SCADA on thin ice

Editor's note: The sidebar titled "First steps to control systems security" was updated at 11 a.m. May 8, 2006, to correct the name of the Process Control Systems Forum.

The electronic control systems that act as the nervous system for all critical infrastructures are insecure and pose disastrous risks to national security, cybersecurity experts warn.

Supervisory control and data acquisition (SCADA) and process control systems are two common types of industrial control systems that oversee the operations of everything from nuclear power plants to traffic lights. Their need for a combination of physical security and cybersecurity has largely been ignored, said Scott Borg, director and chief economist at the U.S. Cyber Consequences Unit, an independent research group funded by the Homeland Security Department.

Control systems security is one of six areas of critical vulnerabilities Borg included in a new cybersecurity checklist released in April by the research group.

The private-sector owners of critical infrastructure refuse to release data and deny that their aging, inherently insecure systems pose any security risk, said Dragos Ruiu, an information technology security consultant to the U.S. government who runs several hacker conferences. Control systems security has been a hot topic in the past year at those conferences.

“It’s one of those issues that is so big, you just don’t want to see it because any solutions will be expensive, awkward and prohibitive,” Ruiu added.

Average hackers can break into the systems, said Robert Graham, chief scientist at Internet Security Systems (ISS). He, Borg and other experts fear that major cyberattacks on control systems could have socioeconomic effects as severe and far-reaching as Hurricane Katrina or even the 1986 Chernobyl nuclear disaster in Ukraine.

Most experts agree that measuring the risk from cyberattacks on critical infrastructure is difficult. Attacks are rare because control systems are still complex and individualized enough to make cracking them difficult, although a hacker who knows a particular system well can break into it easily, said Jason Larson, senior cybersecurity researcher at the Idaho National Laboratory, which leads federal efforts into critical infrastructure cybersecurity.

Even if a facility has not been attacked, that doesn’t mean it’s secure or the threat isn’t real, said Michael Assante, senior manager of critical infrastructure protection at the laboratory. “The idea that the technology is obscure and not well-understood by a potential aggressor is dangerous thinking,” he wrote in an e-mail message.

Government and industry have known for years that critical infrastructures offer ripe targets for attack. In 2002, the FBI’s National Infrastructure Protection Center found that al Qaeda members had sought information on control systems for water supply and wastewater management facilities.

Open-heart surgery
Control systems are built to run around the clock for decades without interruption or human intervention. A single critical infrastructure facility can have thousands of SCADA devices spread over hundreds of miles.

Because of the systems’ structure and management, standard IT security practices don’t work for them, experts say.

“It’s more like open-heart surgery,” said William Rush, a physicist at the Gas Technology Institute, a nonprofit research organization for the natural gas industry.

The systems have proprietary operating systems and applications that run on 20- to 30-year-old hardware built before security became a major IT issue, leaving them riddled with vulnerabilities.

According to conventional wisdom, critical infrastructure owners can’t upgrade or patch systems because any jitter or delay caused by IT security features could lead to catastrophic breakdowns costing millions of dollars. Any mistakes in IT implementation could affect the processes the systems control, leading to product alterations, chemical interactions, explosions or worse.

The situation got even more complicated in late 2001 when infrastructure owners started connecting their control systems to Internet-enabled corporate networks to maximize the use of their sophisticated equipment, said Eric Byres, research leader at the Internet Engineering Lab at the British Columbia Institute of Technology, a leading industrial cybersecurity research facility.

That introduced new vulnerabilities on top of existing ones and created complex connections that opened new backdoors, Byres said. The result is a smorgasbord for would-be attackers. “It’s open season,” he said.

‘The stories here are terrifying’
Utility owners say they realize cyberattacks pose a risk but don’t see it as a huge problem, Rush said. The federal government says industry is responsible for protecting critical infrastructure and has told both industry and vendors to get moving. Vendors, however, are waiting for sufficient demand for security products to make them, while industry is waiting for an ample supply of products to buy them.

“It’s a chicken-and-egg situation,” Rush said. All parties are waiting for government standards to guide and certify their efforts.

But Rush and other experts who are passionate about improving security fume at the delays. “Everyone’s waiting for a major catastrophe to happen before they do anything,” Graham said. “There will never be a big move until the government or [malicious] hackers force it.”

Until then, tailored attacks by an individual or a massive worm attack could bring down critical infrastructure. “The stories here are terrifying,” Borg said.

In January 2003, the Slammer worm infected the safety monitoring system at the Davis-Besse nuclear power plant in Oak Harbor, Ohio, and replicated so fast that it disabled the system for nearly five hours. The worm knocked out the plant’s central command system for six hours. A report from the North American Electric Reliability Council found that power wasn’t disrupted, but the failure stopped commands to other power utilities.

At the Black Hat Federal conference in Arlington, Va., in January, Graham presented a dozen horror stories of control system insecurity. For example, during negotiations to provide penetration testing to a critical infrastructure facility, the facility’s operators confidently told an ISS team they didn’t need help because their control system was already secure.

The ISS team promptly found an unsecured wireless access point connected to the facility’s business network, which in turn linked to the control system, Graham said. Using a 10-year-old exploit for Sun Microsystems’ Solaris operating system, the team took over the control system as the operators watched. When the team was within a few keystrokes of breaking something sensitive, the facility’s operators begged them to stop. Needless to say, he said, ISS got the job.

Solutions grow into maturity
The control systems security situation isn’t all bad, said John Sebes, chief technology officer and general manager of the public sector at Solidcore, which develops software that monitors changes to servers and prevents unauthorized code from running on them. The vulnerabilities are real and serious, but facilities now have their pick of mature security products to harden their systems, he said. With work and patience, critical infrastructure sectors have found they can use IT security best practices and install commercial IT security products without crashing control systems, he said.

“Industry as a whole has been moving away from the Chicken Little syndrome,” said Keith Stouffer, a mechanical engineer in the Intelligence Systems Division of the National Institute of Standards and Technology’s Mechanical Engineering Laboratory. “The problem is addressable. Let’s start addressing it.”

Industry better get a move on as attackers ramp up attacks, Graham said. ISS is predicting an increased frequency of minor attacks on control systems during the next three years. “We see it’s inevitable,” Graham said. “We have seen it in every other industry, and these guys are next.”