I do worry about the security of our industrial control and SCADA systems. I have done for the last 24 years in fact, ever since I first encountered them. In my view the real problem has always been bridging the gap between the theoretical vulnerabilities of these systems and the everyday business reality of managing a process plant.
Seen from the plant manager’s perspective it’s very simple. There are pressures to cut costs, sweat assets and provide round-the-clock connectivity to remote or mobile engineers. These systems are rarely (if ever) brought down by a hacker or malware. But every now and then an auditor, IT or security person who knows next to nothing about how the plant works comes round and tells you to either disconnect the contractors who keep the plant running, or to rip out and rebuild all the instrumentation at enormous cost.
Not very compelling, is it? Unfortunately the security community have learned very little over the last 20 years about how to solve the problem. The first SCADA systems emerged in the late 1980s and many were quickly hacked through insecure public network connections. We designed makeshift firewalls to protect them (in those days we called them “relays” because the term “firewall” hadn’t been invented) but we failed to keep up with all the connectivity requirements and many early implementations were disconnected or bypassed.
Two decades later we face the same problem though the threat has become much more serious: professional attackers with sinister motives rather than casual teenage hackers. But many security professionals still don’t understand the business environment. Penetration testers turn up, conduct a few network scans and then recommend hardening or disconnecting insecure platforms. The problem is you can’t disconnect or patch essential platforms that need to run and be managed 24 hours a day.
A few years ago Idaho National Labs blew up an Aurora power generator through a hacking attack. Security professionals made a big deal about it, many suggesting we should disconnect them, though I have a suspicion that this particular attack could have been prevented by a $10 hardware enhancement. Why did nobody suggest that?
This week I see that Trend Micro have published a report on the security of Industrial Control Systems. Not surprisingly they found that there are lots of insecure platforms connected to the Internet. The answer? Disable Internet access and apply patches.
Am I alone in thinking that the answer should be to look at the methods of operation and the real potential hazards, and then come up with secure solutions that actually fit the operational requirements? Unfortunately we seem to have evolved a tick-box, commodity-based security profession that can do little more than point out the blindingly obvious.