Dated Windows software the weak link for SCADA systems

Bnamericas
Unsecured and dated Windows operating systems are all that stand between critical infrastructure like power grids and major cyber attacks, according to Fritz Sands, senior vulnerability researcher at data security and cyber security firm Trend Micro.

SCADA (supervisory control and data acquisition) systems are typically used for control of industrial operations like manufacturing processes, state infrastructure like energy grids and water treatment plants, as well as facilities such as airports and buildings.

While many aspects of these systems are sophisticated and highly secure, the weak link, according to Sands, is the human-machine interface (HMI).

The HMI is software that acts as a centralized hub for managing critical infrastructure. If an attacker succeeds in compromising the HMI, nearly anything can be done to the infrastructure, including causing physical damage to SCADA equipment. Even if attackers decide not to disrupt operations, they can still exploit the HMI to gather information about a system or disable alarms and notifications meant to alert operators of danger to SCADA equipment, Sands says.

Traditionally, HMIs have been isolated on trusted networks, but with the pressure to facilitate remote monitoring and the evolution towards the internet of things (IoT), they are starting to get connected and are thus becoming more exposed.

INDUSTRY PROBLEM

According to Sands, the industry behind the development of SCADA systems has tended to focus more on equipment manufacturing and less on securing the software designed to control them. And a lack of global standards for HMI software has further exacerbated security problems.

According to Sands, most HMI systems run on antiquated Windows operating systems, namely Windows 95, 98 and XP, all of which no longer have any security upgrades from Microsoft.

"Windows is a sphere where hackers feel very comfortable. Instead of needing a complex tool set to attack SCADA controllers, they have 20 years of hacking skills used against Windows, SQL server, browsers and Adobe products. So they know what to do to look for," Sands told BNamericas.

"Microsoft and Adobe have developed tools to mitigate exploits. But none of those tools are in force for HMI, because they are running on old software. It's like hacking like it's 1999," Sands said.

Trend Micro has also observed that the average time between the disclosure of a bug to a SCADA vendor and the release of a patch is up to 150 days.

LITTLE PRESS

According to Sands, attacks on SCADA networks are rarely publicized so it is hard to gauge the level of such activity in Latin America.

Two of the most well-known attacks worldwide were against Iranian nuclear systems in 2010, better known as "Stuxnet", and against the Ukrainian power grid in 2015.

The Stuxnet malicious computer worm was likely sponsored by an aggressor state and targeted engineering software, which provides HMI-like functionality. Reports state that as many as a fifth of Iran's nuclear power centrifuges were damaged by Stuxnet.

The other attack was on the Ukrainian power grid on December 23, 2015, where attackers managed to turn off the lights for more than 230,000 customers.

As HMIs were not isolated on the network, attackers were able to connect via the VPN and use remote access solutions to disable systems via the HMI.

"Customers of SCADA equipment, like governments, need to explain to vendors that they can't ignore this. Vendors like to sell shiny new sensors and hardware and the HMI software is often given little attention and is thrown in for free. It looks like a cost to them; they don't see the return on investment," Sands said.

"Standardization is a problem because of the fear that equipment will become like a commodity and that will drive profit margin lower. When equipment is proprietary you can demand a higher price. That's why Nikon and Canon lenses are not interoperable," he said.
