
SCADA State of Denial

More bugs and security tools for process control industry - but it's more a mindset than a technology problem

Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities -- and hackers.

Some of these risks -- and bugs -- are unique to SCADA environments, which historically weren't secured because they were built to be isolated, closed systems. But these systems also share the same Microsoft vulnerabilities as a typical enterprise. The once-cloistered systems and networks increasingly use off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and they require interconnection via the Internet as well, which opens the door to attackers from the outside in addition to the inside.

Researchers recently disclosed new vulnerabilities in the OLE for Process Control (OPC) protocols, open source interfaces for process-control apps. And meanwhile, some security vendors are forging partnerships to beef up their security offerings for the SCADA market.

With power (nuclear and otherwise), water, and transportation companies running these systems, critical infrastructure is at risk and the stakes are obviously much higher. Trouble is, these companies aren't necessarily approaching security properly, security experts say.

"It's an industry in denial," says Robert Graham, CEO of Errata Security. "They don't believe they have the security problems they have. It's not a technical issue, but a political issue."

One of the biggest missing links is authentication: Many don't even bother using authentication because they consider their systems closed and therefore safe, he says. "They put in Windows with no intention of ever patching it, and then they are surprised when they get hit by a worm," Graham says. Or they avoid patching and vulnerability testing because these processes pose risks of their own for SCADA systems -- introducing other bugs to their highly sensitive and uptime-demanding systems, for instance. And rebooting isn't an attractive option for these systems that absolutely must be available, either.

Many of these companies assess risk based on past experience with major security events. "They are managed by a Pearl Harbor-type mentality," Graham says. "Until there's a Pearl Harbor, there is no risk as far as they are concerned."

But that doesn't mean attacks aren't actually hitting SCADA-based systems today. "Hacks are happening, they are just not being publicized," he says.

OPC-based systems, for instance, typically run without usernames and passwords, which leaves them ripe for attack, according to Graham. Attacks exploiting the latest OPC bugs could be avoided if logins were required in the app because the attacker needs login privileges to do his dirty work.

Ron Gula, CEO and CTO for Tenable Network Security, says he does see some progress in locking down SCADA-based operations. "SCADA needs work, but it's not as bad as people think."

One problem he points to is the SCADA security auditing process, however. Because these systems are so sensitive to change, audits typically aren't as detailed as with Sarbox or other regulations, he notes. "Auditing is not as in-depth in my opinion or as transparent for SCADA" as it is for other industries.

And some security experts say commercial IDS/IPS, antivirus, and SIM products don't really fit for SCADA. Mark Fabro, CEO of Lofty Perch, which makes SIM solutions for the water utility industry as well as other critical infrastructure companies, says commercial IDS/IPS and SIM systems don't map well to industry control systems, where there are thousands of different protocols, many of them proprietary.

"These older protocols, DNP and ICCP, for instance, were designed for communicating with entities that were separate from the rest of the world, so there's no authentication, and it's an insecure stack," he says. "But if an attacker gets in, you need security to monitor and trap him... The trigger becomes very important."

His company this month partnered with Endeavor Security, which developed and is supplying IPS signatures specifically for SCADA systems to Lofty Perch. "No one has ever really taken SCADA-oriented logs and generated signatures for them," says Chris Jordan, Endeavor's CEO.

Meanwhile, SCADA security supplier Verano this month purchased the Managed Security Services Division of e-DMZ Security LLC, and is now offering a co-managed security service for the real-time SCADA and control environment.

There are some SCADA security initiatives underway, too. The North American Electric Reliability Council, for instance, has come up with the Critical Infrastructure Protection (CIP) standards, which cover everything from attack and abuse to availability. It also tries to secure SCADA without inviting trouble when new security tools or fixes are installed on SCADA systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
