Industrial Control Systems Face More Security Challenges
Two independent sets of security researchers have released lists of vulnerabilities in supervisory control and data acquisition (SCADA) software used to control industrial and manufacturing systems, including nuclear power facilities and power plants. The lists follow on the heels of the Stuxnet attack discovered last July, in which an unidentified assailant physically destroyed the centrifuges that were key for Iran's nuclear weapons program via a virus delivered through a USB card.
Despite widespread vulnerabilities in infrastructure software, the security research in this area lagged until Stuxnet showed how damaging a precisely targeted cyber attack could be. "Nobody would have given these vulnerabilities much attention two or three years ago," said Yuriy Gurkin, CEO of Gleg Ltd., an infrastructure security provider, which announced 11 vulnerabilities.
Many of the security upgrades recommended by vendors raise new problems, said Luigi Auriemma, an independent researcher who published the other list of vulnerabilities. "For example, the Siemens FactoryLink product will no longer be supported by Siemens after October 2012, and they suggest migrating to WinCC, which has been the target of Stuxnet. It's scary to think of changing the product used for years with the additional costs and the risks of things no longer working."
The Dawn of Cyber Attacks
Stuxnet raised awareness of how a well-organized team could remotely destroy an industrial system by slowly sabotaging as many as 30,000 nuclear centrifuges. Now well-organized criminals have an idea and some methodologies for creating new havoc.
"Criminal and nuisance attacks would, in my opinion, be more likely to rise in the short term due to the public awareness created by Stuxnet," said Chris Blask, vice president of marketing at AlienVault, a security vendor. "The general weaknesses in control-system infrastructure that Stuxnet exploited aren't new or unknown, and technical remediations for dealing with this type of attack are widely available." Blask said this opens the door for organized crime to take a role in developing either Stuxnet itself or similar future attack tools, raising legal issues about giving a wider audience access to such tools.
The attackers must have spent at least $1 million, said Joe Weiss, CEO of Applied Control Systems, a consulting firm that focuses on protecting against cyber incidents. One team mastered the control system for the specific centrifuges being used in Iran, while another identified two zero-day vulnerabilities. When the code was readied, it was delivered on USB sticks at an event likely to be attended by the Iranian scientists.
Once the disks were brought to Iran, the code wormed its way into the programmable logic controllers (PLCs) control systems driving the centrifuges and made subtle adjustments that the main control system failed to detect. The centrifuges broke down gradually one at a time. Although the Stuxnet code has found its way onto other systems, it hasn’t caused any significant damage outside Iran.
The Unprotected PLC
Critical-infrastructure managers have typically broken their networks into two realms. The PC-based networks are well secured, but the PLCs that control the systems that pump water, switch electricity, and operate power plants have been presumed protected by technical obscurity.
At the SCADA level of control, a competent hacker might be able to commandeer a PC-based control system to make changes at a high level. These are the sorts of threats that Gurkin and Auriemma recently presented.
Thus far, no widespread SCADA-based attacks have been reported. But many different types of attacks have occurred using other vectors. In France and Washington state, infrastructure hackers managed to steal water.
Far more threatening and dangerous threats rely on precisely and surreptitiously tweaking the PLC control infrastructure. These attacks can operate beneath the SCADA systems and confuse the readings sent from and the control signals sent to specific classes of physical equipment. Stuxnet operated in this manner.
In 2006, the US Department of Homeland Security ran a test simulation in Iowa, the Aurora project, that showed how code transmitted over a modem could destroy a $25 million generator. In 2009, a fossil fuel power plant in Iran suffered about $100 million in damage after a mysterious accident that resembled the destruction in Aurora, said Weiss.
Malicious Attack or Cyber Incident?
For years, security and infrastructure experts have warned against a lackadaisical attitude about the control systems that protect infrastructure. Because these systems are interrelated, the consequences of attacks can be severe. Malicious attacks are but one element in the wider threat of cyber incidents possible when one system establishes a damaging feedback pattern in relation to others.
Today, there is no systematic effort to tabulate the impact of cyber incidents and, according to Weiss, little appreciation of the kind of chaos that a deliberate cyber attack could cause. Weiss said he’s documented over 200 control systems cyber incidents, including four that resulted in death and two that affected nuclear power plants. However, only 10 of those were officially linked to a cyber incident.
"The reason we care is that if you could damage systems unintentionally, you could do it worse intentionally," said Weiss. He’s identified a set of fundamental communication vulnerabilities that could be leveraged to stage malicious code capable of damaging the electrical infrastructure nationwide. He believes that a well-crafted attack could cause 18 months of nationwide power outages before the industry could replace the affected equipment.
Blask believes that more events on the scale of Stuxnet are likely, but he doesn’t expect an electrical infrastructure Armageddon any time soon. "This would generally require a large-scale coordinated attack on a large number of sites or an unusually successful attack at an extremely sensitive site," Blask said. "Attacks on this scale are unlikely not only due to the electronic security at such facilities but also due to the design of the industrial processes themselves. Individual facilities may be likely to be impacted in the foreseeable future — with potentially significant economic and perhaps even human loss — but large-scale risk to society as a whole is likely relatively low."
In the short term, Weiss doesn't see the publication of new vulnerabilities as likely to significantly affect the power industry. "Until Congress regulates this," he said, "critical infrastructure security won't matter because the industry is fighting tooth and nail against it."
George Lawton is freelance writer based in Guerneville, California. Contact him at glawton@glawton.