As the details of STUXNET’s design unfolded last fall, like many, I was truly impressed by the pin-point precision that the malware authors used to ensure that their target, and only their target, was impacted by the virus. In this regard, STUXNET may be one of the most responsible piece of malware ever written, because it was carefully designed to avoid any collateral damage.
However, one of the unexpected outcomes of STUXNET is the extent to which it has aroused the “security researcher” community and has turned their attention from commercial IT products to industrial automation and control systems. While their motives vary, from seeking recognition and monetary gain to intending to cause harm, the end result is that there are suddenly a lot of very smart people actively looking to find and exploit vulnerabilities in industrial control system products. And, not surprisingly, they are having a lot of success in this relatively “untapped” market.
For example, on March 21, 2011, Italian security researcher Luigi Auriemma disclosed 34 vulnerabilities spanning four different industrial control systems. These disclosures exploited vulnerabilities within various core control system applications and services, making these susceptible to not only denial of service attacks, but also the ability to remotely execute code on these susceptible systems. Around the same time, a Russian company, GLEG Ltd, began selling the “Agora+SCADA” exploit pack. The pack contains 23 modules for attacking systems by various manufacturers – including nine zero-day exploits. Shortly thereafter, security researcher Rubén Santamarta notified US ICS-CERT of a vulnerability in BroadWin WebAccess, a web browser-based HMI product (also sold as Advantech). Mr. Santamarta has publicly released details of the vulnerability including exploit code and instructions on how to use it. And, if that’s not enough, last week at the TakeDownCon conference researchers from NSS Labs were politely asked by Siemens and the US Department of Homeland Security to cancel their planned demonstration of the vulnerabilities they discovered in Siemens industrial-control systems that could allow hackers with remote access to cause physical destruction to factories and power plants. An interesting fact that didn’t appear in the news stories is that NSS Labs operates a platform called ExploitHub. Promoted as an iPhone style app store for hackers, ExploitHub is a community-driven marketplace for non-zero-day exploits where security researchers can turn independent security research into a paying gig by selling their exploits. At the moment, there are two SCADA software exploits available for purchase on ExploitHub.
That’s a lot of activity in just a couple of months. And these are just the publicized disclosures. Many researchers disclose their findings “responsibly” by privately notifying the manufacturers and other authorities. While other, as noted above, opt for full disclosure and immediately publish or even sell their exploits.
Industrial automation has, almost overnight, found itself in the cross hairs of security researchers and hackers. One can argue that this attention to security vulnerabilities in control system products is good for the industry and will result in overdue improvements in these products. While there is truth to that, this trend is also potentially very dangerous as the market is currently ill equipped to manage the threat posed by the prolific publication of security vulnerabilities and corresponding exploit code.
Next Thursday, June 9th, I will be conducting an informational webinar that explores strategies that automation system suppliers can employ to improve the inherent security of their products while also staying one step ahead of the researchers who aim to expose their flaws. These strategies can also be useful in preparing to react to vulnerabilities found either internally or externally. I will also discuss suggestions for how end-users can enhance the security of their installed systems and respond to news of vulnerabilities found in the products they use.