SCADA security arms race underway

While the race between industrial control system attackers and defenders didn't start with the Stuxnet worm, it certainly acted as a catalyst to a new arms race and more researchers taking a closer look at the quality of SCADA software.

For instance, just days ago, the three-person Moscow-based security consultancy Gleg announced it would update its Agora exploit pack (used in security testing applications) with scores of zero-day SCADA system vulnerabilities that had just been released. Some of those vulnerabilities were released with exploit code.

That release of SCADA exploits prompted a flurry of activity among some in the security community. Security and SIEM vendor Nitrosecurity, for instance, along with the Emerging Threats open source community, the Open Information Security Foundation, and control system security consultancy Digital Bond and others, worked together to deliver intrusion detection signatures for SCADA vulnerabilities released by security researcher Luigi Auriemma.

Now, with the release of zero-day vulnerabilities for the software that controls industrial systems -- much in the way vulnerabilities are fully disclosed for enterprise and consumer applications -- some are asking whether SCADA system security will quickly begin to resemble the security of traditional software and operating systems.

"There are some parallels between SCADA and traditional PC/server security problems," says Gartner analyst John Pescatore. "Windows and other commercial operating systems were first written assuming they would only be connected to trusted LANs, and when they were connected to the Internet all hell broke loose," he says. "Most SCADA, process control, and medical machinery was written assuming it would only be on an isolated, trusted network. But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Pescatore says.

Adds Scott Crawford, managing research director at Enterprise Management Associates, "That has been a longstanding assumption about SCADA security that bears some investigation," he says. "The biggest assumption in my mind is that these are mostly non-networked systems or their networks are meaningfully 'air gapped' from more public environments. While that may be true in some deployments, it begs the question of how difficult it would be for a malicious party to move from a widely accessible target to a more protected one such as a SCADA system. It also begs the question of how well these environments are instrumented to detect potential compromise," Crawford says.

If the recent flurry of SCADA vulnerabilities and the success of Stuxnet are any indication, then it's not too far a leap to expect industrial system operators to start looking more carefully for exploits and malware attacks. The extent to which that is being done varies greatly from one company to the next, says Mohan Ramanathan, solutions architect for critical infrastructure at Nitrosecurity. "Some are taking it very seriously, and they're deploying the appropriate monitoring and intrusion prevention systems to protect these networks, while others are nowhere near that mature," Ramanathan says.

However, Gartner's Pescatore does not see SCADA and process control systems security as entirely similar to traditional IT security efforts. "These systems are mostly limited to single-function servers or appliances, vs. user PCs. Simple strategies like whitelisting have proven very effective on things like ATM machines, kiosks and other servers or appliances where users don't have to be allowed to install arbitrary software," he says. He also contends that the same level of profit motive doesn't exist to attack these systems. "The vast majority of clever attack code is written by those looking for financial gain -- even Stuxnet mostly used known techniques bundled together, and the vast majority of attacks going against process control systems are nowhere near as sophisticated as Stuxnet," he says.

Maybe so, but if Ramanathan is correct, it may not be as smooth a ride for SCADA system operators in the future as it was in the past. "In terms of the general threat landscape, over the last five or 10 years, the development of exploits and attacks have been relatively low. However, we've seen a rapid increase in the development of attack software to get into these systems as well as more attack traffic," he says. "It's definitely an area that is heating up."

George V. Hulme writes about security and technology from his home in Minneapolis. He can be found on Twitter as @georgevhulme [http://www.twitter.com/georgevhulme].

George V. Hulme

CSO (US)