US researchers have identified 25 zero-day vulnerabilities in industrial control SCADA software from 20 suppliers that is used to control critical infrastructure systems.
Attackers could exploit some of these vulnerabilities to gain control of electrical power and water systems, according to Wired.com.
Nine of these potential exploits have so far been reported to the suppliers concerned and the US Department of Homeland Security.
The vulnerabilities were found in devices that are used for serial and network communications between servers and substations.
Electrical engineer Chris Sistrunk and consultant Adam Crain said these products have been overlooked as hacking risks because the security of power systems is focused on IP communication.
Serial communication has not been considered as an important or viable attack vector, but the researchers say breaching a power system through serial communication devices can be easier than attacking through the IP network because it does not require bypassing layers of firewalls.
In theory, an intruder could exploit the vulnerabilities simply by breaching the wireless radio network over which the communication passes to the server.
In light of these new risks to SCADA control systems, organisations and governments should take urgent action to build up cyber defences, said Ross Brewer, vice president and managing director for international markets at security firm LogRhythm.
“Traditional perimeter cyber security tools, such as anti-virus software, have proven their shortcomings time and time again,” he said.
Brewer said the Flame virus, for example, avoided detection by 43 different anti-virus tools and took more than two years to detect.
Instead, organisations must have tools in place that allow them to identify threats, respond and expedite forensic analysis in real time.
To achieve this, Brewer said continuous monitoring of all log data generated by IT systems is required to automatically baseline normal, day-to-day activity across systems and multiple dimensions of the IT estate and identify any and all anomalous activity immediately.
“With increased computerisation, critical infrastructure services become far more vulnerable, and without advanced levels of protection it could be lights out, and worse, for all,” he said.