PLC Security

Editor's Note: This is an updated version of this article, which was first published on June 14, 2011.

Over the past month, I have received a number of emails and seen a number of LinkedIn articles suggesting that I was attacking the concept of data diodes when I stated that Air Gaps are a myth. Unfortunately, this is a serious misunderstanding of my message to the SCADA/ICS community.

Finding a way to determine the right level of investment in ICS and SCADA Security has been an ongoing challenge for industry. In an earlier article the Total Cost of Ownership approach for calculating investment level was described. Today I present another method called Value at Risk (VaR).

Virtual Local Area Networks (VLANs) should not be counted on as a security feature of modern managed Ethernet switch networks. This is now common knowledge, both in IT departments and also in the Industrial Control Community. Indeed in Eric Byres’ article Why VLAN Security isn't SCADA Security at all he points out that switches with VLANS are not firewalls. But are VLANs the boogeyman of industrial control system security...or are they underestimated helpers?

Engineers as well as IT staff in the process control and SCADA industries have varying levels of knowledge about industrial cyber security. We come across this regularly when talking to people at industry events or speaking with customers or partners. To help you, no matter where you are in the learning curve, we have recently released a five-part video series.

This article summarizes the videos and provides you with direct access to them.

This is an excerpt from the Think Forward blog at verizonbusiness.com

In a move that may be helpful for critical infrastructure asset owners, on July 23  the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

Last week I discussed how security experts and ICS / SCADA vendors are giving up on the dream of the air gap as a viable security solution for the modern control system. Unfortunately, it is still all too easy to believe your control system is isolated.

Recently I had a very enlightening conversation with a control engineer who thought his system was air gapped.

Last week I updated my air gap blog from 2011. I noted some companies (like Siemens) no longer mention air gaps. Then to keep things balanced, I added new examples of consultants that support the air gap theory. In particular, I selected this quote from Paul Ferguson at Trend Micro:

Editor's Note:  This is an updated version of this article, which was first published on June 30, 2011

Did Iran really detect a planned "massive cyber attack" against its nuclear facilities, as reported by Reuters last week? And, have they really “taken [the] necessary measures” to contain it?

Professor Paul Dorey recently presented a paper about the seven important lessons the IT world has learned in managing Advanced Persistent Threats (APTs). In this article, I will discuss lessons #2, #3 and #4, and how to apply these lessons to ICS and SCADA security.

Recently a very complex worm called Flame has been discovered attacking companies in the Middle East, and it is an excellent example of what security experts call an Advanced Persistent Threat (APT). Figuring out how to defend against APTs is a major focus in the IT security world.

The discovery of the Flame malware last week focused the cyber security world on the sophisticated strikes targeting energy companies in the Middle East. Although Flame’s goal was espionage rather than damaging operations as Stuxnet did, it has been seen as one more indication that the industrial world is now in the bull’s eye of clever attackers.

Over the weekend a new super worm exploded onto the cyber security landscape. Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like the Stuxnet and Duqu worms did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and…everything.

Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.

It has been almost 25 years since I first started working in the industrial network field and 15 years since I first focused on SCADA and ICS security.  From the start, I have been amazed at how difficult it is to get people to see the whole picture.

For example, control engineers know what a PLC or control loop is, but constantly underestimate the impacts that cyber threats have on their industrial processes.  IT professionals understand the risks, but often don’t understand the processes and components.

The furor over the Siemens vulnerabilities and the fear that Son-of-Stuxnet could be around the corner has raised awareness of the need for cyber security to be taken seriously by the process and critical infrastructure industries.

My optimism regarding Siemens and its approach to SCADA/ICS security has just taken another big hit. There are major security problems at Siemens and they are not close to fixing them.

I am embarrassed I gave them such high marks in my previous blogs.

Over the past week, I have been digging into the Siemens S7 PLC vulnerabilities that were discovered by Dillon Beresford at NSS Labs in May. In the first blog article, I analyzed the contradictory information being circulated in an attempt to scrape out a few facts and guesses on what PLC products are actually affected and what the nature of the vulnerabilities are.

In my previous blog, I analyzed the contradictory information being circulated regarding the Siemens S7 PLC vulnerabilities that were discovered by Dillon Beresford at NSS Labs in May. By studying the various Siemens and NSS notices, we were able to scrape out a few facts.