Wednesday, November 28, 2012

How long does it take to find a security problem in Industrial control systems?

Seven minutes:
On Thanksgiving day I had a morning’s worth of time to wait for a turkey to cook, so I decided to take a shot at finding as many SCADA 0day vulnerabilities as possible. As we at Exodus responsibly report all vulnerabilities we deal with, my goal was to report any such findings for free to ICS-CERT, the group responsible for collaborating with SCADA vendors to ensure vulnerabilities are fixed.


The most interesting thing about these bugs was how trivial they were to find. The first exploitable 0day took a mere 7 minutes to discover from the time the software was installed. For someone who has spent a lot of time auditing software used in the enterprise and consumer space, SCADA was absurdly simple in comparison.
For those who haven't been reading my jeremiads on the subject, SCADA systems are the control computers that run the electric power grid, oil refineries, factories - the infrastructure of the modern economy. Thousands have been connected to the Internet (to make them easier to manage).

Security wasn't an afterthought; it wasn't thought of at all.

The researcher found 23 security bugs, ranging from code execution to file system manipulation to denial of service. I'd go out on a limb and say that the denial of service ones are perhaps the most dangerous - I don't know that it would be possible to DoS a refinery and make it go boom, but I don't know that you couldn't, either.


Dave H said...

Denial of service is a very real threat to the power grid. Blocking control systems from being able to receive grid status (by blocking access to the meters, which by necessity are scattered all over the grid) would most likely cause a safety shutdown, at least in some parts of the grid. Kicking a refinery offline for a few hours may cause a jump in gas prices but won't significantly impact society. Turning off the lights will immediately cause a lot more mayhem.

dehakal said...

Actually, refineries are very delicately balanced beasties. One does not just take a unit offline. For some of the units, shutdown is a process that can take a week or longer. For example, the rapid 5-minute shutdown of a 1980s Hydrocracker Unit is possible; the 2-mile-diameter, 300-foot-deep hole where it was is an unfortunate side effect. Or so I was informed back when I did Non Destructive Testing for many of the local refineries.