Russia was able to hack into the U.S. electric grid this year because of security vulnerabilities in the online systems used to control it. 80 percent of U.S. utilities - from water reservoirs to gas pipelines - use these so-called “supervisory control and data acquisition” (SCADA) systems that are part of the wider “industrial Internet of Things.”
What makes this scary is that, because SCADA systems are huge and complicated, and because the people who run them often have limited resources and minimal technical expertise, patching every single security vulnerability is more or less impossible.
But researchers from MIT’s Computer Science and Artificial Intelligence Laboratory (CSAIL) say that they’ve developed something that could play a key role in solving this problem: a framework called SCADAsec123 that assesses the risk of different parts of SCADA systems and can be customized by organizations based on specific business parameters.
The framework gets its name from the fact that it outlines the three types of vulnerabilities that are most frequently exploited:
Buffer overflows errors: memory issues exacerbated by the fact that SCADA systems have to be running at all times
Input validation: issues caused by having text fields that hackers can put code into to exploit
Information exposure: situations in which sensitive data is accessed by unauthorized users, like when Russia got into the U.S. electric grid via phishing attacks on routers
“While these three areas are not necessarily the right focus for everyone, with this approach organizations can adopt a sort of ‘80-20 rule’ in which they put more resources into fixing a smaller group of vulnerabilities that are most likely to be targeted,” says Gregory Falco, a PhD candidate who co-wrote the paper with principal research scientist Howard Shrobe and research affiliate Carlos Caldera. “We think that these insights can be beneficial not just to senior security officers, but to the designers and developers of future systems.”
To develop their framework, the researchers used publicly available data from groups like the Department of Homeland Security (DMHS) showing examples of SCADA systems that have been successfully exploited.
“This work demonstrates that SCADA software vulnerabilities are exploited differently and, interestingly, more predictably,” says Dimitrios Serpanos, a professor of electrical and computer engineering at the University of Patras in Greece who is also the director of the Industrial Systems Institute. “The team’s schema can be extremely useful to industrial system security engineers and managers, who will be able to identify practical risks easier.”
Specific metrics exist for measuring the likelihood that particular vulnerabilities will be exploited, like the Common Vulnerability Scoring System (CVSS) that DHS uses. While many researchers discredit the system, the MIT team’s analysis showed that certain CVSS metrics actually work well for SCADA systems specifically. For example, they found that security vulnerabilities with higher “exploitability” and “impact” scores did tend to get exploited more.
“This is an important implication, since it shows that we really should be paying attention to some components of these scoring systems for protecting critical infrastructure,” says Falco.
Another framework for evaluating cyber risk was developed by the National Institute of Standards and Technology (NIST), but many organizations attest that it is too time-consuming and expensive for widespread adoption.
“SCADAsec123 could be a useful initial ‘quick-fix’ for organizations, before they implement the more time- and resource-intensive NIST framework,” says Falco.
As a next step, the team plans to build an automated attack planner for SCADA systems so that critical infrastructure operators can audit the security of their systems. This could be used together with SCADAsec123 to identify and fix systems’ most pressing security flaws. They are working with NASA’s Jet Propulsion Laboratory to implement an early version of this program for a space mission system and are also looking to collaborate with other interested organizations.
“For companies who feel like they are always passively reacting to security threats, our prioritization method can help them proactively predict which systems are most likely to be attacked,” says Falco. “We feel that this approach could really transform how people do risk management on vulnerable systems.”
This project was funded, in part, by Cybersecurity@CSAIL.