Black Hat: Poor SCADA systems security 'like a ticking time bomb'

By Robert Westervelt, News Director
29 Jul 2010 | SearchSecurity.com


LAS VEGAS -- An analysis of more than 120 security assessments of the networks and systems that manage power plants, oil refineries and other critical national infrastructure facilities across the U.S. uncovered tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.

Jonathan Pollet, founder and principal consultant of Red Tiger Security, a Houston-based firm specializing in security for national critical infrastructure, conducted and analyzed the assessments, which took place during the past nine years. During a presentation Wednesday at Black Hat 2010, Pollet said the companies that maintain critical infrastructure facilities must be forced to improve security.

"It's kind of like a ticking time bomb," Pollet said. "I'm hoping the message that we're giving here can open a few eyes."

While companies that run supervisory control and data acquisition (SCADA) systems often claim those systems are secure because they are disconnected from the outside world and surrounded by a myriad of physical and technical security controls, Pollet's analysis of the assessments found just the opposite to be true.

Pollet said some facilities had computers running Windows 95, while machines critical to the operations of the facilities were riddled with unauthorized software, from peer-to-peer applications to games to pornography.

Not surprisingly, Pollet said much of that unauthorized software contained major vulnerabilities, including downloaders designed to connect to the Internet. Applications were found that connect to gaming servers, adult video directory scripts and online dating service databases. At one facility, assessors discovered that a machine at the core of the operation had the popular game Counter-Strike installed, which connects to an external server so players can compete against one another.
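The findings above reduce to two checks an operator can run continuously: does any control-zone host initiate connections to the Internet (or straight into the business network), and is any process doing so absent from that host's approved-software baseline? The following is an added example written for this article, not code from Red Tiger Security or any assessed facility; the zone ranges, the approved-process list and the connection log lines are constructed for illustration.

```python
"""Flag control-zone hosts that reach the Internet or run software that is not approved.

Added example for this article; it is not code from Red Tiger Security or any
assessed facility. Zone ranges, the approved-process list and the log lines are
all constructed for illustration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List

# Hypothetical zone layout. Anything outside these ranges is treated as the Internet.
ZONES = {
    "control": ipaddress.ip_network("10.10.0.0/16"),
    "dmz": ipaddress.ip_network("10.20.0.0/16"),
    "enterprise": ipaddress.ip_network("10.30.0.0/16"),
}

# Hypothetical baseline of process images expected on a control-zone host.
APPROVED_PROCESSES = {"hmi.exe", "opcserver.exe", "historian_agent.exe", "svchost.exe"}

# Constructed connection records (one per outbound connection), in the form:
#   <timestamp> host=<name> src=<ip> proc=<image> dst=<ip>:<port> proto=<tcp|udp>
SAMPLE_LOG = """\
2010-07-28T09:12:01 host=hmi-01 src=10.10.1.5 proc=hmi.exe dst=10.10.1.10:502 proto=tcp
2010-07-28T09:12:07 host=hmi-01 src=10.10.1.5 proc=game_client.exe dst=203.0.113.7:27015 proto=udp
2010-07-28T09:13:44 host=eng-ws-02 src=10.10.2.9 proc=p2p_client.exe dst=198.51.100.23:6881 proto=tcp
2010-07-28T09:14:02 host=hmi-01 src=10.10.1.5 proc=historian_agent.exe dst=10.20.0.4:1433 proto=tcp
2010-07-28T09:15:30 host=hist-dmz src=10.20.0.4 proc=sqlservr.exe dst=10.30.5.6:1433 proto=tcp
"""


@dataclass
class Finding:
    host: str
    process: str
    dest: str
    reason: str


def zone_of(ip: str) -> str:
    """Map an address to a zone name, or 'internet' if it is in none of them."""
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "internet"


def parse_line(line: str) -> Dict[str, str]:
    """Split one 'key=value' record into a dict; dst is also split into ip and port."""
    ts, *fields = line.split()
    rec = {"ts": ts}
    for field in fields:
        key, value = field.split("=", 1)
        rec[key] = value
    rec["dst_ip"], rec["dst_port"] = rec["dst"].rsplit(":", 1)
    return rec


def analyze(log_text: str) -> List[Finding]:
    """Apply the checks to every connection initiated by a control-zone host."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if zone_of(rec["src"]) != "control":
            continue  # only control-zone hosts are policed here
        dst_zone = zone_of(rec["dst_ip"])
        if dst_zone == "internet":
            findings.append(Finding(rec["host"], rec["proc"], rec["dst"],
                                    "control-zone host initiated a connection to the Internet"))
        elif dst_zone == "enterprise":
            findings.append(Finding(rec["host"], rec["proc"], rec["dst"],
                                    "control-zone host reached the enterprise network directly, bypassing the DMZ"))
        if rec["proc"] not in APPROVED_PROCESSES:
            findings.append(Finding(rec["host"], rec["proc"], rec["dst"],
                                    "process is not on the approved-software baseline"))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f.host:10} {f.process:22} -> {f.dest:22} {f.reason}")
```

Run against the constructed log, the two Internet-bound connections (the game client and the peer-to-peer client) each produce a zone finding and a baseline finding, the historian feed into the DMZ is silent, and the DMZ historian's own traffic is ignored because the check is scoped to control-zone sources. In practice the log source would be host-based connection telemetry or firewall logs and the baseline would come from the vendor's documented software list for each host role.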

"There's no need for a zero-day," Pollet said. "There are already plenty of ways in."

Critical infrastructure and SCADA security have become an increasing priority for the federal government in recent years. A report issued by McAfee Inc. and the Center for Strategic and International Studies (CSIS) found that critical infrastructure facilities in many developed countries are in dire need of security improvements. In the same report, two-thirds of the 600 IT and security executives surveyed acknowledged that their SCADA systems were connected to IP networks or the Internet, creating security issues that were not being addressed.

Pollet found that some central SCADA systems can be reached through the business systems they are connected to. Other attack vectors come from configuration errors, poorly written firewall rule sets and security systems that are not maintained. Pollet called the demilitarized zone (DMZ), the layer between operational SCADA systems and business systems, a "no man zone": corporate IT staff don't know how to manage SCADA operational data, and SCADA operators assume the middle infrastructure is owned by someone else. About half of all the vulnerabilities found, roughly 18,000, were in that middle layer.

"It's the most connected part of the critical infrastructure," Pollet said. "Once you're in that middle layer you're pretty much home free in terms of what you can access."
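The DMZ problem Pollet describes is usually visible in the firewall policy itself: a rule that lets the business network straight into the control zone, "any port" rules between zones, or no terminal default-deny. The following is an added example for this article, not the policy of any assessed facility. It encodes the three-zone model as a list of rules, shows a weak rule set of the kind the article describes beside a corrected one, and evaluates both with first-match semantics; the zone names, services and port numbers are constructed.

```python
"""Check a firewall rule set against a three-zone (enterprise / DMZ / control) model.

Added example for this article, not the policy of any assessed facility.
Zone names, services and both rule sets below are constructed for illustration.
"""
from typing import List, Sequence, Tuple

# Rule format: (src_zone, dst_zone, dst_port or "any", action). Rules are
# evaluated top to bottom; the first match wins, and no match means deny.
Rule = Tuple[str, str, object, str]

# Hypothetical "as found" policy: the business network is allowed straight into
# the control zone, the DMZ may reach any control-zone port, and the control
# zone may initiate connections back out to the business network.
WEAK_POLICY: List[Rule] = [
    ("enterprise", "control", "any", "allow"),
    ("dmz", "control", "any", "allow"),
    ("control", "enterprise", "any", "allow"),
    ("enterprise", "dmz", 443, "allow"),
]

# Corrected policy: enterprise talks only to the DMZ, the DMZ reaches the control
# zone only for the historian feed (port is hypothetical), the control zone never
# initiates outbound, and a terminal default-deny closes everything else.
HARDENED_POLICY: List[Rule] = [
    ("enterprise", "dmz", 443, "allow"),
    ("dmz", "control", 1433, "allow"),
    ("any", "any", "any", "deny"),
]


def check_policy(rules: Sequence[Rule]) -> List[str]:
    """Return a list of structural problems; an empty list means the model holds."""
    problems: List[str] = []
    for src, dst, port, action in rules:
        if action != "allow":
            continue
        if {src, dst} == {"enterprise", "control"}:
            problems.append(f"direct {src}->{dst} rule bypasses the DMZ")
        if src == "control" and dst != "control":
            problems.append(f"control zone may initiate connections to {dst}")
        if port == "any" and src != dst:
            problems.append(f"{src}->{dst} allows any port; restrict to named services")
    if not rules or rules[-1] != ("any", "any", "any", "deny"):
        problems.append("no terminal default-deny rule")
    return problems


def is_allowed(rules: Sequence[Rule], src: str, dst: str, port: int) -> bool:
    """First-match evaluation of one flow; an implicit deny applies if nothing matches."""
    for r_src, r_dst, r_port, action in rules:
        if r_src in (src, "any") and r_dst in (dst, "any") and r_port in (port, "any"):
            return action == "allow"
    return False


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("hardened", HARDENED_POLICY)):
        print(f"{name}: {check_policy(policy) or 'no structural problems'}")
        # Modbus/TCP (502) from a business workstation straight to a controller
        print(f"  enterprise->control:502 allowed? {is_allowed(policy, 'enterprise', 'control', 502)}")
```

The weak policy passes a Modbus/TCP connection from a business workstation straight to a controller, which is exactly the "home free" path once an attacker holds any enterprise host; the hardened policy denies it while still permitting the one named DMZ-to-control service. A real deployment would also pin rules to source and destination addresses rather than whole zones, but the zone-level checks are the ones that catch the ownership gap the article describes.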

Many of the vulnerabilities were in Web servers, business applications and the database servers behind them. Most systems were plagued by common errors and were vulnerable to SQL injection, cross-site scripting and denial-of-service attacks. Well over half of the systems (62%) ran Microsoft operating systems; Red Hat Linux accounted for 11%.
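A DMZ web front end that exposes historian data to the business network is a typical place for the SQL injection and cross-site scripting findings above, and a single injection can turn a read-only "public tags" page into a dump of everything the historian holds. The following is an added example for this article, not code from any assessed facility: a constructed tag table with a zone filter, the query as it is commonly found in the field beside its parameterized form, and output encoding for the rendered page.

```python
"""SQL injection in a DMZ web front end: string-built query beside a parameterized one.

Added example for this article, not code from any assessed facility. The
'tags' table, its rows and the tag-lookup function are constructed.
"""
import html
import sqlite3
from typing import List, Tuple


def make_db() -> sqlite3.Connection:
    """Constructed historian table; 'restricted' rows must never reach the web page."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tags (name TEXT, unit TEXT, value REAL, zone TEXT)")
    conn.executemany("INSERT INTO tags VALUES (?, ?, ?, ?)", [
        ("PUMP1_PRESSURE", "psi", 42.5, "public"),
        ("TURBINE_RPM", "rpm", 3600.0, "restricted"),
        ("BREAKER_STATE", "bool", 1.0, "restricted"),
    ])
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, tag_name: str) -> List[Tuple[str, float]]:
    """As found in the field: user input concatenated into the SQL text.

    A value such as  ' OR '1'='1  rewrites the WHERE clause so the zone filter
    no longer applies and every row, restricted ones included, is returned.
    """
    query = f"SELECT name, value FROM tags WHERE zone = 'public' AND name = '{tag_name}'"
    return conn.execute(query).fetchall()


def lookup_parameterized(conn: sqlite3.Connection, tag_name: str) -> List[Tuple[str, float]]:
    """Hardened: the driver binds the value, so it can never alter the query structure."""
    return conn.execute(
        "SELECT name, value FROM tags WHERE zone = 'public' AND name = ?", (tag_name,)
    ).fetchall()


def render_row(name: str, value: float) -> str:
    """Output encoding closes the reflected cross-site scripting hole on the same page."""
    return f"<td>{html.escape(name)}</td><td>{value}</td>"


# Classic tautology payload, supplied as the tag name by an attacker on the business network.
PAYLOAD = "' OR '1'='1"


if __name__ == "__main__":
    db = make_db()
    print("vulnerable  :", lookup_vulnerable(db, PAYLOAD))
    print("parameterized:", lookup_parameterized(db, PAYLOAD))
    print(render_row("<script>alert(1)</script>", 1.0))
```

With the payload, the string-built query returns all three rows because `AND` binds tighter than `OR`, leaving `OR '1'='1'` to match everything; the parameterized query treats the same text as a literal tag name and returns nothing. The encoding in `render_row` is the matching fix for the cross-site scripting finding: tag names that arrive from the browser or from another system are rendered as text, not markup.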

Making matters worse, Pollet found that the gap between public disclosure of a vulnerability and its detection by control system operators averaged almost a year (330 days). Deploying a patch took even longer in some cases, because some systems cannot be taken offline at all and others are too important to risk a patch that might break or disrupt a critical process.

Some security improvements can come from increased vigilance by regulators. The North American Electric Reliability Corporation (NERC) maintains the Critical Infrastructure Protection (CIP) standards, and the International Society of Automation (ISA), an independent standards body, maintains a similar series (ISA S99). Pollet said the two standards provide a common security framework that could be used to improve security at these facilities.
