By Byron V. Acohido
SEATTLE — At the root of concern about cyber attacks against our nation’s critical infrastructure is the profoundly hackable state of industrial controls.
Yet, discussion about the abject lack of security in ICS (Industrial Control Systems,) SCADA (Supervisory Control and Data Acquisition) and PLC (Programmable Logic Controller) systems has taken somewhat of a back seat to sexier security issues, such as insider hacking and denial of service attacks.
Based on discussions I heard at the Kaspersky Security Analysts Summit in Punta Cana and at the RSA Conference in San Francisco last month, there is no driving force that will cause this gaping exposure to be substantively narrowed anytime soon.
The voluntary NIST standards stemming from President Obama’s cybersecurity executive order at least gets the ball rolling, says Chris Blask, chair of ICS-ISAC, the Industrial Control System Information Sharing and Analysis Center.
“We’re lacking the drivers to get the necessary work done, but there are steps being taken in the right direction,” Blask says.
Last Watchdog asked Billy Rios, Qualys’ Director of Threat Intelligence to paint the bigger picture. Rios gave an eye-opening talk at the Kaspersky conference in Punta Cana demonstrating the gaping vulnerabilities in airport security controls systems.
More: SANS holds ICS summit in Orlando
LW: How would you summarize the nature and scale of vulnerabilities that lurk in control systems for buildings, manufacturing plants and utilities?
Rios: We’re in a pretty sad state of affairs. These are some of the worst vulnerabilities I’ve seen in a long time: hardcoded backdoor passwords; access to privileged shells without requiring a password; improper use of encryption; unauthenticated remote code execution by design; inadequate threat modeling; lack of exploit mitigation technology. The security of software like iTunes is much more robust than most ICS software.
LW: Why has this exposure come about?
RIOS: Security simply wasn’t architected into these devices and software. Organizations figured they could implement security later, so they put it off and didn’t think about it. Silicon Valley has a term for this; it’s called ‘technical debt.’ The ICS industry has accumulated an enormous amount of technical debt!
LW: Just because something is poorly configured, doesn’t mean it will get attacked. That said, what is the true nature and scope of this threat?
RIOS: While it’s easy to understand the technical portions of an attack, things like motivation, willingness, or emotion, all of which can be the catalyst for attack, are really difficult to measure.
Instead of trying to guess when/where a particular device will be attacked, I think a better strategy is to identify devices that represent the most risk to an organization and develop the appropriate defenses for those devices.
Simply discovering what devices you have on the network and understanding who those devices drive your business process is the foundation for securing these devices. Many organizations haven’t even taken this first step.
LW: Which organizations are at the most risk?
Rios: It’s difficult to generalize, but we’ve seen hospitals online and vulnerable, banks, police stations, fire stations, churches, schools, corporate headquarters, pretty much anything you can imagine. If you have a corporate campus, you are at risk. If you have a datacenter, you are at risk. If you have a badge access system that controls access to a sensitive facility, you are at risk.
While the general state of security for all of these devices is really poor, those devices that are directly exposed to the Internet are at the most risk. There is a project undertaken by a handful of security researchers that has identified 1 million ICS devices directly exposed to the Internet. These are the devices that are at the most risk.
LW: Are there basic remediation and/or best practices that could be done?
Rios: A good friend of mine ran an exercise that pit attackers and defenders against each other in a controlled environment. The most effective defense was to simply download and install patches on exposed devices. Pretty simple. If you have devices directly exposed to the Internet, please consider putting it behind a VPN or implementing some other type of access control.
