Hackers exploit SCADA holes to take full control of critical infrastructure

Is critical infrastructure any more secure than it was a year ago, or five years ago? Well according to three different reports from experts, it doesn’t seem like it. Instead, it seems like critical infrastructure is a ripe target that is pretty sweet for attackers. We’ll look at three different cybersecurity reports about hacking critical infrastructure, ranging from small dish satellite systems (VSATs) to taking full control of industrial control systems.

10,500 small dish satellite systems vulnerable to cyber attacks

We’ll start with very small aperture terminals, or VSATs, which are small satellite dish-based computer systems, that provide broadband Internet access to remote locations, or transmit point of sale credit card transactions, SCADA and other narrowband data. There are over 2.9 million active VSAT terminals in the world, with two-thirds of those devices the U.S., being used in the defense sector to transmit government and classified communications, used by financial industries like banks to transmit sensitive data, and used by the industrial sector such as energy to transmit from power grid substations, or oil and gas to transmit from oil rigs. Over 10,000 of those devices are “open” for targeted cyber attacks.

10,000 VSAT small dish satellite systems waiting to be hacked

In fact, after running a scan, Cyber intelligence firm IntelCrawler found that many of the “VSAT devices have telnet access with very poor password strength, many times using default factory settings. The fact that one can scan these devices globally and find holes is similar to credit card thieves in the early 2000's just googleing the terms ‘order.txt’ and finding merchant orders with live credit cards.”

IntelCrawler discovered VSAT devices connected "to many interesting devices all over the world, starting from Alaska climate metering systems to industrial control devices in Australia." Regarding interesting government and classified communications in "clear and present danger for hacks," they mentioned the Ministry of Civil Affairs of China infrastructure and the Ministry of Foreign Affairs of Turkey.

“We found thousands and thousands of these systems with what are essentially their digital front doors left wide open,” IntelCrawler’s president Dan Clements told CS Monitor. “Someone needs to be aware that there are vulnerabilities here that could affect critical infrastructure, including utilities and financial systems.”

VSAT satellites are easily visible in Google maps and Google Earth

Some of the small VSAT satellites are easily visible in Google maps and Google Earth. "There's a lot of information that could be used in a nefarious way," Clements said. "Certainly you could put together a plan to go after certain grids or dams or power plants and have access to the centralized network at some point."

Targeted cyber attacks on the energy sector

Symantec published a paper [pdf] and an infographic about targeted attacks on the energy sector.

Symantec report on cyberattacks against the energy sector

Attackers target the energy sector "to steal intellectual property on new technology, like wind or solar power generators or gas field exploration charts." But “the sector is also a major target for sabotage attacks, which will not generate direct profit for the attacker. Such disruptive attacks do already happen and may lead to large financial losses. State sponsored agents, competitors, internal attackers or hacktivists are the most likely authors of such sabotage attacks.”

Modern energy systems are increasingly complex. “There are supervisory control and data acquisition (SCADA) or industrial control systems (ICS) that sit outside of traditional security walls,” Symantec explained. “And as smart grid technology continues to gain momentum, more new energy systems will be connected to the Internet of Things, which opens up new security vulnerabilities related to having countless connected devices.” Additionally, “the increasing number of connected systems and centralized control for ICS systems means that the risk of attacks in the future will increase.”

SCADA Strangelove: Zero-days & hacking for full remote control

Speaking of critical SCADA systems online and the risks to them…after finding more than 60,000 exposed control systems online, two Russian security researchers found vulnerabilities that could be exploited to take “full control of systems running energy, chemical and transportation systems.”

At the Chaos Communication Congress, 30C3, Positive Research chief technology officer Sergey Gordeychik and consultant Gleb Gritsai said they demonstrated “how to get full control of industrial infrastructure” to the energy, oil and gas, chemical and transportation sectors. “The vulnerabilities,” according to the Australian IT News, “existed in the way passwords were encrypted and stored in the software's Project database and allowed attackers to gain full access to Programmable Logic Controllers (PLCs) using attacks described as dangerous and easy to launch.”

They probed and found holes in “popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.” There are also numerous vulnerabilities in “home systems -- exposed to the public internet and at risk of attack.”

In one case, the researchers responsibly disclosed a “vulnerability in the cloud SCADA platform Daq Connect which allowed attackers running a demonstration kiosk to access other customer installations." The vendor's totally unhelpful response was to tell the researchers “to simply 'not do' the attacks.”

The SCADA Strangelove project has identified more than 150 zero-day vulnerabilities in SCADA, ICS and PLCs, with five percent of those being “dangerous remote code execution holes.” At 30C3, they released an updated version of THC-Hydra, “a password-cracking tool that targeted the vulnerability in Siemens PLC S-300 devices,” and a “Pretty Shiny Sparkly ICS/SCADA/PLC Cheat Sheet,” identifying almost 600 ICS, PLC and SCADA systems, so you too can “become a real SCADA Hacker.”

Below is the SCADA StrangeLove 2 presentation video from 30C3.

A look inside the Microsoft Local Administrator Password Solution
View Comments
Join the discussion
Be the first to comment on this article. Our Commenting Policies