There's a gap between SCADA system security technologies and the understanding of risk among those in operations. Here's a collection of some of our best stories on the threats, and what needs to be done to mitigate them.

That SCADA and industrial control system vulnerabilities are no secret doesn't make them any less concerning. Most worrisome is how little headway the power generation and distribution industry has made to secure the machinery so crucial to our civilization. CSO has covered numerous cases where such systems either came under attack or their vulnerabilities were exposed:

- SCADA systems in Australia easy target for malware, warns expert: Lack of patching and antivirus on PCs which run SCADA systems needs addressing, says security consultant.
- Important SCADA systems secured using weak logins: Thousands of critical SCADA systems reachable from the Internet are secured by dangerously weak default passwords.
- Nearly two dozen bugs easily found in critical infrastructure software: All of the bugs were previously unknown security holes.
- DHS investigates reported vulnerabilities in Siemens RuggedCom: DHS is taking the findings of researcher Justin W. Clarke seriously, investigating his claim that Siemens RuggedCom products could be exploited to attack critical infrastructure.
- U.S. seeking to build international unity around cyberdefense for industrial control systems: DHS-sponsored "International Partners Day" draws participation from Europe, Israel, Japan.

Don't expect any of these attacks on SCADA and ICS to slow any time soon. In his talk, "Who's Really Attacking Your ICS Devices?", presented recently at Black Hat Europe 2013, Trend Micro Threat Researcher Kyle Wilhoit explained how he'd constructed a SCADA/ICS honeypot. Once deployed, that honeypot was struck within 18 hours of being connected to the Internet. For nearly a month his honeypot logged 39 attacks from 14 countries. A dozen of those attacks were targeted.
And while China, with 35 percent of the total number of attacks, was the most prolific, it certainly wasn't the only attacking nation: the United States accounted for nearly a fifth of all attacks.

As many security teams at utilities and industrial plants report that they're just now looking for ways to bolster their security, they're also describing a dangerous separation between the IT teams, the security teams, and the field operations teams.

"There does exist this major disconnect between the people who do SCADA/ICS operations and engineering and the people who do IT security. They're each convinced that they know what is good and true, and they're not listening much to each other," says James Arlen, utility security expert and senior consultant at Leviathan Security Group.

Additionally, says a security analyst at a utility in the southeastern United States, there's a degree of momentum in doing things the way they've been done for decades, with little interest in change. "The operations people turn the wrenches and make the system run. And despite there being a lot of awareness training out there in the field, how do you make somebody really understand the problem? That's the challenge. We're talking 'security speak' to people who really don't understand, and they are trying to answer us in 'plant, substation speak,' where we don't really understand that," he says.

There's also a technological gap. "Right now the best thing they have in place to protect these industrial systems are access control lists at the perimeter. They really don't have meaningful firewalls yet, or other security technologies. From the IT security perspective, ICS and SCADA are firmly in the world of 1995," says Arlen.

Despite being vulnerable, explains Patrick C. Miller, president and CEO at the Energy Sector Security Consortium, the utilities are taking steps to isolate and secure these systems, and they may actually be more resilient to attack because the industry is built upon a hodgepodge of disparate equipment and technologies. "The thing is that you can't really cause much physical damage in a widespread case. You can disrupt an individual rig or utility, but a catastrophe over a widespread geography? Very hard to do," says Miller.

While there's some solace in that opinion, it certainly wouldn't be any comfort to anyone affected by a downed power plant or whose home went dark due to transmission interruptions. Here's a roundup of some of our coverage that helps to detail how to lessen the chances of that happening:

- Employees put critical infrastructure security at risk: Sweeping change needed to boost critical infrastructure security, handcuffed by lack of cooperation between IT and grid operations workers.
- The future of SCADA-control security: Greg Machler looks at how critical industries will shore up their SCADA-control weaknesses in order to protect against terror attacks.
- Businesses prepare for cyberattacks, in secret: A group of NZ organizations have established voluntary standards to guard against digital attacks.
- Vendors join fight to secure privileged access: Experts say building in security is better for future critical infrastructure systems, but Cyber-Ark's Privileged Identity Management Suite is welcome now.
- Infosec experts speak out on natural gas pipeline attacks: Three infosec experts share their thoughts on the gas pipeline attacks.