Third installment in an occasional series on SCADA security

The U.S. Department of Homeland Security's ICS-CERT has been regularly issuing vulnerability advisories for SCADA products over the past couple of years, and vendors increasingly have been issuing patches, but the gaping and easily exploitable design flaws inherent in many products remain.

Some renowned SCADA security experts contend that the current process of reporting bugs, patching bugs, and issuing alerts via ICS-CERT falls short. The bigger ICS/SCADA systems that control power plants or chemical plants are not typically the subject of ICS vulnerability alerts, they say, and most vendors still aren't fixing features in their products that were created prior to the networked environment, or that just don't factor in security (think lack of authentication).

ICS-CERT has been lauded for helping raise awareness of security problems in the systems and software that run power plants, as well as for as other services it provides to the ICS industry, including incident response and free tools. ICS-CERT responded to 177 cyberattack incidents reported by industrial control system operators last year, according to its newly published annual report (PDF).

Ralph Langner of Langner Communications, a security expert who was one of the first to discover Stuxnet, says the current ICS vulnerability advisory process covers only smaller flaws that can be patched, while the bigger security holes lay within the design features of the products. "The reality is that the most serious vulnerabilities in control systems are deliberate design features, not bugs," Langner says. And ICS-CERT doesn't handle insecure design features, he notes.

"ICS-CERT doesn't deal with insecure design features and is even reluctant to call those vulnerabilities -- quite a stretch because, by any definition, a vulnerability is a system property that an attacker can exploit, no matter if it came into existence by oversight or by poor design," Langner says.

The focus on bugs in micro-PLCs and human machine interface (HMI) software is missing the mark, he says. "Big DCS products that are used to control power plants or chemical plants, for example, don't make it into ICS-CERT publications, no matter how easily they can be exploited," Langner says.

Dale Peterson, CEO of SCADA security consultancy Digital Bond, says the advisories issued by ICS-CERT don't do much to improve overall security of SCADA systems. "Most of the vulnerabilities [in the alerts] have little impact on the security of the systems," says Peterson, who has been blogging recently on building a better ICS-CERT process.

He says that instead of vulnerability coordination, ICS-CERT should provide support to US-CERT in that regard. ICS-CERT should prioritize vulnerabilities based on how "the vulnerability affects a system on their critical infrastructure list AND the vulnerability affects the security posture of the system," which would give ICS-CERT the breathing room to drill down on fewer but more relevant security flaws, Peterson wrote in a blog post earlier this week. "The second requirement is important and often leads to misallocation of ICS-CERT effort. Does it really matter if there is a CSRF or buffer overflow vulnerability in a device that you can connect to and take complete control using a feature?"

But other SCADA experts say ICS-CERT is getting a bad rap. Eric Byres, CTO and vice president of Tofino Security, a division of Belden, says it's not ICS-CERT's mandate to deal with the systemic problems in control systems. "It's the elephant in the room. Yeah, these systems were never designed with security in mind; some were designed 20 to 30 years ago. Vendors are aware of the problem," Byres says.

It will take major players, such as Exxon and Duke Energy, among other corporations, with the ICS purchasing power, he says, to force vendors to step up and fix the systemic security issues. "It's not ICS-CERT's mandate to stand on the bandwagon and scream and yell and advocate. Its [mandate is] information dissemination, testing, and training," he says.

Byres says ICS-CERT is making a difference in SCADA security -- as a mechanism for researchers to disclose vulnerabilities responsibly, and its DHS-backed status gives it a higher level of visibility at the executive board level of SCADA vendors. "Schneider gets railed on, but the size of their security team was zero two years ago, and now it's about 20," he says. "[Vendors] are dumping tens of millions of dollars into this problem."

Doug Powell, a security expert who works for Canada's third largest utility, says ICS-CERT is doing exactly what it was created to do. "Is that adequate or enough to tell people a patch is required even if the patch is not relevant or if it's not applicable? That's not ICS-CERT's problem," says Powell. "It's got to be some responsibility for the vendor or owner-operator to take that information handed to them and do something with it."

That means risk analysis and evaluation, he says. "What could happen to me if I patch this miniscule [flaw] or if I don't do it? Those discussions happen" in utilities, he says. "There's always a risk calculation being done in the background [for patching]."

[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See The SCADA Patch Problem.]

ICS-CERT's official mission is to issue alerts and advisories on cyberthreats and vulnerabilities that affect critical infrastructure. The organization is charged with analyzing malware, vulnerabilities, and new exploits, as well as to conduct incident response for critical infrastructure owner-operators, and to help coordinate risk management in the industry, according to information in its recent report.

A DHS National Protection and Programs Directorate (NPPD) spokesperson said in a statement in response to inquiries for this article: "Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS actively collaborates with public and private sector partners every day to respond to and coordinate mitigation in the face of attempted disruptions to the Nation’s critical cyber and communications networks and to reduce adverse impacts on critical network systems," he said. "Last [fiscal] year, the Department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 177 incidents while completing 89 site assistance visits and deploying 15 teams with US-CERT to respond to significant private sector cyber incidents. "

No Locks
True ICS security isn't about patches, Langner Communications' Langner says. "It's kind of like telling a home owner to fix a broken wire frame on a window in order to keep burglars out, while not telling him that there is no lock on his front door," he says.

"ICS-CERT as such is a good idea, and they have a lot of good talent on board," Langner says. But Langner says it could be better deployed.

Digital Bond's Peterson says he and his team have stopped submitting bugs they find to ICS-CERT. Instead, Peterson says they work directly with the SCADA vendors they think will actually fix the flaws they find. "If [the vendor is] not going to fix it, we just keep it. We don't feel like it's going to make a difference" reporting it to ICS-CERT or a nonresponsive vendor, he says. "When we do report it, it's a fair amount of work on our side."

And patching is sometimes just window dressing: One SCADA vendor that Peterson declined to name talked up its new security team and that it had patched some bugs in its products. He says he asked them when they would begin authenticating the uploads of new software and firmware, and the company admitted they wouldn't be starting on that fix for two to three years.

Fixing a few bugs but not the real security risks that are simplest for attackers to exploit is the wrong answer, according to Peterson.

Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.