HMIs are usually deployed on Windows machines and communicate with programmable logic controllers (PLCs) and other controllers that run industrial systems.
McCorkle said he and Rios entered their research project with the goal of finding 100 bugs in 100 days. Their assumption was that security had evolved to the point where 100 bugs in 100 days was a reasonable goal. In the nine months since the project was initiated, the researchers have found more than 1,000 bugs, 95 of which were easily exploitable. All have been reported to the vendors in question through the ICS-CERT, McCorkle said.
“100 bugs sounds like a lot, we figured, because software development and security has evolved,” McCorkle said. “We figured ICS people were keeping up. The reality is they’re stuck back in the ‘90s. Secure development lifecycles don’t exist and there’s still a lot of other stuff missing.”
McCorkle and Rios found a boatload of buffer overflow errors, SQL database holes, Web-based vulnerabilities such as cross-site scripting and ActiveX vulnerabilities. McCorkle explained one instance where he was able to open a command shell through an online ActiveX control. Anyone who had access to the control would be able to remotely run any commands, he said.
“The ICS industry has never looked at fuzzing anything because they have no SDL,” McCorkle said.
The problem, he said, is that SCADA and ICS managers believe that because their systems are segregated from the Internet, they’re unreachable. With thousands of HMIs listening online, however, easily accessible and exploitable, that theory is turned on its head. Not only are they reachable, but security is often disabled by default on these systems, even though they are accessible through remote desktop administration tools such as VNC. More fundamentally, system manuals recommend that vulnerability scans and other security controls not be run against ICS systems.
Further complicating matters is that third parties often manage ICS and have no stake in security. Local engineers don’t want to patch vulnerabilities for fear the fix will break a process. And IT has to meet internal uptime SLAs. McCorkle said all this conspires to keep ICS security at its laughable level.
“This needs to be taken back to the vendor to provide an automated means to patch systems,” he said. “Microsoft didn’t always have automated notification and resources. The reason they created them was because customers demanded it. The third parties running these systems have no interest in the customer. When patches are released, it’s totally on the customer right now. It has to be pushed back to creating a mechanism to do this.”