Vulnerabilities / Threats
2/12/2013
12:58 PM
Dark Reading
Dark Reading
Products and Releases
50%
50%

SANS Releases First Of Its Kind Deep-Dive Survey On SCADA Security Practices

Survey revealed that respondents are putting most of their security focus on the computers operating their proprietary control systems

BETHESDA, Md., Feb. 12, 2013 /PRNewswire-USNewswire/ -- According to a survey of nearly 700 SCADA and other control system operators, awareness of risk is high, while protections are lagging.

"Control system cyber assets are vulnerable, threats are escalating and the industry is aware of these facts," says survey paper author Matthew Luallen, a senior SANS analyst and SCADA/process control system expert who teaches on this subject at DePaul University. "Stuxnet can be cited for finally raising risk awareness, but some of this awareness is experiential: In the survey, 33% of respondents know or suspect they've been breached."

Sponsored by ABB, Industrial Defender and Splunk, the survey revealed that respondents are putting most of their security focus on the computers operating their proprietary control systems. Unfortunately, they're doing so to the neglect of the Program Logic Controllers and other proprietary SCADA devices running atop of these computers, which have little or no native security.

"Operators need to better align their security and compliance programs with their most critical directive of preventing disruptions to service or operations," advises Deb Radcliff, executive editor of the SANS Analyst Program.

"SCADA operators should layer their security and work with their control system vendors -- who are also aware of the risk and making improvements."

Readers are invited to attend a SANS webcast to learn the full results of the survey. This webcast is scheduled for February 20, 2013, at 1 PM EST. Those who register for the webcast will also receive an advanced copy of the published results paper developed by Mr. Luallen.

"This is the first time I have seen a succinct review of the problems faced by all industries using SCADA technologies," says Barbara Filkins, SANS analyst, advisor to the survey and healthcare privacy expert. "I'm voluntary president of our mutual water company and our board is considering installing a SCADA system.

I will definitely use some of the findings in this survey to help guide our selection."

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted, and by far the largest, source for world-class information security training and security certification in the world. GIAC, an affiliate of the SANS Institute, is a certification body featuring over 20 hands-on, technical certifications in information security.

SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; and it operates the Internet's early warning system - the Internet Storm Center. At the heart of SANS are the many security practitioners in varied global organizations from corporations to universities working together to help the entire information security community. (www.sans.org)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3580
Published: 2014-12-18
The mod_dav_svn Apache HTTPD server module in Apache Subversion 1.x before 1.7.19 and 1.8.x before 1.8.11 allows remote attackers to cause a denial of service (NULL pointer dereference and server crash) via a REPORT request for a resource that does not exist.

CVE-2014-6076
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allow remote attackers to conduct clickjacking attacks via a crafted web site.

CVE-2014-6077
Published: 2014-12-18
Cross-site request forgery (CSRF) vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote attackers to hijack the authentication of arbitrary users for requests that insert XSS sequences.

CVE-2014-6078
Published: 2014-12-18
IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 do not have a lockout period after invalid login attempts, which makes it easier for remote attackers to obtain admin access via a brute-force attack.

CVE-2014-6080
Published: 2014-12-18
SQL injection vulnerability in IBM Security Access Manager for Mobile 8.x before 8.0.1 and Security Access Manager for Web 7.x before 7.0.0 FP10 and 8.x before 8.0.1 allows remote authenticated users to execute arbitrary SQL commands via unspecified vectors.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.