Expert: public utilities may be at risk for hacking

By Ed Oswald | Published June 12, 2008, 3:25 PM

Researchers with security firm Core Security Technologies are warning that a flaw in the software that manages the nation's public utility systems may leave those systems open to incursion via the Internet.

The problem exists in software called CitectSCADA, which is used to control industrial processes. SCADA is short for "Supervisory Control and Data Acquisition." The flaw was patched only a week ago, although Core Security notified Citect five months ago.

CitectSCADA software is used by a wide variety of companies, including many public utilities. In addition, Citect's clients also span across the aerospace, food, and manufacturing sectors.

According to Core Security's advisory, an attacker could take advantage of the flaw, a buffer overflow, to execute code, which could result in loss of control of whatever system the software administers.

There is the outside chance that this vulnerability may exist on other platforms, the firm added.

Two months ago, a power company hired a security engineering team led by Ira Winkler to break into its SCADA system. The team accomplished this using perhaps the simplest trick in the book: It sent e-mails to power company employees with fake links promising to take them to reports about their benefits plan. Those links instead launched a password-harvesting virus. Winkler's team used the stolen passwords to gain access literally within minutes.

While SCADA software makers advise their customers to keep these systems separate from the Internet, not all customers have taken steps to ensure they are completely cut off. And it would take only a disgruntled employee to carry out the attack from inside, without needing the Internet at all.

"Vulnerabilities of this nature can pose serious risks to any businesses using this technology and both the vendor and user organizations should be diligent and address them in a timely manner," the firm's chief technical officer Ivan Arce said.

Arce's team was behind the detection last September of a serious hole in AOL's Instant Messenger that it demonstrated could lead to Web browser hijacks, and also the discovery last February of a security hole in VMware that would enable a stealth attack under the guise of a virtual machine, where malicious users could generate and run executable code practically at will.

Curiously, security engineer Winkler doesn't appear to hold any particular affection for security engineer Arce or his team. Back in May 2007, Winkler called Core Security to task for running ads in major publications stating it had discovered macros in Microsoft Office files were vulnerable, accusing the company of scare-mongering.

"Anyone with a clue knows that the macro abilities embedded within those file types has been proven to enable attacks for over a decade," Winkler wrote on his blog at the time. "The fact that a security company feels compelled to have this as the main teaser line either demonstrates that they have little faith in the intelligence of the readers (although they may be right) and is an insult to our intelligence, or they don't have a clue."

But Winkler and Arce do appear to agree on the potential severity of the SCADA vulnerability. Based on a reading of Core Security's advisory, the SCADA problem could pose a national security risk if not remedied. The CIA warned public utilities earlier this year that Internet-launched attacks on public utilities have already occurred in other countries, one resulting in a power outage that affected multiple cities.

In fact, Homeland Security officials have already run several simulated events to prepare for the eventuality that public utilities are compromised through the Internet. In the end, however, calls for better security within SCADA software are nothing new.

The Federal Energy Regulatory Commission in January approved eight mandatory security standards specifically aimed at the electricity industry in order to protect systems from Internet-based attacks.

Scott M. Fulton, III contributed to this report.

Comments


Hello Mr. Oswald and Mr. Fulton.
I don't at all recall Core running ads in major publications stating that we've discovered that macros of MS Office are vulnerable to anything. I don't recall being accused of anything by Ira Winkler either.
I'd appreciate it if you could provide us with references to those events either here or by contacting me directly.

Thank you
-ivan
Ivan Arce
Core Security Technologies

Score: 0


The vulnerability of SCADA systems has been one of the most significant and oldest exposures! Heretofore the limitations in the size and scope of the systems have been their major saving grace. And thus damage due to incursion was limited simply to the scope of the individual system.

This is changing rapidly.

Only the lack of the public's awareness and understanding of the systems has obscured the vulnerability. But this exposure is WELL known in the security community.

And going one step further, one wonders why low yield impulse devices haven't been used more often by ne'er-do-wells to disable regional communications and security systems - especially as they are SO EASILY fabricated (hell, IEEE Spectrum even published the plans in ~November 2003!)

And as far as the nonsense that SCADA is simply a monitoring tool, they might want to review the breach and takeover of the CSX eastern seaboard railway system in August of 2003! OOPS!

