Vulnerable national infrastructures are a cause for concern

By Robert Westervelt, News Director, SearchSecurity | Aug 2, 2010

LAS VEGAS -- An analysis of more than 120 security assessments of the networks and systems that manage power plants, oil refineries and other critical national infrastructure facilities across the U.S. uncovered tens of thousands of security vulnerabilities, outdated operating systems and unauthorized applications.

Jonathan Pollet, founder and principal consultant of Red Tiger Security, a Houston-based firm specializing in security for national critical infrastructure, conducted and analyzed the assessments, which took place during the past nine years. During a presentation Wednesday at Black Hat 2010, Pollet said the companies that maintain critical infrastructure facilities must be forced to improve security.

"It's kind of like a ticking time bomb," Pollet said. "I'm hoping the message that we're giving here can open a few eyes."

While companies that run supervisory control and data acquisition (SCADA) systems often claim those systems are secure because they are disconnected from the outside world and surrounded by a myriad of physical and technical security controls, Pollet's analysis of the assessments found just the opposite to be true.

Pollet said some facilities had computers running Windows 95, while machines critical to the operations of the facilities were riddled with unauthorized software, from peer-to-peer applications to games to pornography.

Not surprisingly, Pollet said much of that unauthorized software contained major vulnerabilities, including downloaders designed to connect to the Internet. Applications were found that connect to gaming software servers, adult video directory scripts and online dating service databases. At one facility, security experts discovered a machine at the core of the operation had the popular Counter Strike game installed, which connects to an external server to compete with other players.

"There's no need for a zero-day," Pollet said, "there are already plenty of ways in."

Critical infrastructure and SCADA system security have been an increasing priority of the federal government in recent years. A report issued by McAfee Inc. and the Center for Strategic and International Studies (CSIS) found that critical infrastructure facilities in many developed countries are in dire need of security improvements. In a survey of 600 IT and security executives included in the same report, two-thirds of respondents acknowledged that their SCADA systems were connected to IP networks or the Internet, creating security issues that were not being addressed.

 
 
This article originally appeared on SearchSecurity
