SCADA's Scarce Security

Yesterday, BBC news reported that a “hacker” had allegedly destroyed a pump in the Illinois water treatment system. Apparently, this person had managed to gain access to the system and break the pump by repeatedly turning it off and on. This attack on a SCADA system (Supervisory Control and Data Acquisition) follows a similar attack earlier this year by the Stuxnet virus which appeared to target the Siemens SCADA system of the Uranium nuclear enrichment facilities in Iran.

SCADA systems are widely used where an interface between industrial processes and computer system is required. If a malicious user manages to gain entry to these systems, they can effectively modify the operation of the system by changing machine operation parameters, modifying reported values and even circumventing built-in safety measures (as was the case with Stuxnet). Obviously this is a big problem which is why these systems should be protected against such attacks. So how was the Stuxnet worm able to infiltrate and do just this? How was this attacker able to control a water pump in an Illinois water treatment system directly?

Many viruses and “hackers” use attack vectors known as Zero-Day vulnerabilities. These are flaws found in a computer system or software that are as yet unknown by the developers. Zero-Days can be of considerable value – a malware writer can exploit it to infect thousands of machines before anybody even notices let alone issues a fix. But this is not always the case and sometimes the attack vector is much simpler…

A ThreatPost article describes yet another water infrastructure attack, this time in Houston, Texas by an attacker known as “pr0f”. Pr0f managed to gain entry into this system not by discovering or purchasing a new Zero-Day, but by cracking their “…three character password”. Pr0f used an on-line scanner to find hosts that are visible on the Internet that looked like SCADA systems. Once found, he managed (unsurprisingly) to break their password.

In the case of the Illinois incident, usernames and passwords were actually stolen from the company, making the attack afterwards even simpler.

So, however diligent software and hardware manufacturers are at making sure their hardware/software is as secure as possible from attack, there seems to be no protection against honest stupidity. Why is an industrial control system visible on the Internet? If it really needs to be, why is there no system like a VPN to protect it? And if it really must be visible on the unsecured Internet, why did they have a three character password? Extreme security means nothing if operators are not aware of the vulnerabilities they introduce themselves.

So these reports basically highlight just how important it is to have some common sense and to use strong passwords. We are told this all the time but many people ignore it, thinking that nothing will ever happen to them. When it’s somebody’s own data that’s in danger that’s of concern to themselves, but when a public system like this is so badly configured it really becomes the concern of everybody.

How many other systems out there are grossly prone to attack? In an age where we are reliant on computer systems to control everything from our own personal finances to a country’s nuclear programme, we have to start taking this seriously. With just a basic education in computer security, the Houston attack would not have happened. We also need to protect user credentials as we protect other assets – a stolen credential is almost like giving an attacker a key to the front door.

As attackers are getting cleverer and more prolific, we must take the same attitude to computer security. Otherwise, who knows on which system the next attack will take place? And next time, it might be far more devastating that just breaking a water pump…