“With SCADA software being primarily responsible for critical operations and national infrastructures, an attack of this nature could not only result in the loss of data, but can also cause damage to physical assets and in certain scenarios, the loss of life,” said Ross Brewer, vice president and managing director International Markets at LogRhythm, in an email to Infosecurity. “As such it’s no surprise that arguably most notorious cyber attacks of the past couple of years – such as the Stuxnet and Flame viruses – have been SCADA breaches.”
Nonetheless, they appear to be easy pickings. On Thanksgiving, Aaron Portnoy, the vice president of research at Exodus Intelligence, was able to uncover no fewer than 23 vulnerabilities in SCADA systems in just a few hours. The first exploitable zero-day took a mere seven minutes to discover. “I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible,” he explained.
It was, he added, ridiculously simple, indicating a decided lack of up-to-date security and coding.
“For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison,” Portnoy said, noting that he reported all of the vulnerabilities to ICS-CERT, the group responsible for collaborating with SCADA vendors to ensure vulnerabilities are fixed. “The most difficult part of finding SCADA vulnerabilities seems to be locating the software itself.”
Fundamentally, SCADA systems were never really designed to be secure, Brewer said. “At least not from an IT perspective,” he noted. “With much of existing national infrastructure developed prior to the rise of the Internet, the focus of control system security is often limited to physical assets. This latest discovery of a host of SCADA vulnerabilities should therefore make it clear to organizations and governments alike that lax security is never an option and they must urgently re-examine the tools that are currently defending our control systems.”
For now, cyber attacks on SCADA systems are rare when compared to the number of incidents involving web applications or enterprise IT networks, but the threat they pose is disproportionately severe. As such, security must be updated. “Unfortunately, traditional perimeter cybersecurity defenses such as anti-virus software are no longer enough to ensure protection – the Flame virus, for example, avoided detection from 43 different anti-virus tools and took over two years to detect,” Brewer said.
What’s required is continuous monitoring of all log data generated by IT systems, so that organizations can automatically baseline normal, day-to-day activity across systems and multiple dimensions of IT infrastructure, he recommended. This would enable the real-time detection, response and investigative analysis of even the most sophisticated attacks that go against this definition of normal behavior.
“In order to subvert this approach, hackers would have to simultaneously break into their target SCADA systems, and into the log management system to modify specifically the pieces they were looking for – a very difficult if not impossible task,” Brewer said. “With the increasing computerization of critical infrastructure services, only by adding these additional levels of protection can anomalies be identified in real-time and cyber threats be responded to.”