Milagli / Shutterstock
As if there weren’t a sufficient number of things to worry about related to the Heartbleed vulnerability disclosed earlier this month, you can now add this to the list: Many of the world’s computers used to control and manage heavy industrial equipment may be vulnerable, too.
The good news is that many of the manufacturers of these systems are issuing patches to plug the hole. The bad news is that there are so many of these systems in place it’s going to be tricky to find them all.
They’re known as SCADA systems — it stands for supervisory control and data acquisition — and they’re basically computers that sit on top of pretty much any kind of industrial equipment you can imagine, from machinery in factories to pumps and generators at energy utilities to pretty much any kind of public infrastructure.
And since many of them have been hooked up to the Internet so that they can be managed remotely, many of them have built-in Web interfaces just like your typical home router. Often those Web interfaces have had a layer of encryption added to them to protect them from, well, hacking. And in a lot of cases that encryption has been OpenSSL, the open source security software. The Heartbleed bug is found in one particular version of OpenSSL, one that was widely adopted around the world for nearly two years before the bug was discovered.
“The pernicious thing about OpenSSL is that it’s used everywhere,” said Oliver Tavakoli, CTO of Vectra Networks, a network security firm based in San Jose, Calif. “If the management systems are on any kind of IP network and they have a Web-based interface, typically they would use OpenSSL, and that means they’re potentially vulnerable to Heartbleed.”
Heartbleed, you’ll remember, allows an attacker to essentially scoop out random batches of data from a vulnerable system’s active memory literally at will. Those batches of data can contain sensitive information that gets stored in the course of the system’s routine operation, including passwords and user credentials. It has also been proven that Heartbleed can be used to steal the private keys used to generate a server certificate, allowing an attacker to set up other machines that impersonate legitimate systems and thus lure unwitting users to give up their account details.
Where these industrial computers come into play is that they don’t always look like computers, but are connected to corporate networks all the same. They may be machines that regulate the operation of a key piece of machinery in a factory, or that control the air conditioning system in a building. “They’re systems that people wouldn’t readily identify as a computer. And they’re often a nightmare to patch,” said Frank Heidt, CEO of The Leviathan Group, an information security consulting firm in Seattle.
Once in control of the SCADA systems, an attacker could in theory then make the industrial gear they manage do things they’re not intended to do. An attacker could shut down a pump or a generator or make something run faster or slower than it’s supposed to, or otherwise disrupt routine operations.
Some of these systems are getting patched. You can see a few examples of advisories on the subject from the U.S. government’s Industrial Control Systems Cyber Emergency Response Team.
But the language in the advisories is troubling. One concerning software running on gear from Siemens, the German industrial giant, is pretty plain: “The Heartbleed vulnerability could allow attackers to read unallocated memory of OpenSSL running processes. This could reveal secrets like transmitted data, passwords, or private keys,” it reads. It goes on to add that an attacker with “low skill” could carry out such an attack. Thankfully, Siemens has issued patches for some of the vulnerable systems and is working on patches for others.
It’s unclear how many systems could be affected. Heidt puts the number of machines in the thousands. OpenSSL is freely available, making it an attractive option to anyone creating software for use on these systems. “Anyone setting up systems like these would have used OpenSSL,” Heidt said. “The odds are very high that it gets used in these circumstances.”
The vulnerable version of OpenSSL was available for about two years, which at least sets some theoretical limit around what gear might be vulnerable. Anything using an older or newer version of OpenSSL would not be vulnerable. “There’s about a two-year window to consider,” Heidt said.
So what to do if you manage such equipment? Take a detailed inventory of what’s on your network and pay special attention to things you wouldn’t otherwise consider to be computers. Security vendors may help with this. Then, as with Web servers and other systems that have been patched in recent weeks, keys and certificates for these systems will have to be revoked and regenerated, and new passwords created for anyone who uses them. “We’ll have to be vigilant for an extended period of time until every piece of infrastructure that’s on the network has been locked down,” Tavakoli said.
Once you’ve done that, you have to deal with the “known unknown” aspect of Heartbleed, which is to consider the possibility that your systems have already been attacked and that you simply don’t know it. Heartbleed attacks leave practically no trace. If your systems were vulnerable for any length of time, you may have to proceed under the assumption that they were compromised and then decide what to do. “You have to assume yes or no,” Heidt said, “and then decide how to mitigate that.” And that’s a much more complicated question we’ll be wrestling with for some time to come.
It’s not the first time we’ve had some kind of wake-up call about the vulnerability of these SCADA systems. Stuxnet, a computer worm said to have been created by the U.S. and Israel for the purpose of sabotaging Iran’s nuclear weapons research facilities, burrowed its way from traditional computers running Windows into SCADA systems regulating nuclear centrifuges.
According to a 2011 account in the New York Times, once under the remote control of U.S. and Israeli agents, the centrifuges were made to spin out of control while indicating to Iranian workers on the scene that they were operating normally. Many of the centrifuges exploded, and the Iranian nuclear research program was by some estimates set back by two years, though assessments on its long-term effects have varied. (The U.S. and Israel have never officially acknowledged responsibility for Stuxnet.)
Whatever effect it had, Stuxnet served as a warning that these industrial control systems are vulnerable to attacks. In 2012, research conducted by volunteers called Project Basecamp documented vulnerabilities inside of three commonly used models of programmable logic controllers, a type of SCADA system that sits between a traditional computer and an industrial machine.
Heidt said that organizations using these systems are often conservative about installing patches on them because they can have other unintended effects or because taking them offline can be disruptive. That said, patches for Heartbleed may turn out to be fairly straightforward and less disruptive. “Simply fixing this one appears to be a no-brainer,” he said. It’s the follow-on work that will be costly and time-consuming.