5 ‘more’ reasons SCADA security is fragile

1. The Black Box

More often than not devices within critical infrastructure operate as a black box. The organization operating them is not allowed to make system changes because it will void the vendor warranty. In fact many systems are not field upgradable at all. You need to shut them down, box them up and send them to the vendor so they can apply the updates and send it back.

As I stated in my previous blog, these devices are purpose-built and only perform a small number of functions. While that’s true, there are issues that make these black boxes susceptible to cyber attacks.

• Security patches can’t be applied to applications and operating systems
• You can’t install anti-malware on the endpoint, HIPS or firewalls
• You can’t preform system hardening

Often these systems ship with extraneous capabilities and content you might not want on a production device like:

• FTP
• HTTP
• SNMP
• Telnet
• Sample programs
• Debugging code

2. More and Faster

There are more industrial control system vendors and solutions than ever and like most vendors they are incentivized to produce products quickly and with lots of great features. Security is often an afterthought. These issues result with an increase in the volume, velocity and variety of vulnerabilities.

Along with the increased attacks surface there are more tools being created to exploit these systems. A number of SCADA security experts have already proven that the number of exploits is high. In a famous demonstration, researchers McCorkle and Rios identified 100 bugs in 100 days in ICS and the SCADA systems managing them.

3. ROI Measured in Decades

When you spend several million dollars on a turbine you are going to measure the ROI over decades. What happens in some cases is that the IT devices that are used to manage the long-term assets also stick around for decades. This “set it and forget it” approach introduces weaknesses. I already discussed the issues with a black box and not being able to secure it. How can that situation get any worse?

We don’t run discontinued, unsupported operating systems at home. Why not? They are slow, vulnerable and lack the capabilities we want. But for industrial control systems they are fast enough and they have all the capabilities needed because what they did 20 years ago is what they are needed for today. The real issue is that they grow increasingly vulnerable by the day. I see more Windows NT 4.0 and even 3.51 in the critical infrastructure sector than pretty much anywhere else and patches aren’t being developed for discontinued and unsupported operating systems.

4. Regulations

There are a number of regulatory mandates for organizations within the critical infrastructure sector. Most of these have nothing to do with cyber security. For example there are extensive regulations regarding vegetation growth around power lines if you ever need to read something that will put you to sleep.

There are some regulations that address or partly address cyber security but the security community largely feels that they are lacking in depth and simply do not have the teeth to be effective.

Regardless, just like Sarbanes-Oxley for publically traded companies and PCI for organizations dealing with credit cards, while cyber security regulations don’t necessarily help increase security they do increase awareness. Some of the key mandates and regulatory bodies in critical infrastructure related to cyber security include:

• NERC CIP for electric
• CFATS for chemical
• NRC 73.54 for nuclear
• EG2 for smart grids
• ISO and NIST standards

5. Government

Outside of regulatory mandates what else can government do? I actually think that the federal government can help and that the help doesn’t need to come in the form of new regulations.

Accelerated Deprecation

We need to allow these organization to take advantage of accelerated deprecation so that they can invest in improved, more secure solutions that protect their ICS, SCADA and IT zones.

Information Sharing with Limited Liability Benefits

I’ve written about this topic before in great detail. The net is that organizations operating industrial control systems generally make up what would be considered critical infrastructure. Because their infrastructure is, well, critical, prudence dictates that it’s in everyone’s best interest that they not be impacted by cyber attacks. They will gain value through industry information sharing consortiums, and real-time threat feeds that keep their cyber security controls operating with the latest intelligence.

By actively participating in said consortiums, utilizing threat feeds and working towards security best practices their liability should be limited if a breach does occur. I know this is more of a carrot than a stick approach, but I think it’s about time that we try something new and stop treating organizations like they are the devil when they inevitably experience some type of breach.

Government-backed Reinsurance Programs

Cyber attack insurance has always been a challenging concept and most organizations would agree that it’s lacking. When an incident does occur they are often afraid to pull the trigger on the insurance because there is the fear that something even worse may be around the corner. It is simply an immature insurance offering that may stand some benefit by the government insuring the insurance companies – reinsurance, until insurance companies and organizations will policies know how to handle cyber insurance more effectively.

Investment in STEM, R&D and Scholarships for Cyber Security

This impacts more than SCADA security and critical infrastructure but it’s a big part of an even bigger picture. With more government programs focused on STEM (science, technology, engineering and math) in the from of funding for R&D, scholarships and similar incentives linked to information security we can continue to ensure they we are developing thought leaders in the next generation. This is a very hot initiative in many other countries, especially emerging markets. It’s an imperative for any country that wants to remain competitive in the future to make these investments in information security and other STEM fields.

This list and my list from the previous blog are by no mean exhaustive. What are you seeing in terms SCADA security issues?

Image credit: Flickr/srv0