@ABBAPWorld: An Unsecure Plant is Not a Safe Plant: Hacking SCADA Systems
(this was cross posted to Unfettered)
Jonathan Pollet, of Red Tiger Security, an extremely well known Industrial Control System and SCADA security authority reprised the lecture he gave in March at SANS. Marcus Braedle of ABB, the session host, was at some pains to assure the listeners that the point of the talk was to illustrate what could happen to anybody, not to trash any of the companies whose equipment was used as examples.
Pollet showed how easily a relatively simple cyber attack could disable the ESD system in a plant, and change states of individual tag numbers from on to off, for example. Clearly doing this would probably not be good for the plant.
Pollet started his discussion with an overview of the state of hacking with respect to ICS and SCADA systems. SCADA and ICS systems are the low hanging fruit for hackers. The reason is simple, Pollet said. SCADA and ICS Hardware/Software do not go through the same rigorous security lifecycle process as Information Technology systems.
On average, Microsoft will put their software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs....and yet we still find plenty of vulnerabilities still being discovered and reported for Microsoft software. Control System vendors, if they actually test their systems for bugs at all, will typically only run their applications through basic regression tests, and this process is maybe 5% of what Microsoft does to test their code.
The SCADA / ICS world lags the IT world typically by 5 to 10 years, so we are only recently seeing the larger Control System vendors building plans to test their products for security flaws. All of those thousands of legacy products out there were NEVER tested for simple cyber security flaws like buffer overflows.
Further, Pollet pointed out, there now exists a "market" in SCADA and ICS exploits where hackers can simply buy a way to attack a control system. In March 2011, Luigi Auriemma, an Italian security analyst (hacker) released 34 SCADA system vulnerabilities all at once, followed by another release in September 2011 of another bundle of exploits and vulnerabilities that covered six more SCADA/ICS vendors.
Pollet discussed "Project Basecamp," an attempt by an irate and frustrated Dale Peterson of Digital Bond to embarrass SCADA and ICS vendors into fixing the vulnerabilities that have been known for years. Peterson's team focused on six major PLC vendors' products and discovered "backdoors, weak credential storage, the ability to change ladder logic and firmware," and much more.
Many nation states and governments already have the ability to track, monitor, filter, restrict, and in some cases manipulate Internet and Email communications. This is important to ICS and SCADA owners, because vastly more malware is distributed by email and compromised websites than other means. There are elaborate phishing schemes that have been developed using social media sites like LinkedIn and Facebook and Twitter to attempt to invade corporate systems, both IT and ICS.
The next platform many governments want access to is mobile phones. They not only already have the ability to monitor SMS messages and perform digital wire tapping, but now they want the ability to geo-locate mobile users to track their physical presence. In the Arab Spring countries, and in China, the governments in power are working hard to restrict what media is allowed to flow into their countries, and restrict blogging activities that contain negative comments about the government. In Libya, Pollet noted, the new government started social filtering of the Web; in Tunisia: Deep Packet Inspection (DPI) is still in use, waiting for government regulation (but censorship is more transparent) and in Egypt, the military actively goes after individual bloggers.
These techniques can be easily applied to the control system space, Pollet argued. As the use of smartphones and tablets like the iPad proliferate in the plant environment, hackers will be attempting to access the control system using these mobile devices. Pollet has found smartphones plugged right into the DCS console in several instances already.
Is it more than a threat? Pollet quotes Sanaz Browarny, the chief intelligence and analysis for control system security at DHS as saying, "On a daily basis the US is being targeted." Pollet pointed out how many attacks are occurring and produced a copy of an alert from ICS-CERT, dated April 13, 2012 to back his statement up. The alert said that there was an ongoing "campaign" of attacks against the gas pipeline industry's control systems.
"The sky is not falling...yet..." Pollet concluded. End users and vendors both have to do much more to secure their facilities. He pointed out technologies that he said were "holding back the tide," and he encouraged his audience to get training and become informed, and establish policies and procedures that will diminish the risk of attacks on their control systems.