Tuesday, January 24, 2012

Our infrastructure may be more vulnerable than we realized

Wired magazine has highlighted a very interesting - and very troubling - dissertation examining the vulnerability of industrial control systems to cyber-sabotage. Here's an excerpt from their article.

A security researcher was able to locate and map more than 10,000 industrial control systems hooked up to the public internet, including water and sewage plants, and found that many could be open to easy hack attacks, due to lax security practices.

. . .

Eireann Leverett, a computer science doctoral student at Cambridge University, has developed a tool that matches information about ICSes that are connected to the internet with information about known vulnerabilities to show how easy it could be for an attacker to locate and target an industrial control system.

“Vendors say they don’t need to do security testing because the systems are never connected to the internet; it’s a very dangerous claim,” Leverett said last week at the S4 conference, which focuses on the security of Supervisory Control and Data Acquisition systems (SCADA) that are used for everything from controlling critical functions at power plants and water treatment facilities to operating the assembly lines at food processing and automobile assembly plants.

“Vendors expect systems to be on segregated networks — they comfort themselves with this. They say in their documentation to not put it on an open network. On the other side, asset owners swear that they are not connected,” Leverett said. But how do they know?

To debunk the myth that industrial control systems are never connected to the internet, Leverett used the SHODAN search engine developed by John Matherly, which allows users to find internet-connected devices using simple search terms. He then matched that data to information from vulnerability databases to find known security holes and exploits that could be used to hijack the systems or crash them. He used Timemap to chart the information on Google maps, along with red markers noting brand devices that are known to have security holes in them. He described his methodology in a paper (.pdf) about the project.

Leverett found 10,358 devices connected through a search of two years worth of data in the SHODAN database.

. . .

He also found that only 17 percent of the systems he found online asked him for authorization to connect, suggesting that administrators either weren’t aware that their systems were online or had simply failed to install secure gateways to keep out intruders.

. . .

Leverett’s tool shows how easy it is for a dedicated attacker or just a recreational hacker to find vulnerable targets online to sabotage.

There's more at the link. For a video tutorial about SCADA systems, see here.
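To make the methodology in the excerpt concrete, here is a small added example of the correlation step Leverett describes (banner search results matched against a table of known-vulnerable versions, plus the "did it ask for authorization?" check). This is not code from the original post, from Wired, or from Leverett's tool. The banner records, product names (AcmeHMI, ExampleModbusGW), version ranges and advisory notes are all constructed for illustration and do not describe any real device or vulnerability.

```python
"""Correlate internet-facing ICS banners with a known-vulnerability table.

Added example, not Leverett's tool. The product names, banners and
vulnerability entries below are constructed for illustration; they are
not real hosts, products or advisories.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed records in the shape a banner-search engine (Shodan-style)
# returns: ip, port, raw banner. RFC 5737 documentation addresses only.
SAMPLE_BANNERS = [
    {"ip": "192.0.2.10", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: AcmeHMI/2.3.1\r\n\r\n"},
    {"ip": "192.0.2.11", "port": 80,
     "banner": "HTTP/1.1 401 Unauthorized\r\nServer: AcmeHMI/3.0.0\r\n"
               "WWW-Authenticate: Basic realm=\"plant\"\r\n\r\n"},
    {"ip": "198.51.100.7", "port": 502,
     "banner": "ExampleModbusGW v1.4"},
    {"ip": "203.0.113.5", "port": 80,
     "banner": "HTTP/1.1 200 OK\r\nServer: nginx/1.0.11\r\n\r\n"},
    {"ip": "203.0.113.9", "port": 8080,
     "banner": "HTTP/1.1 200 OK\r\nServer: AcmeHMI/1.9.9\r\n\r\n"},
]

# Constructed vulnerability table (hypothetical entries, not real advisories):
# product -> list of (first_vulnerable, first_fixed, note). Versions are
# compared as integer tuples; first_fixed=None means no fixed release.
VULN_TABLE = {
    "acmehmi": [((2, 0, 0), (3, 0, 0), "hypothetical: unauthenticated config read")],
    "examplemodbusgw": [((1, 0), None, "hypothetical: coil writes without auth")],
}

PRODUCT_RE = re.compile(r"(?im)^Server:\s*([A-Za-z][\w-]*)/([\d.]+)")  # HTTP Server header
RAW_RE = re.compile(r"^([A-Za-z][\w-]*)\s+v?([\d.]+)")               # "Product v1.4" banners


@dataclass
class Finding:
    ip: str
    port: int
    product: Optional[str]
    version: Optional[tuple]
    requires_auth: bool
    matches: list


def parse_version(text):
    """'2.3.1' -> (2, 3, 1) so ranges compare numerically, not lexically."""
    return tuple(int(x) for x in re.findall(r"\d+", text))


def identify(banner):
    """Return (product, version) from a banner, or (None, None) if unrecognised."""
    m = PRODUCT_RE.search(banner) or RAW_RE.match(banner.strip())
    if not m:
        return None, None
    return m.group(1).lower(), parse_version(m.group(2))


def requires_auth(banner):
    """True if the service challenged the client instead of serving content.

    Only HTTP carries an explicit challenge. A raw industrial protocol such as
    Modbus/TCP has no authentication at all, so its banner never counts as
    'asked for authorization'.
    """
    status_line = banner.split("\r\n", 1)[0]
    if re.match(r"HTTP/\d\.\d\s+(401|403)", status_line):
        return True
    return "www-authenticate:" in banner.lower()


def match_vulns(product, version):
    """Notes for every table entry whose [first_vulnerable, first_fixed) range covers version."""
    hits = []
    for first_vuln, first_fixed, note in VULN_TABLE.get(product, []):
        if version >= first_vuln and (first_fixed is None or version < first_fixed):
            hits.append(note)
    return hits


def analyse(records):
    findings = []
    for r in records:
        product, version = identify(r["banner"])
        hits = match_vulns(product, version) if product else []
        findings.append(Finding(r["ip"], r["port"], product, version,
                                requires_auth(r["banner"]), hits))
    return findings


def summary(findings):
    """Headline numbers of the kind the excerpt reports (total, % asking for auth, % matched)."""
    return {
        "total": len(findings),
        "asked_for_auth": sum(1 for f in findings if f.requires_auth),
        "with_known_vulns": sum(1 for f in findings if f.matches),
    }


if __name__ == "__main__":
    results = analyse(SAMPLE_BANNERS)
    for f in results:
        print(f.ip, f.port, f.product, f.version, "auth" if f.requires_auth else "open", f.matches)
    print(summary(results))
```

The two things worth noting from running it: a banner match is only evidence, not proof (a patched device may still advertise an old version string, and a reverse proxy may hide the real product), and the authorization check can only be scored for protocols that have an authorization step at all. Both caveats apply to the real survey as well.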

I can only hope that the authorities are taking this report seriously. Think about it. Rogue states such as Iran or North Korea, or terrorist movements such as Al Qaeda or the Taliban, might not be able to directly attack the USA with military weapons (or want to, for fear of retaliation): but they're more than capable of exploiting such vulnerabilities in our industrial control systems to disrupt power generation and transmission, water supplies, sewage processing, and so on. A sufficiently widespread attack could cripple the basic infrastructure of this country without a shot being fired. Imagine a major US city with no water, no working transport control systems (so that road, rail and air transport can't bring food and other essential supplies to the people living there, and those people can't easily be evacuated), and no electric power or natural gas or other sources of energy. I wouldn't like to be living there . . . because that urban society might be facing meltdown after no more than a few hours of such conditions.

Very worrying indeed!



Wayne Conrad said...

I spent a fair chunk of my career in the automation of fresh and waste water treatment plants. I wrote the computer programs that turned pumps and valves on and off in response to various sensors.

With only one foolish exception, every piece of equipment my computers controlled had a switch with three positions, labeled "OFF", "AUTO" and "HAND". Off meant what it said: The equipment was off. "AUTO" meant my computer had control of it. And "HAND" meant it was on. "AUTO" was the normal position when my computers were in control. The "OFF" and "HAND" were for manual control, bypassing the computers.

The result is that a computer malfunction doesn't keep them from running the plant and creating fresh or reclaimed water. What a malfunction does do is cause overtime for the operators since they now have to manually control the equipment.

Evyl Robot Michael said...

Reminds me of Live Free or Die Hard.