Comments
Large Electric Utilities Earn High Security Scores
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/3/2014 | 10:56:27 PM
Re: The comments and conclusions do not apply to control systems.
The mission of an electric utility is to generate, transmit, and/or distribute electricity. The means of doing that is with control systems.  Business IT systems are necessary for front-office business operations but not for the core mission of the utility. Unless you don't care if the lights are on, how can you make any conclusions on the security of an electric utility when you are not even looking at the control systems?  Moreover, since control systems are often networked systems, excluding them means the scope of the project was incomplete.

Joe Weiss
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/3/2014 | 3:54:01 PM
Re: The comments and conclusions do not apply to control systems.
If I'm following you, Joe, BitSight's report and analysis doesn't dispute that control systems themselves are notoriously security-deficient. This report was based on data gathered from malware attacks on networked systems of the large electric utilities. 
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/2/2014 | 8:04:58 PM
The comments and conclusions do not apply to control systems.
What makes a utility different than a commercial business are the industrial control systems that monitor and control the generation, transmission, or distribution of electricity (or water or natural gas). However, this article was written from an IT focus with little knowledge of control systems. Consequently, the statements and conclusions about security and resources may be relevant to the business IT systems in a utility but they are NOT relevant to the control systems. The comments on control systems seem to focus on patching as if that is the only or biggest problem - it is not. I encourage the readers to learn more about control system cyber security. I have written a book on the subject – Protecting Industrial Control Systems from Electronic Threats or you can view my lecture to a Masters class at Stanford - https://www.youtube.com/watch?v=S3Yyv53dZ5A

Joe Weiss
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/2/2014 | 9:32:50 AM
Re: Disruption Cause for Low and High Security
@RyanSepe  "What good is data security if your own trusted entities can't access it. This is why security is strongest and most efficient when ingrained at the start of product development."  Couldn't agree more!


The trouble, of course, is that utilities -- for good reason -- aren't keen on updating their software, so even if we start building software that's got security beautifully baked in, they're unlikely to start using it.


 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 5:15:38 PM
Re: Disruption Cause for Low and High Security
The first three bullets seem to advocate not patching while the others provide data as to why patching should occur.

But this is why risk analysis is so important. There is no absolute answer but what makes the most sense to you. Is the risk of patching acceptable versus the consequence of not patching?/Is the risk of patching acceptable versus the possiblitly of system shutdown during patch? I would say whichever merits the highest risk in the scenario above, this does not site other factors that should be taken into account, should be the option not taken. Thoughts?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/30/2014 | 1:54:26 PM
Re: Disruption Cause for Low and High Security
Thanks for the info @ christianabryant. But honestly, the data you cite doesn't inspire a lot of confidence...
gnuian
50%
50%
gnuian,
User Rank: Ninja
5/30/2014 | 1:26:03 PM
Re: Disruption Cause for Low and High Security
I felt the same way as @RyanSepe but after researching and reading a couple excellent articles on the topic [1][2].

Some takeaways (assuming patches can be installed without shutting down the process) include:


  • "In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that's not bad enough, 43% of these faulty 'fixes' resulted in crashes, hangs, data corruption or additional security problems."
  • "...patches don't always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products."
  • "Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens' WinCC SQL database."
  • The patching process often requires staff with special skills to be available; resources aren't always on-hand or budget doesn't allow for them.
  • "At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time."

[1] https://www.tofinosecurity.com/blog/scada-security-welcome-patching-treadmill

[2] http://www.tofinosecurity.com/blog/patching-scada-and-ics-security-good-bad-and-ugly
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:19:35 PM
Re: Disruption Cause for Low and High Security
Agreed, @RyanSepe. The problem with many of these older ICS/SCADA systems is that they are old and predate the security threats we face today. Many were built for the pre-Internet days, so it's a legacy problem, too. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 11:23:46 AM
Re: Disruption Cause for Low and High Security
I agree. I think we need to remember as InfoSec Professionals that there is a functionality principle that needs to be adhered to. What good is data security if your own trusted entities can't access it.

This is why security is strongest and most efficient when ingrained at the start of product development. And hopefully with the many regulations in place for different types of institutions vendors will take that into consideration.
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/30/2014 | 10:57:46 AM
Re: Disruption Cause for Low and High Security
I agree. Compensating measures have to be taken to keep those older systems safe. That's why strong perimeter security is important. Honestly, I just think there isn't much more that  can be done to secure some of these systems other than reduce their connectivity to the Internet as much as possible, but that can hurt business productivity.  Happy to see the utilities scoring so high on this.

BP
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7437
Published: 2015-03-29
Multiple integer overflows in potrace 1.11 allow remote attackers to cause a denial of service (crash) via large dimensions in a BMP image, which triggers a buffer overflow.

CVE-2013-7438
Published: 2015-03-29
Multiple buffer overflows in pbm212030 allow remote attackers to cause a denial of service (crash) or possible execute arbitrary code via a crafted PBM image, related to (1) stream line data, which triggers a heap-based buffer overflow, or (2) vectors related to an "internal intermediate heap-based ...

CVE-2014-5427
Published: 2015-03-29
Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integration Engine (NIE) 5xxx-x, and NxE8500, allows remote attackers to read pa...

CVE-2014-5428
Published: 2015-03-29
Unrestricted file upload vulnerability in unspecified web services in Johnson Controls Metasys 4.1 through 6.5, as used in Application and Data Server (ADS), Extended Application and Data Server (aka ADX), LonWorks Control Server 85 LCS8520, Network Automation Engine (NAE) 55xx-x, Network Integratio...

CVE-2014-9205
Published: 2015-03-29
Stack-based buffer overflow in the PmBase64Decode function in an unspecified demonstration application in MICROSYS PROMOTIC stable before 8.2.19 and PROMOTIC development before 8.3.2 allows remote attackers to execute arbitrary code by providing a large amount of data.

Dark Reading Radio
Archived Dark Reading Radio
Good hackers--aka security researchers--are worried about the possible legal and professional ramifications of President Obama's new proposed crackdown on cyber criminals.