SCADA and critical infrastructures, in … security

Pierluigi Paganini January 11, 2013

According last report published by The European Network and Information Security Agency (ENISA)   “ENISA Threat Landscape – Responding to the Evolving Threat Environment” that summarizes principal cyber threats, critical infrastructures represent privileged targets for emerging trends.

Different agents such as terrorists, state-sponsored hackers or hacktivists could be interested in attack control systems within a critical infrastructure, the possible impact could be considerable under different perspectives (governments, homeland security, society). Public health, energy production, telecommunication are all sectors exposed to serious risks  that have to be protected at any level as described in an efficient cyber strategy.

We must be aware that hackers increasingly targeted critical infrastructures of any countries,  the department’s Industrial Control Systems-Cyber Emergency Response Team (ICS-CERT) responded to 198 cyber-incidents against critical infrastructures in 2012, while the number of incidents in 2011 was 130 (+52%). The sector that most suffered the attacks in 2012 is the energy, accounting for 41 percent of reported events, followed by water with 15 percent.

There are a couple of problems to address for the defense of critical infrastructures against cyber attacks:

  • Level of awareness  and government commitment:  Before the Stuxnet case, worldwide security community has always underestimated the possible effect of a cyber offensive, in many cases refusing the concept of cyber weapon. Fortunately the events have changed the perception of the cyber threats and all governments are approaching the problem through the definition of an efficient cyber strategy.
  • The level of knowledge needed for a cyber attack: contrary to what user can believe to attack a SCADA system in not so hard, there are many techniques that could be adopted to compromise a control system, in several occasions the absence of defense system, improper configurations, zero-day vulnerabilities and superficial patch management process advantage the mission of the attacker. The main problem is that potentially any professional with no particular knowledge could simply gather information on a target choosing for him already available exploit kit.

Recently the web portal ThreatPost, the Kaspersky news lab service, published an interesting article titled “Shodan Search Engine Project Enumerates Internet-Facing Critical Infrastructure Devices” on the possibility to use the public available info to identify Critical Infrastructure devices.

Two critical infrastructure protection specialists, Bob Radvanovsky and Jacob Brodsky of consultancy InfraCritical, have worked in collaboration with the Department of Homeland Security for  9 months to discover all devices presents inside US critical infrastructure and exposed on the web.

The situation is very concerning, the two researchers discovered initially 500,000 devices, many of them exposed online without proper security defense, typically protected by poor authentication mechanisms based on default password. Not only critical infrastructures such as communication, energy and water utilities use SCADA devices, also common HVAC systems, traffic control systems and building automation control systems make large use of these devices. SCADA systems are very diffused and DHS tried to restrict the initial list of most relevant systems, identifying a final list of 7,200 devices.

To select the potential targets the two specialist haven’t used specific technologies, it was enough to write scripts to conduct automated searches on Shodan search engine, a popular web portal which lists servers, routers, any other network devices exposed online providing useful information to an attacker such as geographic location and OSs version installed.

The specialist prepared a suite of scripts that uses more of 600 search terms for  the analysis, these terms allow the identification of specific equipment present in the products of dozen manufacturers of SCADA systems.

Radvanovsky and Brodsky limited their activities to the identification of the systems without doing penetration testing.

Radvanovsky declared:

“The biggest thing is we are trying to assign a number–a rough magnitude–to a problem plaguing the industry for some time now,”. “Until you identify the scope of a problem, no one takes steps to change things. We’re doing it on a beer budget; we hope others confirm our results.”

Brodsky added:

 “A lot of these guys want to fix things at 3 a.m. without driving three hours in each direction. It’s worth a lot to them to put it up on the Net without thinking hard about the potential consequences,” “They’ll presume a particular protocol is not well known. These guys think no one will figure it out, but actually, there’s a lot of residual information available where you could figure it out. They’re not as secure as they think they are. That’s why this stuff is naked out there on the Internet. A lot of people believe there is some safety in obscurity. I don’t think they’re right.” “It’s difficult to patch in timely fashion. [Ethical] hackers don’t realize that when they find a problem, the thing it controls may not be able to be pulled out for a three months,”“Unlike an office, data is not the product; the product is the product. When hackers publish a Metasploit script, they do so to get vendors to fix problem. In this case, it’s not just about the vendor, it’s about the user. It’s not easy to pull things from service. Maybe I can pull something only in the fall or spring, but not in the summer because I need it to be at full capacity. That’s the problem.”

I desire also to highlight the excellent work of a couple of Italian security specialists, Luigi Auriemma and Donato Ferrante, founders of the company ReVuln that published an interesting proof of concept on SCADA systems, “ReVuln – SCADA 0-day vulnerabilities“, and related vulnerabilities.

The video published by the researchers is a showcase of some SCADA 0-day exploits owned by the ReVuln security company, the 0-day vulnerabilities are all server-side and remotely exploitable. This video shows issues affecting the following vendors: General Electric, Schneider Electric, Kaskad, ABB/Rockwell, Eaton, Siemens nobody are secure. Note that many other 0-day vulnerabilities owned by ReVuln affecting other well-known SCADA/HMI vendors have been not included in this video.

Luigi Auriemma declared:

“[attackers] can take control of the machine with the maximum privileges (SYSTEM on Windows) granted by the affected service,”.”They can install rootkits and other types of malware or obtain sensitive data (like passwords used on other computers of the same network) and obviously they can control the whole infrastructure.”

The article proposed by ThreatPost portal also proposes the researches made by another group of experts, Terry McCorkle and Billy Rios, that found “more than 1,000 vulnerabilities in Internet-facing HMI interfaces that translate SCADA data into visualizations of critical infrastructure. More than 90 of those were exploitable flaws, including SQL injection, buffer overflows and more.

Demonstration of greatest interest on cyber security of the US Government, that fears cyber attacks and their consequences on Homeland Security, is given by programs such as “Perfect Citizen”. The program has the main purpose to explore national utilities to discover security vulnerabilities that could be exploited in case of attack, it will go on at least until September 2014.

The Perfect Citizen program was originally reported to be a program to develop a smart network of sensors (named Einstein) to detect cyber attacks against critical infrastructures in both the private and public sector. It is funded by the Comprehensive National Cyber security Initiative and thus far Raytheon,  the major American defense contractor and industrial corporation, has received a contract for up to $91 million to establish the project.

The DHS desires to sensitize the manager of the structures on the potential risks in case of attacks, suggesting best practices to follow to increase the overall security.

It’s fundamental that any governments will improve cyber strategies to protect SCADA systems, requiring the respect of strict regulation under security perspective to ensure their security and prevent external attacks. Following some good practices to adopt:

  • Deploy secure remote access methods such as Virtual Private Networks (VPNs) for remote access
  • Remove, disable, or rename any default system accounts (where possible)
  • Implement account lockout policies to reduce the risk from brute forcing attempts
  • Implement policies requiring the use of strong passwords
  • Monitor the creation of administrator level accounts by third-party vendors

Pay attention to the level of security of critical infrastructures is a duty of all, the risks are high and the consequences could be devastating, there is no time to waste.

Pierluigi Paganini

you might also like

leave a comment