Special Coverage Series

Network Computing

Special Coverage Series


Critical Infrastructure Vulnerabilities Unearthed

Researchers find 25 flaws in products used in power and water systems that attackers could exploit. In a separate study, researchers find vulnerabilities in a widely used vessel tracking system.

The nation’s power and water infrastructures may be more susceptible to cyberattacks than previously believed. Two independent researchers said they found 25 vulnerabilities that could be exploited to sabotage access to power and water.

The researchers, Adam Crain and Chris Sistrunk, discovered that products from more than 20 vendors had significant security vulnerabilities that hackers could use to wreak such havoc as guiding a power station’s master server into an infinite loop or causing outages by injecting code into a server, thereby allowing the attackers to open and close substation breakers.

More Insights

Webcasts

More >>

White Papers

More >>

Reports

More >>

“Every substation is controlled by the master, which is controlled by the operator,” Sistrunk told Wired, which broke the story. “If you have control of the master, you have control of the whole system, and you can turn on and off power at will."

Crain and Sistrunk submitted their findings to the Department of Homeland Security’s Industrial Control System Cyber Emergency Response Team, which worked with them to notify vendors of their vulnerabilities. While some of those vendors have issues patches, many vulnerabilities remain unpatched, and even affected utilities haven’t applied them.

Pete Lindstorm, VP of research at Spire Security, said during an email interview that, patches notwithstanding, pointing out all the vulnerabilities only makes it more likely that some of them will be exploited.

“If there is one thing our field has demonstrated, it is that cherry-picking vulnerabilities and fixing them in complex systems is not very effective,” said Lindstrom. “Vulnerabilities matter in the aggregate and when they are exploited. These folks are reducing the attacker cost and increasing likelihood, nothing more.”

Even if, in a best-case scenario, all the vendors in question issued patches, it’s highly unlikely that they’d be applied across the board, thus leaving some highlighted vulnerabilities exposed, added Lindstrom.

That said, affected utilities may want to get as many patches in place as they can before the end of the year, as Crain and Sistrunk told Wired that they plan to present their findings at the S4 industrial control systems security conference scheduled for January in Miami.

[Read how security standards from the National Institute of Standards and Technology can help build an information security program in "Do NIST Information Security Standards Matter?"]

The two aren’t the only researchers telling the world about potential weaknesses in critical infrastructure. Earlier this month, a team of three researchers from security vendor Trend Micro were at the Hack in the Box conference in Kuala Lumpur, Malaysia, to share with attendees how they were able to hijack automated identification systems on seagoing vessels, tampering with tracking efforts and even faking their own vessels.

The researchers--Marco Balduzzi and Kyle Wilhoit, both of whom are Trend Micro employees, and Alessandro Pasta, an independent researcher--have been looking for vulnerabilities that could give cyber attackers an in as the so-called Internet of Things continues to develop. They decided to conduct a thorough evaluation of the automated identification system (AIS) now used on an estimated 400,000 vessels worldwide, attacking it with software, hardware and radio frequency.

As Crain and Sistrunk did in working with DHS, the Trend Micro researchers took their findings to AIS oversight entities, and have been mostly dismissed despite their contention, in a blog post on their findings, that “users must not completely trust AIS, as attackers can actively use it for malicious deeds, such as piracy. In case of an attack, the final user (i.e. the captain) will not be able to distinguish between true and false information reported by the AIS transponder.”

Perhaps the Trend Micro team should heed the advice Lindstrom had for Crain and Sistrunk: “Any researcher who wants to truly make a difference should be looking for ways to reduce risk without the need to identify specific vulnerabilities,” he said. “There is a definite shift in looking for defensive technologies in security.”



Related Reading



Network Computing encourages readers to engage in spirited, healthy debate, including taking us to task. However, Network Computing moderates all comments posted to our site, and reserves the right to modify or remove any content that it determines to be derogatory, offensive, inflammatory, vulgar, irrelevant/off-topic, racist or obvious marketing/SPAM. Network Computing further reserves the right to disable the profile of any commenter participating in said activities.

