SCADA Security

Three years ago, the concept of industrial cyber security became a popular discussion topic within the industrial networking community. Now the discussion has risen to the level of heads of state within the international community. The Executive Order – Improving Critical Infrastructure Cybersecurity signed by President Obama in February of this year is just one indication of the importance being attached to this issue.

In my last blog, I shared some secrets on how to successfully use patching in SCADA and control systems.

This week, I’ll look at the pros and cons of using compensating controls as an alternative to patching, and discuss the requirements for success.

If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!

In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.

As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.

Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.

Last week I received am email (shown further down on this page) purporting to be from the US Internal Revenue Service (IRS).

Editor’s Note: This is an excerpt from ISSSource.

It wasn’t that long ago when cyber security seemed like a foreign language to those folks entrusted with running companies. It was not like they didn’t know about it, but it just was not top of mind.

Not anymore.

With cyber threats evolving to the point where they are affecting their companies and their customer’s companies, chief executives are taking a new look and approach to how they attack cyber security.

Editor's Note: this is an excerpt from the Pike Research Blog.

The story goes that a group of business people were stranded on a desert island with a bountiful supply of canned and therefore imperishable food, but no way to open the cans. As the group struggled to find a solution the lone economist in the group piped up, “Assume a can opener…”

We all agree that SCADA and Industrial Control System security needs to improve. However there is a lot of disagreement on what exactly needs to happen to make security for industrial systems easier to deploy and more effective.

As a reader of this blog you likely don’t need to be convinced that SCADA and ICS Security need to be greatly improved. There are several ways to go about accomplishing that, and I am glad that there is a healthy dialogue underway on this topic within the industrial security community. This includes the back and forth between myself and Dale Peterson of Digital Bond, that continues with this article.

The SCADA Security Scientific Symposium (S4), put on by Digital Bond every year, is an event I look forward to. It brings together the leading researchers and thinkers on ICS security and is always exciting.

Google gave interviews over the holidays discussing the top searches done by people in various countries in 2012 (Google Zeitgeist 2012). “Zeitgeist” is “spirit of the age or spirit of the time” and it is interesting to see that for the U.S. the top search for the year was for Whitney Houston, while in Germany it was for EM12 (European football championships) and in Australia it was for Gangnam Style.

Early in 2012 Eric Byres wrote a blog article predicting what he thought would happen in 2012 with regards to SCADA and ICS security. I went back to his blog and highlighted the four main predictions he made. Then I asked him to rate himself on each one.

Browsing this week’s industry newsletters, I noticed that Automation World had two related stories on new technologies:

Editor's Note

Last year Eric’s holiday gift suggestion got his culinary juices flowing with the idea of a sous-vide oven; or for the true controls engineer, the plans to build your own. He was pleasantly surprised a few weeks later, when a sous-vide oven arrived under the tree.

“Lacking extravagant IT budgets, automation systems also require cyber security systems that just work, with a minimum of human intervention.”

Who is responsible for fixing the thousands (some say 100,000) of vulnerabilities that exist in PLCs, DCS, RTUs and other automation devices that are in use in facilities around the world?

On the one hand, we have the position of Dale Peterson at Digital Bond. Dale ardently argues for (and takes) aggressive measures to pressure ICS vendors into making their products more secure. Through their 2012 Project Basecamp and subsequent disclosures, Digital Bond publically released vulnerability details for a large number of controllers.

In last week's blog, Heather wrote an excellent summary of Mark Cooksley's network security presentation regarding "Why Industrial Networks are Different than IT Networks". In it she noted that the number one goal of ICS security is based on the concern for safety. This is spot-on in my opinion. However, there is more to consider when it comes to industrial security priorities…

Previously we looked at the question of “Why are PLCs so insecure?” Today we are going to come at SCADA security from another angle, which is “Why is securing Industrial Networks different than securing IT Networks?” We will also look at three ways to address these differences.