Comments
Large Electric Utilities Earn High Security Scores
Newest First  |  Oldest First  |  Threaded View
Page 1 / 2   >   >>
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/3/2014 | 10:56:27 PM
Re: The comments and conclusions do not apply to control systems.
The mission of an electric utility is to generate, transmit, and/or distribute electricity. The means of doing that is with control systems.  Business IT systems are necessary for front-office business operations but not for the core mission of the utility. Unless you don't care if the lights are on, how can you make any conclusions on the security of an electric utility when you are not even looking at the control systems?  Moreover, since control systems are often networked systems, excluding them means the scope of the project was incomplete.

Joe Weiss
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
6/3/2014 | 3:54:01 PM
Re: The comments and conclusions do not apply to control systems.
If I'm following you, Joe, BitSight's report and analysis doesn't dispute that control systems themselves are notoriously security-deficient. This report was based on data gathered from malware attacks on networked systems of the large electric utilities. 
jweiss950
50%
50%
jweiss950,
User Rank: Apprentice
6/2/2014 | 8:04:58 PM
The comments and conclusions do not apply to control systems.
What makes a utility different than a commercial business are the industrial control systems that monitor and control the generation, transmission, or distribution of electricity (or water or natural gas). However, this article was written from an IT focus with little knowledge of control systems. Consequently, the statements and conclusions about security and resources may be relevant to the business IT systems in a utility but they are NOT relevant to the control systems. The comments on control systems seem to focus on patching as if that is the only or biggest problem - it is not. I encourage the readers to learn more about control system cyber security. I have written a book on the subject – Protecting Industrial Control Systems from Electronic Threats or you can view my lecture to a Masters class at Stanford - https://www.youtube.com/watch?v=S3Yyv53dZ5A

Joe Weiss
Sara Peters
50%
50%
Sara Peters,
User Rank: Author
6/2/2014 | 9:32:50 AM
Re: Disruption Cause for Low and High Security
@RyanSepe  "What good is data security if your own trusted entities can't access it. This is why security is strongest and most efficient when ingrained at the start of product development."  Couldn't agree more!


The trouble, of course, is that utilities -- for good reason -- aren't keen on updating their software, so even if we start building software that's got security beautifully baked in, they're unlikely to start using it.


 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 5:15:38 PM
Re: Disruption Cause for Low and High Security
The first three bullets seem to advocate not patching while the others provide data as to why patching should occur.

But this is why risk analysis is so important. There is no absolute answer but what makes the most sense to you. Is the risk of patching acceptable versus the consequence of not patching?/Is the risk of patching acceptable versus the possiblitly of system shutdown during patch? I would say whichever merits the highest risk in the scenario above, this does not site other factors that should be taken into account, should be the option not taken. Thoughts?
Marilyn Cohodas
50%
50%
Marilyn Cohodas,
User Rank: Strategist
5/30/2014 | 1:54:26 PM
Re: Disruption Cause for Low and High Security
Thanks for the info @ christianabryant. But honestly, the data you cite doesn't inspire a lot of confidence...
Christian Bryant
50%
50%
Christian Bryant,
User Rank: Ninja
5/30/2014 | 1:26:03 PM
Re: Disruption Cause for Low and High Security
I felt the same way as @RyanSepe but after researching and reading a couple excellent articles on the topic [1][2].

Some takeaways (assuming patches can be installed without shutting down the process) include:


  • "In a landmark study of the patches for post-release bugs in OS software, Yin et al showed that between 14.8% and 24.4% of all fixes are incorrect and directly impact the end user. And if that's not bad enough, 43% of these faulty 'fixes' resulted in crashes, hangs, data corruption or additional security problems."
  • "...patches don't always solve the security issues they were designed to address. According to Kevin Hemsley, a member of the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT), in 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products."
  • "Most patches require the shutdown and restart of the manufacturing process. Some can also break or remove functionality previously relied on by the control system. For example, one of the vulnerabilities the Stuxnet worm exploited was a hardcoded password in Siemens' WinCC SQL database."
  • The patching process often requires staff with special skills to be available; resources aren't always on-hand or budget doesn't allow for them.
  • "At the SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride noted that less than half of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time."

[1] https://www.tofinosecurity.com/blog/scada-security-welcome-patching-treadmill

[2] http://www.tofinosecurity.com/blog/patching-scada-and-ics-security-good-bad-and-ugly
Kelly Jackson Higgins
50%
50%
Kelly Jackson Higgins,
User Rank: Strategist
5/30/2014 | 1:19:35 PM
Re: Disruption Cause for Low and High Security
Agreed, @RyanSepe. The problem with many of these older ICS/SCADA systems is that they are old and predate the security threats we face today. Many were built for the pre-Internet days, so it's a legacy problem, too. 
RyanSepe
50%
50%
RyanSepe,
User Rank: Ninja
5/30/2014 | 11:23:46 AM
Re: Disruption Cause for Low and High Security
I agree. I think we need to remember as InfoSec Professionals that there is a functionality principle that needs to be adhered to. What good is data security if your own trusted entities can't access it.

This is why security is strongest and most efficient when ingrained at the start of product development. And hopefully with the many regulations in place for different types of institutions vendors will take that into consideration.
Bprince
50%
50%
Bprince,
User Rank: Ninja
5/30/2014 | 10:57:46 AM
Re: Disruption Cause for Low and High Security
I agree. Compensating measures have to be taken to keep those older systems safe. That's why strong perimeter security is important. Honestly, I just think there isn't much more that  can be done to secure some of these systems other than reduce their connectivity to the Internet as much as possible, but that can hurt business productivity.  Happy to see the utilities scoring so high on this.

BP
Page 1 / 2   >   >>


Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the “security connected” approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
10 Recommendations for Outsourcing Security
10 Recommendations for Outsourcing Security
Enterprises today have a wide range of third-party options to help improve their defenses, including MSSPs, auditing and penetration testing, and DDoS protection. But are there situations in which a service provider might actually increase risk?
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-2021
Published: 2014-10-24
Cross-site scripting (XSS) vulnerability in admincp/apilog.php in vBulletin 4.4.2 and earlier, and 5.0.x through 5.0.5 allows remote authenticated users to inject arbitrary web script or HTML via a crafted XMLRPC API request, as demonstrated using the client name.

CVE-2014-3604
Published: 2014-10-24
Certificates.java in Not Yet Commons SSL before 0.3.15 does not properly verify that the server hostname matches a domain name in the subject's Common Name (CN) field of the X.509 certificate, which allows man-in-the-middle attackers to spoof SSL servers via an arbitrary valid certificate.

CVE-2014-6230
Published: 2014-10-24
WP-Ban plugin before 1.6.4 for WordPress, when running in certain configurations, allows remote attackers to bypass the IP blacklist via a crafted X-Forwarded-For header.

CVE-2014-6251
Published: 2014-10-24
Stack-based buffer overflow in CPUMiner before 2.4.1 allows remote attackers to have an unspecified impact by sending a mining.subscribe response with a large nonce2 length, then triggering the overflow with a mining.notify request.

CVE-2014-7180
Published: 2014-10-24
Electric Cloud ElectricCommander before 4.2.6 and 5.x before 5.0.3 uses world-writable permissions for (1) eccert.pl and (2) ecconfigure.pl, which allows local users to execute arbitrary Perl code by modifying these files.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.