Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities -- and hackers.
Some of these risks -- and bugs -- are unique to their environments, which historically weren't secured because they were built to be isolated, closed systems, but they also share the same Microsoft vulnerabilities as a typical enterprise does. These once-cloistered systems and networks are increasingly using off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and require interconnection via the Internet as well, which also opens the door to attackers from the outside in addition to the inside.
Researchers recently disclosed new vulnerabilities in the OLE for Process Control (OPC) protocols, open source interfaces for process-control apps. And meanwhile, some security vendors are forging partnerships to beef up their security offerings for the SCADA market.
With critical infrastructures at risk when it comes to power (nuclear and otherwise), water, and transportation companies running these systems, the stakes are obviously much higher. Trouble is, these companies aren't necessarily approaching security properly, security experts say.
"It's an industry in denial," says Robert Graham, CEO of Errata Security. "They don't believe they have the security problems they have. It's not a technical issue, but a political issue."
One of the biggest missing links is authentication: Many don't even bother using authentication because they consider their systems closed and therefore safe, he says. "They put in Windows with no intention of ever patching it, and then they are surprised when they get hit by a worm," Graham says. Or they avoid patching and vulnerability testing because these processes pose risks of their own for SCADA systems -- introducing other bugs to their highly sensitive and uptime-demanding systems, for instance. And rebooting isn't an attractive option for these systems that absolutely must be available, either.
Many of these companies assess risk based on past experience with major security events. "They are managed by a Pearl Harbor-type mentality," Graham says. "Until there's a Pearl Harbor, there is no risk as far as they are concerned."
But that doesn't mean attacks aren't actually hitting SCADA-based systems today. "Hacks are happening, they are just not being publicized," he says.
OPC-based systems, for instance, typically run without usernames and passwords, which leaves them ripe for attack, according to Graham. Attacks exploiting the latest OPC bugs could be avoided if logins were required in the app because the attacker needs login privileges to do his dirty work.
Ron Gula, CEO and CTO for Tenable Network Security, says he does see some progress in locking down SCADA-based operations. "SCADA needs work, but it's not as bad as people think."
One problem he points to is the SCADA security auditing process, however. Because these systems are so sensitive to change, audits typically aren't as detailed as with Sarbox or other regulations, he notes. "Auditing is not as in-depth in my opinion or as transparent for SCADA" as it is for other industries.
And some security experts say commercial IDS/IPS, antivirus, and SIM products don't really fit for SCADA. Mark Fabro, CEO of Lofty Perch, which makes SIM solutions for the water utility industry as well as other critical infrastructure companies, says commercial IDS/IPS and SIM systems don't map well to industry control systems, where there are thousands of different protocols, many of them proprietary.
"These older protocols, DNP and ICCP, for instance, were designed for communicating with entities that were separate from the rest of the world, so there's no authentication, and it's an insecure stack," he says. "But if an attacker gets in, you need security to monitor and trap him... The trigger becomes very important."
His company this month partnered with Endeavor Security, which developed and is supplying IPS signatures specifically for SCADA systems to Lofty Perch. "No one has ever really taken SCADA-oriented logs and generated signatures for them," says Chris Jordan, Endeavor's CEO.
Meanwhile, SCADA security supplier Verano this month purchased the Managed Security Services Division of e-DMZ Security LLC, and is now offering a co-managed security service for the real-time SCADA and control environment.
There are some SCADA security initiatives underway, too. The North American Electric Reliability Council, for instance, has come up with the Critical Infrastructure Protection (CIP) standards, which cover everything from attack and abuse to availability. It also tries to balance securing SCADA without inviting trouble when installing new security tools or fixes on SCADA systems.
Kelly Jackson Higgins, Senior Editor, Dark Reading