SCADA Security Needs to Step Up: Report

Wednesday, May 24, 2017 @ 09:05 AM gHale

Attacks on SCADA systems could have an impact on various networks and parts of the critical infrastructure, a new report said.

“Behind most modern conveniences, there exists a SCADA system somewhere that controls them,” Trend Micro researchers pointed out in a new report that looks at the potential of vulnerabilities affecting SCADA systems’ Human Machine Interfaces (HMIs).


“SCADA systems are at the core of water treatment plants, gas pipelines, electrical power distribution systems, wind farms, expansive communication systems, and even civil defense sirens. Therefore, attacks on SCADA systems have the potential to impact a wide range of systems and numerous pieces of critical infrastructure.”

In the end, if an HMI ends up compromised, attackers can do pretty much anything to the critical infrastructure it controls.

Trend Micro researchers reviewed ICS-CERT advisories from 2015 and 2016 dealing with HMI vulnerabilities, and cross-referenced them with over 250 zero-days purchased by the ZDI program.

They found:
• 20 percent of identified vulnerabilities are memory corruption issues
• 19 percent are credential management issues
• 23 percent are issues tied to a lack of authentication/authorization and insecure defaults
• 9 percent are code injection issues that expose HMI systems to common injection types as well as domain-specific issues

Researchers also found the mean time to patch a vulnerability once it has been disclosed to the vendor is nearly the same as it has been for the last four years: about 140 days.

Naturally, some vendors are quicker to patch than others. Cogent Real-Time Systems and Trihedral Engineering are among the quickest, while larger vendors take on average over 200 days to produce a patch.

“SCADA system vendors tend to focus on the actual industrial equipment and not on the software that manages them because they make the most profit selling the hardware,” the researchers said.

“When it comes to the actual code behind SCADA systems, a majority does not utilize basic defense-in-depth measures such as address space layout randomization (ASLR), SafeSEH, or stack cookies,” researchers said. “This may be related to the mistaken belief that these solutions will operate in a completely isolated environment. SCADA solution developers often have little experience with regard to user interface (UI) construction. This is coupled with the fact that developers do not know what the final operating environment will be like for the systems. This causes developers to make assumptions that are often incorrect.”
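As an added illustration (not code from the article or from the Trend Micro report), the check below reads the DllCharacteristics flags of a Windows PE image to tell whether a binary such as an HMI executable was linked with ASLR, DEP and Control Flow Guard; the PE headers it inspects are constructed inline rather than taken from any real product. SafeSEH tables and the /GS stack cookie live in the Load Config directory and are deliberately left out of this header-only check.

```python
import struct

# IMAGE_DLLCHARACTERISTICS_* flag values from the PE/COFF specification
HIGH_ENTROPY_VA = 0x0020   # 64-bit ASLR with high-entropy addresses (/HIGHENTROPYVA)
DYNAMIC_BASE = 0x0040      # ASLR opt-in (/DYNAMICBASE)
NX_COMPAT = 0x0100         # DEP/NX opt-in (/NXCOMPAT)
GUARD_CF = 0x4000          # Control Flow Guard (/guard:cf)


def pe_mitigations(data: bytes) -> dict:
    """Linker-level mitigations from a PE image's DllCharacteristics (header flags only;
    SafeSEH tables and the /GS cookie live in the Load Config directory, not checked here)."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: missing PE signature")
    coff = e_lfanew + 4                        # IMAGE_FILE_HEADER follows the signature
    (opt_size,) = struct.unpack_from("<H", data, coff + 16)
    opt = coff + 20                            # optional header follows the 20-byte COFF header
    (magic,) = struct.unpack_from("<H", data, opt)
    if magic not in (0x10B, 0x20B) or opt_size < 72:
        raise ValueError("unsupported or truncated optional header")
    # DllCharacteristics sits at offset 70 in both PE32 (0x10B) and PE32+ (0x20B)
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "pe32plus": magic == 0x20B,
        "aslr": bool(dll_chars & DYNAMIC_BASE),
        "high_entropy_va": bool(dll_chars & HIGH_ENTROPY_VA),
        "dep": bool(dll_chars & NX_COMPAT),
        "cfg": bool(dll_chars & GUARD_CF),
    }


def make_header(dll_chars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE header (DOS stub + COFF + optional header); demo input only."""
    dos = bytearray(64)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 64)      # e_lfanew: PE signature right after the DOS header
    opt_size = 240 if pe32plus else 224
    coff = struct.pack("<HHIIIHH", 0x8664 if pe32plus else 0x14C, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


# Constructed samples: an image with no opt-ins (the state the report describes)
# beside one linked with /DYNAMICBASE /HIGHENTROPYVA /NXCOMPAT /guard:cf.
LEGACY_HMI = make_header(0)
HARDENED_HMI = make_header(DYNAMIC_BASE | HIGH_ENTROPY_VA | NX_COMPAT | GUARD_CF, pe32plus=True)
```

Run `pe_mitigations(open(path, "rb").read())` on a real binary to get the same report; a legacy image returns every flag as False.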

The report also documents errors vendors make when fixing reported vulnerabilities. In many instances they fix the specific issue but go no further; for example, they do not replace banned APIs or other problematic functions.

There are solutions, however.

“Developers of HMI and SCADA solutions would be well advised to adopt the secure lifecycle practices implemented by OS and application developers over the last decade,” they said.

“SCADA developers also need to expect their products to be used in manners that they did not intend. For example, even though it should be considered a poor security practice, developers must assume their products and solutions will be connected to a public network. By taking the mindset that assumes a worst-case scenario, developers can implement more defense-in-depth measures to add protection.”

They also suggest vendors:
• Employ basic fuzzing
• Use the Microsoft Attack Surface Analyzer to identify security misconfigurations and increases in attack surface
• Audit for unsafe or banned APIs and other problematic functions

“Bugs in SCADA systems will likely be with us for many years to come,” researchers said. “By working together, the security of these systems will continue to improve. While a completely secure system will likely never be created, implementing strong research and development tactics will be our best chance to keep the lights on as long as needed.”
