April 01, 2011, 8:45 AM — While the race between industrial control system attackers and defenders didn't start with the Stuxnet worm, it certainly acted as a catalyst to a new arms race and more researchers taking a closer look at the quality of SCADA software.
For instance, just days ago, the three-person Moscow-based security consultancy Gleg announced it would update its Agora exploit pack (used in security testing applications) with scores of zero-day SCADA system vulnerabilities that had just been released. Some of those vulnerabilities were released with exploit code.
That release of SCADA exploits prompted a flurry of activity among some in the security community. Security and SIEM vendor Nitrosecurity, for instance, along with the Emerging Threats open source community, the Open Information Security Foundation, and control system security consultancy Digital Bond and others, worked together to deliver intrusion detection signatures for SCADA vulnerabilities released by security researcher Luigi Auriemma.
More on Enterprise Risk Management
- ERM: Get started in 6 steps
- Turning ERM strategy into specific systems projects
- The CISO's new focus: IT risk
Now, with the release of zero-day vulnerabilities for the software that controls industrial systems -- much in the way vulnerabilities are fully disclosed for enterprise and consumer applications -- some are now asking if SCADA system security is going to quickly begin to resemble the security of traditional software and operating systems.
"There are some parallels between SCADA and traditional PC/server security problems," says Gartner analyst John Pescatore. "Windows and other commercial operating systems were first written assuming they would only be connected to trusted LANs, and when they were connected to the Internet all hell broke loose," he says. "Most SCADA, process control, and medical machinery was written assuming it would only be on an isolated, trusted network. But often those things are on networks that increasingly do have paths to the Internet -- even if the path is only via USB drives," Pescatore says.