Researcher tracks down compromised ICS systems

12 November 2012

SCADA and industrial control systems’ security has been much questioned in recent months. Now one researcher shows how easy it is to find ICS systems that have already been compromised, while another warns Siemens that just fixing SCADA vulnerabilities is a treadmill, not a solution.

In two Digital Bond posts last week, first Dale Peterson describes the SCADA vulnerability problem, and then Michael Toecker demonstrates how to find such systems that have already been compromised. SCADA/ICS “software is fatally flawed because it was not designed with good coding practices or any part of a reasonable security development lifecycle,” claims Peterson. He points to the findings of Sergey Gordeychik, CTO of Moscow-based Positive Technologies, presented at a conference in Seoul last Thursday and reported in Computerworld. “The team has found more than 50 vulnerabilities in WinCC's latest version, so many that Siemens has worked out a roadmap to patch them all, Gordeychik said in an interview. Most are problems that would allow an attacker to take over a WinCC system remotely,” reports Computerworld.

It was WinCC that was cracked to allow the Stuxnet attack on the Iranian centrifuges; and vulnerabilities still exist. “Siemens could patch these 50 vulns and attackers would easily find additional vulns,” warns Peterson. “What Siemens and other vendors need to do is stop and do a security code review of the product.” He uses Microsoft as an example. “Bill Gates famously stopped all work for a few months back in 2002 for a security code review on all development efforts,” he comments, but adds, “Even after that Microsoft had a huge legacy code issue, but they realized just fixing identified vulns was a treadmill not a solution.”

Meanwhile, fellow researcher Michael Toecker discussed his use of malware support forums to locate ICS systems that are already compromised. Such forums allow users who have been infected with malware to post details for remedial analysis by the forum community. “These users can run a set of programs, including HijackThis, DDS, OTS, and others, to pull information from the system.” The posted details, however, also provide a lot of information about the ‘infected’ system – if you know what to look for. 

Toecker concentrates on one particular system he found, ‘an extremely detailed DDS log.’ “First off,” he writes, “this system has the SEL AcSELerator Quickset and GE Enervista, so it was used to either review relay configurations or install relay configurations on SEL and GE digital protective relays.” In other words, it effectively plugs into the national power grid. “This suggests a technician’s laptop, one who works on a wide variety of electric power systems and other automation systems.”

But the laptop was infected with two pieces of malware: the fake AV and backup program ‘Malware Protection Designed to Protect’ and ‘Windows XP Recovery.’ Such malware is usually installed either by drive-by downloading or direct installation. “That’s right,” says Toecker, “if this post is a representative sample, the cyber security and reliability of the electric power grid could be in the hands of the normal computer user who will click on and install just about anything.”

Maureen says:

07 December 2012
In my opinion, the ICS manufacturers and their customers are putting us all at risk. Sometimes willingly; sometimes out of fear of being "out of warranty"; sometimes out of sheer ignorance of the threats. The only things that will change this horrendous situation are if Congress finally passes a CyberSecurity Bill that has measurable accountability controls and/or we suffer an attack that takes out our power grid or another piece of critical infrastructure. And for those companies who worry about not complying with what is a pretty low bar of cyber security best practices -- too bad! They should be doing that already. I've long supported this cyber security bill and continue to do so -- now more than ever. To better understand what I mean, here’s another great article on this matter: Keep up the good work!
