Three presentations scheduled to take place at the Black Hat computer security conference in Las Vegas today will reveal vulnerabilities in control systems used to manage energy infrastructure such as gas pipelines. These are just the latest sign that such systems remain dangerously susceptible to computer attacks that could have devastating consequences; and although the researchers proposed fixes for each flaw they’ve identified, they caution that, on the whole, industrial infrastructure remains woefully vulnerable.
The vulnerabilities add to a growing list of problems identified due to a recent surge in research into the security of industrial systems. Progress to fix such security issues has been slow going, due partly to the poor design of existing systems, and partly to a lack of strong incentives to fix the flaws quickly.
One demonstration today will spray the audience with water from a replica water plant component forced to overpressurize. Another will show how wireless sensors commonly used to monitor temperatures and pressures of oil pipelines and other industrial equipment could be made to give false readings that trick automatic controllers or human operators into taking damaging action. A third talk will detail flaws in wireless technology used in 50 million energy meters across Europe that make it possible to spy on home or corporate energy use and even impose blackouts.
U.S. officials have frequently warned that vulnerabilities in industrial control systems could permit damaging attacks on public infrastructure resulting in power outages, environmental damage, or even loss of life (see “U.S. Power Grids a Hacking Target”).
All the attacks to be mentioned today require significantly fewer resources and skill than what was required to employ the best-known attack on an industrial system, the U.S.-Israeli-backed Stuxnet operation against the Iranian nuclear program (see “New Malware Brings Cyberwar One Step Closer”).
“We have demonstrated a few scenarios that will cause a catastrophic breakdown—a pipe to burst or tank to overflow—while sending a completely different view to the controller,” says Brian Meixell of Texas security company Cimation, who brought the replica water plant component to show off the vulnerabilities he discovered.
With colleague Eric Forner, Meixell exploited a protocol called Dbus that has been used to control industrial equipment since the 1970s and is still in wide use today on devices often connected directly to the Internet. Scans of public IP addresses have revealed that at least 90,000 industrial control devices are online and vulnerable to that type of attack, says Forner (see “What Happened When One Man Pinged the Whole Internet”). Dbus is insecure because no one in the industry that uses it thought it was a priority to make it secure, says Meixell.
Lucas Apa, a researcher with IOActive, says this attitude also underpins the flaw he and colleague Carlos Mario Penagos found in wireless sensors that are used to monitor oil, water, nuclear, and natural gas infrastructure. The three leading suppliers of those sensors designed them so that they can be made to give spoof readings, or even be shut down with a relatively cheap 40-mile-range radio transmitter, says Penagos. “We can show total shutdown of the plant,” he says.
That problem—and the one discovered by the Cimation team—is now known to the companies that make the equipment, and to the industrial and infrastructure companies that buy them, thanks to a data-sharing program run by the Department of Homeland Security. That program, called ICS-CERT, for Industrial Control System Cyber Emergency Response Team, shares newly published data on vulnerabilities with affected companies and industrial operators.
However, just because ICS-CERT highlights a problem doesn’t mean it gets fixed promptly.
Apa says he expects many sensors will remain vulnerable to his wireless attack despite ICS-CERT’s action because fixing it requires physically connecting to the sensors to upgrade their software. “Because the devices are used on hazardous places, it can be very hard to grab them,” he says, and some companies will have many hundreds of sensors or more.
Sameer Bhalotra, the former senior director for cybersecurity at the Obama White House and now chief operating officer of Web security company Impermium, told MIT Technology Review that although the ICS-CERT functions well, it doesn’t speed the progress in industrial security. In contrast, software companies such as Microsoft have become adept at rapidly patching vulnerabilities, to the point where major flaws are now rare, says Bhalotra. Companies that make industrial control equipment and software have never had to worry much about security, and so they’re not capable of generating patches quickly, or making significant design changes. “Nothing well organized is happening today,” he says. “Vendors are just going to have to get faster and better at patching, and that’s going to take some time.”
One reason the process is so slow is a lack of clear incentives, says Bhalotra. Current law doesn’t make energy operators or the manufacturers of control systems liable for the consequences of poor security, such as damage caused by an explosion or a lengthy power outage. Only the introduction of new legislation to clear up the liability issue is likely to speed the evolution of more secure industrial control systems, says Bhalotra.