critical infrastructure security

January is the Cruelest Month

The SCADA Security Scientific Symposium (S4), put on by Digital Bond every year, is an event I look forward to. It brings together the leading researchers and thinkers on ICS security and is always exciting.

Early in 2012 Eric Byres wrote a blog article predicting what he thought would happen in 2012 with regards to SCADA and ICS security. I went back to his blog and highlighted the four main predictions he made. Then I asked him to rate himself on each one.

Editor's Note

Last year Eric’s holiday gift suggestion got his culinary juices flowing with the idea of a sous-vide oven; or for the true controls engineer, the plans to build your own. He was pleasantly surprised a few weeks later, when a sous-vide oven arrived under the tree.

“Lacking extravagant IT budgets, automation systems also require cyber security systems that just work, with a minimum of human intervention.”

Who is responsible for fixing the thousands (some say 100,000) of vulnerabilities that exist in PLCs, DCS, RTUs and other automation devices that are in use in facilities around the world?

On the one hand, we have the position of Dale Peterson at Digital Bond. Dale ardently argues for (and takes) aggressive measures to pressure ICS vendors into making their products more secure. Through their 2012 Project Basecamp and subsequent disclosures, Digital Bond publically released vulnerability details for a large number of controllers.

In last week's blog, Heather wrote an excellent summary of Mark Cooksley's network security presentation regarding "Why Industrial Networks are Different than IT Networks". In it she noted that the number one goal of ICS security is based on the concern for safety. This is spot-on in my opinion. However, there is more to consider when it comes to industrial security priorities…

Previously we looked at the question of “Why are PLCs so insecure?” Today we are going to come at SCADA security from another angle, which is “Why is securing Industrial Networks different than securing IT Networks?” We will also look at three ways to address these differences.

Ed. Note: This is a significant update to an article first published on Sept 25, 2012. The original article is available as a download in Related Links.

Last week I wrote about a serious issue in the patching of SCADA and ICS systems. Just when you think you are installing all needed patches, some critical ones are getting missed.

Yesterday afternoon I received a note from another security expert that has left me a bit stunned. Like most of you, I assumed that if you are patching your Windows computers on your SCADA or ICS system (using some variation of Microsoft Windows Update), then any vulnerable services that can be patched will be patched. Well guess again – you may still have a number of open vulnerabilities that are happily being missed by the Windows update service.

For those of us passionate about industrial security it is great to see it being integrated into networking training as it was at the Belden Industrial Ethernet Infrastructure Design Seminar held near Chicago earlier this week.

To understand the problems faced by SCADA users, the team at Regency IT Consulting wanted to build a basic test rig. The goal with the rig was to help us understand the users’ challenges and to interact with the technology and protocols.

Last week Eric Byres addressed the difference between SCADA, ICS and other jargon in our industry. This week I am going to address a question I am often asked “Why are industrial networks so hard to secure?” This is a big topic, so today I will address only “Why are PLCs so Insecure?”

Recently I saw a posting on LinkedIn asking “What’s the difference between a SCADA system and an ICS system, and if there is no difference, then why do we have two different names?”

This is a good question, because unless you have worked in the industrial automation field for a few decades, the terminology can seem very confusing. Not only do we have SCADA versus ICS, we also have terms like Process Control, Discrete Control, Industrial Automation, Manufacturing Automation Systems, Distributed Control Systems, Energy Management Systems and so on.

Editor's Note: This is an updated version of this article, which was first published on June 14, 2011.

Over the past month, I have received a number of emails and seen a number of LinkedIn articles suggesting that I was attacking the concept of data diodes when I stated that Air Gaps are a myth. Unfortunately, this is a serious misunderstanding of my message to the SCADA/ICS community.

Finding a way to determine the right level of investment in ICS and SCADA Security has been an ongoing challenge for industry. In an earlier article the Total Cost of Ownership approach for calculating investment level was described. Today I present another method called Value at Risk (VaR).

Virtual Local Area Networks (VLANs) should not be counted on as a security feature of modern managed Ethernet switch networks. This is now common knowledge, both in IT departments and also in the Industrial Control Community. Indeed in Eric Byres’ article Why VLAN Security isn't SCADA Security at all he points out that switches with VLANS are not firewalls. But are VLANs the boogeyman of industrial control system security...or are they underestimated helpers?