Mu Line Blog
Hidden Vulnerabilities in SCADA and Critical Infrastructure Systems

by Eric Byres on 19 February 2008 - 06:17:04 PM


Most IT professionals are pretty confident that they know what applications and operating systems are running on their desktops and servers. So when a vendor like Adobe releases an announcement of some new critical vulnerability (such as last week's beauty here), I know that getting and installing that patch is a very good idea because I use Adobe Reader software. Yes, patching is an annoying but at least manageable activity.

Unfortunately, the same doesn't hold true for the control systems running the world's critical national infrastructures like power, water and transportation. These systems often come as bundled packages from the vendors, so the end-user really doesn't know what is inside and what needs patching to keep the wolves away from the security house doors (Control Global asked me to author this piece earlier this year).

Let me give you a few real-world examples...

In December 1998, an ISS Security Advisory was released called "ICMP Redirects Against Embedded Controllers". Unfortunately, the advisory only stated that it "pertains to an indeterminant class of networked embedded controllers found in a wide variety of automation equipment... using the OS-9 operating system". The trouble is that few vendors of SCADA and PLC products will release information on which embedded operating system they use, so not one SCADA engineer in a thousand knew to contact his or her vendor for patches. The result of this SCADA weakness has been numerous system crashes and multimillion dollar production losses, culminating nearly 8 years later in the emergency shutdown of the Tennessee Valley Authority's (TVA) Browns Ferry Nuclear Plant in August 2006.

Last week a similar sequence of events began with the latest Microsoft Security Bulletin MS08-008 - "Critical Vulnerability in OLE Automation Could Allow Remote Code Execution (947890)". Now while this announcement makes it clear that if you use a web browser like IE, you are vulnerable, it fails to mention that OLE is the underlying component in an industry standard API commonly known as OPC (OLE for Process Control). Unfortunately nearly every system in the SCADA and process industries depends heavily on OPC for communications between control systems. How will OPC users discover they need this little patch? Well, if they have a responsible control system vendor (and there are some very good ones) they will get an email in the next 24 hours. But tens of thousands of critical systems will probably go unpatched this week until something messy happens again.

What does this all mean for the owners and operators of critical SCADA and control systems?

It means that end-users should not assume that a control system product is secure just because there are no patch advisories for it. Users need to actively communicate with their vendors and push for full and timely disclosure of all vulnerabilities that could cause unscheduled downtime or larger product safety issues. Users also need to proactively apply service assurance and negative testing to their systems (offline, of course), both prior to deployment in the field and on a regular basis, by running available vulnerability scanning tools like the Mu-4000 analyzer against all networked devices and applications. Most importantly, the SCADA industry needs to push for mandated security disclosures for all the products used in the market. Only then will these hidden vulnerabilities (and the wolves) stay away.
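The OPC-on-OLE and OS-9 stories above share one mechanism: an advisory names a component the end-user never knew was inside the product. The following is an added example, not code from the post or from Mu Dynamics, of what an operator can do once a vendor has disclosed a component inventory: walk the transitive dependencies of each product and match them against an advisory feed, so that MS08-008 against "OLE Automation" surfaces on the OPC-based workstation and the 1998 ISS advisory surfaces on the OS-9 controller. The product names, component names, the graph itself and the advisory `HYPOTHETICAL-0001` are constructed for illustration; only MS08-008 and the ISS advisory's subject come from the post.

```python
"""Cross-reference a disclosed component inventory against published
advisories, following hidden (transitive) dependencies.

Added example; not code from the original post. Inventory and feed are
constructed illustrations, apart from the two advisory subjects the
post itself mentions.
"""

from collections import deque

# Constructed inventory: product or component -> what it is built on.
# This is exactly the information the post says vendors rarely disclose.
DEPENDS_ON = {
    "hmi-workstation": ["opc-client", "vendor-windows-image", "vendor-runtime"],
    "opc-client": ["ole-automation"],      # OPC sits on OLE, as the post notes
    "vendor-windows-image": ["ole-automation"],
    "ole-automation": [],
    "plc-controller": ["os-9"],            # embedded OS the advisory named
    "os-9": [],
    # NOTE: "vendor-runtime" is referenced but never described: a gap.
}

# Constructed advisory feed: advisory id -> components it affects.
# MS08-008 and the ISS ICMP-redirect advisory are from the post; the
# identifier "HYPOTHETICAL-0001" is a made-up placeholder.
ADVISORIES = {
    "MS08-008": {"ole-automation"},
    "ISS-1998-ICMP-Redirects-Embedded-Controllers": {"os-9"},
    "HYPOTHETICAL-0001": {"some-unrelated-library"},
}


def transitive_components(product, graph):
    """Breadth-first walk from product; returns {component: path} where
    path is the dependency chain that reached the component."""
    seen = {product: [product]}
    queue = deque([product])
    while queue:
        current = queue.popleft()
        for dep in graph.get(current, []):
            if dep not in seen:
                seen[dep] = seen[current] + [dep]
                queue.append(dep)
    return seen


def applicable_advisories(product, graph=DEPENDS_ON, advisories=ADVISORIES):
    """Return {advisory_id: path} for every advisory that touches the
    product directly or through a hidden dependency. The path is the
    evidence an engineer needs when asking the vendor for a patch."""
    reachable = transitive_components(product, graph)
    hits = {}
    for adv_id, affected in advisories.items():
        for component in affected:
            if component in reachable:
                hits[adv_id] = reachable[component]
    return hits


def unknown_components(graph=DEPENDS_ON):
    """Components that appear as a dependency but have no inventory entry
    of their own: the 'what is inside' gaps that still need disclosure."""
    declared = set(graph)
    referenced = {dep for deps in graph.values() for dep in deps}
    return sorted(referenced - declared)


if __name__ == "__main__":
    for product in ("hmi-workstation", "plc-controller"):
        for adv_id, path in applicable_advisories(product).items():
            print(f"{product}: {adv_id} applies via {' -> '.join(path)}")
    print("undocumented components:", unknown_components())
```

Run stand-alone, the script reports that MS08-008 reaches the HMI workstation through `opc-client -> ole-automation` and that the ISS advisory reaches the controller through `os-9`, while `vendor-runtime` is flagged as a component whose contents nobody has disclosed. The value is in the path, not the match: it is what lets an operator ask the vendor a precise question instead of waiting for an email that may never come.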
