Lowly control systems vulnerable to hacks, according to UAH expert

Dr. Ray Vaughn, UAH vice president for research, during a lecture on industrial control systems security. Dr. Vaughn says there are 10 top concerns with the security of industrial control systems. Photo: Michael Mercier | UAH

HUNTSVILLE, Ala. (May 28, 2014) – In the age of smartphones, gaming, apps and super-gadgets, the industrial systems that control elevators, heating and cooling systems, water treatment plants and the like just don't seem all that glamorous and they are often a low priority.

That's exactly why they are so vulnerable to takeover by hackers, as Dr. Ray Vaughn, vice president for research at The University of Alabama in Huntsville, knows all too well. Prior to coming to UAH, Dr. Vaughn and a research assistant helped nab one such miscreant.

Dr. Vaughn will speak June 4 on the "Top Ten Concerns with Security of Industrial Control Systems in Critical Infrastructure Applications" at the sixth annual North Alabama Cybersecurity Summit being held June 4-5. Also at the conference, UAH Chief Information Security Officer Russ Ward will be part of a June 5 panel discussion on mobile device security.

Dr. Vaughn joined UAH's administration after serving as the associate vice president for research at Mississippi State University.

Since arriving at UAH, a National Center of Academic Excellence in Information Assurance Education, Dr. Vaughn has been working to establish full scholarships to study Cybersecurity that are expected to be funded by the National Science Foundation's Scholarship for Service (SFS) program. The scholarships pay for tuition, reimburse health insurance up to a maximum of $2,000 a year, reimburse books up to $1,000 a year and pay for professional development travel up to $3,000 a year.

While at Mississippi State, in 1997 Dr. Vaughn founded and directed the Critical Infrastructure Protection Center there. The center was supported by the Department of Homeland Security (DHS) as an outreach effort to operators of the nation's critical infrastructure. The center supported training activities and research, which is primarily focused in the area of industrial control system security.

"In 2009, my graduate student and I identified a hacker who went by the pseudonym of 'Ghost Exodus' and had posted evidence on public websites of his exploits in penetrating and manipulating a SCADA (Supervisory Control and Data Acquisition) system located within a hospital in the Dallas, Texas, area," Dr. Vaughn says. "This individual was also the leader in a hacker group by the name of the Elektronic Tribulation Army (ETA) and was staging a botnet for a wide-spread denial of service attack on government systems."

UAH Chief Information Security Officer Russ Ward.

Ultimately, the pair identified the first industrial control systems (ICS) hacker convicted and jailed in the United States. He is currently serving seven years in a federal prison for implanting malicious code and manipulating a control system to operate an HVAC system within a hospital.

"Through my experience in this area, I have seen firsthand how vulnerable this sector really is," Dr. Vaughn says. "I believe that there have been many SCADA system vulnerabilities published and that the likelihood of an attack will continue to increase until reliable protection strategies can be put in place."

People often don't think of control systems as computer systems, Dr. Vaughn says, but they are. "They have different network protocols and they are often very small with limited computational capability, but they can also be manipulated through malicious attack and they are subject to denial of service attacks, reply attacks, protocol mutation attacks and others."

These systems control critical infrastructure like power grids, water systems, gas pipelines, dams and other applications that the nation depends on so an attack against them can affect large populations, or worse, can cause a loss of confidence in the utility or government's ability to operate safely.

UAH's highly specialized industrial control systems laboratory includes gas pipeline, water tank and water treatment control systems.

Industrial control systems water tank.

Water treatment control system.

"Since 2007, I have been engaged in the research reported in this presentation and have demonstrated both significant and exploitable vulnerabilities and also strategies that are plausible, affordable and reasonable to prevent or mitigate such attacks," says Dr. Vaughn.

ICS research at UAH and other universities strives to develop new solutions, understand the problem set and engage students in the research effort.

"I believe we have a special obligation here at UAH due to our high concentration of Dept. of Defense and government work. To further this research, UAH has acquired a highly specialized industrial control systems laboratory for research purposes in which I hope to partner with industry," Dr Vaughn says. "I think this research is an excellent area to work in and will help UAH move more into weapons system vulnerability analysis, medical device security and automotive system security."

Those top 10 concerns about industrial systems? They are:

• Controlling software is often flawed;
• No forensics trail;
• No third party validation;
• Protocols are not standard or robust;
• Lack of Cybersecurity tools for prevention, detection and response;
• Lack of awareness training in the industrial control systems community;
• Lack of vulnerability assessments in critical infrastructure ICS;
• Lack of information sharing;
• Research facilities and funding are lacking;
• Educational opportunities for industrial engineers and information technology (IT) specialists in this area.