Norman Safeground Blogs

insight, opinion & information


SCADA Environments Lack Sufficient Information Security

The technicians at a local chemical manufacturing plant have discovered that a virus has disabled their temperature monitoring controls. Although they are unsure of when the virus compromised the systems, they do know several vats are overheating. Alarms are signaling that an immediate evacuation is required. The warning isn’t limited to the plant; all individuals within a two-mile radius must leave. This may sound like the carefully crafted plot of a movie; but, unfortunately, this is not fiction. The incident could easily occur at any hour, on any day, at almost any plant around the globe.

In 2010, the Stuxnet worm exploited flaws in SCADA software from Siemens and used the vulnerabilities to inject malicious code into systems controlling the uranium enrichment centrifuges in Iran’s Natanz nuclear facility. Unfortunately, this incident was not an anomaly. Attacks on SCADA and industrial control systems (ICS) are growing in volume and frequency. The publicity surrounding these attacks is driving significantly more interest in how to secure these systems. SCADA, which is an acronym for supervisory control and data acquisition, is software designed to monitor and control devices in an industrial or manufacturing setting. SCADA systems are typically found in environments such as:

  • Power and water plants
  • Nuclear facilities
  • Oil and gas industries
  • Maritime environments
  • Public transportation systems
  • Manufacturing facilities

The software usually excels in areas of performance, reliability and flexibility. To date, security has not been a primary focus for SCADA software creators despite the sobering implications of a breach – millions of dollars of damage, significant risk to human safety and countless hours of lost service. The recent increases in attacks have been somewhat of a shock to the industrial sector, which it seems never anticipated SCADA systems would be the target of digital criminals.

Industry researchers at a security conference earlier this month very candidly said,

“Ultimately, what we found is the state of security is kind of laughable. The bugs were straight out of the ‘90s, and for the most part were blatantly obvious.”

Researchers at the SCADA Security Scientific Symposium only a month before had similar findings. Their testing found undocumented features that attackers could abuse for malicious purposes. However, the issues did not end with hidden features. Testing of the most popular and frequently used SCADA systems uncovered multiple back door accounts, outdated firmware, inadequate security controls, easily compromised configuration files, susceptibility to buffer overflows, remotely exploitable vulnerabilities and various authentication problems.

Analysts at Gartner categorize SCADA and ICS systems as “Operational Technology.” They point out that many organizations have very different governance and management processes for computers and servers as compared to operational technology. Gartner’s John Pescatore stated,

“Even though those things are increasingly CPU and software driven, they are still treated like machines vs. computers in many cases — meaning that security has been focused on physical security, not information security, and there has been an over dependence on security through obscurity.”

It’s not just teams of hackers sponsored by nation-states and elite attackers that can penetrate SCADA systems; average digital criminals have all the tools and information necessary to breach the important but poorly protected software.

At Norman, we feel that SCADA environments are one of the biggest challenges in the security industry today. Many SCADA systems have no built-in security, which leaves the industries that rely on them poorly protected against cyber threats to their infrastructure. In fact, according to Sean McBride, Director of Analysis at Critical Intelligence, a firm dedicated to threat intelligence services for industrial control systems, more breaches of SCADA systems were publicly reported in 2011 than in the entire previous decade. This is especially alarming when you consider that public disclosures probably only represent a fraction of actual occurrences.

Unlike IT vendors, makers of SCADA systems don’t seem to be taking their security issues very seriously, and often respond inadequately even when their products have critical public exploits. Data shows that over half of the vulnerabilities detected in SCADA systems don’t have patches available. Even when patches are available, data from the Industrial Control System Cyber Emergency Response Team (ICS-CERT) shows a 60% failure rate in the patches.

Vendors may ignore the problem, but attackers won’t, which means you can’t – unless you enjoy being a public example of how badly things can go wrong. Leading security vendors like Norman are stepping forward to address the vast gaps in the SCADA market. Norman has just added Norman SCADA Protection (NSP) to its family of Norman Network Protection (NNP) enterprise security products. The solution protects SCADA systems against attacks from trojans, worms, viruses and other forms of malware that can cause substantial financial, reputational, physical and even human damage.

NSP can be installed at the network perimeter to prevent ICS and SCADA systems from being compromised by malware transferred across the network. NSP can also protect these systems against unsecured portable storage devices (e.g., USB memory sticks) that carry malicious code. Like other solutions in the NNP product line, Norman has placed an extra emphasis on making NSP easy to install and use. The product also has a price point that is significantly less than competing solutions.

Has your organization experienced any attacks on SCADA or ICS systems? Does your organization have formal controls in place to prevent breaches? Let us know your thoughts.


One Response to SCADA Environments Lack Sufficient Information Security

  1. ed gelbstein says:

    We seem to have forgotten all the “embedded systems” when trying to sort out Y2K that were not even known to the IT departments. SCADA is more of the same – none of the good things that IT people learned how to do (change and configuration management, access controls and all the things listed in ITIL, COBIT, SWEBOK, DMBOK, PMBOK, NIST SP800 and the rest) may or may not be done, and if done, well or not so well. The wakeup call has perhaps not been heard?




The Author:

Made up of various contributors' opinions and insights - the power of the collective.
