As the security by obscurity veil is lifted from the systems that control and protect our national infrastructure, we are again reminded of the importance of a prudent vulnerability / patch management program.

Multiple vulnerabilities have been reported in the AREVA e-terrahabitat SCADA system, which is used to control core components of power plants and power distribution globally. The vulnerabilities can potentially allow an unauthenticated attacker to enter the system with administrative privilege and execute arbitrary commands, or cause a vulnerable system to crash.

A recent story in the Register indicates that a company spokesperson for AREVA suggested that “computers used at nuclear power plants are not connected to the Internet and therefore they’re not vulnerable to viruses of any kind.”

While in a perfect world that might be true, we unfortunately do not have the luxury of actually living in a perfect world. This was clearly shown as far back as the summer of 2003, when we learned an important lesson regarding the troubling interconnectivity of Supervisory Control and Data Acquisition (SCADA) systems: an Internet worm crashed SCADA systems at multiple power plants, including a nuclear power plant (http://www.securityfocus.com/news/6767). It is important to note that the risk at the nuclear power plant could have been fully mitigated had the patch for the known vulnerability, which had been available for over six months, been promptly installed.

Will the weak economy exacerbate this already growing problem?

Operators of SCADA systems are under pressure (like the rest of us) to reduce costs, and more often than not SCADA systems are today integrated with “back-end” systems within the enterprise LAN environment that are used to optimize power generation and distribution efficiencies. While the SCADA system itself may not be directly connected to the public Internet, it (and its supporting subsystems) is often connected to the enterprise LAN, and the enterprise LAN is in fact very often connected to the public Internet.

Bottom line – if the SCADA system connects to the LAN and the LAN connects to the public Internet then you are in fact exposing the SCADA system to the very same risks as any network connected to the public Internet.
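The exposure chain described above is transitive: a zone is exposed if any path of network links leads to it from the Internet, however many intermediate systems sit in between. The following is an added example, not code from the original post and not an AREVA or US-CERT tool: a small Python reachability check over a constructed zone-connectivity model. The zone names (enterprise_lan, historian, scada_control, and so on) and the links between them are hypothetical and stand in for whatever an operator's own network inventory records.

```python
"""Transitive Internet-exposure check for a segmented control-system network.

Added example. The topology below is constructed for illustration; replace
EXAMPLE_LINKS with links taken from a real network inventory or firewall
ruleset to use it for an actual segmentation review.
"""
from collections import deque

# Constructed topology: each tuple is a bidirectional network link between
# two zones. Zone names are hypothetical.
EXAMPLE_LINKS = [
    ("internet", "enterprise_lan"),
    ("enterprise_lan", "historian"),        # "back-end" optimisation server
    ("historian", "scada_control"),         # SCADA integrated with the back end
    ("scada_control", "field_devices"),
    ("engineering_island", "field_devices_isolated"),  # truly air-gapped segment
]


def build_graph(links):
    """Turn a list of (a, b) links into an undirected adjacency map."""
    graph = {}
    for a, b in links:
        graph.setdefault(a, set()).add(b)
        graph.setdefault(b, set()).add(a)
    return graph


def reachable_from(graph, start):
    """Breadth-first search from start.

    Returns {zone: path} for every zone reachable from start, where path is
    the list of zones on a shortest route (start first).
    """
    paths = {start: [start]}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        for nxt in sorted(graph.get(node, ())):  # sorted for determinism
            if nxt not in paths:
                paths[nxt] = paths[node] + [nxt]
                queue.append(nxt)
    return paths


def internet_exposed_zones(links, sensitive_zones, internet="internet"):
    """Return {sensitive zone: path from the Internet} for every sensitive
    zone that is transitively reachable from the Internet zone."""
    paths = reachable_from(build_graph(links), internet)
    return {zone: paths[zone] for zone in sensitive_zones if zone in paths}


def report(links, sensitive_zones):
    """Print one line per sensitive zone and return the exposed ones."""
    exposed = internet_exposed_zones(links, sensitive_zones)
    for zone in sensitive_zones:
        if zone in exposed:
            print(f"EXPOSED  {zone}: {' -> '.join(exposed[zone])}")
        else:
            print(f"isolated {zone}: no network path from the Internet")
    return exposed


if __name__ == "__main__":
    report(EXAMPLE_LINKS,
           ["scada_control", "field_devices", "field_devices_isolated"])
```

Run as-is, the check reports that scada_control and field_devices are exposed by way of the enterprise LAN and the historian, while the air-gapped segment is not. The printed path is the useful part for a defender: it names exactly which intermediate link would have to be removed or firewalled to break the chain, which is the decision the "bottom line" above is really about.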

Even if fully isolated from the public Internet, a SCADA system that uses commercially available PC equipment (as many do) is also exposed to the very same removable media threats that enterprises face today. Hence, even with full isolation from the public Internet, a malicious person with physical access to a PC connected to a SCADA system network could simply use removable media such as a USB stick to insert malware into the SCADA network and wreak havoc.

With the growing number of publicly disclosed vulnerabilities in SCADA system software, making the assumption that your SCADA systems are not at risk because they are not “directly” connected to the Internet is in all likelihood a mistaken assumption that we simply cannot afford in the protection of our national infrastructure.

US-CERT Vulnerability Note: http://www.kb.cert.org/vuls/id/337569