What is more important - cyber vulnerabilities or actual cyber incidents?

Feb. 13, 2012

The recent S4 Conference has shone a light on the cyber vulnerabilities of many industrial controllers.  The vulnerabilities identified are generally textbook IT vulnerabilities - use of weak passwords, use of Telnet, cross-site scripting weaknesses, buffer overflows, etc. To at least

"

The recent S4 Conference has shone a light on the cyber vulnerabilities of many industrial controllers.  The vulnerabilities identified are generally textbook IT vulnerabilities - use of weak passwords, use of Telnet, cross-site scripting weaknesses, buffer overflows, etc. To at least some of us in the control systems community these vulnerabilities are not unexpected.  The fact that many of these systems are also connected to the Internet as Eireann Leverett demonstrated is also not new even though the numbers of control system connected to the Internet are striking.

What is unexpected and most disconcerting are the inherent design vulnerabilities of the controllers. As Ralph Langner mentioned, it is the design vulnerabilities that the pros will go after such as Stuxnet.

There are other design vulnerabilities besides Stuxnet that don't seem to be addressed by the researchers, vendors, and end-users. These are not IT vulnerabilities but "security design" vulnerabilities in the controllers or the systems where they are used. These deficiencies were not identified as they were not vulnerabilities in performance or safety. However, when maliciously exploited, they become vulnerabilities in performance and safety. These vulnerabilities include Aurora (as demonstrated by INL in 2007) which is a "design vulnerability" in the grid itself, design issues that affected the San Bruno natural gas pipeline failure, design issues that affected the 2008 Florida outage, etc. These design deficiencies have no IT patches and can be exploited by malicious intruders. With no guidance or fixes, these incidents continue to recur sometimes with devastating results. 

These deficiencies are essentially engineering vulnerabilities and therefore must be addressed by both Engineering and IT. To date, getting the two communities together has been difficult. An example was a note on the Cyber Security Forum Initiative on 2/12/12. One individual wrote the following: "There is NOTHING unique about industrial controls, they are just like any other computer system, or network. To think any differently, you have your head in the sand."

Hopefully, Congress will address the unique control system issues, especially the need for control system cyber security training, as they move forward on their proposed cyber security legislation.

Joe Weiss

Sponsored Recommendations

Make Effortless HMI and PLC Modifications from Anywhere

The tiny EZminiWiFi is a godsend for the plant maintenance engineers who need to make a minor modification to the HMI program or, for that matter, the PLC program. It's very easy...

The Benefits of Using American-Made Automation Products

Discover the benefits of American-made automation products, including stable pricing, faster delivery, and innovative features tailored to real-world applications. With superior...

50 Years of Automation Innovation and What to Expect Next

Over the past 50 years, the automation technology landscape has changed dramatically, but many of the underlying industry needs remain unchanged. To learn more about what’s changed...

Manufacturing Marvels Highlights Why EZAutomation Is a Force to Be Reckoned With

Watch EZAutomation's recent feature on the popular FOX Network series "Manufacturing Marvels" and discover what makes them a force to be reckoned with in industrial automation...