SCADA Security Zeitgeist 2012
Google gave interviews over the holidays discussing the top searches done by people in various countries in 2012 (Google Zeitgeist 2012). “Zeitgeist” means “spirit of the age” or “spirit of the time”, and it is interesting to see that for the U.S. the top search for the year was for Whitney Houston, while in Germany it was for EM12 (European football championships) and in Australia it was for Gangnam Style. In a quick review, only Canada and Australia included beer among their most-searched categories, with Molson topping the list in Canada and XXXX (pronounced “four X”) topping the list in Australia.
I thought I would apply the zeitgeist idea to SCADA security topics, and using our own blog statistics (a limited view of the industry I admit, but the only one I have the data for), have determined the following list of hot topics for the year.
#10 - SCADA Security: Justifying the Investment
Our gut feeling and our business growth last year indicated that a lot more organizations became aware of the need to address industrial cyber security. More projects for both retrofitting cyber security and planning it into new projects are underway. The interest amongst our readers in how to justify the investment in SCADA security supports our experience.
Frank Williams’ article recommends that organizations do a risk assessment, estimate the cost of potential security incidents, and then work that up to an annual cost model. The next step is to relate expenditure on ICS security to that model. The key is not to get bogged down in over analysis, but still have a pragmatic numbers-based rationale for security investment.
#9 - SCADA Security Basics: Why are PLCs so Insecure?
Another indicator that more and more people and organizations are concerned about SCADA security was the response to an article about why PLCs are insecure. It is a simple question, and Erik Schweigert, one of our embedded developers, explained how PLCs were developed before cyber security was a concern, in fact before the Internet existed.
His speculations on what would have been different if security had been considered in PLC design sparked quite a dialogue, with this blog generating more comments than any other blog last year. The comments stressed the difference between IT and ICS security, and the need for incentives such as customer demands or a clear adversary to spur automation vendors to design more secure products.
Before PLCs, racks of relays, like the ones shown above (circa 1965), controlled industrial automation systems. Source: XL
#8 - Why SCADA Firewalls Need to be Stateful – Part 1 of 3
Joel Langill of SCADAhacker.com did a good job of explaining why it’s important for a firewall to know the “state” of a connection (based on previous traffic) when evaluating how to respond to the current packet. For example, a simplistic firewall would accept DNS response packets when no DNS query was ever issued, which could lead to a denial of service attack that could bring a system down.
This article was part one of a three part series. The series generated comments questioning whether discussing state is important nowadays since there “are no longer stateless firewalls out there”. However, Eric Byres responded that he has “found many stateless firewalls (and switches pretending to be firewalls), installed by consultants and vendors who should know better.” As Eric indicated, the point of this series was to educate engineers about the need for “stateful firewalls” and we hope it contributes to that goal.
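To make the DNS example from the series concrete, here is an added illustration (not code from the original article or from Tofino Security) of the state a firewall has to keep: a response is accepted only if a matching query, keyed on the two endpoints and the DNS transaction id, was seen first. The packets and addresses are constructed for the demo; only the 12-byte DNS header is inspected.

```python
import struct

def dns_header(payload: bytes):
    """Return (transaction id, is_response) from a DNS header, or None if truncated."""
    if len(payload) < 12:                 # ID, FLAGS, QD, AN, NS, AR counts = 12 bytes
        return None
    txid, flags = struct.unpack("!HH", payload[:4])
    return txid, bool(flags & 0x8000)     # QR bit set means this is a response

class StatefulDnsFilter:
    """Accept a DNS response only if the matching query was seen first.
    A stateless rule such as 'allow UDP from port 53' would accept every response."""
    def __init__(self):
        self.pending = set()              # (client, server, txid) of unanswered queries

    def handle(self, src, dst, payload: bytes) -> str:
        hdr = dns_header(payload)
        if hdr is None:
            return "DROP"                 # malformed / truncated header
        txid, is_response = hdr
        if not is_response:
            self.pending.add((src, dst, txid))
            return "ACCEPT"
        key = (dst, src, txid)            # a response flows back toward the querier
        if key in self.pending:
            self.pending.discard(key)     # one response per query; replays are dropped
            return "ACCEPT"
        return "DROP"                     # unsolicited response: no state for it

# Constructed sample packets and endpoints (not captured from a real network)
QUERY    = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)
RESPONSE = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
CLIENT, SERVER = ("10.0.0.5", 5353), ("10.0.0.1", 53)

def run_demo():
    """Feed four packets through the filter and return the verdicts in order."""
    fw = StatefulDnsFilter()
    return [
        fw.handle(SERVER, CLIENT, RESPONSE),  # unsolicited response -> DROP
        fw.handle(CLIENT, SERVER, QUERY),     # query opens state    -> ACCEPT
        fw.handle(SERVER, CLIENT, RESPONSE),  # matching response    -> ACCEPT
        fw.handle(SERVER, CLIENT, RESPONSE),  # replay, state gone   -> DROP
    ]

if __name__ == "__main__":
    print(run_demo())
```

A production firewall would also age out entries in `pending` so that queries that never get an answer do not accumulate state.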
#7 - Defense in Depth is Key to SCADA Security - Part 1 of 2
Defense in Depth is the cornerstone of our SCADA security philosophy at Tofino Security and throughout Belden. We were glad to see that so many people were interested in reading about its principles last year.
#6 - SCADA Security & Deep Packet Inspection – Part 1 of 2
The two-part series on Deep Packet Inspection (DPI), like the series Why Firewalls Need to be Stateful, examines limitations of SCADA and ICS protocols. In this case the limitation is that, because of the lack of granularity of industrial protocols, a data read message looks exactly like a firmware update message to a conventional firewall. A DPI firewall first applies the traditional firewall rules and then examines the content of the contained messages, applying more detailed rules.
DPI firewalls, like the Tofino Modbus TCP Enforcer, can determine if a message is a read or a write message and drop the write messages. They can also “sanity check” traffic for strangely formatted messages or unusual behaviors and block them. Part 2 of this series went on to explain the need for DPI firewalls in this new era of advanced malware.
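As an added illustration of the read-versus-write and sanity-check ideas above (this is not the Tofino Enforcer's code, and the frames are constructed for the demo), the following parses one Modbus TCP request, allows read function codes, blocks write function codes, and drops frames whose MBAP header or read quantity does not add up:

```python
import struct

READ_FUNCS = {1, 2, 3, 4}             # read coils / discrete inputs / holding / input registers
WRITE_FUNCS = {5, 6, 15, 16, 22, 23}  # writes to coils and registers, mask write, read+write
MAX_QTY = {1: 2000, 2: 2000, 3: 125, 4: 125}  # per-request limits from the Modbus spec

def inspect_modbus_request(frame: bytes) -> str:
    """Classify one Modbus TCP request ADU (7-byte MBAP header + PDU).
    Returns 'ACCEPT', 'BLOCK-WRITE' or 'DROP-MALFORMED'."""
    if len(frame) < 8:                       # MBAP header + at least a function code
        return "DROP-MALFORMED"
    txid, proto, length, unit = struct.unpack("!HHHB", frame[:7])
    # Protocol id must be 0 for Modbus; the length field counts unit id + PDU bytes
    # and must agree with what is actually on the wire (PDU is at most 253 bytes)
    if proto != 0 or length != len(frame) - 6 or length > 254:
        return "DROP-MALFORMED"
    func = frame[7]
    data = frame[8:]
    if func in READ_FUNCS:
        if len(data) != 4:                   # start address + quantity, nothing else
            return "DROP-MALFORMED"
        _start, qty = struct.unpack("!HH", data)
        if not 1 <= qty <= MAX_QTY[func]:    # out-of-spec quantity: strangely formatted
            return "DROP-MALFORMED"
        return "ACCEPT"
    if func in WRITE_FUNCS:
        return "BLOCK-WRITE"                 # policy: this zone is read-only
    return "DROP-MALFORMED"                  # unknown or vendor-specific function code

# Constructed sample frames (not captured from any real PLC)
SAMPLES = {
    "read_10_regs":  struct.pack("!HHHBBHH", 1, 0, 6, 1, 3, 0, 10),      # FC3, qty 10
    "write_reg":     struct.pack("!HHHBBHH", 2, 0, 6, 1, 6, 0, 0x1234),  # FC6 write
    "bad_length":    struct.pack("!HHHBBHH", 3, 0, 20, 1, 3, 0, 10),     # MBAP length lies
    "oversize_read": struct.pack("!HHHBBHH", 4, 0, 6, 1, 3, 0, 200),     # qty > 125
}

def run_samples():
    """Return the verdict for each constructed sample frame."""
    return {name: inspect_modbus_request(f) for name, f in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in run_samples().items():
        print(f"{name:14s} -> {verdict}")
```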
#5 - Honeywell Leads ICS and SCADA World with ISASecure Certifications
Eric Byres discussed why ISASecure certification is valuable in this article. It is because the ISASecure testing includes not just Communications Robustness Testing (CRT) but also Functional Security Assessment and Software Development Security Assessment. These tests consider the underlying design, development practices and vendor recommended deployment of the product, rather than just whether it stands up to some bad traffic.
After this article there was a debate in the blogosphere whether ISASecure means a product is truly secure or not. Our point of view is that ISASecure is a good indicator of security, and a major step forward for the SCADA/ICS world, while not an absolute guarantee of a product’s security.
#4 - Shamoon Malware and SCADA Security – What are the Impacts?
Blogs that discuss current SCADA security events were very popular with our readers. This article looked at the very surprising Shamoon malware that, while not a sophisticated piece of code, succeeded in destroying the data on 30,000 to 55,000 computers at Saudi Aramco and other oil and gas concerns in the region.
Leon Panetta, the U.S. Defense Secretary described Shamoon as the most destructive attack the business sector has seen to date and a “significant escalation of the cyberthreat.” One of our readers concurred “I think Shamoon is the most worrying event in security, not so much because Shamoon is very advanced malware – it isn’t, but [because of] the destructive nature of the malware.”
Saudi Aramco’s headquarters complex. This is one of the sites where workstation hard drives were wiped clean by the Shamoon virus. Photo: Wikipedia
For automation professionals, although Shamoon did not impact SCADA or ICS systems, it is an indicator of how much industry, especially the energy industry, is the focus of cyber attackers. In addition, the Shamoon attack should inspire all organizations to re-evaluate the threat level they assign to insiders and “hacktivists” in their risk assessments.
#3 - Cyber Security Nightmare in the Netherlands
Another hot current event blog, written by Rob Hulsebos of Enode Networks, discussed the multiple cyber security threats the Netherlands faced early in 2012. The weak security and data mishaps detailed in the article added up to the disconcerting realization that the safety and privacy of millions of Dutch people were poorly protected.
#2 - Flame Malware and SCADA Security: What are the Impacts?
Flame, the super worm that exploded onto the cyber security scene in May of 2012, targeting the energy industry, was yet another security event that a lot of readers were keen to learn about. Similar to Stuxnet in the sense that it was a very sophisticated piece of code, Flame was a carefully crafted attack toolkit for industrial or political espionage.
Courtesy: David Ayres
Although Flame was an information stealer rather than a saboteur of industrial systems, it indicates that industry, especially the energy industry, is now a key target in a rapidly growing world of sophisticated, government sponsored malware.
Eric Byres concluded: “Call it ‘cyber warfare’ or ‘cyber hype’, the bottom line is that the information/networked world is getting nastier by the day and SCADA and ICS is part of that world.”
#1 - #1 ICS and SCADA Security Myth: Protection by Air Gap
Our number one most read blog explains what Eric Byres thinks is the number one Myth of SCADA Security: Protection by Air Gap.
While an attractively simple sounding solution, in practice air gaps do not work. Today’s modern control systems need a diet of electronic information from the outside world. Severing the network connection with an air gap simply spawns new pathways – pathways like the mobile laptop and the USB key, which are more difficult to manage and just as easy to infect.
Eric Byres presenting "Unicorns and Air Gaps" at AusCERT 2012
While control system vendors and government authorities have accepted that a true air gap is impossible, there are still many end users and consultants who have not. Eric urges these groups to face up to the fact that modern malware like Stuxnet and Flame can take advantage of multiple pathways to the control system (such as “sneakernet” CDs, serial lines, USB drives etc.). Today’s cybersecurity countermeasures must address the reality of multiple pathways rather than cling to the air gap myth.
SCADA Security Zeitgeist 2012
In summary, the top topics for our readers in 2012 were:
• SCADA and ICS security concepts (why PLCs are insecure, why firewalls need to be stateful, Defense in Depth, Deep Packet Inspection, the myth of air gaps)
• Justifying the investment in SCADA security
• ISASecure certification of SCADA and ICS products
• The major cyber incidents of the year: Flame, Shamoon and cyber security incidents in the Netherlands
Does this list reflect the significant ICS security topics and trends of 2012 for you? Let us know your thoughts.
Related Content to Download
Technical Briefing Kit - "Understanding Deep Packet Inspection for SCADA Security"
Related Links – Top 10 Blog Articles of 2012
1. Blog: #1 ICS and SCADA Security Myth: Protection by Air Gap
2. Blog: Flame Malware and SCADA Security: What are the Impacts?
3. Blog: Cyber Security Nightmare in the Netherlands
4. Blog: Shamoon Malware and SCADA Security – What are the Impacts?
5. Blog: Honeywell Leads ICS and SCADA World with ISASecure Certifications
6. Blog: SCADA Security & Deep Packet Inspection – Part 1 of 2
7. Blog: Defense in Depth is Key to SCADA Security - Part 1 of 2
8. Blog: Why SCADA Firewalls Need to be Stateful – Part 1 of 3
9. Blog: SCADA Security Basics: Why are PLCs so Insecure?
10. Blog: SCADA Security: Justifying the Investment
© Tofino Security 2013 | All Rights Reserved | Tofino Security is a Belden Brand