January 29th, 2009
"Zombies ahead!" sign says something about SCADA security
An electronic road sign hacked to alert drivers to hoards of the undead provides a nice pedagogical example of why SCADA security is such a “big deal”.
Earlier this week a road sign was hacked to warn drivers about zombies disturbing their evening commute. The hack itself was trivial: an intrepid individual discovered that electronic road signs shared a common default password. The default password would have been discovered and publicized years ago if the systems were connected to the internet, but they were left alone for years as very few people had the gumption to walk up to one of the signs and attempt what is essentially a dictionary attack against the authentication mechanism. Without the forcing function that is sustained attack, engineers have no reason to improve the security of their systems.
It seems that everyone laughed off the hack as a simple gag, but you are left to wonder what security problems that already exist in systems that are semi-attached to the grid.
There are a large class of systems that are semi-attached to the grid which do have similar security problems. Known as SCADA (Supervisory Control And Data Acquisition) Systems, these computers are responsible for controlling physical plant like nuclear reactors and oil refineries. Many of these systems were deployed years ago, well before the information security industry fully understood code quality problems and how they can be exploited by attackers. That is all well and good as long as you can guarantee an air-gap between the control network and anything a human being can touch.
Maintaining a guarantee that none of the systems will touch a publicly accessible network is pretty challenging for ten to twenty years as you bring on new staff that may not know why the air gap was originally put into place. Eventually someone hooks up the SCADA system network to a PC that provides a nice Windows XP-based visualization interface, and they also hook it up to the internet so they can get pages at home when something goes wrong.
The Feds have known about this issue for some time, and have invested heavily in improving SCADA system security. Hopefully they complete the job before some hacker discovers the system, and well… it’s “Zombies ahead!” time.
Adam J. O'Donnell, Ph.D. is an R&D engineer who has focused on computer security since 2000. He currently is the Director of Emerging Technologies at Cloudmark, a messaging security company located in San Francisco. See his full profile and disclosure of his industry affiliations.
Subscribe to Zero Day via Email alerts or RSS.
