SCADA vulnerabilities, redux?
Industrial control systems need security focus
Industrial control systems, specifically SCADA (supervisory control and data acquisition), are increasingly a cause for security concerns. Those concerns had been with us for decades until, in the opinion of several ICS folks we've spoken to, the Stuxnet worm successfully disabled centrifuges busy enriching uranium at Natanz, Iran, in 2010.
Granted, Stuxnet, to many observers, was so sophisticated it could only be produced by one or more technologically advanced national governments and it targeted the uranium enrichment centrifuges of a rogue government. The proof point was that it succeeded, exploiting a vulnerability in Microsoft Windows and targeting Siemens industrial software and equipment, including programmable logic controllers (PLCs). Thus, the conclusion: if Stuxnet succeeded, then ICSs in anyone's hands are vulnerable and ought to be protected.
The difference between cyber security for enterprise networks that handle corporate data and securing ICSs in the power industry is, of course, that messing with the former can disrupt business and lead to lost revenue and profit. Messing with ICSs can lead to the malfunction of high voltage equipment, possibly leading to lost lives.
We've spoken with industry gadfly Joe Weiss, principal at Applied Control Solutions, LLC, whose warnings to the industry are imbued with an urgency that tends to draw an audience. You'll find those conversations and related discussions in "Control Systems, Incident Reporting and Online News," "Cyber Security and Control Systems" and "Small World."
Weiss' urgency can be off-putting, as he himself has acknowledged. But he's hardly the only person raising the issue. I spoke briefly last week with James Collinge, who is responsible for portfolio management and strategy for Hewlett-Packard's TippingPoint, a network security division. Maybe it's a matter of whether you consider the glass half empty (Weiss) or half-full (Collinge), but the latter capped his cautionary remarks about SCADA vulnerabilities with a few positive observations that I'll include here.
Part of the problem is motivating utility executives to action—executives who find it difficult to imagine the benefits for bad actors pursuing harm to their ICSs or the likelihood of such a Hollywood-flavored event. But many in the cyber security business typically cite the fact that the vast majority of cyber incidents are the result of unintended consequences (i.e., a mistake) or the work of a disgruntled employee. So you don't need to be a paranoid, Cold War holdout to grasp that vulnerabilities are just that, and that they can be exploited purposefully or by mistake. The result could be the same.
To Collinge's points.
"Overall, in the past year, the news is not all gloom and doom," Collinge said. "If you look at electric utilities, the application of NERC CIP guidelines is an encouraging activity."
The NERC CIP (North American Electric Reliability Corporation's Critical Infrastructure Protection) may strike some as "checklist compliance," but Collinge pointed out that countries such as Australia and Canada have seen fit to voluntarily adopt those guidelines for securing their grids.
"Whether or not it's the holy grail of security is another issue," Collinge told me. "The voluntary application of NERC CIP in other countries speaks to its usefulness."
Apart from NERC CIP compliance, what are some recommended best practices?
First, inventory your systems, Collinge suggested. One issue is that companies sometimes acquire legacy systems, perhaps through mergers and acquisitions and don't fully understand those systems' pedigrees. Scan your infrastructure for vulnerabilities. Are there unsecured access points? As utilities sometimes outsource network management, new access points—such as vendor laptops—may be introduced and they may not comply with a utility's security protocols.
Then, knowing the vulnerabilities, a utility can adopt a strategy and apply the full range of security tools, from physical security to cyber security, to mitigate those vulnerabilities. Of course, those actual strategies and tools are unique to each utility and rarely openly discussed.
The foregoing, of course, applies to retroactive security, which is less desirable than a proactive stance, possible with new systems and networks. That's where mantras such as "bake it in, don't bolt it on" come into play.
As in many areas, the cost-benefit analysis will determine how expensive and how big an effort might be required to secure ICSs, according to Collinge. Once an asset is identified, it's a straightforward process to determine the cost of its loss or disruption. Then it's possible to crunch a rational level of cost for preventive measures.
Whether you take an alarmist stance or a calmer, pragmatic attitude, the perennial issues around protecting ICSs continue to raise their heads. The lack of a prominent incident in the United States to date says nothing about the potential cost of ICS disruption in terms of financial loss or loss of human lives. At least, that's what I'm hearing.
Intelligent Utility Daily