These systems used to be run from a single computer next to a conveyor belt
Wilhoit, presented his research at the BlackHat Europe conference in Amsterdam, the Netherlands last Friday.
“This Trend Micro research shows that attackers have enough knowledge to analyse and affect industrial control devices' infrastructures,” said Raimund Genes, CTO at Trend Micro. “This is a wake-up call for operators of these infrastructures to check the security of these systems and ensure they are properly separated from the internet/open networks. The research also shows that it is not only usual suspects attacking, but that these attacks also happen in your own backyard.”
SCADA systems control everything from escalators in metro stations in Madrid to milk-processing factories in Mali and uranium enrichment centrifuges in Iran.
"Security in an ICS/SCADA network is often considered 'bolt-on' or thought of 'after the fact'. When these systems were first brought into service more than 20 or so years ago, security was typically not a concern," Wilhoit explains.
"However, as things changed over time, most of these systems’ purposes have been reestablished, along with the way they were configured. A system that used to only be accessible to a single computer next to a conveyor belt became accessible via the internet, with very little hindrance."
Wilhoit called for further research into motives, sources and delivery techniques of the increasingly sophisticated attackers who target industrial control systems. "Internet-facing ICS are readily targeted," Wilhoit warns. "Until proper ICS security is implemented, these types of attack will likely become more prevalent and advanced or destructive in the coming years."
A recent study by InfraCritical discovered that 500,000 SCADA (supervisory control and data acquisition) networks were susceptible to attack, highlighting the wide-scale vulnerability of systems that control the operations of power and water plants, among other critical facilities. According to recent research conducted by ICS-CERT, 171 unique vulnerabilities affecting 55 different ICS vendors were found last year alone (PDF).
And patching of industrial control systems creates its own problems, according to a study by Tofino Security published last week.
Eric Byres, CTO and vice president of engineering at Tofino Security, reckons there are as many as 1,805 as-yet-undiscovered vulnerabilities existing on control system computers.
IC systems need FREQUENT patches... but if they're buggy, it ALL falls apart
The frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers likely exceeds the tolerance of most SCADA operators for system shutdowns. Unlike IT systems, most industrial processes operate around the clock and demand high uptime. Weekly shutdowns for patching are unacceptable.
But even when patches can be installed, they can be problematic. According to Tofino Security, there is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 per cent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.
Tofino Security markets industrial network security and SCADA security products that protect industrial control systems from potential attack, even if they aren't patched, so it has a vested interest in talking up the problems of patching. However the overall picture of exposed and vulnerable industrial control systems is constant with findings from experts at Trend Micro and elsewhere.
A SCADA network ought to be segregated from a corporate intranet and air-gapped from the internet - or at least firewalled - but even rudimentary protections are often absent.
Sean McGurk, former head of cybersecurity for the US Department of Homeland Security turned managing principal for investigative response on Verizon’s RISK Team, told El Reg that attacks against the enterprise systems behind utilities are a bigger risk than Stuxnet-style attacks. The networks of both Saudi Aramco and Rasgas in Qatar were both hobbled by conventional malware attacks last year, for example. Both attacks were later linked to the Shamoon data wiper.
Part of the problem is that industrial control systems have a far longer timeline than enterprise servers, computers and routers - typically up to 20 years instead of three to five years. And industrial control kit works with different ports and protocols than conventional enterprise networks, so simply adding a firewall or network segmentation is adequate as a defensive strategy. In addition, industrial control systems often have to work in real time, with low latency and high availability.
"Patching of legacy system is ongoing," McGurk said. "But patching is difficult for five-9s high-availability systems. Secure connectivity can be enhanced with layers of security but you can't gold-plate everything."
Despite the difficulties, McGurk suggested many in the sector are being slow to react to the security threat. The UK energy sector has been particularly slow to adopt security measures that match new technological developments, such as smart grids - potentially leaving them exposed to large-scale cyber-attacks as a result.
However he acknowledged that the technology was certainly not without its issues, such as potentially making it easier to disconnect the vulnerable or elderly, and no panacea.
"Introduce smart-grid technology is a double edged sword," McGurk explained. "Although you enhance interoperability, you can't just throw it in there.
"There's a greater security focus and it's not just about interoperability anymore," he concluded. McGurk said that government and industry need to work together to improve both the security and interoperability of the industrial control systems that monitor and manage power generation and distribution systems.
McGurk, who has more than 30 years of experience in ICS cybersecurity and critical infrastructure protection, traveled to London last week to speak at the European Smart Grid Cyber and SCADA Security Conference, a closed event restricted to industry participants and vendors. ®