Wielding a relatively simple piece of code, Jonathon Pollet reached through cyber space into an industrial plant and disabled its emergency shutdown system and changed the states of individual tags at will. Fortunately, the plant in question was hypothetical, but the all-too-real demonstration drove home for attendees of Pollet's cybersecurity presentation at this week's ABB Automation & Power World just how vulnerable industrial control systems can be to cyber attack.
Industrial control systems and supervisory control and data acquisition (SCADA) systems are low-hanging fruit for hackers, said Pollet, who is founder and principal consultant for Red Tiger Security, in part because they do not go through the same rigorous security testing that commercial IT systems do.
"On average, Microsoft will put its software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs—yet we still find plenty of Microsoft vulnerabilities being discovered and reported," said Pollet. And because industrial control practices typically lag IT practices by five to 10 years, control system suppliers have only recently begun testing their products for security flaws, Pollet said. "Thousands of legacy products out there were never tested for simple cybersecurity flaws like buffer overflows."
Further, Pollet pointed out, there now exists a market in control systems exploits, where hackers can simply buy a way to attack a control system. In March 2011, Luigi Auriemma, an Italian security analyst (read "hacker") released 34 SCADA system vulnerabilities all at once, followed by another release in September 2011 of another bundle of exploits and vulnerabilities of six more industrial control systems.
Another example discussed by Pollet is "Project Basecamp," an attempt by an irate and frustrated Dale Peterson of Digital Bond to embarrass SCADA and control system vendors into fixing vulnerabilities that have been known for years. Peterson's team focused on six major programmable logic controller platforms and discovered "backdoors, weak credential storage, the ability to change ladder logic and firmware," and much more.
And the next threat to control system security may come through a smart phone or tablet, Pollet predicts. As mobile devices proliferate in the plant environment, hackers will attempt to access control systems using these mobile devices. The potential pathway is clear: In several instances, he's found a smart phone plugged directly into a plant's distributed control system console.
"The sky is not falling…yet," Pollet concluded, citing the need for both end users and suppliers to do much more to secure their facilities. An array of protective technologies and defense-in-depth practices can "hold back the tide," he said, encouraging his audience to get training, become informed and to establish policies and procedures that will help mitigate the risk of attack.