To many in the IT community, the gap in understanding industrial control system cyber security is gaping. I was drawn to a May 29th Dark Reading article titled “Large Electric Utilities Earn High Security Scores”, http://www.darkreading.com/vulnerabilities---threats/large-electric-utilities-earn-high-security-scores/d/d-id/1269299? - as the title seemed to be at odds with what I have seen. Selected snippets from the article are below, along with my responses:
"I was looking for utilities to do poorly. But what we learned here is it's mostly SCADA systems that have their [security] issues. The largest utilities in the S&P 500 are pretty high-performing" when it comes to securing their networks, says Stephen Boyer, founder and CTO of BitSight, which tracks malicious traffic on the Internet. Beyond those small utilities that have a lot of problems, the larger ones are pretty sophisticated. They are pretty good at segmentation and responding very quickly to threats, he says.”
Response: This lack of understanding of the importance of control systems keeps recurring in IT circles. The statement, “it’s mostly the SCADA systems that have security issues” demonstrates Stephen Boyer’s lack of understanding of utility (industrial) operations. “SCADA” (industrial control systems) are what industrial organizations use to produce or distribute products. Making a statement about size is also inappropriate as utilities are interconnected – big and small. There are more than enough small facilities (power plants and substations) that are not being addressed for cyber security (i.e., the NERC CIPs) to cause a very significant impact on the overall grid. Moreover, the only two utilities acting as test beds for Aurora and control system cyber security are small utilities, not big ones. Since there are minimal control system cyber forensics or training to compensate for the lack of cyber forensics, it is difficult to respond to a threat they don’t even know exists.
"Large investor owned utilities have fairly sophisticated security practices. Like large financial institutions, they have significant security budgets and cyber risk has executive level visibility," said Dave Dalva, vice president of security science at Stroz Friedberg, in a statement in BitSight's report, published this week.”
Response: Dave’s statement may make sense for the large investor-owned utilities business IT systems. However, all anecdotal information I have seen indicates there is not enough resources or attention being paid to control systems (in almost all industries). This past February I gave a presentation at a utility industry conference for insurers and risk managers. It was evident at that conference that the attendees did not understand the control system cyber security risk to their companies.
“ICS/SCADA systems notoriously suffer from security shortcomings mainly due to plant operators' priority of operations and safety, rarely patching and updating software for fear of disrupting the power supply or manufacturing process, for instance.”
Response: The implication is that plant operators are too focused on safety and reliability. Where is the problem!? The real question is why isn’t IT focused on this also?
BitSight gathered the data for its analysis via its global sensors on the Internet that detect botnet and other malicious traffic, and tracks malware and the duration of its presence on systems for its customers.”
Response: IT views security as Windows, the Internet, malware, botnets, etc. While these may also be issues for control systems, there are others that are more significant. Moreover, the real issues are what is happening on the control system networks, not just the Corporate networks. BitSight (and others) aren’t even looking there. That is why a Wall Street Journal article of several years ago claiming that China was in the utilities’ networks didn’t make sense as the control system networks weren’t instrumented. How would anyone know? The utility control system cyber security test bed is instrumenting the control system network. The results of what is really happening there should be interesting.
Utilities are mostly plagued by a family of Trojans called Redyms (26%), which redirect search engine results, Zeus (15%), Zero Access (13%), Cutwail (8%), and Confickr (8%).
Response: These are IT Trojans. Why wasn’t Stuxnet, Aurora, HART vulnerabilities, etc addressed? These are the control system cyber security issues.
When people complain that operators are too focused on safety and reliability I don’t know whether to laugh or cry.