Monday, January 23, 2012

Attention Electric Sector: Wired Reports on Basecamp - SCADA Exploits in the Wild

Several vendors of PLCs and other equipment related to grid operations, in a study described in a recent edition of Wired's "Threat Level" blog, have had their wares probed by a team of experts led by Dale Peterson of Digital Bond, a respected boutique energy-sector control system security shop.

Before saying more, I keep going back to the post called the Value of Black Hat for Smart Grid Security, and maybe now also the Travis Goodspeed Smart Grid Skunkworks piece, because they both showed security technologists trying to spur vendors into action to improve the cybersecurity characteristics of their grid products by describing and sometimes demonstrating vulnerabilities they've found to audiences of cyber security professionals.

This is different, however. Saying they were concerned that their findings might be downplayed and/or ignored by the vendors in question, this time the Peterson-led researchers not only identified the numerous vulnerabilities but also developed the attack code required to take advantage of them, using a tool called Metasploit, and they didn't stop there. They also made the exploits available to the general public without giving the vendors or DHS's ICS-CERT a chance to intercede.

As Peterson puts it:
... a large percentage of the vulnerabilities the researchers found were basic vulnerabilities that were already known to the vendors, and that the vendors had simply “chosen to live with” them rather than do anything to fix them. Everyone knows PLCs are vulnerable, so what are we really disclosing? We’re just telling you how vulnerable they are.
I definitely have mixed feelings about this. It's certainly raising the stakes to a whole new level. Utilities probably need to double-check their assets to see how many of them match those in the study, and see if there are any vulnerabilities they didn't know about previously. Chances are most, if not all, have mitigating strategies in place already that should cover them ... but still.

The vendors identified in the report are likely in turmoil as a result of it, and my guess is this topic is going to be owned by their lawyers for some time, if not from now on. And that might mean that instead of accelerating remediation efforts by vendors, this action may contribute to an unwitting slowdown. But I don't really know, and we'll all have to see how this plays out.

On the plus side, the research has led to some new products and plug-ins for utilities that can simplify the job of identifying insecurely configured control systems. Not sure if they'll trust them enough to use them, but maybe.

That's it for now. My highest value on the blog is accuracy. I would be happy to get reader clarification if I've garbled this somehow. Thanks and stay tuned.

BTW: You can read the full Wired article HERE.

Photo credit: tallkev on