SCADA vulnerabilities, redux?

Industrial control systems need security focus

Phil Carson | Apr 01, 2012

Industrial control systems, specifically SCADA (supervisory control and data acquisition), are increasingly a cause for security concerns. Those concerns had been with us for decades, but in the opinion of several ICS folks we've spoken to, they took on new urgency when the Stuxnet worm successfully disabled centrifuges busy enriching uranium at Natanz, Iran, in 2010.

Granted, Stuxnet, to many observers, was so sophisticated it could only be produced by one or more technologically advanced national governments and it targeted the uranium enrichment centrifuges of a rogue government. The proof point was that it succeeded, exploiting a vulnerability in Microsoft Windows and targeting Siemens industrial software and equipment, including programmable logic controllers (PLCs). Thus, the conclusion: if Stuxnet succeeded, then ICSs in anyone's hands are vulnerable and ought to be protected.

The difference between cyber security for enterprise networks that handle corporate data and securing ICSs in the power industry is, of course, that messing with the former can disrupt business and lead to lost revenue and profit. Messing with ICSs can lead to the malfunction of high voltage equipment, possibly leading to lost lives. 

We've spoken with industry gadfly Joe Weiss, principal at Applied Control Solutions, LLC, whose warnings to the industry are imbued with an urgency that tends to draw an audience. You'll find those conversations and related discussions in "Control Systems, Incident Reporting and Online News," "Cyber Security and Control Systems" and "Small World."

Weiss' urgency can be off-putting, as he himself has acknowledged. But he's hardly the only person raising the issue. I spoke briefly last week with James Collinge, who is responsible for portfolio management and strategy for Hewlett-Packard's TippingPoint, a network security division. Maybe it's a matter of whether you consider the glass half empty (Weiss) or half full (Collinge), but the latter capped his cautionary remarks about SCADA vulnerabilities with a few positive observations that I'll include here.

Part of the problem is motivating utility executives to action—executives who find it difficult to imagine the benefits for bad actors pursuing harm to their ICSs or the likelihood of such a Hollywood-flavored event. But many in the cyber security business typically cite the fact that the vast majority of cyber incidents are the result of unintended consequences (i.e., a mistake) or the work of a disgruntled employee. So you don't need to be a paranoid, Cold War holdout to grasp that vulnerabilities are just that, and that they can be exploited purposefully or by mistake. The result could be the same.

To Collinge's points.

"Overall, in the past year, the news is not all gloom and doom," Collinge said. "If you look at electric utilities, the application of NERC CIP guidelines is an encouraging activity."

The NERC CIP (North American Electric Reliability Corporation's Critical Infrastructure Protection) may strike some as "checklist compliance," but Collinge pointed out that countries such as Australia and Canada have seen fit to voluntarily adopt those guidelines for securing their grids.

"Whether or not it's the holy grail of security is another issue," Collinge told me. "The voluntary application of NERC CIP in other countries speaks to its usefulness."

Apart from NERC CIP compliance, what are some recommended best practices?

First, inventory your systems, Collinge suggested. One issue is that companies sometimes acquire legacy systems, perhaps through mergers and acquisitions, and don't fully understand those systems' pedigrees. Scan your infrastructure for vulnerabilities. Are there unsecured access points? As utilities sometimes outsource network management, new access points—such as vendor laptops—may be introduced, and they may not comply with a utility's security protocols.

Then, knowing the vulnerabilities, a utility can adopt a strategy and apply the full range of security tools, from physical security to cyber security, to mitigate those vulnerabilities. Of course, those actual strategies and tools are unique to each utility and rarely openly discussed.
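The inventory-then-mitigate sequence above is easy to state and tedious to do by hand. The following is an added example, not code from the column or from TippingPoint, showing the first concrete step: reconciling what a utility believes it owns against what is actually seen on a control-network segment, so that unknown devices (a vendor laptop plugged into a switch, say), assets of unknown pedigree (no recorded owner, typically inherited through an acquisition) and assets with stale patch records surface as a prioritized list. The inventory records, the observed-device records, the 90-day patch threshold and the reference date are all constructed for illustration.

```python
"""Reconcile an ICS asset inventory against observed network devices.

Constructed example data throughout; the device names, MAC addresses,
addresses and dates below are made up and do not describe any real utility.
"""
from datetime import date

PATCH_MAX_AGE_DAYS = 90          # assumed policy threshold, not from the column
REFERENCE_DATE = date(2012, 4, 1)  # fixed "today" so results are reproducible

# Constructed authoritative inventory: what the utility believes it owns.
# An empty "owner" models a legacy system whose pedigree nobody can vouch for.
INVENTORY = [
    {"mac": "00:1a:2b:00:00:01", "name": "plc-substation-7",
     "owner": "ops", "acquired_via": "direct", "last_patch": "2011-11-01"},
    {"mac": "00:1a:2b:00:00:02", "name": "hmi-control-room",
     "owner": "ops", "acquired_via": "direct", "last_patch": "2012-02-15"},
    {"mac": "00:1a:2b:00:00:03", "name": "rtu-legacy-acq",
     "owner": "", "acquired_via": "acquisition", "last_patch": ""},
    {"mac": "00:1a:2b:00:00:04", "name": "historian-dmz",
     "owner": "it", "acquired_via": "direct", "last_patch": "2012-03-20"},
]

# Constructed observations, as they might come from switch MAC tables or
# DHCP leases. The last entry is not in the inventory at all.
OBSERVED = [
    {"mac": "00:1A:2B:00:00:01", "ip": "10.10.7.10", "port": "sw7/1",
     "seen": "2012-03-28T09:02:00"},
    {"mac": "00:1a:2b:00:00:02", "ip": "10.10.1.20", "port": "sw1/4",
     "seen": "2012-03-28T09:02:05"},
    {"mac": "00:1a:2b:00:00:03", "ip": "10.10.9.5", "port": "sw9/2",
     "seen": "2012-03-28T09:02:11"},
    {"mac": "a4:5e:60:00:00:99", "ip": "10.10.1.77", "port": "sw1/12",
     "seen": "2012-03-28T10:41:37"},
]


def _parse_date(text):
    """ISO date string -> date, or None when the record is blank."""
    return date.fromisoformat(text) if text else None


def reconcile(inventory, observed, today=REFERENCE_DATE,
              max_age=PATCH_MAX_AGE_DAYS):
    """Compare inventory with observations and return categorized findings.

    unknown_device       observed on the wire but absent from the inventory
    unknown_pedigree     inventoried, but no owner recorded
    stale_patch          inventoried, patch record missing or older than max_age
    inventoried_not_seen inventoried, but not observed (retired? or unplugged?)
    """
    by_mac = {d["mac"].lower(): d for d in inventory}
    findings = {"unknown_device": [], "unknown_pedigree": [],
                "stale_patch": [], "inventoried_not_seen": []}
    seen = set()
    for obs in observed:
        mac = obs["mac"].lower()   # normalise case before matching
        seen.add(mac)
        if mac not in by_mac:
            findings["unknown_device"].append(
                {"mac": mac, "ip": obs["ip"], "port": obs["port"],
                 "seen": obs["seen"]})
    for mac, dev in by_mac.items():
        if not dev.get("owner"):
            findings["unknown_pedigree"].append(dev["name"])
        last = _parse_date(dev.get("last_patch", ""))
        if last is None or (today - last).days > max_age:
            findings["stale_patch"].append(dev["name"])
        if mac not in seen:
            findings["inventoried_not_seen"].append(dev["name"])
    return findings


def prioritize(findings):
    """Flatten findings into (severity, message) tuples, highest first.

    Unknown devices come first because each one is a possible unsecured
    access point; pedigree gaps next, since nobody owns remediation for them.
    """
    items = []
    for d in findings["unknown_device"]:
        items.append((1, f"unknown device {d['mac']} at {d['ip']} on {d['port']}"))
    for name in findings["unknown_pedigree"]:
        items.append((2, f"{name}: no recorded owner; pedigree unknown"))
    for name in findings["stale_patch"]:
        items.append((3, f"{name}: patch record missing or older than policy"))
    for name in findings["inventoried_not_seen"]:
        items.append((4, f"{name}: in inventory but not observed"))
    return sorted(items)


if __name__ == "__main__":
    for severity, message in prioritize(reconcile(INVENTORY, OBSERVED)):
        print(severity, message)
```

Matching on MAC address is a hygiene check, not an access control: addresses can be spoofed, so an "unknown device" finding is a prompt to go and look at that switch port, and a clean run is not proof that nothing foreign is attached. In practice the two inputs would be exported from an asset database and from the switches or DHCP server rather than typed in as literals.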

The foregoing, of course, applies to retroactive security, which is less desirable than a proactive stance, possible with new systems and networks. That's where mantras such as "bake it in, don't bolt it on" come into play.

As in many areas, the cost-benefit analysis will determine how expensive and how big an effort might be required to secure ICSs, according to Collinge. Once an asset is identified, it's a straightforward process to determine the cost of its loss or disruption. Then it's possible to crunch a rational level of cost for preventive measures.

Whether you take an alarmist stance or a calmer, pragmatic attitude, the perennial issues around protecting ICSs continue to raise their heads. The lack of a prominent incident in the United States to date says nothing about the potential cost of ICS disruption in terms of financial loss or loss of human lives. At least, that's what I'm hearing.

Phil Carson
Intelligent Utility Daily


SCADA redux

"Once an asset is identified, it's a straightforward process to determine the cost of its loss or disruption." If only that were the case. Where do you stop? How long is the asset out of production? As your next paragraph suggests, "the potential cost of ICS disruption in terms of financial loss or loss of human lives" makes this calculation difficult if not impossible. If you've ever been involved in one of these drills you know how they go: management says, "Give me the cost of an outage." So you multiply the hourly rate at the enterprise times the time to recover and the answer is invariably in the millions of dollars. But these aren't hard dollars, and people can be productive in other ways than using their systems.

This says nothing about the cost of lives (the real doomsday scenario). The cost of a life in the US is a lot more than the $50,000 the US recently paid relatives for the loss of each loved one after an unfortunate recent shooting spree. Perhaps even more costly is the loss of reputation a utility might face for an event that reduces public confidence (can you say PG&E San Bruno settlement?).

Points well taken

I probably should know better than to write a sentence that includes the phrase "a straightforward process" ... (Save that for, e.g., starting the car, toasting bread, etc.)

Indeed, tomorrow's column is about utility difficulties in the Northeast in resolving outages after a tropical storm and an early snowstorm last fall. Public confidence was shaken, producing utility executive resignations, a state attorney general investigation and many communities looking for alternatives to centralized power.

Anyone have a better model for calculating the proper cost-benefit ratio for assessing ICS protections?

Regards, Phil Carson