Hackers find targets
A recently leaked FBI cyberalert document dated July 23 revealed that earlier this year hackers gained unauthorized access to the heating, ventilation and air conditioning (HVAC) system operating in the office building of a New Jersey air conditioning company by exploiting a backdoor vulnerability in the control box connected to it — a Niagara control system made by Tridium. The targeted company installed similar systems for banks and other businesses.
The breach happened after information about the vulnerability in the Niagara ICS system was shared online in January by a hacker using the moniker “@ntisec” (antisec). Operation AntiSec was a series of hacking attacks targeting law enforcement agencies and government institutions orchestrated by hackers associated with LulzSec, Anonymous and other hacktivist groups.
“On 21 and 23 January 2012, an unknown subject posted comments on a known US website, titled ‘#US #SCADA #IDIOTS’ and ‘#US #SCADA #IDIOTS part-II’,” the FBI said in the leaked document.
“It’s not a matter of whether attacks against ICS are feasible or not because they are,” Ruben Santamarta, a security researcher with security consultancy firm IOActive, who found vulnerabilities in SCADA systems in the past, said via email. “Once the motivation is strong enough, we will face big incidents. The geopolitical and social situation does not help so certainly, it is not ridiculous to assume that 2013 will be an interesting year.”
Targeted attacks are not the only concern; SCADA malware is too. Vitaly Kamluk, chief malware expert at antivirus vendor Kaspersky Lab, believes that there will definitely be more malware targeting SCADA systems in the future.
“The Stuxnet demonstration of how vulnerable ICS/SCADA are opened a completely new area for whitehat and blackhat researchers,” he said via email. “This topic will be in the top list for 2013.”
However, some security researchers believe that creating such malware is still beyond the abilities of the average attacker.
The trend seems to be growing for both attacks and investments in the SCADA security field, according to Donato Ferrante. “In fact if we think that several big companies in the SCADA market are investing a lot of money on hardening these infrastructures, it means that the SCADA/ICS topic is and will remain a hot topic for the upcoming years,” Ferrante said via email.
However, securing SCADA systems is not as straightforward as securing regular IT infrastructures and computer systems. Even when security patches for SCADA products are released by vendors, the owners of vulnerable systems might take a very long time to deploy them.
There are very few automated patch deployment solutions for SCADA systems, Luigi Auriemma said via email. Most of the time, SCADA administrators need to manually apply the appropriate patches, he said.
“The situation is critically bad,” Kamluk said. The main goal of SCADA systems is continuous operation, which doesn’t normally allow for hot patching or updating — installing patches or updates without restarting the system or the program — he said.
In addition, SCADA security patches need to be thoroughly tested before being deployed in production environments because any unexpected behavior could have a significant impact on operations.