3/13/2013
07:19 PM
ICS-CERT, SCADA Patching Under The Microscope

Existing process of vulnerability reporting, patching doesn't go far enough in improving the overall security of critical infrastructure systems, SCADA experts say

Third installment in an occasional series on SCADA security

The U.S. Department of Homeland Security's ICS-CERT has been regularly issuing vulnerability advisories for SCADA products over the past couple of years, and vendors increasingly have been issuing patches, but the gaping and easily exploitable design flaws inherent in many products remain.

Some renowned SCADA security experts contend that the current process of reporting bugs, patching bugs, and issuing alerts via ICS-CERT falls short. The bigger ICS/SCADA systems that control power plants or chemical plants are not typically the subject of ICS vulnerability alerts, they say, and most vendors still aren't fixing features in their products that were created prior to the networked environment, or that just don't factor in security (think lack of authentication).

Read previous articles in this series on SCADA security:

>> Part 2: SCADA Security 2.0

>> Part 1: The SCADA Patch Problem

ICS-CERT has been lauded for helping raise awareness of security problems in the systems and software that run power plants, as well as for other services it provides to the ICS industry, including incident response and free tools. ICS-CERT responded to 177 cyberattack incidents reported by industrial control system operators last year, according to its newly published annual report (PDF).

Ralph Langner of Langner Communications, a security expert who was one of the first to discover Stuxnet, says the current ICS vulnerability advisory process covers only smaller flaws that can be patched, while the bigger security holes lie within the design features of the products. "The reality is that the most serious vulnerabilities in control systems are deliberate design features, not bugs," Langner says. And ICS-CERT doesn't handle insecure design features, he notes.

"ICS-CERT doesn't deal with insecure design features and is even reluctant to call those vulnerabilities -- quite a stretch because, by any definition, a vulnerability is a system property that an attacker can exploit, no matter if it came into existence by oversight or by poor design," Langner says.

The focus on bugs in micro-PLCs and human machine interface (HMI) software is missing the mark, he says. "Big DCS products that are used to control power plants or chemical plants, for example, don't make it into ICS-CERT publications, no matter how easily they can be exploited," Langner says.

Dale Peterson, CEO of SCADA security consultancy Digital Bond, says the advisories issued by ICS-CERT don't do much to improve overall security of SCADA systems. "Most of the vulnerabilities [in the alerts] have little impact on the security of the systems," says Peterson, who has been blogging recently on building a better ICS-CERT process.

He says that instead of vulnerability coordination, ICS-CERT should provide support to US-CERT in that regard. ICS-CERT should prioritize vulnerabilities based on how "the vulnerability affects a system on their critical infrastructure list AND the vulnerability affects the security posture of the system," which would give ICS-CERT the breathing room to drill down on fewer but more relevant security flaws, Peterson wrote in a blog post earlier this week. "The second requirement is important and often leads to misallocation of ICS-CERT effort. Does it really matter if there is a CSRF or buffer overflow vulnerability in a device that you can connect to and take complete control using a feature?"
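As an added illustration (not from the article, Digital Bond, or ICS-CERT), the two-part prioritization test Peterson describes, modelled in Python: a reported bug is worth effort only when the device is on the critical infrastructure list and the bug grants an attacker more than the device's own unauthenticated features already hand out. The capability ladder, asset inventory, and CVE ids below are constructed placeholders.

```python
from dataclasses import dataclass

# Constructed capability ladder for this example: each step strictly includes the
# ones below it (a firmware-flashing path gives everything "control" gives, and more).
RANK = {"none": 0, "read": 1, "dos": 2, "control": 3, "firmware": 4}


@dataclass(frozen=True)
class Asset:
    name: str
    on_critical_list: bool   # first test: is the system on the critical infrastructure list?
    design_exposure: str     # highest capability an unauthenticated *feature* already grants


@dataclass(frozen=True)
class Advisory:
    cve_id: str
    asset: str
    grants: str              # capability the reported bug hands an attacker


def changes_posture(asset: Asset, adv: Advisory) -> bool:
    """Second test: the bug matters only if it grants more than the device already
    gives away by design (a CSRF or overflow on a device with an unauthenticated
    control feature adds nothing to what an attacker can already do)."""
    return RANK[adv.grants] > RANK[asset.design_exposure]


def prioritize(assets: list[Asset], advisories: list[Advisory]) -> list[str]:
    """Return the CVE ids that pass both tests, i.e. the ones worth coordination effort."""
    by_name = {a.name: a for a in assets}
    return [adv.cve_id for adv in advisories
            if by_name[adv.asset].on_critical_list
            and changes_posture(by_name[adv.asset], adv)]


# Constructed inventory and advisories (placeholder ids, not real CVEs).
ASSETS = [
    Asset("plc-legacy", True, "control"),   # protocol writes process values with no logon
    Asset("hmi-station", True, "none"),     # logon required for everything
    Asset("lab-gateway", False, "none"),    # not on the critical list
]
ADVISORIES = [
    Advisory("CVE-EXAMPLE-0001", "plc-legacy", "control"),    # overflow -> control, already free by design
    Advisory("CVE-EXAMPLE-0002", "plc-legacy", "firmware"),   # bug lets an unsigned image be flashed
    Advisory("CVE-EXAMPLE-0003", "hmi-station", "dos"),       # crash in logon page of a locked-down HMI
    Advisory("CVE-EXAMPLE-0004", "lab-gateway", "firmware"),  # severe, but asset is not critical
]

if __name__ == "__main__":
    print(prioritize(ASSETS, ADVISORIES))   # ['CVE-EXAMPLE-0002', 'CVE-EXAMPLE-0003']
```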

But other SCADA experts say ICS-CERT is getting a bad rap. Eric Byres, CTO and vice president of Tofino Security, a division of Belden, says it's not ICS-CERT's mandate to deal with the systemic problems in control systems. "It's the elephant in the room. Yeah, these systems were never designed with security in mind; some were designed 20 to 30 years ago. Vendors are aware of the problem," Byres says.

It will take major players, such as Exxon and Duke Energy, among other corporations, with the ICS purchasing power, he says, to force vendors to step up and fix the systemic security issues. "It's not ICS-CERT's mandate to stand on the bandwagon and scream and yell and advocate. Its [mandate is] information dissemination, testing, and training," he says.

Byres says ICS-CERT is making a difference in SCADA security -- as a mechanism for researchers to disclose vulnerabilities responsibly, and its DHS-backed status gives it a higher level of visibility at the executive board level of SCADA vendors. "Schneider gets railed on, but the size of their security team was zero two years ago, and now it's about 20," he says. "[Vendors] are dumping tens of millions of dollars into this problem."

Doug Powell, a security expert who works for Canada's third largest utility, says ICS-CERT is doing exactly what it was created to do. "Is that adequate or enough to tell people a patch is required even if the patch is not relevant or if it's not applicable? That's not ICS-CERT's problem," says Powell. "It's got to be some responsibility for the vendor or owner-operator to take that information handed to them and do something with it."

That means risk analysis and evaluation, he says. "What could happen to me if I patch this minuscule [flaw] or if I don't do it? Those discussions happen" in utilities, he says. "There's always a risk calculation being done in the background [for patching]."

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

ICS-CERT's official mission is to issue alerts and advisories on cyberthreats and vulnerabilities that affect critical infrastructure. According to its recent report, the organization is charged with analyzing malware, vulnerabilities, and new exploits, conducting incident response for critical infrastructure owner-operators, and helping coordinate risk management in the industry.

A DHS National Protection and Programs Directorate (NPPD) spokesperson said in a statement in response to inquiries for this article: "Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS actively collaborates with public and private sector partners every day to respond to and coordinate mitigation in the face of attempted disruptions to the Nation's critical cyber and communications networks and to reduce adverse impacts on critical network systems," he said. "Last [fiscal] year, the Department's Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 177 incidents while completing 89 site assistance visits and deploying 15 teams with US-CERT to respond to significant private sector cyber incidents."

No Locks
True ICS security isn't about patches, Langner Communications' Langner says. "It's kind of like telling a home owner to fix a broken wire frame on a window in order to keep burglars out, while not telling him that there is no lock on his front door," he says.

"ICS-CERT as such is a good idea, and they have a lot of good talent on board," Langner says. But Langner says it could be better deployed.

Digital Bond's Peterson says he and his team have stopped submitting bugs they find to ICS-CERT. Instead, Peterson says they work directly with the SCADA vendors they think will actually fix the flaws they find. "If [the vendor is] not going to fix it, we just keep it. We don't feel like it's going to make a difference" reporting it to ICS-CERT or a nonresponsive vendor, he says. "When we do report it, it's a fair amount of work on our side."

And patching is sometimes just window dressing: One SCADA vendor that Peterson declined to name talked up its new security team and the bugs it had patched in its products. He says he asked them when they would begin authenticating uploads of new software and firmware, and the company admitted it wouldn't be starting on that fix for two to three years.

Fixing a few bugs but not the real security risks that are simplest for attackers to exploit is the wrong answer, according to Peterson.


Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...
