Monday, December 31, 2012

Reader Comment – 12-30-12 – Vulnerable Facilities

Dale Peterson, a long-time reader and cybersecurity blogger/expert, left an interesting comment on yesterday’s post about industrial feedlot vulnerabilities. He noted that:

“A lot of control systems may not be critical infrastructure but have a big impact on an individual or business if compromised.
“A few years back we did an assessment at a prominent University. One of their big concerns was a multi-hour electrical outage or HVAC failure could wipe out numerous grad and doctoral students' research projects.”

Dale is absolutely correct; everyone that owns any kind of control system has something to lose if that control system is compromised, even if it is nothing more than the inconvenience of not being able to open your garage door. Of course, the same could be said of concerns about the general reliability of the system.

Risk Assessment

This is the reason that all control system owners, down to the garage-door opener owners, need to conduct a risk assessment for their systems. I think that a realistic risk appraisal by most ICS owners would not show a high threat of terrorist attack. Critical infrastructure facilities would probably be an exception, as would some other facilities where a specific group has an ax to grind with the facility owner/operator (our feedlot example, for instance). On the whole, however, most facility owners do not have to worry about terrorist cyber-attacks.

Two other types of outsider cyber-attacks should be considered in any reasonable risk assessment: electronic thieves and ruthless competitors. Electronic thieves may be after anything of value, including ‘protection payments’ for not shutting down the control system. Ruthless competitors (and that includes some nation-states) could be after process information or be trying to compromise the integrity of the control system to put competitive production at a disadvantage.

There is one other form of outsider attack that is probably going to become more prevalent now that the vulnerabilities of control systems and their internet accessibility are becoming better known: script kiddies. These are frequently adolescent (not necessarily age-defined) individuals seeing what they can accomplish to make a name for themselves. As more ICS attack tools become generally available on the Internet, the number and exploits of these denizens of the dark side of the Internet will become more of a problem for control system owners.

The most common source of cyber-attack for most facilities is not an outsider. Most ‘attacks’ will come from within the firewall and may be deliberate attacks by employees or contractors with personal grudges or, probably more common, accidental ‘attacks’ where employees or contractors inadvertently do something that has some sort of disruptive effect on the system. The last category is probably the most common form of control system incident and needs to be better documented.

Control System Vulnerabilities

All of the control system vulnerabilities that are reported by folks like ICS-CERT, vendors (like the Siemens-CERT) and independent security researchers (white hats) make any of the above described attacks easier. As these vulnerabilities are discovered and mitigated (or mitigations are developed) it is the responsibility of the ICS owner to ensure that the mitigations and protective tools are applied to their systems.

Unfortunately, I would suspect that the vast majority of control systems do not have systems engineers available to track vulnerabilities and implement protective mitigations. Large company systems probably have some level of protective services available, but most small company owners that employ the lower-cost systems have no idea that the vulnerabilities exist, much less how to protect against them.

The Solutions Are Not Easy

The ‘easy answer’ would be to require vendors to push vulnerability reports and mitigation measures to the owners. There are a couple of problems with this. First, many systems are not sold directly by the vendor, so the vendor has no way to contact all of the owners. Second, for systems where a direct push of new versions and updates to the ICS is possible (and we have seen more reports of this type of action lately in ICS-CERT advisories), the vendor runs the risk of disrupting the actual operation of the control system.

Finally, the long time over which an ICS is used ensures that there will be a turnover of knowledgeable employees on site, and maybe even of the management team, while the system still runs. There is some unknown number of systems where the current owners are just letting the system run, hoping that nothing breaks down that their routine maintenance can’t address.

The long-term solution is to engineer industrial control systems with security as an integral part of the design. Even that won’t be a perfect solution. It just takes too long for control systems to die. That, and the fact that even with security part of the design process, there will still be holes to find and exploit. Just look at how long Microsoft has been working at their security processes; they have their security updates down to just a couple of times per month…

Moving Forward

There is no easy solution; everyone in the ICS sector needs to be more aware of the security problems, and there has to be better communication between everyone in the community. Vendors need to reach out to owners. Owners need to network to gain access to the necessary information. White Hats need to keep plugging away at problem identification. And people like me need to keep bugging the world about the problem.

1 comment:

Dale Peterson said...

Patrick - The flip side is the risk assessment might show little impact of a compromise. There are a huge number of control systems that fall into this category.

Consider a SCADA system that reads natural gas meters. If the meter has no control capability and is simply connected to a sensor or sensors taking measurements, the impact of a compromise would be one or many meter readings being incorrect.

The first reaction could be ... that could cost us a lot of money. However most of these systems have many other controls beyond the meter read via SCADA.

- they may have a physical read (a person goes out and looks at the meter) quarterly. The impact would be a loss of the time value of money for those two months

- most of these billing systems have automated reasonableness checks. If the bill varies beyond a certain percentage it triggers an action, such as a manual check of the meter

- if you look at a lot of utilities’ terms of service you will see they have the right to extrapolate or interpolate usage if the SCADA read is not available on the billing day.

You are right on in focusing on risk. Nothing turns an Operations Team off more than a "security guru" coming in and emphasizing a vulnerability that has little impact.
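Dale’s comment names two compensating controls that bound the impact of a bad SCADA meter read: an automated reasonableness check that triggers a manual meter check when the bill varies beyond a percentage, and the utility’s right to interpolate usage when the SCADA read is missing on billing day. The Python below is an added example, not code from the original post, from Dale Peterson, or from any utility’s billing system, showing how such a check might be structured. The meter history, the 25% tolerance, the three-period baseline window and the decision labels are all constructed assumptions; the only behaviour taken from the comment is “deviation beyond a threshold goes to a person, missing read gets interpolated.”

```python
"""Reasonableness check for SCADA meter reads before billing.

Added example, not from the original post, Dale Peterson, or any
utility's billing system. Meter values, the 25% tolerance and the
three-period baseline window are constructed for illustration.
"""
from statistics import mean
from typing import List, Optional, Tuple

# Constructed history: cumulative register value at the end of each
# monthly billing period for one meter. Monthly usage is the difference
# between consecutive reads (480, 495, 475, 510 here).
HISTORY = [10_000.0, 10_480.0, 10_975.0, 11_450.0, 11_960.0]


def usage_history(reads: List[float]) -> List[float]:
    """Monthly usage derived from consecutive cumulative reads."""
    return [later - earlier for earlier, later in zip(reads, reads[1:])]


def expected_usage(reads: List[float], window: int = 3) -> float:
    """Baseline: mean usage over the most recent `window` periods (assumed window)."""
    usages = usage_history(reads)
    return mean(usages[-window:])


def assess_read(reads: List[float], scada_read: Optional[float],
                tolerance: float = 0.25) -> Tuple[str, float]:
    """Decide whether this period's SCADA read can be billed automatically.

    Returns (decision, usage_to_bill) where decision is one of:
      'bill'         usage is within `tolerance` of the baseline
      'manual'       usage deviates too far, or the register went backwards,
                     so a person goes out and checks the meter
      'interpolated' no SCADA read on billing day; usage extrapolated from history
    The labels and the 25% default are assumptions, not a real utility's rules.
    """
    baseline = expected_usage(reads)
    if baseline <= 0:
        # No usable history to compare against; let a person decide.
        return "manual", 0.0
    if scada_read is None:
        # Missing read: bill the baseline, as the terms of service allow.
        return "interpolated", baseline
    usage = scada_read - reads[-1]
    if usage < 0:
        # A cumulative register cannot decrease; treat as a bad read.
        return "manual", baseline
    deviation = abs(usage - baseline) / baseline
    if deviation > tolerance:
        # Bill varies beyond the threshold: the automated check fires.
        return "manual", baseline
    return "bill", usage


if __name__ == "__main__":
    # Four constructed scenarios for the same meter on billing day.
    for label, read in [("normal", 12_450.0), ("too high", 12_960.0),
                        ("went backwards", 11_900.0), ("missing", None)]:
        print(f"{label:>15}: {assess_read(HISTORY, read)}")
```

The point of the example is the one Dale makes: the SCADA read is one input to billing, not the only one, so a single corrupted read changes a number that other checks already bracket. The decision labels are what a billing workflow would act on; the integrity signal worth noting for detection purposes is the register-went-backwards case, which cannot happen on a real cumulative meter and so indicates a bad read rather than unusual consumption.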
