SCADA State of Denial

More bugs and security tools for the process-control industry -- but it's more a mindset than a technology problem

Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities -- and hackers.

Some of these risks -- and bugs -- are unique to their environments, which historically weren't secured because they were built as isolated, closed systems; but they also share the same Microsoft vulnerabilities a typical enterprise faces. These once-cloistered systems and networks increasingly use off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and they require interconnection via the Internet as well, which opens the door to attackers from the outside in addition to those on the inside.

Researchers recently disclosed new vulnerabilities in the OLE for Process Control (OPC) protocols, open source interfaces for process-control apps. Meanwhile, some security vendors are forging partnerships to beef up their security offerings for the SCADA market.

Because the companies running these systems operate critical infrastructure -- power (nuclear and otherwise), water, and transportation -- the stakes are obviously much higher. Trouble is, these companies aren't necessarily approaching security properly, security experts say.

"It's an industry in denial," says Robert Graham, CEO of Errata Security. "They don't believe they have the security problems they have. It's not a technical issue, but a political issue."

One of the biggest missing links is authentication: Many don't even bother using authentication because they consider their systems closed and therefore safe, he says. "They put in Windows with no intention of ever patching it, and then they are surprised when they get hit by a worm," Graham says. Or they avoid patching and vulnerability testing because these processes pose risks of their own for SCADA systems -- introducing other bugs to their highly sensitive and uptime-demanding systems, for instance. And rebooting isn't an attractive option for these systems that absolutely must be available, either.

Many of these companies assess risk based on past experience with major security events. "They are managed by a Pearl Harbor-type mentality," Graham says. "Until there's a Pearl Harbor, there is no risk as far as they are concerned."

But that doesn't mean attacks aren't actually hitting SCADA-based systems today. "Hacks are happening, they are just not being publicized," he says.

OPC-based systems, for instance, typically run without usernames and passwords, which leaves them ripe for attack, according to Graham. Attacks exploiting the latest OPC bugs could be avoided if the app required logins, because the attacker would then need login privileges to do his dirty work.

Ron Gula, CEO and CTO for Tenable Network Security, says he does see some progress in locking down SCADA-based operations. "SCADA needs work, but it's not as bad as people think."

He does point to one problem, however: the SCADA security auditing process. Because these systems are so sensitive to change, audits typically aren't as detailed as those driven by Sarbox or other regulations, he notes. "Auditing is not as in-depth in my opinion or as transparent for SCADA" as it is for other industries.

And some security experts say commercial IDS/IPS, antivirus, and SIM products don't really fit SCADA. Mark Fabro, CEO of Lofty Perch, which makes SIM solutions for the water utility industry as well as other critical infrastructure companies, says commercial IDS/IPS and SIM systems don't map well to industrial control systems, where there are thousands of different protocols, many of them proprietary.

"These older protocols, DNP and ICCP, for instance, were designed for communicating with entities that were separate from the rest of the world, so there's no authentication, and it's an insecure stack," he says. "But if an attacker gets in, you need security to monitor and trap him... The trigger becomes very important."

His company this month partnered with Endeavor Security, which developed and is supplying IPS signatures specifically for SCADA systems to Lofty Perch. "No one has ever really taken SCADA-oriented logs and generated signatures for them," says Chris Jordan, Endeavor's CEO.
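The "monitor and trap" idea above rests on a trigger: when the protocol itself carries no authentication, the monitoring layer has to decide which control traffic is legitimate. The following is an added illustration of that kind of trigger, written for this page; it is not code from Lofty Perch, Endeavor Security, or Dark Reading, and it knows nothing about their signature formats. The log line format, the host addresses, the operation names, the allowlist, and the burst threshold are all constructed assumptions. It runs two signature-style rules over a few constructed SCADA-style log lines: a control operation from a host not on the allowlist, and a burst of restarts from one source.

```python
"""Signature-style triggers over constructed SCADA-style log lines.

Added example for illustration only; not the code of any vendor named on the page.
Log format, hosts, operation names, allowlist and threshold are all assumed here.
"""
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log (assumed format: "<timestamp> <proto> <src>-><dst> <op>").
# The DNP and ICCP protocols named in the article carry no authentication, so the
# monitor cannot rely on the protocol to tell a legitimate master from an intruder.
SAMPLE_LOG = """\
2007-04-02T09:30:01 DNP 10.1.1.5->10.1.2.20 READ
2007-04-02T09:30:02 ICCP 10.1.1.6->10.1.2.21 READ
2007-04-02T09:30:05 DNP 10.1.1.5->10.1.2.20 WRITE
2007-04-02T09:30:09 DNP 192.168.50.9->10.1.2.20 WRITE
2007-04-02T09:30:10 ICCP 192.168.50.9->10.1.2.21 RESTART
2007-04-02T09:30:11 ICCP 192.168.50.9->10.1.2.21 RESTART
2007-04-02T09:30:12 ICCP 192.168.50.9->10.1.2.21 RESTART
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<proto>\w+) (?P<src>[\d.]+)->(?P<dst>[\d.]+) (?P<op>\w+)$"
)

# Assumed: the only masters allowed to send control operations to field devices.
CONTROL_ALLOWLIST = {"10.1.1.5", "10.1.1.6"}
# Assumed: operations that change device state rather than just read it.
CONTROL_OPS = {"WRITE", "RESTART"}
# Assumed threshold: this many RESTARTs from one source raises a single burst alert.
RESTART_BURST = 3


@dataclass(frozen=True)
class Alert:
    rule: str
    src: str
    detail: str


def parse(line: str) -> Optional[dict]:
    """Parse one constructed log line; return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def detect(log_text: str) -> List[Alert]:
    """Run both triggers over the log and return the alerts in order of occurrence."""
    alerts: List[Alert] = []
    restarts: Counter = Counter()
    for line in log_text.splitlines():
        ev = parse(line)
        if ev is None:
            continue  # unparseable line: skipped here, would be logged in practice
        # Rule 1: a control operation from a source that is not an allowed master.
        if ev["op"] in CONTROL_OPS and ev["src"] not in CONTROL_ALLOWLIST:
            alerts.append(Alert(
                "unlisted-control-source", ev["src"],
                f'{ev["proto"]} {ev["op"]} to {ev["dst"]} at {ev["ts"]}',
            ))
        # Rule 2: repeated restarts from one source, alerted once when the threshold is hit.
        if ev["op"] == "RESTART":
            restarts[ev["src"]] += 1
            if restarts[ev["src"]] == RESTART_BURST:
                alerts.append(Alert(
                    "restart-burst", ev["src"],
                    f'{RESTART_BURST} RESTART operations, last at {ev["ts"]}',
                ))
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_LOG):
        print(f"[{a.rule}] src={a.src}: {a.detail}")
```

Both rules depend on knowledge the protocol does not provide (which hosts are masters, how often a restart is normal), which is the point Fabro makes: the trigger has to be written for the control environment, not lifted from enterprise IDS signatures.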

Meanwhile, SCADA security supplier Verano this month purchased the Managed Security Services Division of e-DMZ Security LLC, and is now offering a co-managed security service for the real-time SCADA and control environment.

There are some SCADA security initiatives underway, too. The North American Electric Reliability Council, for instance, has come up with the Critical Infrastructure Protection (CIP) standards, which cover everything from attack and abuse to availability. The standards also try to secure SCADA without inviting trouble when new security tools or fixes are installed on SCADA systems.

— Kelly Jackson Higgins, Senior Editor, Dark Reading
