Cyber Security Institute

§ Current Worries

Top 3 Worries

  • Regulations
  • Old Firewall Configurations
  • Security Awareness

§ Listening

For the best information

  • The underground
  • Audible
  • Executive Excellence
  • Music (to keep me sane)

§ Watching

For early warnings

  • 150 Security Websites
  • AP Newsfeeds
  • Vendors

Monday, April 16, 2007

SCADA State of Denial

Utilities and other process-oriented companies that run supervisory control and data acquisition (SCADA) systems are starting to feel the heat of security vulnerabilities—and hackers.  Some of these risks—and bugs—are unique to their environments, which historically weren’t secured because they were built to be isolated, closed systems, but they also share the same Microsoft vulnerabilities as a typical enterprise does.  These once-cloistered systems and networks are increasingly using off-the-shelf products such as Microsoft-based operating systems and IP-based networking equipment, and require interconnection via the Internet as well, which also opens the door to attackers from the outside in addition to the inside.  With critical infrastructures at risk when it comes to power (nuclear and otherwise), water, and transportation companies running these systems, the stakes are obviously much higher.  One of the biggest missing links is authentication: Many don’t even bother using authentication because they consider their systems closed and therefore safe, he says.

“They put in Windows with no intention of ever patching it, and then they are surprised when they get hit by a worm,” Graham says.  Or they avoid patching and vulnerability testing because these processes pose risks of their own for SCADA systems—introducing other bugs to their highly sensitive and uptime-demanding systems, for instance.  “They are managed by a Pearl Harbor-type mentality,” Graham says.

Attacks exploiting the latest OPC bugs could be avoided if logins were required in the app because the attacker needs login privileges to do his dirty work.

“Auditing is not as in-depth in my opinion or as transparent for SCADA” as it is for other industries.  And some security experts say commercial IDS/IPS, antivirus, and SIM products don’t really fit for SCADA.

Mark Fabro, CEO of Lofty Perch, which makes SIM solutions for the water utility industry as well as other critical infrastructure companies, says commercial IDS/IPS and SIM systems don’t map well to industry control systems, where there are thousands of different protocols, many of them proprietary.

http://www.darkreading.com/document.asp?doc_id=121887

Posted on 04/16
News • (0) CommentsPermalink