Highlights
– Core Security discovers new vulnerability in CitectSCADA software
– Buffer overflow vulnerability could allow attacker to gain access to industrial control system
– Attackers can exploit vulnerable SCADA systems to cause physical damage and threaten national security
On June 11, 2008, Core Security, an information technology security company, announced it had discovered a vulnerability in CitectSCADA, supervisory control and data acquisition (SCADA) industrial process control software from Citect. The discovery indicates an attacker could theoretically exploit the buffer overflow vulnerability to shut down or gain remote control of an industrial control system.
According to Core Security, “thousands of companies using Citect’s SCADA systems could unknowingly be exposing critical industrial processes and assets that they otherwise sought to protect if they do not immediately move to apply the vendor-provided patch, or other suggested workarounds for the vulnerability issued by the software maker.”
SCADA Vulnerabilities Explained
Citect responded to the announced vulnerability stating that customers “are extremely unlikely to be at risk from potential security breaches found by Core Security” provided that “their systems are protected by industry-standard security guidelines.”
Unfortunately, Citect’s optimism is misplaced. Recent history has demonstrated that although industrial control systems should be segmented and protected from general Internet traffic, many systems are exposed via undocumented network connections. As stated by Core Security experts, “the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet.”
The danger of these undocumented connections is that, in combination with vulnerable SCADA software such as CitectSCADA, they may allow unauthorized users to manipulate the underlying control system.
Previous SCADA Attacks
While it is unclear whether malicious hackers have previously exploited this vulnerability, a number of examples illustrate that malicious attackers have previously exploited other vulnerabilities in SCADA systems.
• In January 2008, the Central Intelligence Agency (CIA) announced that hackers had caused power outages in several foreign cities. Specifically, a senior CIA analyst stated, “We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. We do not know who executed these attacks or why, but all involved intrusions were through the Internet.” The analyst further noted that in some cases these attacks were followed up by “extortion demands.”
• Additionally, a test performed in March 2007 and sponsored by the Department of Homeland Security (DHS) demonstrated how a vulnerability in a SCADA system could be exploited to disable a power generator.
• In another incident, the Slammer worm, while not designed to target components of critical infrastructure, had a deleterious impact. The North American Electric Reliability Council (NERC) noted in a June 20, 2003 report that the Slammer worm was able to infiltrate critical systems “through corporate networks until it finally reached the critical SCADA network via a remote computer through a VPN connection.” As the worm proliferated, it saturated these critical networks and blocked SCADA traffic at a power station. While the worm did not shut off the power station, it “essentially shut off the control system.”
• Further, studies published by the British Columbia Institute of Technology (BCIT) show that the number of incidents that affect SCADA and other industrial control systems has increased since 2001. Although this study did not conclude whether the increase in documented attacks is due to an actual increase in attacks or to increased vigilance and reporting of attacks, the incident described above, in which hackers disabled a power generation system and extorted the system operators for a payoff, demonstrates that malicious actors have developed a means to profit from attacks against SCADA systems.
• Finally, in the spring of 2000, a disgruntled ex-contractor of Maroochy Shire broke into the sewage and wastewater system, gained control of SCADA infrastructure, and leaked hundreds of thousands of pounds of sewage onto the grounds of a Hyatt Regency hotel in Queensland, Australia. The ensuing investigation discovered that the ex-contractor, Vitek Boden, was intent on exacting revenge on Maroochy Shire for failing to award him a more lucrative contracting position.
Conclusion
These examples indicate that attacks against SCADA systems should no longer be considered an over-the-horizon threat. As more SCADA administration systems are designed to communicate over TCP/IP networks, it is likely that these systems will come under increasing attack. The availability of these SCADA systems over TCP/IP networks such as the Internet increases the possibility that malicious attackers will be able to sabotage them.
Vulnerable and available SCADA systems present a real threat to US national security, as attackers could exploit these vulnerabilities to cause serious physical and economic damage.