SCADA Security Directions 2013


January is the Cruelest Month

January is a month I dread. It’s not the cold, the rain and the grey skies here on the west coast of Canada (although that is bad enough). And it is not the post-Christmas avalanche of credit card bills (also bad). The nightmare for me is the annual “SCADA Security Predictions for the Next Year” article that I have to write in January.

 

It’s not only the cold, rainy, grey west coast weather in January that Eric Byres dreads; he also dreads predicting SCADA security events for the coming year. Image Credit: Kevin Oke Photography

 

You see, every January I get asked to make between three and five predictions for the upcoming year. Then every December people remind me that I made those predictions 12 months ago. Then they get to tell me how poorly I did. In between January and December I get to worry.

 

Take my predictions for 2012. I thought I had done well, getting two out of three predictions right with one still undecided. Then Sean McBride informed me that I had counted wrong. I had announced that there were 569 new SCADA/ICS vulnerabilities in 2012. Unfortunately (for me), this is the cumulative total since 2001. Only 248 new vulnerabilities were announced in 2012. Since I predicted there would be 500 new vulnerabilities in 2012, I was way off base and only scored 0.333 for my 2012 predictions. Not so good.

I Predict… That Not Much Will Change in 2013???

Part of the problem is that the industrial automation world moves glacially slowly compared to sectors like home computing or communications, making predictions of any significant change a challenge. As Dale Peterson of Digital Bond has pointed out, too little has changed in the past decade when it comes to SCADA security. He is right, but it is not just security that moves slowly in this industry. Things that take years in other sectors take decades for industrial systems.

 

Take industrial wireless – back at the turn of the century, it was promoted as the technology that would soon dominate the plant floor. Over ten years later, Frost & Sullivan Research Analyst Anna Mazurek writes, “The market needs another 4-5 years of pilot applications and technology trials to address all pending concerns...” Industrial wireless will come, but the time scale is much longer than a year or two.

 

Of course, I could take the easy way out and predict what will not happen in 2013. For example, the confusion over which NERC-CIP version companies should be complying with will not get sorted out in 2013. A cyber security bill will not get passed by the US Senate in 2013. And most PLC and SCADA vendors will continue to ship insecure controllers using insecure protocols in 2013.

 

But that is cheating, so once again I stick my neck out and make a few real predictions of events and trends in the SCADA and ICS world.

Prediction #1 – Tablets (iPad and Android) will start to be used in SCADA and ICS

Back in December, I blogged about a survey that asked engineers to identify their unfulfilled industrial networking desires. The number one item turned out to be “Connecting to the factory with a smart phone”. This is the year that the mainstream control system vendors will start promoting iOS apps and iPhones/iPads will start to be used for industrial applications.

 

Eric Byres’ number one prediction for 2013 is that tablets will start to make their way onto the plant floor, further complicating plant floor security. Image credit: Apple Store

 

As with all industrial technologies, we won’t see a full invasion of iDevices on the plant floor in 2013, but the wall will be breached. Maintenance and support will be the first applications. When your maintenance team is trying to repair that failed transmitter or troubleshoot that drive at 2:00 AM, it is very nice to be able to check the inventory system for spare parts or review the online manuals for troubleshooting advice. Being able to do that right where the problem is (rather than having to go back to the office) will be a powerful driver for allowing tablet devices on the plant floor.

 

This won’t be pretty from a security point of view, but we will have to get used to it. Maybe it will drive the industry to deploy holistic security strategies rather than the security band-aids so often seen now.

Prediction #2 – International Security Standards Start to Mature

One of the issues for companies wanting to start securing their ICS is the existence of so many competing SCADA and ICS security standards. Last year the security committees at ISA and IEC joined forces and the result was the ratification of ISA/IEC 62443-2-1 - Industrial automation and control systems security management system.

 

This year there will be more coalescing of different industry and national documents into coherent international standards. At the same time, the usability and consistency of the standards will improve – a number of new or substantially improved documents will be released – for example, a completely rewritten 62443-02-01 may be available before December.

Prediction #3 – Independent SCADA/ICS Security Professional Certifications Will Be Available

Today anyone who can use SCADA and security in the same sentence can call themselves a SCADA security expert. This year will see the release of certifications for SCADA/ICS Security Professionals. The best will be independent of both ICS/security vendors and the various training companies and will just focus on testing subject matter expertise.

Prediction #4 – The Industrial Safety World Makes Security a Priority

A few years ago, I predicted that companies would start to combine industrial safety and industrial security analysis. It happened, but much more slowly than I expected (surprise??). So I am dragging my old prophecy out again, but with a twist. This year, security consultancies like TUV will make a major push into the SCADA/process security markets (of course, safety companies like exida have been doing that for a few years now). At the same time, the IEC safety standards will start to be reevaluated in terms of security. Hopefully efforts like the LOGIIC analysis of Safety Instrumented Systems will start to make headlines too and not stay hidden under a bushel.

Prediction #5 - A Big Security Event will Impact Industrial Systems, This Time Close to Home

Last year I predicted that there would not be another major security event like Stuxnet – was I ever wrong. Flame and Shamoon, plus others like Gauss, hammered the energy industry in the Middle East. So this year, I will go the other direction and say there will be at least one major event impacting industry and it will be in either Europe or North America.

 

I hope I am wrong about this one.

 

How do you think ICS and SCADA security will change in 2013? Let me know your thoughts.


Related Links

•    Blog: SCADA Security 2012 Crystal Ball
•    Blog: 2012 SCADA Security Predictions - How Did Eric Byres Do?
•    Website, Digital Bond: S4 Basecamp
•    Website, Frost & Sullivan: Industrial Wireless Devices will Support Building Plants of the Future, Says Frost & Sullivan
•    Blog: The iPhone is coming to the Plant Floor – Can we Secure it?
•    Website, DHS: LOGIIC Safety Instrumented Systems (SIS) Project

 


 

Author Eric Byres


© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand



Prediction #1 was too easy

Prediction #1 was true before you made it. That's too easy.

Prediction #1 was too easy - Really?

I might have missed something, but I have not seen any mainstream control system vendors offering iOS apps for use on the plant floor.

Just to be clear, use of apps and mobile devices on the plant floor was the intent of my prediction. Certainly there are some start up companies offering that sort of mobile application. However no Emerson, Honeywell, or ABB sized players were offering true industrial apps that I can find.

For example, Honeywell has lots of offerings in the Apple Store, but when you look at these, they are all for their building automation business and not industrial. The other big DCS/PLC companies offer some business intelligence apps, but none of these seem to be intended for the plant floor. Emerson has what looks like a DeltaV app, but all it does is calculate your savings if you install a DeltaV. More marketing than industrial IMHO.

If you know of some true industrial apps for use on the plant floor, please do share them. It will make it a little easier for me to make my predictions this year. After last year's record, that would be a good thing :-)

Regards,
Eric

Prediction #4 – The Industrial Safety World Makes Security a Pri

Hello,
I agree with the prediction, but for a different reason.
While these issues have been known about for a long time, it is only more recently that wide scale ICS owners have started to take the threat seriously.

On the supply-side, we've tried hard with the scare stories, but they are largely unheard (apart from the top end of the market). What is starting to change is the understanding of the threat, so we are getting better visibility of the business risks at board level. This is leading to more questions being asked about how systems are being protected. From my perspective as a supplier, I’ve seen that translated into a greater level of enquiries about how can we protect ourselves.

Great blogs by the way – keep it up!

Colin
