IOActive and Embedi security researchers looked at the security of mobile SCADA apps back in 2015 and security was not brilliant. They have now repeated that research, and oh boy are things getting worse.
So what's going wrong, and why isn't security getting better in this supposedly cyber-aware era?
When the original research was conducted for Black Hat 2015, 'only' 50 issues were found across 20 such mobile SCADA applications. Yet a new whitepaper published today by researchers at IOActive and Embedi reveals 147 security vulnerabilities across 34 mobile applications used with Supervisory Control and Data Acquisition (SCADA) systems.
The latest research suggests that, within just two years, the security situation has got worse: on average, each application tested carried 1.6 more vulnerabilities than in 2015.
The 'SCADA and Mobile Security in the Internet of Things Era' researchers warn that if these vulnerabilities were to be exploited, then a threat actor could compromise industrial network infrastructure.
The researchers tested both software and hardware, using typical backend fuzzing and reverse engineering techniques. The vulnerabilities they discovered fell into the following categories: code tampering (94 per cent of applications), insecure authorisation (59 per cent), reverse engineering (53 per cent), insecure data storage (47 per cent) and insecure communication (38 per cent).
One of the researchers, Alexander Bolshev from IOActive, described the security flaws as being "evidence that mobile applications are being developed and used without any thought to security." Bolshev points out that an attacker would not need physical access to leverage the vulnerabilities, nor would they need to directly target ICS control applications. "If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware" Bolshev warns.
Given that these applications are used in conjunction with SCADA systems, and that more vulnerabilities were found than just two years ago, we asked Ian Trump, vulnerability programme manager for Ladbrokes Coral Group, why the 'secure by design' message doesn't appear to be getting through in this mission-critical development environment.
"The best practice for ICS and SCADA implementation is to air gap those systems from the internet," Trump told SC Media UK, continuing, "the rush of vendors to develop mobile SCADA applications seems on the surface to be the antithesis of this best practice, but enabling operators to keep an eye on critical systems on tablets and phones is an efficiency win, driven by cost reduction exercises." However, Trump insists the state of this second generation of mobile SCADA application development needs to be understood in the right frame of reference. "If the SCADA mobile application is publicly exposed, with no compensating VPN or 2FA access to the SCADA environment," he explains, "then the vulnerabilities could be significant and exploitable." Especially so if the application can push changes or adjustments into the SCADA system.
However, a mobile application protected with external security controls (and a myriad of layered defences) may be acceptable to the organisation, especially if it only receives data from the system and cannot communicate adjustments into the environment. "If the mobile SCADA application is locked inside the air-gapped SCADA network," Trump says, "then it presents as much of an Internet attack surface as everything else inside that environment." In other words, with mobility comes the responsibility to implement securely. "The research from IOActive is valuable in assisting vendors to improve mobile SCADA application security," Trump concludes, "but secure architecture is the true battleground when it comes to ICS/SCADA environments..."
Andrea Carcano, founder and chief product officer at Nozomi Networks, told SC Media that his company's own research into SCADA vulnerabilities had detected several zero-day vulnerabilities in devices during the last four months alone. "As more vulnerabilities and security issues are brought into the open," Carcano insists, "a larger cyber-security community is forming that is willing to share its expertise and knowledge with a common goal to identify, raise awareness, and provide solutions to cyber-security challenges..."