Process Automation Systems: How Secure Is Secure Enough?

Where Do You Draw the Line in Applying Security to Your Systems?

By Walt Boyes


What does "fairly well" mean? "These companies started working on this topic pre-Stuxnet and have bolstered their programs since," Cusimano continues. "They generally have, or are working on, written policies and procedures specifically for ICS security; have firewalled their ICS networks from their business networks; and have conducted internal security assessments of their critical facilities."

Yet Dr. Erik Johansson, senior affiliated researcher at the Dept. of Industrial Information and Control Systems, Royal Institute of Technology (KTH) in Sweden, when asked the same question said, "I do hope so."

Joe Weiss, principal at Applied Control Solutions, and's security blogger says, "ICS systems in process industries are NOT secure [his emphasis]. The degree of insecurity ranges, depending on the end user. It is not clear if they are more secure than last year, as there are now more identified vulnerabilities and more people aware of ICS cyber vulnerabilities. ICSs in the electric industry are no more secure than in any other industry. In fact, an argument can be made that the NERC CIP process with all its exclusions has made the electric utilities less secure than other industries."

Marcelo Branquinho, executive director of TIsafe, a security consultant in Brazil with more than 15 years' experience in ICS and SCADA systems, piles on. "No, they aren't secure at all." But he goes on, "In Brazil, things are becoming more secure now due to some new government regulations and new government publications such as the 'blue book,' the Guia de Referência para a Segurança das Infraestruturas Críticas da Informação (Safety Reference Guide for Critical Infrastructure Information), a guide for security in ICS that government corporations are starting to follow."

David Mattes, a former end user from the Boeing Co. and now founder of Asguard Networks, says, "I don't have direct experience with the process industries, but I've been paying a lot of attention to the various voices speaking out about ICS security in the different industrial sectors. From what I've heard, not much is being implemented by way of security solutions, but a lot more connectivity is being added, and torrents of vulnerabilities are being disclosed. The sum of the parts then is that process industries are not, in general, secure, and they are less secure than they were last year."

Richard Guida, who retired in 2011 as vice president, worldwide information security at Johnson and Johnson Inc. and is now a part-time consultant in enterprise security, says that control systems are, "less secure, because more PLCs and SCADA systems are being put on internal networks. Hence, they may become accessible over the Internet. So, while the vulnerabilities have not changed, the threats are much worse, given the higher exposure. The risks are much higher now and getting worse every year as more systems get exposed. The attack surface is growing far more quickly than any efforts at securing the systems."

Who Is Attacking? How Do We Defend?

Byres says that there are "Two kinds—dumb mistakes and well-designed advanced persistent threats (APTs). I still see a lot of down time from issues that are caused by simple mistakes—the infected laptop on the plant floor, the consultant connecting in remotely from an insecure home computer, and so on. These are expensive and obvious."

Byres goes on, "Now some people claim that APTs are just marketing hype, but Shamoon, Flame, Stuxnet, Nitro, Night Dragon and Duqu are all good examples of APTs. Trying to wish away APTs as hype is a clear case of sticking one's head in the sand."

Clint Bodungen, security analyst with Amor Group LLC, says, "Operators should defend against any attack that has a relatively significant chance of success of impact to operations where the consequence is greater than what the operator is willing to accept."

Bodungen goes on, "What does that translate to in terms of attack types? Well that could be different between operators. Operations with Windows machines on the process control network, especially those that allow USB media, should be concerned with APTs such as viruses and worms more so than some 'überhacker' cracking through layers of enterprise security and the DMZ to finally get through to the production network."

Ultimately, and more realistically, Bodungen believes that it is much more likely that a cyber breach will occur as a result of an ill-trained user or poor security procedures rather than some sophisticated targeted attack.

"That being said," he continues, "I don't think there are too many hackers that would say, 'I want to attack this SCADA network, but I hope it's a real challenge with a risk of being caught.' Therefore, any common 'low-hanging fruit' could also be a threat. Such threats would be any published vulnerability with a known and working exploit in circulation, especially if it has been released as a Metasploit exploit."

Metasploit is open-source security software that is the result of a collaboration between the open source community and Rapid7. Metasploit software helps security and IT professionals identify security issues, verify vulnerability mitigations and manage expert-driven security assessments.



  • As a retired enterprise IT pro I liked this article very much. It shows security thinking 'the other way round', which is an enrichment even for persons not involved with ICT.

