US power plants at risk

By Kirsten Doyle
Johannesburg, 18 Oct 2013
The vulnerabilities could essentially see the servers controlling electricity or water supplies taken over by attackers.

Power plants in the US and Canada could be at risk of being taken over by cyber attackers, following the discovery of 25 new security vulnerabilities in the protocols used in their critical infrastructure systems.

While vulnerabilities in supervisory control and data acquisition (SCADA) and industrial control system (ICS) protocols are not new, the recent vulnerabilities stand out because they lie in the protocol by which power plants and other parts of the electricity grid communicate internally, known as serial communication.

Serial communication was not previously considered a viable attack vector, as it is isolated from the Internet, the researchers explained.

Three researchers - independents Chris Sistrunk and Adam Todorski, and Adam Crain, founder of Automatak, a company that develops testing tools for ICS/SCADA systems - are working on an Automatak-sponsored project, called Robus, after the Latin for 'source of strength'.

The project is an ongoing search initiative by Automatak and the three researchers that looks for zero-day vulnerabilities in SCADA/ICS protocols.

The researchers say all vulnerabilities discovered are first disclosed to the vendor and the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), a body that works to reduce risks within and across all critical infrastructure sectors through partnership with the intelligence community and law enforcement.

To date, the researchers have published the details of nine of the 25 vulnerabilities, and say they will publish the rest once full disclosures to the relevant vendors and ICS-CERT have taken place.

According to Wired, all the bugs disclosed to date seem to have been acknowledged and patches released by the relevant vendors. However, it is still up to those who physically maintain the vulnerable systems to apply the patches.

A serious threat?

Digital Bond, a company that performs control system security assessments, describes the vulnerabilities as a big deal.

Essentially, the vulnerabilities give potential attackers the ability to send the servers that control these systems into infinite loops. Once this happens, the servers would be unable to respond to commands from the controllers, explained the company.

CEO of Digital Bond Dale Peterson said on the company's Web site: "There is no way to stop this with a firewall or other perimeter security device today."

He says the researchers have found this to be the case on nearly all of the systems they tested, and the repercussions could be serious, as, should enough substations be breached, attackers could bring down the systems that manage much of the US' power supply.

Not a new worry

For a long time, it's been no secret that industrial communication protocols are insecure, simply due to authorisation and authentication issues, says Sergey Mineev, security researcher at Kaspersky Lab.

"On the other hand, new-generation protocols exist where these weaknesses were removed, but in practice, they are rarely implemented due to problems they brought with installation, configuration and support. Besides, industrial systems have a long lifetime, and the old equipment might not be able to support modern security protocols."

Mineev says to date, 650 vulnerabilities in SCADA systems have been made public, and this number continues to grow. "This means attackers can easily disrupt the proper operation of almost any SCADA system out there."

He says this situation could be improved by state regulators insisting on mandatory security testing of ICS before they go into commercial operation, as well as through high-quality modern standards, methodology and procedures.

"Unfortunately, most countries do not have such a regulatory framework."