Jonathan Pollet, founder of Red Tiger Security, a consulting and testing company that specializes in SCADA and critical infrastructure, notes: "SCADA Engineers and System Integrators know how to design, commission, and maintain real-time control systems, but typically do not have the right skill sets and training to embed security into those systems. They typically do not understand how to properly harden the servers, operator workstations, and network infrastructure, and in most cases, these systems are commissioned with default passwords and administrator accounts with no passwords."
Despite the lack of awareness about SCADA security among most security professionals, the risks associated with SCADA exploits and vulnerabilities are significant. The very worst-case scenarios of distributed SCADA attacks include bringing down the power grid of a major metropolitan city (or cities) and tampering with the temperature monitoring at a nuclear power plant, causing a meltdown. Yet, rather alarmingly, the exposures in existing SCADA systems read like a penetration test of an Internet-connected company circa 1998. If that sounds far-fetched, consider the May 2010 report from the Idaho National Laboratory for the US Department of Energy, which documents results from 24 ICS (industrial control systems) assessments completed between 2003 and 2009. The report found:
"Large ICS attack surfaces created by excessive open ports allowed through firewalls and unsecure and excessive services listening on them. Well-known unsecure coding practices account for most of the ICS software vulnerabilities, which result in system access vulnerability or Denial of Service (DoS)." (NSTB Assessments Summary Report: Common Industrial Control System CyberSecurity Weaknesses, May 2010)
"The underlying systems that control and monitor the generation, transmission, and distribution of electric power are utilizing similar computer networking components and architectures as Enterprise IT networks, yet they do not receive the same level of security maintenance or lifecycle planning. These systems often are at least a year out of patch cycle, typically do not have any logging enabled, and rarely utilize any monitoring defense techniques like IDS, network, or host event monitoring." (The Dirty Underbelly of SCADA)
Knowing that the systems managing our critical infrastructure have large attack surfaces and may be up to a year out of date on patches is a sobering realization. However, there is a bright side to this equation: we already know how to correct many of these problems. Although patch testing cycles and technical control change management processes may take longer for critical infrastructure and other high-value devices (such as medical equipment), as network and application security professionals we have long histories of implementing patches and controls. In other words, while SCADA networks are not the same animal as a typical Fortune 1000 corporate network, many of the lessons we have learned on corporate networks can be applied, carefully and with appropriate caution, to SCADA systems.
Take a look at some of the recommendations from the INL report to the DOE:
- Create a security culture
- Enhance ICS test suites
- Redesign network protocols for security
- Create custom protocol parsers for common IDSs
- Implement and test strong authentication and encryption mechanisms
--Sample recommendations taken from: NSTB Assessments Summary Report: Common Industrial Control System CyberSecurity Weaknesses May 2010
These are steps and approaches that security professionals have worked with for years. While it may take some time for those of us without SCADA experience to get up to speed, there's no excuse for SCADA security to exist in a vacuum without proper risk management and controls.
In addition to traditional network security professionals getting up to speed on SCADA, another critical step is for SCADA experts, engineers, and integrators to start working collaboratively with security teams to improve the protection of SCADA systems and close the exposure gap. Pollet comments that SCADA professionals ". . . see security as an IT problem." He explains that the problem with simply chucking the responsibility over the fence to the IT side is that while IT professionals understand security, they often have never worked in or around industrial plant environments, and lack an understanding of how SCADA systems function.
As seasoned IT risk professionals know, security works best when it is built in from the very beginning of the process. Bolt-on security is costly and inefficient. To strengthen our critical infrastructure we must work together and incorporate security throughout the development and implementation of SCADA deployments. If you're an IT security expert, take time to read through the documents cited in this article and consider getting more involved with SCADA security.
Additional SCADA resources recommended by Red Tiger Security:
US CERT Control Systems Security Program (CSSP) web site: http://www.us-cert.gov/control_systems/
ICSJWG conferences (held twice a year): http://www.us-cert.gov/control_systems/icsjwg/index.html
SANS SCADA conferences (held every year in the US and Europe): http://www.sans.org/eu-scada-security-summit-2010/
Red Tiger 5 Day SCADA Security Training: http://www.redtigersecurity.com/scada-security-advanced-5-day/
Red Tiger RSS feeds: http://www.redtigersecurity.com/rss/