After Stuxnet, a rush to find bugs in industrial systems

Robert McMillan | Oct. 14, 2011
Kevin Finisterre isn't the type of person you expect to see in a nuclear power plant. With a beach ball-sized Afro, aviator sunglasses and a self-described "swagger," he looks more like Clarence Williams from the '70s TV show "The Mod Squad" than an electrical engineer.

"Anyone can do this, basically, if they just put the time into this and get an understanding of how this works," Rios added. "It's not like you'll find a bug here and there. It's just like if you put the time into it, it's pretty ridiculous what the results are."

Edwards, the man in charge of ICS-CERT, acknowledged that the group's workload has exploded since it was started in 2009. "We've seen a 600 percent increase in the number of vulnerabilities that have been coordinated and worked through the ICS-CERT," he said. The allure of industrial control systems means more researchers are now focusing on that area, he said.

The situation is reminiscent of what happened to Windows a decade ago, when hackers began picking apart Microsoft's products, McCorkle said. Industrial vendors are "basically just 10 years behind the curve on security. It's like we're going back to the '90s," he said.

When researchers first turned to Microsoft in the late 1990s, the software maker was caught flat-footed. It was only after several years of antagonism between Redmond and the hackers ripping apart its software that Microsoft figured out how to work with hackers.

Researchers became so tired of the issues they uncovered being ignored that they started to release the technical details in order to force Microsoft to release a patch. The idea of this pattern happening over again in industrial systems is worrying. It's an area where a security flaw could lead to a chemical spill or a widespread power blackout, and where it can take months to schedule and install patches.

Just this week, a researcher named Luigi Auriemma sent the ICS-CERT team scrambling when he published details on four new vulnerabilities in industrial products, something he'd already done several times in the past year. Auriemma, an independent researcher in Milan, believes posting technical details is the quickest way to get things fixed. "Full disclosure is the best way to get attention on this matter," he said in an instant-message interview.

One former INL staffer who worked at the Control Systems Security Program during the time Finisterre released his Citect code says that there were problems in the early days. "Industry has already had difficult interactions with the 'hacker' culture when these first few vulnerabilities for industrial control systems surfaced a few years ago," said Robert Huber, co-founder of Critical Intelligence, an Idaho company that does research into industrial systems threats. "Back then, the vendors were completely unprepared for these disclosures," he said in an email interview.

But Huber thinks things are improving. "Many security researchers have worked with the vendors, or through an intermediary, to disclose vulnerabilities," he said. "Now, that said, the sheer number and interest may drive more researchers into the space to make a name for themselves without following the disclosure process, resulting in more vulnerabilities that are not coordinated.

"Only time will tell," he said.
