CADA and process control people are very immature in the technology theyre introducing," commented Graeme Pinkney, head of threat intelligence for Europe, Middle East and Africa (EMEA) with cyber security specialists Symantec at the press conference following the one day Industrial Cyber Security Conference organized in London by Symantec and PA Consulting Group in mid March.
SCADA systems are bearing the lowest hanging fruit, in terms of vulnerability to cyber attack, he added. Pinkney contended that industrial automation vendors and users have been happy to accept the benefits of adopting IT technologies, specifically in the form of Windows and Ethernet, but have been naÃ¯ve in their failure to adopt IT standards of security and best practice. Process control people need to ask themselves Do you know where youre going? in terms both of the technology that is being adopted and the strategies that are being developed to protect industrial systems from current and future threats, said Pinkney.
You have to do a risk assessment of what youre doing.
In Pinkneys view responsibility for cyber security in manufacturing organizations will increasingly devolve on IT and it may in many cases be necessary for process control people to report into IT, a view which may not meet with immediate enthusiasm in process control circles.
SCADA systems are bearing the lowest hanging fruit, comments Graeme Pinkney, head of threat intelligence for EMEA.
Principal message of Sevounts presentation was that industrial systems do indeed have different security requirements and pose different problems from conventional IT systems, notably in terms of the need for high availability, and therefore require a different approach. Underlying the whole problem appears to be a basic lack of understanding and communication.
SCADA is run by operators who arent security specialists and IT doesnt understand SCADA, said Sevounts who cited a recent report in The Washington Post which quoted a representative of a major US utility as saying that We dont know if were susceptible to attack or not.
Lowes presentation, already familiar in part to attendees at such events as Emersons Manufacturing Excellence, included new data on both risks and actual attacks. Although much of the current concern about security stems from the increasing tendency to link manufacturing and corporate systems, its worth noting that, according to Lowe, only 43% of infections with worms and viruses currently gain access via the corporate network, the remaining majority come through various back doors into the manufacturing system itself. Particularly worrying trends, he believed are the growing reliance on outsourcing which results in key parts of the PC network being outsourced, although they remain physically connected, and the increasing use of wireless without adequate security precautions.
Lowe repeated the warning that the hacker community is taking an increasing interest in industrial systems, recent hacker conferences in the UK having included presentations on industrial protocols such as Modbus. Hackers are taking an increasing interest in industrial systems because of the challenges they present and, perhaps most worryingly, because the consequences are so much more interesting.
Perhaps the most serious threat currently arises from the time which elapses between security patches being issued by Microsoft and those patches being validated and implemented on industrial systems.
According to Lowe, those wishing to exploit security loopholes are able to reverse engineer a patch and hence identify the vulnerability it is designed to address within a matter of days, while the time to implement the patch on a typical industrial system is of the order of months, during which time all such systems are open to attack. Lowe seemed to be reluctant to put the blame onto Microsoft itself, pointing out that it has never claimed that Windows is anything other than a generic computing platform, but it is clear that automation software vendors, regulatory authorities and end users need to address more effective solutions as a matter of urgency. At least one delegate to the conference from the pharmaceutical industry planned to go straight back and break the links between his organizations manufacturing and corporate systems immediately, said Lowe.
Stressing that cyber security is an ongoing process rather than something which can be implemented and forgotten, Lowe detailed a series of measures which should form the basis of a cyber security strategy for industrial users, beginning with a business risk assessment and the implementation of short and longer term improvements.
Organizations then need to assess their ability to respond to specific threats, to improve their awareness and skills and to identify and manage third party risks. Arguably most important is the need to establish an on-going governance framework for the management of future risk.
Andrew Bond is Editor of Industrial Automation INSIDER (UK) and can be reached at Tel +44(0)1622 858251, or by e-mail at firstname.lastname@example.org.