Planes are Unix hosts waiting to be hacked
Written by Mike James
Tuesday, 25 October 2011

Could a Stuxnet-like worm infiltrate the engine management system of a 747? It may be a small and unlikely possibility, but complacency about the threat certainly doesn't help.

There used to be a general feeling among embedded systems programmers that security wasn't ever a problem - or at best hardly ever a problem.

Part of the reason was that embedded systems are traditionally not connected to the Internet and so not subjected to the same public exposure that provides an opportunity for bad people to do bad things.

I have also long thought that there was an element in the psychology of low-level programmers that made them believe that what they were doing was so difficult that no mortal hacker could understand it well enough to do anything harmful. Yes, security by obscurity.

However, since the Stuxnet worm, SCADA - supervisory control and data acquisition - has become an acronym known to a much larger group of people and, yes, such systems can clearly be the target of an attack. Only recently a new variant of the Stuxnet worm has appeared, and it seems that hackers other than governments could be interested in the security of SCADA systems.

The big problem is that we really don't have much idea of how many SCADA systems are connected to the Internet, and hence how many are open to attack via a public network. A recent article by Craig S. Wright, vice president of the Global Institute for Cybersecurity, looked at this question and gave some examples based on personal experience. Some of the examples make scary reading.

The first is an account of the attitude of officials at the Sydney Olympic authority to the news that a Java class which read signal data from the railway system could easily be reverse engineered and changed to send data as well as receive it:

"not everyone has your skills Craig, we do not think others can do this".


Worse is the news that, once the Olympics were over, the money for security dried up and the system is probably still as vulnerable as it was. Tales of undocumented network connections also don't do much for confidence, but the example that should bring a cold sweat to the surface of any right-minded programmer is the 747 engine management system.

"For those who do not know, 747's are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air."

I like "747's are big flying Unix hosts", but much as I admire the reliability of Unix, it doesn't make me feel like taking a trip anytime soon.

"The issue here is that all that separated the engine control systems and the open network was NAT based filters. There were (and as far as I know this is true today), no exclusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more."

A "shoveled shell" is simply a telnet/SSH session initiated from the inside host, in the outbound direction, so that no forwarded port through the NAT is needed: a filter that only inspects inbound connections never sees anything to block, which is exactly why "filter incoming, allow all outgoing" is not an exclusion control.
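To make the difference concrete, here is an added example (not code from the article or from Craig Wright's write-up) that applies both postures to a few constructed flow records from a hypothetical engine-management segment: the inbound-only NAT filter the article describes, and a default-deny egress allowlist that would block an outbound-initiated telnet/SSH session. All addresses, hosts and ports are assumptions for the example.

```python
import ipaddress
from dataclasses import dataclass

# Constructed, hypothetical addresses for this example.
CONTROL_NET = ipaddress.ip_network("10.20.0.0/24")  # engine-management segment
EGRESS_ALLOW = {                                     # dst network -> allowed dst ports
    ipaddress.ip_network("10.20.1.0/24"): {22, 514},  # maintenance hosts: SSH, syslog
    ipaddress.ip_network("10.20.2.5/32"): {123},      # NTP server
}

@dataclass(frozen=True)
class Flow:
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def parse_flow(line: str) -> Flow:
    """Parse one constructed flow record of the form '<src> -> <dst>:<port>'."""
    src, _, rest = line.split()
    dst, port = rest.rsplit(":", 1)
    return Flow(ipaddress.ip_address(src), ipaddress.ip_address(dst), int(port))

def nat_inbound_only_allowed(flow: Flow) -> bool:
    """The posture the article describes: inbound is filtered, outbound is not,
    so any session initiated from inside the control segment passes."""
    return flow.src in CONTROL_NET

def egress_allowed(flow: Flow) -> bool:
    """Exclusion control: a flow leaving the control segment passes only if its
    destination network and port are explicitly allowlisted (default deny)."""
    if flow.src not in CONTROL_NET or flow.dst in CONTROL_NET:
        return True  # not egress from the segment; outside this rule's scope
    return any(flow.dst in net and flow.dport in ports
               for net, ports in EGRESS_ALLOW.items())

def find_violations(lines):
    """Return the records that the default-deny egress policy would block."""
    return [line for line in lines if not egress_allowed(parse_flow(line))]

# Constructed sample records. The last two are sessions initiated from the
# control host towards an outside address on telnet/SSH ports: inbound-only
# NAT filtering passes them, the egress allowlist does not.
SAMPLE_FLOWS = [
    "10.20.0.7 -> 10.20.1.10:22",
    "10.20.0.7 -> 10.20.2.5:123",
    "10.20.0.7 -> 10.20.0.9:23",
    "10.20.0.7 -> 203.0.113.44:23",
    "10.20.0.7 -> 203.0.113.44:22",
]
```

Running `find_violations(SAMPLE_FLOWS)` returns only the two flows to 203.0.113.44, while `nat_inbound_only_allowed` passes every record, including those two.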

The overall picture painted by the article is depressing: a story of having to hack together solutions to get a job done, with the resulting kludges being less than stable and far from secure. There is also a much greater reluctance than you might expect to act on any finding of malware contamination. After all, the system is running a factory or something similarly big that makes a lot of money. If it is infected and still working, why incur the cost of shutting it down and rebuilding the system?

Is this really the world of SCADA programming?

I really hope not, but somehow it fits in well with my limited experience of the subject.

Further reading:

FACT CHECK: SCADA Systems Are Online Now

On I-Programmer:

Cracking Stuxnet - a beginner's guide (video)


Last Updated ( Tuesday, 25 October 2011 )