ICS

Today I am glad to be writing about a good news story. That story is that Belden's Eric Byres is being awarded the ISA (International Society of Automation) Excellence in Leadership award for his contributions to the automation industry in the area of industrial security.

This award must be particularly exciting for Eric because it is ISA's most prestigious award and is awarded by his peers, that is, members of ISA.

ISA President Terrence G. Ives remarked:

Engineers as well as IT staff in the process control and SCADA industries have varying levels of knowledge about industrial cyber security. We come across this regularly when talking to people at industry events or speaking with customers or partners. To help you, no matter where you are in the learning curve, we have recently released a five-part video series.

This article summarizes the videos and provides you with direct access to them.

This is an excerpt from the Think Forward blog at verizonbusiness.com

In a move that may be helpful for critical infrastructure asset owners, on July 23  the Industrial Control Systems Joint Working Group (ICSJWG) published a new document on a framework for disclosing Industrial Control System (ICS) vulnerabilities.

 I am flying home from Digital Bond’s S4 SCADA Security Symposium as I write this (BTW this was a stellar event where, even as a security expert, I learnt an amazing amount).  After listening to two days of excellent, but scary talks, the first thing that comes to mind is “SCADA/ICS security is in worse shape than I thought”. Much worse shape…

On December 12, Rubén Santamarta publicly announced details of multiple vulnerabilities affecting the Schneider Electric Quantum Ethernet Module. These are serious vulnerabilities, involving hard-coded passwords that give an attacker complete access to the device.  As Reid Wightman puts it 

Last week I discussed the first steps to take to get started to improve ICS and SCADA Security in your facility.  Those steps included:

• Step 1 - Conducting a Security Risk Assessment,
• Step 2 - Learning Industrial Cyber Security Fundamentals, and
• Step 3 - Understanding the Unique Requirements of ICS and SCADA Cyber Security.

This week I discuss the remainder of the process.

Earlier this month I came across a great article called “The new paradigm for utility information security: assume your security system has already been breached” by Ernie Hayden of Verizon’s Global Energy & Utility Practice.  I highly recommend you read it, for the reasons I explain in this blog post.

In the past two months, the number of serious security vulnerabilities being reported in SCADA and ICS products has sky rocketed. In late March, I blogged about how Luigi Auriemma published 34 vulnerabilities (with free exploit code) for 4 popular HMI packages.

Nowadays Stuxnet has become a household term the second anyone talks about cyber security for industrial control systems (ICS). This sophisticated piece of malware first identified in 2010, showed just how powerful an ICS compromise could be in terms of both the impact to manufacturing operations and the possibility of mechanical damage. Was this an isolated attack, unlikely to occur again, or the beginning of a new era in ICS security issues?

One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.

Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than  technology solutions.  This sounds good on the surface, but I’m not sure it’s true.

Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.

Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry.

Thirty-Four SCADA Product Vulnerabilities

On Monday an Italian “Security Researcher” published a raft of vulnerabilities (34 in all) against four SCADA products. Below are the affected products with links to the US-CERT announcements:

There has been a lot of media coverage and discussion of the Stuxnet malware, and its impact on industrial control system (ICS) and SCADA security. We are one of the groups guilty of creating a Stuxnet publishing industry.

Over the past four months, Joel Langill, Andrew Ginter and I have been working on a really cool research project. We have been investigating how Stuxnet would infect an industrial site protected by a “high security architecture.”

February has not been a good month for ICS and SCADA security, at least not if you want to feel secure.

Last week I had the chance to attend a very interesting seminar at the Stanford Research Institute called the DHS/SRI Infosec Technology Transition Council Meeting (ITTC). It wasn’t focused on SCADA or ICS or even Stuxnet, yet some of the talks had a lot of applicability to the control systems world.

Recently a partner of ours, Invensys Operations Management, won the prestigious Breakthrough Product of the Year Award for 2010 from Processing Magazine. They won it for a product that we helped engineer, the Triconex Tofino OPC Firewall.

We think this is a big deal for two reasons. Obviously one reason is that a product we help create won a major award – pretty cool.

Over the past month, there has been no shortage of reports on how Stuxnet is attacking the Iranian Nuclear Program. Unfortunately, good advice on what exactly Industrial Control System (ICS) owner/operators can do to protect themselves against Stuxnet (and its future offspring) is in short supply. In fact much of what passes as technical guidance is either too IT-focused or simply wrong.

In reviewing material about Industrial Control Systems (ICS) there is one element that, in my opinion, is the most important factor to consider - especially in light of the recent hubbub about Stuxnet and ICS Security. That element is human centered design.

Every aspect of the control system life cycle, whether it is Concept, Design, Construction, Operation, Maintenance, Safety or Security, includes the human element. It is nothing new, but we all see time and time again where human factors, rather than technical factors play a major role in security and or safety issues.