Insecure industrial control systems, hacker trends prompt federal warnings

Security researchers fed up with what they see as the glacial pace with which vendors fix holes in industrial control systems have exposed vulnerabilities that raised concerns among federal officials.

The latest security weaknesses, as well as troubling trends in the hacker underground, led the Department of Homeland Security to warn late last week of an increasing security risk to the control systems used by power utilities, water treatment plants and manufacturing. The latest warning, issued Friday, stemmed from a report of a vulnerability found in ICS equipment sold by 261 manufacturers.

Researchers with security vendor Digital Bond reported that Smart Software Solutions' CoDeSys product lets anyone upload code without authentication. The software is used in programmable logic controllers (PLCs), which are computers used in control systems to automate tasks.

Dale Peterson, chief executive for Digital Bond, said Germany-based Smart Software, known as 3S in the industry, designed the product without authentication, so the vendor knew about the vulnerability. "They chose to design the product that way," Peterson said Monday.

3S was not immediately available for comment.

Digital Bond, along with researchers from other organizations, has embarked on a research effort called Project Basecamp that is dedicated to exposing security weaknesses in ICS devices in order to prod manufacturers into fixing the problems. Many of the systems were built before the Internet was introduced into networks that also contain control systems.

"We call these insecure-by-design issues," Peterson said. "These PLCs that run power plants, oil pipelines and things like that were designed with no security in them and that's been allowed to continue."


The vulnerability of control systems comes as interest in the devices has grown among hacktivist and anarchist groups.

"Hacktivist groups are evolving and have demonstrated improved malicious skills," DHS' cybersecurity division, ICS-CERT, said. "They are acquiring and using specialized search engines to identify Internet-facing control systems, taking advantage of the growing arsenal of exploitation tools developed specifically for control systems."

The DHS reported that several new exploit tools released publicly in February targeted PLCs from General Electric, Rockwell Automation, Schneider Electric and Koyo. The tools, which included the popular Metasploit penetration testing technology used by security pros and hackers, made it possible to leverage vulnerabilities to crash or restart affected devices.

The DHS also reported on the existence of publicly available specialized search engines, such as SHODAN and Every Routable IP Project, which researchers had used to compile a list of the IP addresses of more than a half million Internet-facing control systems.

The technology trends have raised the danger of hacktivist-led attacks against critical infrastructure, says the DHS. Whether disclosing weaknesses is making the systems less secure is unclear. Supporters say it forces vendors to move faster in fixing problems that most hackers already know exist. Others are not so sure.

"Putting something in the wild before vendors have a chance to understand what the problem is turns into just unleashing something," said Bob Lockhart, an analyst for Pike Research.

The DHS notified 3S and asked the company to confirm the vulnerability and to report on how it can be plugged. Until a fix is released, the agency advised taking all affected systems off a network that is connected to the Internet.

No laws exist today governing security in industrial control systems, so companies must decide for themselves how to lock them down. Reid Wightman, a former employee of Digital Bond who led the research on 3S, said he advises companies to keep control systems on an isolated network.

However, that does not eliminate the inherent insecurity of many control systems, so Wightman, who now works for IOActive, advises clients to negotiate security.

"They should sit down and talk to their vendor and get security at the control level put into the contract," he said.


Stories by Antone Gonsalves