Sorry Tool, but SCADA is a primary vulnerability that is increasing daily as interactive management increases in scope and complexity and heretofore independent networks increasingly become interactive and consolidate - regardless of your authoritative Wikipedia source! And the fact that so many here are just learning what the systems are and that they are vulnerable speaks to the ignorance of the IT community.

Score: 0


And as far as the nonsense that SCADA is simply a monitoring tool, they might want to review the breach and takeover of the CSX eastern seaboard railway system in August of 2003! OOPS!

Point it out. Google brings up nothing regarding this. Zero. You'd think it would have gotten some press?

Maybe a link? The least you could provide, perhaps?

*laughs*

Anyone connecting SCADA to an internet-connected network has more than enough stupid to go around. No need to blame SCADA for that.

regardless of your authoritative Wikipedia source!

How *cute* of you to completely ignore my own statements as to its lack of authority and imply I intended it otherwise. You should be in politics...

Score: 0


Google doesn't reference it? That proves it! It doesn't exist. Take it up with Google.

The irony is that we were involved in the mitigation of the breach and subsequent shutdown as it took 3 days to systematically bring the remote control network back up in conjunction with the Secret Service and others in late August 2003 just a week after the NE blackout (and you certainly wouldn't want to examine that issue that involved the failure of SCADA and the human operators to alleviate a cascading power network failure!!LOL!) A subset of issues created by the blackout led to a compromise of the railroad's control system.

Gee, and you believe everything as you read it in the press? The silence regarding the incident has been staggering! And yes, some in the press were quite aware of the incident.

SCADA is increasingly a distributed networked monitor and control system, and often they utilize various Internet tunnels as well. Why one would somehow exempt SCADA from the security issues associated with any other wireless/wired network system is rather amazing. Sorry if your concept of network security is limited simply to the "Internet".

With your insight, and others like Wolf and Smith in the post above regarding Congressional idiots who exposed sensitive information on their own computers and then seek to blame others - despite their passage of laws such as SOX and others that hold owners of compromised systems liable for subsequent damages - all the while exempting THEMSELVES, I am surprised you with your insight are not in politics, as you share the same concept of risk and culpability regarding SCADA.

Your insight aside, all of the points stand.

Score: 0


This is old news. They posted about this months ago on /. slashdot.

If you still don't have your acts together, that's very sad. It does not make one sleep well at night knowing a script kiddie can bring down the entire grid.

Score: 0


Right, so your only reference to an actual failure of the SCADA network from hacking is buried in secrecy.

...how nice.

Was the network hacked, or was there simply a failure that was poorly reacted to?

...I guess we'll never know.

Also, you're an idiot if you think for a moment that I even once implied security should not be looked at, or increased at every opportunity. I said *nothing* of the sort.

*yawn*

This is getting tiring. My comments regarded only the current state, on which the title of the article is utterly misleading as it implies the possibility of internet-based control of the grid. No chance. Not now. In the future? Possibly, if we're stupid enough to automate it and connect the controls to the internet. But not now, as the article implies. That's pure FUD.

Score: 0


"Pure FUD"....whatever. LOL!

Stick your head back in the sand or that other orifice and go back to sleep.

But what do you expect of one who garners his knowledge of SCADA systems from Wikipedia?

The security risks to SCADA systems are no less than for any other distributed networked system - exacerbated due to the systems they control.

This topic is indeed old news.

Score: 0


But what do you expect of one who garners his knowledge of SCADA systems from Wikipedia?

There you go again, implying the opposite of my *exact* words.

Wikipedia: (not authoritative,

If you actually know what you are talking about, you might want to try backing up your arguments instead of making lame attempts to make people think I rely on Wikipedia when I myself stated it was not the authority on the subject.

...just a suggestion.

Score: 0


Expert?? Sure, maybe...in FUD.

SCADA is mainly a monitoring tool (Real-time display of control data). The "control", at least in regards to the electrical grids and water supply, is still for the most part 1950's tech (humans are still throwing switches and shunting valves).

There is no "Fire Sale". It's just not possible.

Stanford's write up when they implemented SCADA:
http://www.stanford.edu/...ystems/scada_system.htm

Wikipedia: (not authoritative, but there's some good info there regarding its uses and limitations)
http://en.wikipedia.org/wiki/SCADA

Are we going to start seeing these articles about SCADA vulnerabilities every few months now?

http://www.betanews.com/...d_in_one_day/1207855549

Score: 0

