Physically tampering with gasoline tanks is dangerous enough, given how volatile gas can be. Altering a fuel gauge can cause a tank to overflow, and a simple spark can set everything ablaze. But imagine how riskier it is if a hacker can do all this remotely, especially now that a number of fuel companies worldwide use Internet-connected systems to monitor their tanks.
As we shared in our presentation in BlackHat today, we wanted to test the security of these automated gas tank systems. Using a custom honeypot we call GasPot, we got an idea of how several attackers are abusing the system and which targets they prefer. The GasPots in the United States, for example, were very popular for attackers. This result was in line with our expectations set at the beginning of the research. Some evidence suggests links to either the Iranian Dark Coders (IDC) Team, as well as the Syrian Electronic Army.
You can find the full details of the study in our paper, The GasPot Experiment: Unexamined Perils in Using Gas-Tank-Monitoring Systems.
What can attackers do?
The types of attacks depend entirely on the sophistication of the tank monitoring systems installed. Simple ones can only enable attackers to monitor the status of the system, while more sophisticated systems allow attackers to take control of and manipulate their targets’ tanks.
The possible attacks and the motivations behind them vary significantly. They can either be simple acts of vandalism (modifying the gas tank’s product label is very popular), or be far more malicious attacks (changing the behavior of the tanks, turning them into public safety hazards).
How Hard Will Patching Be?
Patching has always been a key challenge when it comes to online attacks that affect Internet-connected devices or infrastructure. We always have to ask how these gadgets or systems can be updated. Whether they’re cars, million-dollar SCADA systems, or gasoline tanks, updating their software poses several questions. Who will be responsible for applying the patch; will it be the vendor or the user? What kinds of expertise or tools are needed? What are the costs? Will all of the vulnerable devices get patched?
The available information from the world of SCADA systems suggests that organizations are simply unprepared to deal with patching devices. A 2013 European Union Agency for Network and Information Security (ENISA) report cited two numbers that are accepted within the SCADA security community: patches fixing problems in ICS software had a 60% failure rate, and that less than half of vulnerabilities had a patch in the first place. Overall, it is estimated that only 10-20% of organizations bother to install the ICS/SCADA patches that their vendors do provide.
In the world of consumer software, such statistics would be unacceptable. However, thanks to the multiple of challenges facing ICS patching (technical, operational, and financial), this is not considered out of the ordinary. Simply put, these systems are in situations where patching is either expensive, impractical, or not feasible.
Device security is a priority
Security has simply not been a priority for device manufacturers up to this point. Why would it? The rough-and-tumble online world, where anything can be attacked from anywhere, is not exactly a part of their corporate experience. They may not completely understand the risks of making their devices Internet-ready; the benefits may be evident to them, but the downsides are not.
Manufacturers and security vendors should work together to help secure these devices from these new threats. Physical security has been understood to be important for some time. It’s about time for online threats to reach this level of significance as well.
