My blog has been very quiet lately as I’ve been on vacation. I seem to have come back to a changed world, one which has woken up to the reality that industrial process supervisory systems are actually vulnerable to attack by sophisticated malware, such as the Stuxnet worm. It’s a new scare to the average citizen, but one that should come as no surprise to any security professional.
I’ve been concerned about this issue for twenty years, having worked in the oil and gas industry and seen, at first hand, the way that SCADA systems are designed and operated. In the early days, the biggest problem was that the engineers who built them had absolutely no security experience and liked to dial in over unauthenticated links to maintain them.
Even after many of them had been well and truly hacked, by relatively benign hackers, the security solution space was dogged by the fact that their use tended to fall outside the scope of the IT Security function. The primary business concern was safety and reliability, rather than security and sabotage (a mindset that focuses on cock-up more than conspiracy). And these systems were felt to be reasonably well protected, as they used specialised operating systems and private infrastructure. Complacency was further fuelled by an absence of major incidents.
This situation is a typical consequence of our flawed approach to risk management. New technologies don’t come equipped with appropriate security countermeasures. Risk assessments are backward-looking, and standards don’t emerge until long after associated problems have surfaced. We also apply security to the wrong end of the system development cycle, starting with operational fixes that have an immediate impact, rather than focusing on the root causes of inappropriate security requirements and design principles.
Quick fixes are not good enough to deter a targeted, sophisticated threat from a well-funded, hostile intelligence service. Today’s SCADA systems were not designed to withstand zero-day attacks from knowledgeable agencies with the capability to exploit the wide range of human weaknesses present in everyday operations. Mitigating such risks demands a step change in the security standards for building and operating systems supporting critical national infrastructure.
In particular, we need to focus on the early stages of the systems design cycle and incorporate plenty of additional defence-in-depth to take account of future increases in the security risk environment. Realising this will be a challenge in the current economic environment, but there is no prudent alternative. We must bite this bullet to get to grips with the new threat environment.