Ageing control systems expose utilities to hack attacks

Claims that hackers attacked two US water companies have focused attention on the computer systems behind the fabric of everyday life.

One attack is alleged to have caused a water pump burnout after hackers repeatedly turned the equipment on and off after gaining access to its control system - although the FBI said it could find no evidence to support the claims.

In another separate attack a hacker who calls himself pr0f, external claimed to have broken into a control system that kept water supplied to a town in Texas.

The hacker was reluctant to call it a "hack" because he said the system had only been protected by a three-character password which "required almost no skill" to get around.

Prior to these incidents there have been reports of the Duqu Trojan targeting other industrial control systems. It is thought to have been designed to gather intelligence to help launch more damaging assaults.

That malware followed the Stuxnet worm which was directed against equipment used in Iran's nuclear programme. Iran has denied that it had any impact.

Claims aside, the incidents have led to renewed scrutiny of the computers that go by the collective name of supervisory control and data acquisition (Scada) systems.

That formidable name is best thought of as "automation Lego", said Dr Richard Piggin, a security expert at engineering and design consultancy Atkins.

When companies wanted to automate a process or move stuff around it was these Scada building blocks that they used, said Dr Piggin.

Some of the attacks reported in the media have been aimed at industrial scale systems. Evidence from one widely-reported intrusion suggested that Russia and China had conducted reconnaissance of US power grid computer controls.

However, said Dr Piggin, Scada systems are very widespread and control processes both big and small.

"The control system can be just a couple of buttons to do a car wash or a console to spin the London Eye," he said.

Other Scada systems control the movement of goods inside warehouses, the direction components and semi-assembled parts are sent along production lines, and the transport of bags from a plane's cargo hold to disembarked passengers.

What made such systems vulnerable, said Dr Piggin, was their longevity compared to desktop computers.

"The issue has been that these systems can have long life cycles," he said. "It's not uncommon that they will be in use for 15-20 years."

The equipment's defences against threats that are common today, such as malicious and recreational hackers, can be lacking because the dangers did not exist when the systems were first installed.

Also, the dedicated computers that spring motors and conveyors into life are typically too small to run defences, such as anti-virus and firewalls, that are common on desktop PCs.

This perhaps explains why security experts are finding so many holes in the software used in Scada systems.

NSS Labs researcher Dillon Beresford has uncovered bugs in the control code for some Scada systems that he claimed were "more serious than Stuxnet".

Similarly, Italian security researcher Luigi Auriemma has uncovered dozens of flaws in the commonly used Scada systems. Mr Auriemma said some of the loopholes could give an attacker complete control over a target system.

Dr Piggin said the growing list of problems had prompted a response from governments.

Nations have embarked on long-term programmes that will see Scada systems hardened and protected against attack.

Best practices are being developed to ensure that casual attacks do not succeed.

"There are programmes in the US and Europe covering control systems in water, energy, electricity and chemical industries," he said. "They recognise that it's a serious threat."