ICS and SCADA: A New Window of Vulnerability
There is quite a buzz these days about Microsoft’s end-of-support announcement for Windows XP. Attackers have been exploiting Windows for a long time, and organizations have become proficient in patching windows on a monthly cadence. If one were to study the data, we might find that pizza deliveries are higher around patch Tuesday than any other Tuesday in a month. What we don’t hear as much about is the vulnerabilities that might exist not in Windows, but in the software that runs critical infrastructure. SCADA or ICS systems are used to control everything from manufacturing plants, utilities and most industrial automation.
Much like other operating system software used by IT systems, these industrial controllers can suffer from the same risk of vulnerabilities. In fact, the disclosure of vulnerabilities in industrial control systems and SCADA is on the rise. Vulnerabilities are being discovered in the controllers themselves as well as the software used to control them. This is significant because attackers don’t have to break into the controllers directly to achieve attack success, but can infect the applications used on computers that program the controllers. In fact, the latest Ixia Strike Pack (Ixia ATI Update 2014-07 (200892) includes two such SCADA/ICS vulnerabilities: one in a Siemens product and one in a Mitsubishi product. In the case of the Mitsubishi vulnerability, Ixia ATI security researchers discovered it as part of their ongoing research. Both of these vulnerabilities existed because the program that built programs for the controllers had Active-X vulnerabilities. If an attacker were to target an organization, they could infect the end user device used to program the controller, and through that machine infect the controller.
With Ixia, organizations can test their security protections for signatures that cover this vulnerability and assess the risk that their infrastructure could be exploited in this way. While SCADA/ICS controllers aren’t the low hanging fruit that an unpatched Windows XP system is, moving forward it presents an increasing risk that needs to be comprehended with security mitigation solutions and the assessment and test of security.