Recent reports painted a bleak picture of the security issues plaguing industrial control systems, but the situation is exacerbated by the fact that administrators are naïve about the dangers, researchers said.
Researchers presented alarming findings about the state of security for supervisory control and data acquisition systems at the Kaspersky Security Analyst Summit in Mexico City on Feb. 3. SCADA systems are used across varied industries, including oil, water systems, electric grids and building control, and the basic security model underlying these systems is completely inadequate, they said.
Two researchers decided to try to find 100 bugs in 100 days in industrial control system software, Terry McCorkle, an industry researcher, told attendees at the conference. As they began their research, it quickly became evident the team had underestimated the severity of the problem.
"Ultimately, what we found is the state of ICS security is kind of laughable," McCorkle said.
The bugs were "straight out of the '90s," and for the most part, were "blatantly obvious" flaws, according to McCorkle. McCorkle and his partner in the project, Billy Rios, used fuzzing techniques and found over 1,000 bugs in ICS software. McCorkle said a lot of the people he spoke with in the industry had never thought to try fuzzing to look for vulnerabilities in ICS software.
File format issues were the most prevalent, followed by ActiveX, according to McCorkle. They found several SQL vulnerabilities but no SQL injection flaws, and lots of buffer overflow issues. There were examples of ICS software executing VBScript to open command shells and other applications, as well as Websites having direct access to the Windows registry. They reported to vendors 1,035 bugs that cause systems to crash and 95 that were easily exploitable, McCorkle said. The easily exploitable bugs included issues that could be exploited by cross-site scripting. Turning any of the 1,035 crash bugs into a working exploit would have required someone to spend some time on it, but McCorkle was confident some could be exploited.
Many of the systems that are now Internet accessible were not originally designed to be connected, and some have embedded Web services and mobile interfaces that make it even easier to connect remotely. Many SCADA systems are available online with weak passwords such as '100,' according to McCorkle.
McCorkle cited the work of a different researcher who was able to locate and map more than 10,000 industrial control systems hooked up to the public Internet, including water and sewage plants. While some may have been test systems, some of them were actually in production. Only 17 percent of the systems found asked remote users for authorization to connect, according to that research.