April 01, 2011, 8:45 AM — While the race between industrial control system attackers and defenders didn't start with the Stuxnet worm, it certainly acted as a catalyst to a new arms race and more researchers taking a closer look at the quality of SCADA software.
For instance, just days ago, the three-person Moscow-based security consultancy Gleg announced it would update its Agora exploit pack (used in security testing applications) with scores of zero-day SCADA system vulnerabilities that had just been released. Some of those vulnerabilities were released with exploit code.
That release of SCADA exploits prompted a flurry of activity among some in the security community. Security and SIEM vendor Nitrosecurity, for instance, along with the Emerging Threats open source community, the Open Information Security Foundation, and control system security consultancy Digital Bond and others, worked together to deliver intrusion detection signatures for SCADA vulnerabilities released by security researcher Luigi Auriemma.
More on Enterprise Risk Management
- ERM: Get started in 6 steps
- Turning ERM strategy into specific systems projects
- The CISO's new focus: IT risk
Now, with the release of zero-day vulnerabilities for the software that controls industrial systems -- much in the way vulnerabilities are fully disclosed for enterprise and consumer applications -- some are now asking if SCADA system security is going to quickly begin to resemble the security of traditional software and operating systems.
"There are some parallels between SCADA and traditional PC/server security problems," says Gartner analyst John Pescatore. "Windows and other commercial operating systems were first written assuming they would only be connected to trusted LANs, and when they were connected to the Internet all hell broke loose," he says. "Most SCADA, process control, and medical machinery was written assuming it would only be on an isolated, trusted network. But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Pescatore says.
Adds Scott Crawford, managing research director Enterprise Management Associates, "That has been a longstanding assumption about SCADA security that bears some investigation," he says. "The biggest assumption in my mind is that these are mostly non-networked systems or their networks are meaningfully 'air gapped' from more public environments. While that may be true in some deployments, it begs the question of how difficult it would be for a malicious party to move from a widely accessible target to a more protected one such as a SCADA system. It also begs the question of how well these environments are instrumented to detect potential compromise," Crawford says.
If the recent flurry of SCADA vulnerabilities and the success of Stuxnet are any indication, than it's not too far a leap to expect industrial system operators to start to more carefully look for exploit and malware attacks. And the extent that is being done varies greatly from one company to the next, says Mohan Ramanathan, solutions architect for critical infrastructure at Nitrosecurity. "Some are taking it very seriously, and they're deploying the appropriate monitoring and intrusion prevention systems to protect these networks, while others are nowhere near that mature," Ramanathan says.
However, Gartner's Pescatore does not see SCADA and process control systems security as entirely similar to traditional IT security efforts. "These systems are mostly limited to single-function servers or appliances, vs. user PCs. Simple strategies like whitelisting have proven very effective on things like ATM machines, kiosks and other servers or appliances where users don't have to be allowed to install arbitrary software," he says. He also contends that the same level of profit motive doesn't exist to attack these systems. "The vast majority of clever attack code is written by those looking for financial gain -- even Stuxnet mostly used known techniques bundled together, and the vast majority of attacks going against process control systems are nowhere near as sophisticated as Stuxnet," he says.
