Related Links

Related Stories

  • Critical infrastructure at risk from SCADA vulnerabilities
    SCADA software, used for industrial control mechanisms in utilities, airports, nuclear facilities, manufacturing plants and the like, is increasingly a target for hackers looking to exploit what appear to be growing numbers of vulnerabilities – giving rise to fears that critical infrastructure may be at risk.
  • Researcher tracks down compromised ICS systems
    SCADA and industrial control systems’ security has been much questioned in recent months. Now one researcher shows how easy it is to find ICS systems that have already been compromised, while another warns Siemens that just fixing SCADA vulnerabilities is a treadmill, not a solution.
  • SCADA Security Inertia
    It’s no secret that SCADA systems are vulnerable to compromise, and the tools to mitigate many of the vulnerabilities are within reach. Yet, as Fred Donovan discovers, the vendors that supply these systems are often slow to react to the security issues
  • The RuggedCom SCADA OS is vulnerable
    Last Friday security researcher Justin Clarke claimed to have discovered a serious flaw in the operating system used by SCADA systems within the critical infrastructure. Now the DHS Industrial Control Systems CERT (ICS-CERT) has issued a related alert.
  • Siemens patches security flaws in SCADA systems
    Siemens has patched a number of security holes in its SIMATIC supervisory control and data acquisition (SCADA) systems, according to the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT).

Top 5 Stories


The lessons of Shamoon and Stuxnet ignored: US ICS still vulnerable in the same way

04 January 2013

The ICS-CERT Monthly Monitor for the last quarter of 2012 provides news and alerts for industrial control systems and infrastructure companies – and describes two particular attacks on a power generation facility and an electric utility.

ReVuln, a Maltese start-up is one of the news discussions. "ReVuln claims to be sitting on a stockpile of vulnerabilities in industrial control software, but prefers to sell the information to governments and other paying customers instead of disclosing it to the affected software vendors,” says the report. The business model seems similar to that of Vupen; strong but morally questionable.

Project SHINE (SHodan INtelligence Extraction) is also discussed. Researchers Bob Radvanovsky and Jake Brodsky of InfraCritical used the Shodan search engine to discover 460,000 potentially vulnerable IPs; and handed the database to ICS-CERT. “Once accessed,” notes the Monitor, “these devices may be used as an entry point onto a control systems network, making their Internet facing configuration a major vulnerability to critical infrastructure.” ICS-CERT used its resources to refine the list of IPs. It first reduced it to 98,000 organizations within the US until “the list was again reduced to approximately 7,200 devices in the United States that appear to be directly related to control systems.”

The obvious lesson from SHINE is that control systems should not be internet-facing, and should be separate from the business network. This can work effectively – as last year’s Shamoon attack on Aramco demonstrates. According to the Saudi authorities the attack was intended to disrupt the Saudi economy by disrupting oil production; but it failed to bridge the air-gap between the business network and the control systems. Instead, it ‘merely’ destroyed 30,000 business computers.

But the air-gap isn’t always effective. “One of the most infamous pieces of malware, Stuxnet,” explains Stephen Cobb, security evangelist with ESET in a blog titled Are your USB flash drives an infectious malware delivery system? “is widely believed to have been introduced into Iran's Natanz nuclear facility in 2008 via a USB thumb drive. The malicious code on that flash drive damaged costly industrial equipment, centrifuges that play a critical role in Iran's nuclear program.”

Surprisingly, the lessons of Shamoon and Stuxnet do not seem to have been learned in the US, since both of the incidents reported by ICS-CERT in this Monitor involved infections getting onto control systems via USB drives. In the first, an engineer was experiencing intermittent issues with such a drive and asked IT support to have a look at it. “When the IT employee inserted the drive into a computer with up-to-date antivirus software, the antivirus software produced three positive hits,” reports the Monitor – two ‘common’ and one ‘sophisticated’ virus. The problem was that this thumb drive was used by the engineer for backing up control systems configurations within the control environment – and subsequent examination “discovered signs of the sophisticated malware on two engineering workstations, both critical to the operation of the control environment.”  Sadly, ICS-CERT doesn’t specify the sophisticated virus.

In the second incident, ten computers in the control system were found to have an infection after “a third-party technician used a USB-drive to upload software updates during a scheduled outage for equipment upgrades.”

“The US Government has highlighted a great weakness in energy infrastructure both in the US and beyond,” warns Chris McIntosh, CEO of ViaSat UK: “security is still firmly rooted in the 20th century. An attack need not be focused at hubs of power generation or sub-stations: communications lines, business networks and even smart meters can be viable points of entry for an attack.” There is no simple or immediate solution. But, “protection of the network must go beyond typical IT solutions, and,” he adds, “address the unique nature of interconnected real time control systems.  Encryption of data in transit and rigorous authentication protocols, for example, should become de rigeur. The genie of cyber-warfare is out of the bottle: organisations in the energy sector now need to get their heads out of the sand.”

This article is featured in:
Internet and Network Security  •  Malware and Hardware Security


Comment on this article

You must be registered and logged in to leave a comment about this article.

We use cookies to operate this website and to improve its usability. Full details of what cookies are, why we use them and how you can manage them can be found by reading our Privacy & Cookies page. Please note that by using this site you are consenting to the use of cookies. ×