This is a culture of: "We need to know the password for everything – because when the power is down, we need access in a hurry." Consequently these same admin teams, we find, have a habit of using factory/default passwords on their systems to ensure easy levels of access - at all times - for all engineers.
This is a cultural issue, and it's one that security vendors need to address head on.
There is also an interesting sociological angle here. Criminal gangs might have diminished interest in utilities because there may be little profit in breaking into them. And while Hactivists could conceivably cause problems, our observations suggest that many of these groups will avoid infrastructure targets because of the moral implications.
This leaves state-sponsored attackers as a primary threat, and makes CNI security an issue that screams for government oversight. The reality is that governments around the world have already staged attacks on rival states' CNI, but we hear about very few of these incidents in public. In the event of an attack on the US infrastructure – in all likelihood originating from a smaller rogue state – the outcome could constitute an act of war as damaging as any action taken with troops and physical armament.
In the US there is now a very clear focus on the CNI - and the federal government is starting to probe for vulnerabilities on these SCADA networks and then reporting back to the operators. The question we have to ask is whether it really is the government's place to complete these probes.
The free pass concept is that, if the government or its agencies complete the scan and give the "thumbs up" to your SCADA system security, then if your systems do subsequently get attacked, you are exempt from possible legal action.
This is a positive approach, as it has the potential to bring everyone – from the lowest engineer to the highest security strategist - on board with SCADA security, ensuring that we are all working toward a common goal: making our CNI more secure.
Some time ago I believed it was unlikely that any government would footprint or probe other states' CNIs. My observations have caused me to change my mind, and I now believe it is naive to underestimate any foe. SCADA vulnerability is a central challenge to our national security – and we really do need to address this issue now, before a major incident takes place.
So what are the solutions?
There are a number of recommendations that I would make to ensure that SCADA-based systems are better protected. The good news is that most of these actions can be implemented using existing technologies and legislation, though there may be a need for some tweaks to the statute books. It should be remembered that we are talking about the IT systems that control our national infrastructure.