As if the 34 new SCADA exploits reported by Luigi were not going to be enough of a problem for the chemical security community, yesterday Joel Langill posted a copy of an advertisement from Gleg Ltd for the Agora SCADA+ exploit pack for CANVAS on his SCADAHacker blog. This ad claims to provide exploits for ICS software from ClearScada, DataRate and Indusoft. As of yesterday evening there was no ICS-CERT alert associated with these reported vulnerabilities.
Security Researcher Debate
The public availability of these 45 new SCADA exploits from security researchers before the software vendors were provided a chance to fix the problems has provoked some discussion within the cyber security research community. A number of researchers have made it clear that they would prefer to see the vendors given a chance to correct these problems before these exploits are made publicly available. This would reduce the risk to the user community as they would have a chance to upgrade their systems before these attack tools became generally available.
Other researchers have maintained that most of these recently released exploits deal with vulnerabilities that are very similar to those that have been reported in non-ICS systems for years now. They look at these vulnerabilities as problems that should have already been corrected by the vendors so they see no reason why the exploits should be held back.
This debate is of more than theoretical interest to the chemical security community. The public availability of these exploits potentially puts chemical facilities at risk for an attack on their control systems. These vulnerabilities already existed, but with these exploits publicly available, it has become easier for less talented hackers to utilize these vulnerabilities as entry points for attacks. These facilities will remain at higher risk of potential attack until patches become available for these vulnerabilities.
New Era of ICS Cyber Security
Stuxnet made it clear to the whole world that attacks on industrial control systems were a very real possibility. A whole host of professional security researchers, black hat hackers, and interested amateurs are now directing their efforts at finding new vulnerabilities in ICS systems used in a whole host of critical infrastructure facilities. It seems inevitable that they will continue to find new vulnerabilities in more control systems.
As these exploits become more widely available, it is equally inevitable that they will be used in attempted attacks. Most of these attacks will have limited success, but even minor upsets at high-risk chemical facilities, for instance, can have terrible consequences. Similarly, other critical infrastructure facilities using these control systems will also see an increase in attacks that will have adverse consequences.
Because of the interconnectedness of modern industrial production, attacks on any portion of the supply chain, including utilities, can have serious consequences for facilities with no direct exposure to the attack. Congress needs to recognize that the world has significantly changed. ICS security is no longer an academic issue; it will have real world consequences in the near future.
It is essentially too late for Congress to take a leadership role in this area. I expect news of the consequences of attacks to make headlines long before a real ICS Cyber Security bill makes it through the legislative process (lacking a high profile attack, any real ICS security legislation is probably years away; we’ll just have to make do with the makeshift stuff in current bills). That means that, if we do have an attack with catastrophic consequences (and in today’s economy any economic consequence could end up being catastrophic), then we can expect Congress to over-react in whatever post-attack legislation they write.
I suppose that it’s too late to worry about that now. The attack code that will precipitate the cyber security crisis is probably being written now. Maybe the cyber attackers (terrorists, criminals, international business rivals, whatever) will be as incompetent and stupid as the terrorists have been since 9/11. We can always hope...