SCADA security arms race underway

The race between industrial control system attackers and defenders didn't start with the Stuxnet worm...

While the race between industrial control system attackers and defenders didn't start with the Stuxnet worm, it certainly acted as a catalyst to a new arms race and more researchers taking a closer look at the quality of SCADA software.

For instance, just days ago, the three-person Moscow-based security consultancy Gleg announced it would update its Agora exploit pack (used in security testing applications) with scores of zero-day SCADA system vulnerabilities that had just been released. Some of those vulnerabilities were released with exploit code.

That release of SCADA exploits prompted a flurry of activity among some in the security community. Security and SIEM vendor Nitrosecurity, for instance, along with the Emerging Threats open source community, the Open Information Security Foundation, and control system security consultancy Digital Bond and others, worked together to deliver intrusion detection signatures for SCADA vulnerabilities released by security researcher Luigi Auriemma.

Now, with the release of zero-day vulnerabilities for the software that controls industrial systems -- much in the way vulnerabilities are fully disclosed for enterprise and consumer applications -- some are now asking if SCADA system security is going to quickly begin to resemble the security of traditional software and operating systems.

"There are some parallels between SCADA and traditional PC/server security problems," says Gartner analyst John Pescatore. "Windows and other commercial operating systems were first written assuming they would only be connected to trusted LANs, and when they were connected to the Internet all hell broke loose," he says. "Most SCADA, process control, and medical machinery was written assuming it would only be on an isolated, trusted network. But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Pescatore says.

Adds Scott Crawford, managing research director Enterprise Management Associates, "That has been a longstanding assumption about SCADA security that bears some investigation," he says. "The biggest assumption in my mind is that these are mostly non-networked systems or their networks are meaningfully 'air gapped' from more public environments. While that may be true in some deployments, it begs the question of how difficult it would be for a malicious party to move from a widely accessible target to a more protected one such as a SCADA system. It also begs the question of how well these environments are instrumented to detect potential compromise," Crawford says.

If the recent flurry of SCADA vulnerabilities and the success of Stuxnet are any indication, than it's not too far a leap to expect industrial system operators to start to more carefully look for exploit and malware attacks. And the extent that is being done varies greatly from one company to the next, says Mohan Ramanathan, solutions architect for critical infrastructure at Nitrosecurity. "Some are taking it very seriously, and they're deploying the appropriate monitoring and intrusion prevention systems to protect these networks, while others are nowhere near that mature," Ramanathan says.

However, Gartner's Pescatore does not see SCADA and process control systems security as entirely similar to traditional IT security efforts. "These systems are mostly limited to single-function servers or appliances, vs. user PCs. Simple strategies like whitelisting have proven very effective on things like ATM machines, kiosks and other servers or appliances where users don't have to be allowed to install arbitrary software," he says. He also contends that the same level of profit motive doesn't exist to attack these systems. "The vast majority of clever attack code is written by those looking for financial gain -- even Stuxnet mostly used known techniques bundled together, and the vast majority of attacks going against process control systems are nowhere near as sophisticated as Stuxnet," he says.

Maybe so, but if Ramanathan is correct, it may not be as smooth a ride for SCADA system operators in the future as it was in the past. "In terms of the general threat landscape, over the last five or 10 years, the development of exploits and attacks have been relatively low. However, we've seen a rapid increase in the development of attack software to get into these systems as well as more attack traffic," he says. "It's definitely an area that is heating up."

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme [http://www.twitter.com/georgevhulme].

Read more about network security in CSOonline's Network Security section.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.

Tags risk managementmanagementdata securityNetworkingsoftwarenetwork securityfirewallsSCADAStuxnetGleg

Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

George V. Hulme

CSO (US)
Show Comments

Cool Tech

Bang and Olufsen Beosound Stage - Dolby Atmos Soundbar

Learn more >

Toys for Boys

ASUS ROG, ACRONYM partner for Special Edition Zephyrus G14

Learn more >

Nakamichi Delta 100 3-Way Hi Fi Speaker System

Learn more >

Sony WF-1000XM3 Wireless Noise Cancelling Headphones

Learn more >

Family Friendly

Mario Kart Live: Home Circuit for Nintendo Switch

Learn more >

Philips Sonicare Diamond Clean 9000 Toothbrush

Learn more >

Stocking Stuffer

SunnyBunny Snowflakes 20 LED Solar Powered Fairy String

Learn more >

Teac 7 inch Swivel Screen Portable DVD Player

Learn more >

Christmas Gift Guide

Click for more ›

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers

MSI P65

This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang

MSI GT76

It really doesn’t get more “gaming laptop” than this.

Jack Jeffries

MSI GS75

As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr

MSI PS63

The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?