According to a new study by IoActive and Embedi, a significant number of SCADA apps are shot through with worrying vulnerabilities, which dangerously expose mission critical processes and infrastructure within industrial control system (ICS) environments.
IoActive and Internet of Things (IoT) specialist Embedi teamed up “to understand how the landscape has evolved and assess the security posture of SCADA systems and mobile applications in this new IIoT [Industrial Internet of Things] era”.
The researchers took 34 mobile applications, which are increasingly used in Supervisory Control and Data Acquisition (SCADA) systems, at random from the Google Play store. Authors Alexander Bolshev, Security Consultant, IOActive and Ivan Yushkevich, Information Security Auditor, Embedi, wanted to find out if the increasing use of SCADA mobile apps is unduly exposing ICS environments to the risk of accidental insider threat, or the risk of external attack.
Altogether, Bolshev and Yushkevich found 147 vulnerabilities – an increase from 2015 of 1.6 per app. The top five security weaknesses that they identified were: code tampering (94% of the studied apps), insecure authorization (59%), reverse engineering (53%), insecure data storage (47%) and insecure communication (38%).
Attackers don’t even need physical access to a user’s smartphone as they can gain access via a fake malicious app that a user downloads by mistake. The malware embedded within that app could then attack the vulnerable application within the ICS environment.
The authors of the report primarily lay the blame on developers rushing the SCADA apps to market without properly incorporating security into their design.
There’s not much an end-user can do to fix bugs in a mobile application themselves. The fixes will need to be done by the vendors,” IOActive Principal Security Consultant, Jason Larsen, told Infosecurity.
“A good start would be transparency. If an application is built using secure programming practices and has gone through a review, documenting that would go a long way.”
The report lists the most important items to consider when developing a mobile SCADA application, emphasizing that developers need to understand that their app is a gateway to ICS systems and this “should influence all of your design decisions, including how you handle the inputs you will accept from the application and, more generally, anything that you will accept and send to your ICS system”.
In its conclusion, the authors note the differences between their last report in 2015 and the landscape today and state that things have continued to evolve without robust security in mind, “and the landscape is less secure than ever before”.
Over the last several years, the number of security incidents happening in SCADA systems has gone up and widespread implementation of the IoT/IloT connects increasing numbers of mobile devices to ICS networks.
They add, “the industry should start to pay attention to the security posture of its SCADA mobile applications, before it is too late”.
The full white paper can be downloaded here.