ICS-CERT was set up two years ago to handle the kind of bugs that Beresford and Finisterre are now finding with ease. The number of incidents funneled through ICS-CERT has increased six-fold in the past few years, from dozens of issues to hundreds, according to Marty Edwards, director of the Control Systems Security Program and the person in charge of ICS-CERT.
"The reason we're seeing such an increase is because, quite frankly, SCADA and industrial control systems [have become] cool," he said. "Things like Stuxnet have raised the attention level that industrial control systems and critical infrastructure systems are getting."
For many hackers, industrial systems are a new frontier in their technical explorations. For others, they're a throwback to the early days of hacking, before PCs became the primary target. Finisterre started out on the telephone system when he was growing up in the small town of Sidney, Ohio. "In the early '90s my mom thought I was messing with the phones at our house, but it turned out that someone was tampering with the phone switch remotely. I ultimately went on a quest to help my mom fight the phone company claims that 'Your son must be doing something to cause all these faulty charges,'" he said.
Nearly 20 years later, as a professional security researcher, he grew bored with the run-of-the-mill software bugs he was finding and turned to industrial systems. That's what led to his work finding holes in CitectSCADA. "It was like an instant transport back to my high school days," he said.
There are signs that he is not alone and that the floodgates are about to open. ICS-CERT is currently working on about 50 known issues, but two researchers from the commercial sector say they've found hundreds more, some perhaps unimportant, but others potentially serious.
Billy Rios, a team lead in Google's security group, and Terry McCorkle, a member of the Information Security Red Team at Boeing, were having drinks together in February when they decided to take a close look at the type of industrial software Finisterre and others have been hacking. They wanted to see how many bugs they could find.
Working in their spare time, they downloaded as many industrial software packages as they could -- nearly 400 altogether, from Siemens, Rockwell Automation, Iconics and other vendors. All of them were freely available on the Internet. They set themselves a goal: to find 100 bugs in 100 days. But the pickings were so good they hit their target in three weeks. "We didn't even go through all the software we had, not even close," McCorkle said.
In the end they found 665 issues in server software, driver packages and the Windows-based HMI (human-machine interface) software used to manage the machines on factory floors. Rios and McCorkle rate most of the bugs they've found as "non-critical," but they say about 75 of them could be used by criminals to damage an industrial system. "There's no single class of vulnerabilities that we nailed; it was just all over the board," Rios said.
"Anyone can do this, basically, if they just put the time into this and get an understanding of how this works," Rios added. "It's not like you'll find a bug here and there. It's just like if you put the time into it, it's pretty ridiculous what the results are."
Edwards, the man in charge of ICS-CERT, acknowledged that the group's workload has exploded since it was started in 2009. "We've seen a 600 percent increase in the number of vulnerabilities that have been coordinated and worked through the ICS-CERT," he said. The allure of industrial control systems means more researchers are now focusing on that area, he said.