Control systems are a dream for hackers and Hollywood script-writers. They run power plants, dams, train lines and traffic lights — and they’re becoming more vulnerable to attacks that can inflict spectacular, physical destruction.
According to research released today by NSS Labs Inc., a computer-security firm, the number of vulnerabilities found in control systems worldwide jumped in 2012 to 124, up from 74 in 2011.
These aren’t normal security holes, like the kinds constantly found in Web browsers and consumer operating systems. They’re more serious, often involving obscure vendors with few ways to update their products. Attacks could look like “Live Free or Die Hard,” the 2007 Bruce Willis blockbuster about Internet attacks crippling U.S. infrastructure.
Security experts who make money from selling fixes — and politicians angling for government funds — are often eager to hype the threat from such bugs. But the numbers released by NSS show an unsettling trend.
Of the top 20 control-system vendors affected, few are household names, and attacks are already happening. The U.S. and Israel were allegedly behind the Stuxnet computer worm that damaged an Iranian nuclear plant in 2010, according to the New York Times, for instance.
One reason for the increase is that security researchers are looking for control-system bugs more often. We reported in this story about Project Basecamp, a group of elite researchers that is releasing information about control-system bugs to shock the industry into improving its security.
All of this heightened attention is giving the public a better sense of the scale of the problem with control-system insecurity. As for NSS Labs’ report, it’s a small window into this world since it’s based only on publicly available information (including from Project Basecamp and the U.S. government here and here), but it highlights one of the most urgent issues in computer security today.