 
Disqus Tips To upload an avatar photo, first complete your Disqus profile. | Please read our commenting policy.
 

Editor's Choice

Research: 2014 State of Server Technology

Research: 2014 State of Server Technology

Buying power and influence are rapidly shifting to service providers. Where does that leave enterprise IT? Not at the cutting edge, thatís for sure: Only 19% are increasing both the number and capability of servers, budgets are level or down for 60% and just 12% are using new micro technology.
Get full survey results now! »

Vendor Turf Wars

Vendor Turf Wars

The enterprise tech market used to be an orderly place, where vendors had clearly defined markets. No more. Driven both by increasing complexity and Wall Street demands for growth, big vendors are duking it out for primacy -- and refusing to work together for IT's benefit. Must we now pick a side, or is neutrality an option?
Get the Digital Issue »

WEBCAST: Software Defined Networking (SDN) First Steps

WEBCAST: Software Defined Networking (SDN) First Steps


Software defined networking encompasses several emerging technologies that bring programmable interfaces to data center networks and promise to make networks more observable and automated, as well as better suited to the specific needs of large virtualized data centers. Attend this webcast to learn the overall concept of SDN and its benefits, describe the different conceptual approaches to SDN, and examine the various technologies, both proprietary and open source, that are emerging.
Register Today »

Related Content

From Our Sponsor

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

How Data Center Infrastructure Management Software Improves Planning and Cuts Operational Cost

Business executives are challenging their IT staffs to convert data centers from cost centers into producers of business value. Data centers can make a significant impact to the bottom line by enabling the business to respond more quickly to market demands. This paper demonstrates, through a series of examples, how data center infrastructure management software tools can simplify operational processes, cut costs, and speed up information delivery.

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Impact of Hot and Cold Aisle Containment on Data Center Temperature and Efficiency

Both hot-air and cold-air containment can improve the predictability and efficiency of traditional data center cooling systems. While both approaches minimize the mixing of hot and cold air, there are practical differences in implementation and operation that have significant consequences on work environment conditions, PUE, and economizer mode hours. The choice of hot-aisle containment over cold-aisle containment can save 43% in annual cooling system energy cost, corresponding to a 15% reduction in annualized PUE. This paper examines both methodologies and highlights the reasons why hot-aisle containment emerges as the preferred best practice for new data centers.

Monitoring Physical Threats in the Data Center

Monitoring Physical Threats in the Data Center

Traditional methodologies for monitoring the data center environment are no longer sufficient. With technologies such as blade servers driving up cooling demands and regulations such as Sarbanes-Oxley driving up data security requirements, the physical environment in the data center must be watched more closely. While well understood protocols exist for monitoring physical devices such as UPS systems, computer room air conditioners, and fire suppression systems, there is a class of distributed monitoring points that is often ignored. This paper describes this class of threats, suggests approaches to deploying monitoring devices, and provides best practices in leveraging the collected data to reduce downtime.

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Cooling Strategies for Ultra-High Density Racks and Blade Servers

Rack power of 10 kW per rack or more can result from the deployment of high density information technology equipment such as blade servers. This creates difficult cooling challenges in a data center environment where the industry average rack power consumption is under 2 kW. Five strategies for deploying ultra-high power racks are described, covering practical solutions for both new and existing data centers.

Power and Cooling Capacity Management for Data Centers

Power and Cooling Capacity Management for Data Centers

High density IT equipment stresses the power density capability of modern data centers. Installation and unmanaged proliferation of this equipment can lead to unexpected problems with power and cooling infrastructure including overheating, overloads, and loss of redundancy. The ability to measure and predict power and cooling capability at the rack enclosure level is required to ensure predictable performance and optimize use of the physical infrastructure resource. This paper describes the principles for achieving power and cooling capacity management.