SCADA security arms race underway

Following Stuxnet, security researchers are now taking a closer look at the software that controls industrial systems.

By George V. Hulme

April 01, 2011CSO

While the race between industrial control system attackers and defenders didn't start with the Stuxnet worm, it certainly acted as a catalyst to a new arms race and more researchers taking a closer look at the quality of SCADA software.

For instance, just days ago, the three-person Moscow-based security consultancy Gleg announced it would update its Agora exploit pack (used in security testing applications) with scores of zero-day SCADA system vulnerabilities that had just been released. Some of those vulnerabilities were released with exploit code.

That release of SCADA exploits prompted a flurry of activity among some in the security community. Security and SIEM vendor Nitrosecurity, for instance, along with the Emerging Threats open source community, the Open Information Security Foundation, and control system security consultancy Digital Bond and others, worked together to deliver intrusion detection signatures for SCADA vulnerabilities released by security researcher Luigi Auriemma.

More on Enterprise Risk Management

Now, with the release of zero-day vulnerabilities for the software that controls industrial systems -- much in the way vulnerabilities are fully disclosed for enterprise and consumer applications -- some are now asking if SCADA system security is going to quickly begin to resemble the security of traditional software and operating systems.

"There are some parallels between SCADA and traditional PC/server security problems," says Gartner analyst John Pescatore. "Windows and other commercial operating systems were first written assuming they would only be connected to trusted LANs, and when they were connected to the Internet all hell broke loose," he says. "Most SCADA, process control, and medical machinery was written assuming it would only be on an isolated, trusted network. But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Pescatore says.

Adds Scott Crawford, managing research director Enterprise Management Associates, "That has been a longstanding assumption about SCADA security that bears some investigation," he says. "The biggest assumption in my mind is that these are mostly non-networked systems or their networks are meaningfully 'air gapped' from more public environments. While that may be true in some deployments, it begs the question of how difficult it would be for a malicious party to move from a widely accessible target to a more protected one such as a SCADA system. It also begs the question of how well these environments are instrumented to detect potential compromise," Crawford says.

RESOURCE CENTER