The U.S. is leaving its energy infrastructure open to cyberattacks by not performing basic security measures, such as regular patching and secure coding practices, according to a report prepared by the Department of Energy.
Researchers at the Idaho National Laboratory tested 24 industrial control systems (ICSs) between 2003 and 2009 and published the results in a report completed in May and publicly released last month. Steven Aftergood, secrecy expert at the Federation of American Scientists, blogged about the report on Monday.
The report comes on the heels of a discovery of malware written specifically for systems used for controlling industrial manufacturing and utility systems. That worm, written for a Siemens Windows application, has been a wake-up call to the security community that focuses on industrial control systems because it marked a shift from theory to reality, according to experts.
Although the national labs researchers tested actual control systems used in running the energy infrastructure, such as the electricity grid, they did not disclose the names of any companies. By publishing the results, the DOE hopes energy companies can better assess and secure their computer systems.
The government-funded tests confirm that there are security holes in the energy infrastructure that are due in part to industry's growing reliance on the public Internet. Improving the security of these systems can be accomplished through well-understood security practices, but requires more work on the part of energy professionals and software providers, according to the report.
"Published vulnerabilities in well-known applications and services create the most significant security risks to ICS. Of all the vulnerabilities in an ICS, these vulnerabilities are most likely to be exploited because attackers are likely to be aware of them," according to the report.
The report notes that the mechanisms for installing operating system patches have improved but that application-level patching is not done with the same regularity, which causes system vulnerabilities.
There are other potential points of entry for would-be attackers to take over control systems, such as poorly configured network defenses and weak passwords. The report concludes that security doesn't pervade the design and configuration of control systems as much as it should.
"ICS software mostly suffers from the lack of secure software design and coding practices... This lack of security culture contributes to poor code quality, network protocol implementations that rely on weak authentication and allow information disclosure, and vulnerable custom ICS Web services," it said.
The report echoes many of the concerns voiced by security professionals about industrial control systems, but it's not common for a government agency to acknowledge these weaknesses.
"The report offers common sense and best-practice recommendations that have been available for years," former senior Homeland Security official and RSA vice president Mischel Kwon told The Wall Street Journal.