Beyond traditional IT, the problems are even worse. Embedded systems are proliferating in nearly every corner of daily life. But even large-volume vendors pushing the hardware to consumers and businesses are often heedless of the need to manage the underlying software, says Cesar Cerrudo, CTO of security firm IOActive Labs.
Worse, these customers often defer to the hardware vendors on matters relating to security or conclude (wrongly) that embedded systems are too obscure to warrant protection, Cerrudo says.
The opposite is true. In its research, IOActive has uncovered the routine use of insecure or hidden protocols, backdoor administrative accounts with hard-coded credentials that cannot be changed, and vulnerable user authentication features.
For industrial control systems, customer trust in unsupported and unsupportable embedded devices is a disaster in waiting. In one recent example, Cerrudo and his colleagues investigated the security of in-pavement wireless vehicle detection technology made by Sensys Networks. The technology has been deployed in 40 U.S. cities, including Washington, New York, Los Angeles, and San Francisco.
They discovered a wide range of design faults and insecurities in the Sensys products. Notably, the in-road sensors did not secure communications with access points used to collect data. That would allow a knowledgeable attacker to spoof the sensors and send bogus data to traffic management systems or to take control of critical infrastructure such as traffic lights.
Presented with IOActive's findings, Sensys Networks told Cerrudo that more recent releases of the company's hardware had fixed some of the prominent software vulnerabilities he had discovered. The problem: There is no way to update the hardware.
"Vendors will try to sell you on it being easy to use and low maintenance," Cerrudo says. "The problem is that when the system has a security issue, you don't have the proper mechanism to update them."
When security is absent from the design of the device, there are few options for securing it after the fact, short of replacing the hardware and software entirely, Cerrudo says.
Insecure by design
Industrial control systems too are being targeted by attacks, thanks to security problems stemming from embedded devices and other legacy hardware.
One example: The Department of Homeland Security's Industrial Control System CERT (ICS-CERT) recently issued an alert about a "sophisticated attack" on an "unprotected, Internet-connected, control system operating a mechanical device" by manipulating a SCADA protocol. "The device was directly Internet accessible and was not protected by a firewall or authentication access controls," ICS-CERT wrote.
Dale Peterson, CEO of Digital Bond, a consulting firm that works with industrial control system vendors and critical infrastructure operators alike, says exhorting infrastructure operators to patch misses the bigger point: Many industrial control systems and protocols are "insecure by design."
Sign up for CIO Asia eNewsletters.