One of the scariest of the many dark corners in the world of Internet security is the back and forth over the integrity of the supervisory control and data acquisition (SCADA) systems that control much of our critical infrastructure.
Computerworld’s Lucian Constantin reports that Siemens has released updates for its SCADA systems. The vulnerabilities the patches are aimed at correcting include one in which unauthenticated attackers could execute arbitrary code on the SIMATIC WinCC SCADA server via specially crafted packets. This could lead to a full system compromise and is rated a 10 on the Common Vulnerability Scoring System (CVSS). The other vulnerability enabled extraction of arbitrary files from the same server. It received a CVSS rating of 7.8.
Last month, the U.S. Department of Homeland Security issued an alert that a variant of the BlackEnergy malware had infiltrated SCADA systems that control oil and gas pipelines, the power grid and water distribution systems, according to Greentech Media. The report, which originated with ABC News, said that crackers sponsored by the Russian government were responsible. The hack was first made public by the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT).
The team said that there had been no interference in systems operations. The speculation is that the malware is a deterrent against an attack on Russian systems. The Siemens system was among those targeted:
The report goes on to say that the likely initial infection was through systems running GE’s Cimplicity. The malware has also targeted Advantech/BroadWin WebAccess and Siemens' WinCC. Other vendors may also be affected. The vendors that have been identified have provided patches or are in the process of providing updates, according to EETimes.
Last summer, the National Institute of Standards and Technology (NIST) said that it is building a test bed aimed, according to The Register, at “addressing the SCADA industry’s chronic insecurity.” The project, which was officially named The Reconfigurable Industrial Control Systems Cybersecurity Testbed, is in its earliest stages of development. The story says that its first use will be on a chemical process with the foreboding name of “the Tennessee-Eastman problem.”
Rebecca Abrahams, the chief communications officer at Ziklag Systems, offered a dire update on SCADA security in the Huffington Post. Essentially, SCADA is pretty much a train wreck and our enemies – private, governmental and the gray area in between – are pouring resources into exploiting the problems.
The answer, she writes, is twofold. Not only must SCADA be replaced, but the underlying platform must also be changed:
In parallel, we need new, secure operating systems for our sensitive computer networks to replace unsuitable commercial products which, unless changed out, will lead to our destruction. Commercial network operating systems cannot be repaired - they must be scrapped. This is a tall order: but we have the expertise to do the job. In fact, even the Chinese are already putting in place their own operating system development to keep Western intelligence agencies out. We can build even better ones. We need to urgently.
The unfortunate reality is that it is entirely possible that the warning will be ignored. It also is easy to see what the possible result of that neglect will be.
Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at firstname.lastname@example.org and via Twitter at @DailyMusicBrk.