Mobile applications used to help control internet-connected SCADA (industrial control and supervisory control and data acquisition) systems are riddled with security vulnerabilities which, if exploited, could be used by attackers to disrupt or damage critical infrastructure.
Electricity and water companies are just two examples of the sort of businesses which are increasingly using mobile devices to aid with the remote monitoring of services; security companies have warned that weaknesses in the applications developed for smartphones put whole systems at risk from hackers.
Titled SCADA and Mobile Security in the Internet of Things Era, the analysis by security companies IOActive and Embedi suggests that attackers who can remotely gain access to the mobile devices utility companies use can perform harmful actions.
"The flaws we found were shocking, and are evidence that mobile applications are being developed and used without any thought to security," said Alexander Bolshev, security consultant for IOActive.
"If the smartphone users download a malicious application of any type on the device, that application can then attack the vulnerable application used for ICS [industrial control systems] software and hardware," he added.
Researchers randomly selected and tested 34 applications for SCADA systems available in the Android Google Play Store and found 147 vulnerabilities across the sample. Previous analysis conducted in 2015 found 50 issues across 20 apps, leading researchers to conclude that security in this sector has got worse, not better, with an increase of an average of 1.6 vulnerabilities per application.
Organisations may potentially be rushing to develop industrial control apps in order to take advantage of the benefits they can bring to SCADA systems, but failing to put in the same security controls associated with every other aspect of the environment.
"The early adopters are creating applications using the same rapid development mindset popular in mobile, rather than the measured and tested development that is usually expected in industrial control," Jason Larsen, director of advisory services at IOActive, told ZDNet.
Researchers found that 94 percent of tested apps were vulnerable to code tampering, which could lead to the application being exposed and exploited on a rooted device, with very little user interaction required.
Insecure authorisation was found to be a problem for 59 percent of the tested apps, with some apps failing to even include a password or any other form of verification that the app was in the hands of the correct user. This is potentially very dangerous, as an absence of password protection could allow attackers to physically access an unattended or stolen device, or even use it remotely via the use of malware.
Another problem found to be common among the tested apps was that 53 percent were susceptible to being reverse engineered thanks to the use of non-obfuscated code, allowing attackers to see the inner workings of the app and which patches have and haven't been applied.
Meanwhile, just under half of the apps tested were found to have insecure data storage and unintended data leakage, which could provide attackers with access to the app or data about the SCADA systems. This, the report says, could enable the attacker to tamper with the data, to disrupt systems or enable further attacks.
In many cases, however, the attackers would need to be skilled and have knowledge of the systems in order to carry out specific attacks.
"Most processes have safety systems that prevent the process from entering an unsafe state. Randomly clicking around on an operator's screen generally doesn't lead to catastrophic failure, but that doesn't mean the impact won't be severe and costly," said Larsen.
"In the 2016 Ukrainian attacks, the attackers simply switched all the field equipment to off, but no one is going to argue that the attack wasn't effective."
In order to protect SCADA systems from being attacked via mobile, developers must take as much care with security of the apps as they would with any other part of an industrial control system.
"Developers need to keep in mind that applications like these are basically gateways to mission critical ICS systems," said Ivan Yushkevich, information security auditor for Embedi. "It's important that application developers embrace secure coding best practices to protect their applications and systems from dangerous and costly attacks."
IOActive and Embedi informed the impacted vendors of the findings through responsible disclosure, and are coordinating with them to ensure fixes are put in place. In addition, it's recommended that any mobile device used in ICS environments should have reinforced security.
"Mobile devices can be hardened like any other device and a good security architecture can always help. Most mobile devices need to connect to the internet to receive updates, but they don't need to be connected to both an industrial control environment and the internet at the same time," said Larsen.
"It should always be assumed that the control network perimeter will eventually be breached."