The safety and security of nuclear facilities, power plants and oil/gas production seems a little shakier in recent days. No, this isn't about instability in the Middle East or a nuclear incident in Japan. Two recent announcements have shaken up the industrial controls security community.
The first announcement was that a security vendor had collected and offered for sale a set of exploits for 23 security vulnerabilities. The second was the public disclosure of 34 vulnerabilities with proof-of-concept exploit code by a security researcher. With Stuxnet serving as a backdrop, it's clear that Industrial Control Systems (ICS) are firmly in the crosshairs.
These vulnerabilities and exploits affect systems called SCADA, for Supervisory Control and Data Acquisition. These SCADA systems control highly complex processes and provide relevant and timely information to human operators who can provide another layer of control. This combination of automated and manual control provides a robust security model. Security vulnerabilities in these systems could potentially allow an attacker to manipulate or disrupt industrial processes, posing a threat to safety, security and reliability.
SCADA systems and networks are common in electrical and water utilities, manufacturing, transportation, nuclear, oil and gas, and petrochemical industries.
SCADA systems have a long history, and in many cases trace their heritage directly to the pre-Internet days of mainframe computing. In this environment, the lack of network connectivity meant there was little ability for non-trusted data to find its way to these systems. As SCADA systems have moved to modern networked environments, they've frequently adopted proprietary protocols (such as DNP3 and Modbus) that were added to the existing systems. These proprietary communications were often designed with little focus on security or the possibility of encountering malformed or malicious input. The rise of web interfaces and portals has also increased the attack surface. Meanwhile, the closed secretive nature of these systems has also meant that they haven't received the public scrutiny focused on other software packages.
The security researcher Luigi Auriemma stated he made no effort to contact the companies beforehand so they could provide a fix for the vulnerabilities. In doing so, he said, '90 percent of the job of fixing a bug is just finding it first. But it's not that simple with SCADA. Even after there is a technical fix, the vendor still has to perform testing to ensure it does not introduce new problems. And the organizations using the equipment must go through rigorous testing and change management procedures to minimize disruption of vital production processes. So in reality, these organizations may not be able to patch the vulnerabilities for months or longer.
Though many don't like to talk about it, SCADA systems are usually more prone to vulnerabilities than most. The age of hardware, proprietary software, lack of basic security features, lack of basic encryption and ready access to vulnerable business networks make these systems both difficult to protect and attractive targets for attackers. Sometimes the unique configurations and system constraints make applying a patch, even when it is available, impossible.
So is it time to panic? Not quite. Organizations employing a defense-in-depth strategy that contains multiple layers of security will find themselves more resilient. Put into practice, defense-in-depth allows organizations to protect their systems and their networks in a way that should allow them to compensate for these types of vulnerabilities. That's because defense-in-depth assumes systems are not impervious to attack. A multi-layered security architecture and design provides significant resistance to attack and reduces the overall risk associated with any one class of vulnerability. A strong defense-in-depth strategy will likely include at least the following:
- A defined security strategy based on mitigating risk
- Regular security testing
- Strong identity and access controls
- Logical and physical device separation
- Minimum-necessary network access controls and account permissions
- Security training and awareness programs
These recent disclosures of attacks and vulnerabilities are a keen reminder that cyber threat attack surfaces are rapidly increasing. They highlight the need for comprehensive defense-in-depth strategies, no matter what types of systems are to be protected. Every network or system has vulnerabilities that adversaries will attack and exploit with enough time and will; SCADA systems are no different. The keys to surviving these attacks are knowing your environment, having a strong and layered defense strategy tailored to that environment, using tools and processes to quickly recognize an attack, and executing a plan to mitigate the threat.
Barry Hensley, Jeff Jarmoc and Don Smith contributed to this article.