Convenience often wins over security, and researchers from IOActive and Embedi have recently discovered the dire consequences of that adage. In January 2018, IOActive and Embedi released a white paper titled “SCADA and Mobile Security in the IoT Era.” Over the past two and a half years, they have found that 147 vulnerabilities in 34 popular Android mobile apps for SCADA systems.
What exactly is SCADA?
SCADA stands for Supervisory Control and Data Acquisition. SCADA is a computer system used to gather and analyze real-time data on a regular basis. For instance, it’s employed to control and keep track of equipment or a plant in the industries of water and waste control, telecommunications, energy, transport, and oil and gas refining. SCADA saves and makes logs for every event into a log file, and it gives warnings by sounding alarms if situations develop into hazardous scenarios.
Here’s an example of a SCADA system for a wastewater treatment plant:
https://www.youtube.com/watch?v=ZSFdOjxB-1I
So what did security researchers find?
The research team found security vulnerabilities ranging from insecure data storage and insecure communication to insecure cryptography and code-tampering risks.
The top five security weaknesses were:
- code tampering (94 percent of apps)
- insecure authorization (59 percent)
- reverse engineering (53 percent)
- insecure data storage (47 percent);
- and insecure communication (38 percent)
The same team also found 50 vulnerabilities across 20 Android apps in 2015. If successfully exploited, the vulnerabilities could allow cybercriminals to compromise industrial network infrastructure by disrupting an industrial process or causing a SCADA operator to unintentionally perform a harmful action on the system.
Alexander Bolshev, security consultant for IOActive, said the flaws they found were shocking and that they’re evidence that mobile applications are being developed and used without any thought to security.
“It’s important to note that attackers don’t need to have physical access to the smartphone to leverage the vulnerabilities, and they don’t need to directly target ICS (industrial control systems) control applications either,” Bolshev said in a press release. “If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS software and hardware. What this results in is attackers using mobile apps to attack other apps.”
So what should SCADA mobile app developers do?
To protect SCADA systems from cyberattacks via mobile, developers must take as much care with apps’ security as they would with any other part of an industrial control system.
Ivan Yushkevich, information security auditor for Embedi, said developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems. “It’s important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks,” Yushkevich said.
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and they’re coordinating with a number of them to ensure fixes are in place.
Jason Larsen, director of advisory services at IOActive, also said that any mobile device used in ICS environments should have reinforced security.
“Mobile devices can be hardened like any other device and a good security architecture can always help. Most mobile devices need to connect to the internet to receive updates, but they don’t need to be connected to both an industrial control environment and the internet at the same time,” said Larsen. “It should always be assumed that the control network perimeter will eventually be breached.”