Research: Infrastructure systems easy to hack, a little slow to patch

Cyber attacks on critical infrastructure are such a frightening prospect that four senators just introduced a bill to replace power plants’ hackable automated systems with unhackable human workers.  A security research team is showing exactly how big a problem automated systems might be. 

Fritz Sands and Brian Gorenc of Trend Micro’s Zero Day Initiative presented research at the DEF CON security conference on Saturday quantifying the different programming flaws in infrastructural control systems and how long they took to fix. 

{mosads}“These systems are supposed to be isolated [from the internet and other computers],” said Gorenc, “but they almost never are.”

When researchers talk about hacking critical infrastructure, they are really talking about hacking what are known as supervisory control and data acquisition (SCADA) systems. These are the systems targeted in the Stuxnet attack on Iran’s nuclear facilities and the recent massive Ukranian power outage. 

But SCADA controls more than power plants. They are the core of industrial automation, from water treatment plants to mineral transport to railways, all of which have been hacked in the past.

The researchers looked at more than 200 recent software vulnerability reports and found that problems that had been all but eliminated in, say, a web browser are alive and well in SCADA. Nearly 20 percent of the problems came from credential management – things like making it too easy to recover passwords by not encrypting them or hardcoding default passwords. 

Another 10 percent came from other insecure default settings – issues where the system was never designed to be secure. 

“Normally, these are things you never see anymore,” said Gorenc, referring to vulnerabilities in mainstream commercial software. 

These types of problems do frequently arise in internet of things products, like baby cameras and toys. It is not uncommon for manufacturers with more experience making a device than writing software to make basic security mistakes when forced to do the latter. 

When Gorenc and Sands looked how much time it took manufacturers to fix these mistakes after they were notified, they averaged around 150 days – which is in line with how much time it takes Microsoft to patch  Windows. But while established versions of Windows have been so thoroughly investigated by both Microsoft and a large cohort of independent researchers, it is unlikely that many people independently would come up with the same easy-to-use attack, SCADA systems are taking the same amount of time to patch vulnerabilities that were easy to find and use.

Different vendors had wildly different response times – ranging from under 100 days to around 225 days. 

In June, Senators Jim Risch (R-Idaho), Susan Collins (R-Maine), Angus King (I-Maine) and Martin Heinrich (D-N.M.) introduced legislation to use more analogue technology in place of hackable automated technology. 

“There should always be analogue backups that can be used if a system is compromised. But automation is going to happen,” said Gorenc.