By Andy Bochman
Before saying more, I keep going back to the post called the Value of Black Hat for Smart Grid Security, and maybe now also the Travis Goodspeed Smart Grid Skunkworks piece, because they both showed security technologists trying to spur vendors into action to improve the cyber security characteristics of their grid products by describing and sometimes demonstrating vulnerabilities they've found to audiences of cyber security professionals.
This is different, however. Saying they were concerned that their findings might be downplayed and/or ignored by the vendors in question, this time the Peterson-led researchers not only identified the numerous vulnerabilities, but they developed the attack code required to take advantage of them using a tool called Metasploit, and they didn't stop there. They also made the exploits available to the general public without giving the vendors or DHS's ICS-CERT a chance to intercede.
As Peterson puts it:
... a large percentage of the vulnerabilities the researchers found were basic vulnerabilities that were already known to the vendors, and that the vendors had simply “chosen to live with” them rather than do anything to fix them. Everyone knows PLC’s are vulnerable, so what are we really disclosing? We’re just telling you how vulnerable they are.
I definitely have mixed feelings about this. It certainly raises the stakes to a whole new level. Utilities probably need to double-check their assets to see how many of them match those in the study, and see if there are any vulnerabilities they didn't know about previously. Chances are most if not all have mitigating strategies in place already that should cover them ... but still.
The vendors identified in the report are likely in turmoil as a result of it, and my guess is this topic is going to be owned by their lawyers for some time, if not from now on. And that might mean that instead of accelerating remediation efforts by vendors, this action may contribute to an unwitting slow-down. But I don't really know, and we'll all have to see how this plays out.
On the plus side, the research has led to some new products and plug-ins for utilities that can simplify the job of identifying insecurely configured control systems. Not sure if they'll trust them enough to use them, but maybe.
That's it for now. My highest value on the blog is accuracy. I would be happy to get reader clarification if I've garbled this somehow. Thanks and stay tuned.
BTW: You can read the full Wired article HERE.
Andy Bochman is author of the Smart Grid Security Blog and an Energy Security Lead for IBM's Rational division, where the focus is on securing the software that runs the smart grid. Andy is a contributor to industry and national security working groups on energy security and cyber security. He lives in Boston, is an active member of the MIT Energy Club, and is the founder of the Smart Grid Security and DOD Energy Blogs.