Waking up to the emerging cyber security threat landscape

My blog has been very quiet lately as I’ve been on vacation. I seem to have come back to a changed world, one which has woken up to the reality that industrial process supervisory systems are actually vulnerable to attack by sophisticated malware, such as the Stuxnet worm. It’s a new scare to the average citizen, but one that should come as no surprise to any security professional.

I’ve been concerned about this issue for twenty years, having worked in the oil and gas industry and seen, at first hand, the way that SCADA systems are designed and operated. In the early days, the biggest problem was that the engineers who built them had absolutely no security experience and liked to dial in over unauthenticated links to maintain them.

Even after many of them had been well and truly hacked, by relatively benign hackers, the security solution space was dogged by the fact that their use tended to fall outside the scope of the IT Security function. The primary business concern was safety and reliability, rather than security and sabotage (a mindset that focuses on cock-up more than conspiracy). And these systems were felt to be reasonably well protected, as they used specialised operating systems and private infrastructure. Complacency was further fuelled by an absence of major incidents.

This situation is a typical consequence of our flawed approach to risk management. New technologies don’t come equipped with appropriate security countermeasures. Risk assessments are backward-looking, and standards don’t emerge until long after associated problems have surfaced. We also apply security to the wrong end of the system development cycle, starting with operational fixes that have an immediate impact, rather than focusing on the root causes of inappropriate security requirements and design principles.

Quick fixes are not good enough to deter a targeted, sophisticated threat from a well-funded, hostile intelligence service. Today’s SCADA systems were not designed to withstand zero day attacks from knowledgeable agencies with the capability to exploit the wide range of human weaknesses present in everyday operations. Mitigating such risks demands a step change in the security standards for building and operating systems supporting critical national infrastructure.

In particular, we need to focus on the early stages of the systems design cycle and incorporate plenty of additional defence-in-depth to take account of future increases in the security risk environment. Realising this will be a challenge in the current economic environment, but there is no prudent alternative. We must bite this bullet to get to grips with the new threat environment. 

Join the conversation

1 comment

Send me notifications when other members comment.

Please create a username to comment.

This is an unnerving and serious reality. Security is an increasingly complex issue that is reaching across every technological aspect of business and our lives. There is work to be done to ensure that these systems are secure and protected against threats. The flaw in risk management seems to be ubiquitous across many industries, not just the oil and gas industries. There is a need for all industries, large and small, to be aware of the impact and consequences associated with malware and other cyber risks. How do we get there? Security needs to be part of far greater internal strategy. Organizations need to take a more proactive and integrated approach to security that protects their company, data, customers, and stakeholders at large against a more complex, and changing, cyber threat landscape. Time, money and resources are required to effectively develop software and systems, educate and train employees, and effectively secure deployed hardware. This will not be an easy task for most organizations, but it will be an invaluable one in the long-term. Thank you, Ashley, Absolute Software http://blog.absolute.com/ @absolutecorp