Making SCADA systems more secure
Given that the very heart of our nation's infrastructure runs on SCADA, how do we make these systems more secure? Are there really so many active threats out there?
Here's what I believe is the heart of the issue: SCADA systems can be based on a combination of embedded controllers combined with Windows or Linux systems. This combination isn't terribly insecure in isolation, but once connected to the Internet (as a matter of convenience and for holistic management), every component now needs to be patched and managed for access and authorization since there are no longer any locked doors keeping the wrong people out.
Corporate IT systems are – most of the time – protected by network firewalls, intrusion and anomaly detection systems, endpoint security software, and other prevailing safeguards. Once they're connected to the Internet there's simply no excuse for SCADA networks not to employ – at the very least – those same essential layers of security to protect against external attacks. The bad news is that a great many SCADA deployments do not even begin to utilize these broadly adopted technologies.
And the bottom line is...
The bottom line is that a great many SCADA networks are designed and deployed by electrical engineers who lack IT security training, and I believe that this engineering culture is often naïve when it comes to the threats that foreign powers and sociopaths could have on their designs. Consequently many SCADA networks have a security blind spot, with a healthy dose of attention paid to whether the controls interact safely with their physical environments but far too little focus on how well the systems can withstand cyber attacks.
We've also found that management teams – especially at smaller utilities –fail to understand the need to change passwords regularly – believing they can trust everyone because they know everyone.
This is a culture of: `We need to know the password for everything – because when the power is down, we need access in a hurry.' Consequently these same admin teams, we find, have a habit of using factory/default passwords on their systems to ensure easy levels of access - at all times - for all engineers.
This is a cultural issue, and it's one that security vendors need to address head on.
There is also an interesting sociological angle here. Criminal gangs might have diminished interest in utilities because there may be little profit in breaking into them. And while Hactivists could conceivably cause problems, our observations suggest that many of these groups will avoid infrastructure targets because of the moral implications.
This leaves state-sponsored attackers as a primary threat, and makes CNI security an issue that screams for government oversight. The reality is that governments around the world have already staged attacks on rival states' CNI, but we hear about very few of these incidents in public. In the event of an attack on the US infrastructure – in all likelihood originating from a smaller rogue state – the outcome could constitute an act of war as damaging as any action taken with troops and physical armament.
In the US there is now a very clear focus on the CNI - and the federal government is starting to probe for vulnerabilities on these SCADA networks and then reporting back to the operators. The question we have to ask is whether it really is the government's place to complete these probes.
The free pass concept is that, if the government or its agencies complete the scan and give the `thumbs up’ to your SCADA system security, then if your systems do subsequently get attacked, you are exempt from possible legal action.