Researchers presented some alarming findings about the state of security for supervisory control and data acquisition systems at the Kaspersky Security Analyst Summit on Feb. 3. SCADA systems are used across varied industries such as oil, water systems, electric grids, controlling building systems, and the basic security model underlying these systems is completely inadequate, they said.
Two researchers decided to try to find 100 bugs in 100 days in industrial control system software, Terry McCorkle, an industry researcher, told attendees at the conference. As they began their research, it quickly became evident the team had underestimated the severity of the problem.
"Ultimately, what we found is the state of ICS security is kind of laughable," McCorkle said.
The bugs were "straight out of the 90s," and for the most part, were "blatantly obvious" flaws, according to McCarkle. McCorkle and his partner in the project, Billy Rios, used fuzzing techniques and found over 1000 bugs in ICS software. McCorkle said a lot of the people he spoke with in the industry had never thought to try fuzzing to look for vulnerabilities in ICS software.
File format issues were the most prevalent, followed by ActiveX, according to McCorkle. They found several SQL vulnerabilities but no SQL injection flaws, and lots of buffer overflow issues. There were examples of how ICS software were executing VBScript to open command shells and other applications, as well as Websites having direct access to the Windows registry. They reported 1035 bugs that cause systems to crash and 95 that were easily exploitable, to vendors, McCorkle said. The exploitable bugs included issues that could be exploited by cross-site scripting. The 1035 bugs would have required someone to spend some time to find a way to exploit the vulnerability, but McCorkle was confident some could be exploited.
Although McCorkle and his team had reported those vulnerabilities to the vendors, the problem remained of how the systems would get patched. If the vendor decided to patch the issue, which is not always a given, there was still the question of how to notify administrators and how to actually distribute and install the patches, McCorkle said.
Many of the systems that are now Internet accessible were not originally designed to be connected, and some have embedded Web services and mobile interfaces that make it even easier to connect remotely. Many SCADA systems are available online with weak passwords such as '100,' according to McCorkle.
0 comments:
Post a Comment