25 New SCADA Flaws Emerge in Critical Infrastructure

Automatak has submitted its findings to the US Department of Homeland Security’s Industrial Control System-CERT, and has notified the vendors
Automatak has submitted its findings to the US Department of Homeland Security’s Industrial Control System-CERT, and has notified the vendors

Critical infrastructure systems – many of them aging and outdated – continue to show fraying around the edges, opening up the power grid, water plants, industrial control systems and more to nefarious activity, despite the high-profile reporting on it and scrutiny from the Obama Administration, which continues to carry out information-sharing initiatives as laid out in February’s Executive Order on the subject.

The problem is that many of the systems are connected in ways that are considered outdated, and often get overlooked as threat vectors. “SCADA systems are potentially more vulnerable to exploitation given that, when they were developed, internet use was yet to explode,” explained Ross Brewer, vice president and managing director for international markets at LogRhythm, in an email. “The focus of control system security has therefore been typically limited to physical assets, rather than cybersecurity."

Researcher Chris Sistrunk and Adam Crain, which are part of a consulting firm called Automatak, began a fact-finding mission last April using a custom “fuzzer” for detecting vulnerabilities in SCADA systems. They have since found 25 flaws that could allow attackers to do everything from causing power outages to blocking operator visibility into substation operation so that, unbeknownst to the NOC, it starts making decisions based on outdated operational information. That, in turn, paves the way for a shielded attack.

While most of the known issues would not render servers completely unable to control utilities, some of them do allow for complete hijacking, they said. A buffer overrun vulnerability is the most serious issue that they’ve found so far, which would allow arbitrary code to be injected remotely, so that attackers would “own” the server.

Automatak has submitted its findings to the US Department of Homeland Security’s Industrial Control System-CERT, and has notified the vendors. Nine of the potential exploits have been patched so far.

“While cyber-attacks on SCADA systems may be rare when compared to the extraordinary number of incidents involving web applications or enterprise IT networks, the damage they are able to cause is disproportionately severe,” said Brewer. “The software is primarily responsible for critical operations and national infrastructures and, if exploited, could seriously damage the operations of electricity, water and power suppliers. The potential implications of a hack are terrifying and could not only result in the loss of data, but can also cause damage to physical assets and in certain scenarios, the loss of life.”

Some of the most notorious cyber-attacks in recent years – such as the Stuxnet and Flame viruses – have been SCADA breaches. And just last November one researcher uncovered 25 vulnerabilities in just a few hours. But adding insult to injury is the fact that traditional perimeter cybersecurity tools, such as anti-virus software, have proven their shortcomings time and time again.

“The Flame virus, for example, avoided detection from 43 different anti-virus tools and took more than two years to detect,” Brewer said. “Instead, organizations must have tools in place that allow them to identify threats, respond and expedite forensic analysis in real time.”

Brewer advocates continuous monitoring of all log data generated by IT systems in order to automatically baseline normal, day-to-day activity across systems and multiple dimensions of the IT estate – to identify any and all anomalous activity immediately.

What’s hot on Infosecurity Magazine?