Case in point: A months-old hack of an Illinois utility's control system wasn't discovered until earlier this month, when a water pump that an attacker apparently set to repeatedly turn on and off finally burned out. The Department of Homeland Security, however, downplayed the implications of the attack. "At this time there is no credible corroborated data that indicates a risk to critical infrastructure entities or a threat to public safety," read a DHS statement.
But security experts beg to differ. "This is a big deal," industrial control system expert Joe Weiss told The Washington Post. "It was tracked to Russia. It has been in the system for at least two to three months. It has caused damage. We don't know how many other utilities are currently compromised."
While U.S. utilities have previously been spared from such attacks, the failure of a control system for any reason can be deadly. For example, in 2009, an automated control system installed at Russia's largest hydroelectric facility, the Sayano-Shushenskaya plant, failed to regulate a poorly maintained, 1,500-ton turbine, which ripped free from its moorings and shot 50 feet into the air, before crashing down and causing massive destruction and flooding inside the facility. Ultimately, 75 people died.
Alarmingly, the hack of the Illinois utility appears to have involved a negligently maintained industrial control system environment. How else to explain the hacker's ability to exploit phpMyAdmin, an open source MySQL front end that was connected to the utility's control system? At last count, the tool has had 105 known vulnerabilities, making it a prime candidate for never being brought anywhere near a control system environment.
Why aren't utilities treating information security with more respect? An April study from Ponemon--sponsored by security information and event management vendor Q1 Labs (which was purchased by IBM last month) found that utilities and energy companies spend about 10 times more on physical security than on information security.
The failure by DHS, the utilities that run the critical infrastructure, as well as control system manufacturers to own up to the broader implications of the Illinois utility exploit have led one hacker, who uses the handle "pr0f" and sports a Rumanian email address, to hack into a utility in South Houston, Texas. Thankfully, he simply published screen shots of the control system. "No damage was done to any of the machinery; I don't really like mindless vandalism. It's stupid and silly," he said in a Pastebin post. "On the other hand, so is connecting interfaces to your SCADA machinery to the Internet. I wouldn't even call this a hack, either, just to say. This required almost no skill and could be reproduced by a two-year old with a basic knowledge of Simatic."
If Siemens Simatic systems sound familiar, that's because they were exploited by Stuxnet. According to a recent DHS report, even members of Anonymous had tested Siemens Simatic control system software for potential weaknesses, although the agency rated the likelihood of the group actually attempting to exploit control systems as slim. But just as attackers or security researchers can easily search for websites or Internet-connected photocopiers with known vulnerabilities, so too can would-be industrial control system hackers search for Internet-connected systems with known bugs.
But this warning has been sounded before. Long before pr0f hacked South Houston or Stuxnet targeted Iranian nuclear refineries, security researchers were warning that exploiting the programmable logic controller (PLC) used in industrial control systems isn't very difficult. At the Black Hat conference in Las Vegas earlier this year, furthermore, security researcher Dillon Beresford of NSS Labs decided to see how difficult it might be to create his own version of Stuxnet. He found that with less than three weeks of work, and spending about $10,000 to replicate his target hardware environment, he was able to successfully exploit a Siemens Simatic S7 PLC.
His aim wasn't to create Stuxnet 2.0. "The real motivating factor was really to try and show the public that it's really not that complicated, these types of attacks, and that most people with enough time and resources could really pull this off," said Beresford. One big problem, he said, is that few if any PLCs use any type of effective access control system.
John Pollet of Red Tiger Security--also speaking at Black Hat--agreed with Beresford's assessment, noting that while the Siemens Simatic requires a password before it will execute remotely sent commands, many control systems lack even that level of protection. That's perhaps not surprising, since many PLCs were designed before the Internet was ever adopted. "Some of the systems that we conduct assessments on are older than me," he said. "PLCs that have been running oil-cleaning facilities for over 30 years, they rarely break."
But besides lacking passwords, none of the systems have simple network management protocol (SNMP) either, meaning there's nary a digital paper trail. "You can chuck forensics out the door," said Pollet. As a result, and as the incidents in Illinois and Russia illustrate, the first sign of software failure--due to an attack or otherwise--may not be until something physical fails. Does anyone think that's safe?
Sensitive customer and business data is scattered in hidden corners of your infrastructure. Find and protect it before it winds up in the wrong hands. Also in the new issue of Dark Reading: The practical side of data defense. Download the issue now. (Free registration required.)