Expert: Critical system flaws a 'ticking time bomb'

LAS VEGAS--While computer users fret about online identity theft and corporate executives worry about digital espionage, security issues in critical infrastructure affecting every single person present even more cause for alarm, an expert said at the Black Hat conference here on Wednesday.

"SCADA (supervisory control and data acquisition) systems are a lot less secure than IT (information technology) systems," Jonathan Pollet, founder of Red Tiger Security, said in his session, titled "Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters."

SCADA systems, used in power companies and utilities to monitor and control processes over wide areas, traditionally have weak firewalls protecting the distributed control and other systems, Pollet said.

Recent modernization efforts have brought connectivity to the Internet back to the control environment and use of Windows, opening up new paths for threats, he said. Plus, there are known flaws in smart meters being installed in homes and linked back to critical systems, he added.

"We've had customers download a Windows patch and that patch actually broke the SCADA system," he said.

The demilitarized zone between the SCADA networks and the corporate IT networks contain the highest number of vulnerabilities, yet is also the most connected network zone, Pollet said.

"It's only a manner of time before we see more attacks or incidents on SCADA networks due to weak security and improperly configured defenses. Someone needs to own the responsibility for managing security for those systems that fall in between the corporate IT and SCADA networks," he said. "It's kind of a ticking time bomb."

Pollet said that during his consulting at utilities and other SCADA sites he has found all sorts of unnecessary software running on computers connected to important systems that can cause security problems, such as BitTorrent clients for peer-to-peer file sharing, chat clients, adult video directory scripts, and even botnet code and malware.

And now we've had the first known malware targeting control systems. TheStuxnet worm spreads via USB drives and exploits a previously unknown vulnerability in Windows. It also uses a Trojan backdoor that looks to see if an infected machine is running a specific type of software created by Siemens.

"You don't need a SCADA Zero-Day" (exploit targeting an unpatched hole), Pollet said. "They are starting to peek out...but there are already a lot of vulnerabilities that are already out in the infrastructure."

Meanwhile, many power plant companies are trying to jump through loopholes in the regulations to reduce their "audit footprint," and controls are being bypassed, he said. Critical infrastructure companies are attempting to limit their responsibility and are not prepared to deal with the kinds of online attacks and espionage that keep chief information officers up at night, he said.

"We're starting to see advanced persistent threats creep into these systems," like the attacks on Google and others that were made public earlier this year, Pollet said. It's to the point "where SCADA operators don't think they're in control of their systems anymore."

Meanwhile, there is human machine interface software used in SCADA systems and supported on BlackBerry mobile devices that lets workers control processes while driving in their cars, James Arlen, principal at the Push The Stack consultancy, said in another presentation on Wednesday.

Asked during the question-and-answersession if there are vulnerabilities that could cause widespread problems in the critical infrastructure, he responded "yes."

There were at least three sessions at Black Hat related to critical infrastructure. Arlen said he had submitted a talk proposal for the past four years to the conference organizers and finally got the go-ahead this year.

Asked why the interest in the topic now, Black Hat Founder Jeff Moss said: "There is that much more research being done. The focus has started to shift in that direction."