Insecure industrial control systems, hacker trends prompt federal warnings
DHS warns of increasing security risk to power utilities, water treatment plants and manufacturing
By Antone Gonsalves
October 30, 2012 — CSO — Security researchers fed up with what they see as the glacial pace with which vendors fix holes in industrial control systems have exposed vulnerabilities that raised concerns among federal officials.
The latest security weaknesses, as well as troubling trends in the hacker underground, led the Department of Homeland Security to warn late last week of an increasing security risk to the control systems used by power utilities, water treatment plants and manufacturing. The latest warning, issued Friday stemmed from a report of a vulnerability found in ICS equipment sold by 261 manufacturers.
Researchers with security vendor Digital Bond reported that Smart Software Solutions' CoDeSys product lets anyone upload code without authentication. The software is used in programmable logic controllers (PLCs), which are computers used in control systems to automate tasks.
Dale Peterson, chief executive for Digital Bond, said Germany-based Smart Software, known as 3S in the industry, designed the product without authentication, so the vendor knew about the vulnerability. "They chose to design the product that way," Peterson said Monday.
3S was not immediately available for comment.
Digital Bond, along with researchers from other organizations, have embarked on a research effort called Project Basecamp that is dedicated to exposing security weaknesses in ICS devices in order to prod manufacturers into fixing the problems. Many of the systems were built before the Internet was introduced in networks that also contain control systems.
"We call these insecure-by-design issues," Peterson said. "These PLCs that run power plants, oil pipelines and things like that were designed with no security in them and that's been allowed to continue."
[See also: Hacktivism moves from pranks to problems]
The vulnerability of control systems comes as interest in the devices has grown among hacktivist and anarchist groups.
"Hacktivist groups are evolving and have demonstrated improved malicious skills," DHS' cybersecurity division, ICS-CERT, said. "They are acquiring and using specialized search engines to identify Internet-facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems."
The DHS reported that several new exploit tools released publicly in February targeted PLCs from General Electric, Rockwell Automation, Schneider Electric and Koyo. The tools, which included the popular Metasploit penetration testing technology used by security pros and hackers, made it possible to leverage vulnerabilities to crash or restart affected devices.
The DHS also reported on the existence of publicly available specialized search engines, such as SHODAN and Every Routable IP Project, which researchers had used to compile a list of the IP addresses of more than a half million Internet-facing control systems.
The technology trends have raised the danger of hacktivist-led attacks against critical infrastructure, says the DHS. Whether disclosing weaknesses is making the systems less secure is unclear. Supporters say it forces vendors to move faster in fixing problems that most hackers already know exist. Others are not so sure.
"Putting something in the wild before vendors have a chance to understand what the problem is turns in to just unleashing something," said Bob Lockhart, an analyst for Pike Research.
The DHS notified 3S and asked the company to confirm the vulnerability and to report on how it can be plugged. Until a fix is released, the agency advised taking all affected systems off a network that is connected to the Internet.
No laws exist today governing security in industrial control systems, so companies must decide for themselves how to lock them down. Reid Wightman, a former employee of Digital Bond who led the research on 3S, said he advises companies to keep control systems on an isolated network.
However, that does not eliminate the inherent insecurity of many control systems, so Wightman, who now works for IOActive, advises clients to negotiate security.
"They should sit down and talk to their vendor and get security at the control level put into the contract," he said.
Read more about application security in CSOonline's Application Security section.