This is your power plant on Windows

If you’re wondering where the next big disaster will come from, consider the news about SCADA (supervisory control and data acquisition), the industrial systems used to monitor and control a raft of functions at power plants, refineries, water systems, and manufacturing plants. Doesn’t ring a bell? Here’s a tip: Siemens’s Windows-based Simatic WinCC SCADA systems were the suspected target of the Stuxnet worm that set back Iran’s nuclear program by reprogramming the controllers that ran its uranium centrifuges and altering their spin rate.

An ICS-CERT advisory on April 1 for a different Siemens SCADA product called out vulnerabilities that would let an intruder perform denial-of-service attacks, directory traversal, and arbitrary code execution. A March 23 advisory cited an Ecava SCADA product for an unauthenticated SQL injection vulnerability that could allow data leakage, data manipulation, and remote code execution. Siemens and Ecava have both issued patches.

Siemens and Ecava aren’t alone. The previous Monday, Italian researcher Luigi Auriemma published details of 34 vulnerabilities in four SCADA products, complete with proof-of-concept exploit code; Auriemma had no previous experience with SCADA systems but found the flaws within hours simply by downloading free trial versions of the software. The day before Auriemma’s announcement, researcher Ruben Santamarta released details and exploit code for vulnerabilities in Advantech products that could be used to attack a power grid. Santamarta felt forced to publish after the vendor denied there was a problem.

A week prior, GLEG, a Russia-based security firm, announced it was releasing its Agora SCADA+ pack with 11 zero-day SCADA vulnerabilities in an effort to “collect all publicly available SCADA vulnerabilities in one exploit pack.” Shortly after the pack was released, the company’s website suffered a sustained DoS attack.

Though in Iran’s case Stuxnet spread through removable media, the fact is that many of today’s SCADA systems not only run on Windows but often sit on networks with paths to the Internet that a determined attacker can discover and follow. Many are not routinely patched, because it’s difficult to test patches to ensure they won’t disrupt the processes they’re meant to manage, and taking a plant or production line offline to apply them is costly. That leaves network segmentation, isolating control networks from the business network and the Internet, as the main line of defense for systems that cannot be patched promptly.

More worrying, poor security practices are not unusual at critical infrastructure facilities. Witness the case of a Southern California water system, highlighted in a recent Los Angeles Times article, that hired well-known hacker Marc Maiffret, now CTO of eEye Digital Security, to test its network for vulnerabilities. Within a day, Maiffret had taken over the systems that add chemical treatments to the drinking water, with the potential to render the water undrinkable for thousands of local residents. He found that employees were logging into the network from unsecured home computers, giving outsiders a path into the system.