SCADA, a network-enabled setup for controlling infrastructure, is hitting the headlines in force for falling victim to cyber scammers. There have been several incidents of unauthorized access to Supervisory Control and Data Acquisition (SCADA) systems recently, from guessing simple passwords, to full-on spear phishing attacks against a hardware vendor, which were then used to access infrastructure equipment at a water treatment site without permission. While we’ve discussed industrial hacking here and here, we now see more exploits in the wild.
The attacks range from targets-of-opportunity, basically checking every car at the mall for an open door or cracked window, to one targeting credentials at an upstream equipment supplier. They rely on the remote access capability that’s often used by hardware vendors (and remote workers) to manage pumps, motors, sensors and other equipment commonly used in municipal utilities, and a host of other facilities. While it’s hard to imagine a crack team of hackers getting all geared up just because a water pump in Illinois failed, it may be a pattern for things to come. If hackers were able to exploit control of a pump motor in a simple utility facility, many other potential high-value targets might be similarly vulnerable. After all, many facilities across multiple infrastructure industries use similar families of both equipment and control systems.
In the case of the Houston incident, the password consisted of 3 characters, a no-no in password security. Remote exploits by password cracking aren’t terrifically technical. It’s quite possible that a script kiddie crawled myriad IP’s until they found a target that fit the right signature response, then used the access to snoop around for things to play with. Brute force attempts get exponentially easier as fewer characters are used, so it’s not hard to imagine a trivial 3-character dictionary attack being successful. The hacker, going by the moniker of pr0f, didn’t make any attempts at nastiness, aside from accessing the system using the password, and parading around the results. He also opined that this simple test was part of a much larger potential problem.
Presenters at numerous security conferences would agree, having made this point already. Multiple breakout sessions at the last BlackHat targeted industrial control hacking, and how to help vendors beef up security. The single successful exploit against a class of industrial control equipment tends to turn into an exponentially large and distributed attack surface as it surfaces and is exploited before being remediated at the source.
Small municipal utilities face tough realities when considering how to respond to potential SCADA attacks. As budgets continually shrink, municipalities are expected to do more with less. Never mind hiring a dedicated security person to find and patch cyber holes in security defenses, many towns have a hard time retaining enough basic operating capital to keep the lights turned on and the motors humming even under the best of conditions.
Still, pressures from On High will continue to breathe down their necks as facilities become more interconnected, and scammers gather more intel on the systems. Also, equipment vendors will be expected to provide more comprehensive assurances that their equipment won’t be an easy target for attackers. Of course, having critical systems totally removed from publicly available networks also has merits that are hard to argue. But when central offices want to manage more remote offices with fewer staff, these emerging nuances will have to be sorted out, hopefully before large-scale damage is inflicted.
Author Cameron Camp, ESET