SCADA systems continue to be shown vulnerable, but don't worry, it's only our nation's critical infrastructure.

The 12th annual ICS Cyber Security Conference was held at Old Dominion University a few weeks ago (October 22-25, 2012.)  What was reinforced is how far behind our industry is with respect to cyber security.  I was expecting to read about all the deep, technical, revolutionary security topics that were discussed and sophisticated attacks that we haven’t seen before.  Instead, there were elementary talks like "Introduction to Encryption, Authentication and Key Management “ and demonstrations of attack that while disturbing, are nothing new:

  • An attacker with knowledge of the system demonstrated how with less than $60 in off-the-shelf equipment, a Zigbee wireless network can be compromised with complete loss of control for the operator. 
  • A malware researcher with minimal understanding of ICSs was able to take control of SCADA software. Very simply, this researcher started with a vulnerability notification about the technology on which the SCADA system was built. With this information, he was able to implant malware to infect the system and take control of the vendor's SCADA software.

There was recently a write-up of a Shodan search that found nearly half a million ICS devices that should not have been Internet-facing (note: Shodan a special kind of search engine that looks for computers based on software, geography, operating system, IP address and other specified options. For example, it can find servers running Apache 2.2.3 on Windows 2000 Server.)  ICS devices that are remotely accessible are easily compromised if they aren't adequately protected -- and most are not. Many have un-patched software running on them with known security vulnerabilities. Even worse, many ICS vendors prohibit their customers from making any changes to ICS devices -- either because it will cause the device to malfunction and/or will put the end user out of warranty. As a result, most ICS consumers opt to make no change at all so as to not jeopardize their manufacturer's warranty and guidance, DESPITE the security risk. 

The information I share above highlights a key commonality:  the ICS manufacturers and their customers are putting us all at risk. Sometimes willingly; sometimes out of fear of being "out of warranty"; sometimes out of shear ignorance to the threats. The only things that will change this horrendous situation are if Congress finally passes a CyberSecurity Bill (which I discussed in my previous blog post) that has measurable accountability controls and/or we suffer an attack that takes out our power grid or another piece of critical infrastructure. I'm sure the Saudi's weren't expecting the attack that destroyed 30,000 PCs at Saudi Aramco (largest state-owned oil producer) ... and that was just a warning. If they could get to all these PCs and cripple them, imagine what the attackers could have done if they wanted to launch a real attack.