Despite Stuxnet, Duqu, control system flaws still overlooked

Most efforts to fix infrastructure threats are wrongly focused, security pros say

By , Computerworld |  Security, Duqu, Stuxnet

"If you haven't protected HMI's, shame on you," Weiss said. But the bigger threats really are the control system flaws that allow attackers to send commands that cause physical equipment to shut down, overheat or blow-up, he added.

Stuxnet showed how programmable logic controllers could be overwritten to send commands that caused equipment to fail, he said. Despite that warning, little has changed. "Prior to Stuxnet there were zero programs for securing PLCs. To this day there are no programs for securing PLCs," Weiss said.

A lot of the problems have to do with insecure design, Peterson said.

For example, in many cases anyone with logical access to a control system can upload firmware on it without authentication, he said. Passwords are often hardcoded into systems many have administrative backdoors, and very basic buffer overflow errors.

Often, "there is no security around write commands or turning things on and off, or changing a process. You want some control over what happens," Peterson said.

The problem is not an easy one to fix, Peterson added.

Major control systems do not get replaced for years. And even if they were replaced, the replacement systems are likely to be as vulnerable as their predecessors, he said.

"The real shame is that most vendors don't even have a secure system you can buy today. It's a problem that has had little progress," Peterson said.

According to Weiss, the real focus has to be on coming up with a contingency plan in the event of an attack. Many deficiencies in control systems cannot be patched, he said. "There is no antivirus for it," he said. So the focus now has to be on resilience and recovery, he said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan , or subscribe to Jaikumar's RSS feed . His e-mail address is jvijayan@computerworld.com .

Read more about security in Computerworld's Security Topic Center.


Originally published on Computerworld |  Click here to read the original story.
Join us:
Facebook

Twitter

Pinterest

Tumblr

LinkedIn

Google+

Answers - Powered by ITworld

ITworld Answers helps you solve problems and share expertise. Ask a question or take a crack at answering the new questions below.

Ask a Question
randomness