Nothing funny about SCADA and ICS security

"The reality is they're stuck back in the '90s. Secure development lifecycles don't exist and there's still a lot of other stuff missing."

Terry McCorkle, security researcher

CANCUN, Mexico - The troubled state of industrial control system (ICS) security is probably the worst kept secret in information security circles. These systems that monitor, manage and administer everything from nuclear power plants and other utilities to HVAC installations, robotics and even prison cell doors, are whistling past the graveyard, according to experts.

"The state of ICS security is really laughable," said researcher Terry McCorkle. "I don't know what else to say about it."

McCorkle presented research Friday at the Kaspersky Security Analyst Summit 2012 that he and fellow researcher Billy Rios conducted over the last nine months examining the security, availability and reachability online of Human Machine Interfaces (HMI) that translate SCADA system data into a visual representation of an industrial system.

Operators use the HMI to see schematics of industrial systems and can use the interface, for example, to turn switches and pumps on or off, or raise or lower temperatures. HMIs are usually deployed on Windows machines and communicate with programmable logic controllers (PLC) and other controllers that run industrial systems.

McCorkle said he and Rios entered their research project with the goal of finding 100 bugs in 100 days. Their assumption was that security had evolved to the point where 100 bugs in 100 days was a reasonable goal.

In the nine months since the project was initiated, the researchers have found more than 1,000 bugs, 95 of which were easily exploitable. All have been reported to the vendors in question through the ICS-CERT, McCorkle said.

"100 bugs sounds like a lot, we figured, because software development and security has evolved," McCorkle said. "We figured ICS people were keeping up. The reality is they're stuck back in the '90s. Secure development lifecycles don't exist and there's still a lot of other stuff missing."

McCorkle and Rios found a boatload of buffer overflow errors, SQL database holes, Web-based vulnerabilities such as cross-site scripting and ActiveX vulnerabilities. McCorkle explained one instance where he was able to open a command shell through an online ActiveX control. "Anyone who had access to the control would be able to remotely run any commands," he said.

"The ICS industry has never looked at fuzzing anything because they have no SDL," McCorkle said.

The problem, he said, is that SCADA and ICS managers believe that because their systems are segregated from the Internet, they're unreachable. With HMIs, however, listening by the thousands online and easily accessible and exploitable, that theory is turned on its head. Not only are they reachable, but security is often disabled by default on these systems, despite being accessible by remote desktop administration tools such as VNC. More foundational, system manuals recommend that vulnerability scans and other security controls not be run against ICS systems.

Further complicating matters is that third parties often manage ICS and have no stake in security. Local engineers don't want to patch vulnerabilities for fear the fix will break a process. And IT has to meet internal uptime SLAs. McCorkle said all this conspires to keep ICS security at its laughable level.

"This needs to be taken back to the vendor to provide an automated means to patch systems," he said. "Microsoft didn't always have automated notification and resources. The reason they created them was because customers demanded it. The third parties running these systems have no interest in the customer. When patches are released, it's totally on the customer right now. It has to be pushed back to creating a mechanism to do this."