|
|
|
|
|
|
SCADA systems are bearing the lowest hanging fruit, comments Graeme Pinkney, head of threat intelligence for EMEA.
|
The conference itself, to which the press had not, unfortunately, been invited, attracted a total of some 80 delegates, drawn from both vendors and users and from utilities and manufacturing. Star turns were Gary Sevounts, director of Power, Energy and Utilities with Symantec in the US; Justin Lowe, principal consultant with PA Consulting Group; and Eric Byres of the British Columbia Institute of Technology. Lowe and Byres, it will be recalled, are the joint authors of â
The Myths and Facts behind Cyber Security Risks for Industrial Control Systems, the report published earlier this year which highlighted how the principal focus of cyber security measures needed to switch from internal to external threats, since the latter now accounted for 70% of cyber attacks.
Different Problems
Principal message of Sevounts presentation was that industrial systems do indeed have different security requirements and pose different problems from conventional IT systems, notably in terms of the need for high availability, and therefore require a different approach. Underlying the whole problem appears to be a basic lack of understanding and communication.
SCADA is run by operators who arent security specialists and IT doesnt understand SCADA, said Sevounts who cited a recent report in The Washington Post which quoted a representative of a major US utility as saying that We dont know if were susceptible to attack or not.
Lowes presentation, already familiar in part to attendees at such events as Emersons Manufacturing Excellence, included new data on both risks and actual attacks. Although much of the current concern about security stems from the increasing tendency to link manufacturing and corporate systems, its worth noting that, according to Lowe, only 43% of infections with worms and viruses currently gain access via the corporate network, the remaining majority come through various back doors into the manufacturing system itself. Particularly worrying trends, he believed are the growing reliance on outsourcing which results in key parts of the PC network being outsourced, although they remain physically connected, and the increasing use of wireless without adequate security precautions.
Interesting Consequences
Lowe repeated the warning that the hacker community is taking an increasing interest in industrial systems, recent hacker conferences in the UK having included presentations on industrial protocols such as Modbus. Hackers are taking an increasing interest in industrial systems because of the challenges they present and, perhaps most worryingly, because the consequences are so much more interesting.
Perhaps the most serious threat currently arises from the time which elapses between security patches being issued by Microsoft and those patches being validated and implemented on industrial systems.
According to Lowe, those wishing to exploit security loopholes are able to reverse engineer a patch and hence identify the vulnerability it is designed to address within a matter of days, while the time to implement the patch on a typical industrial system is of the order of months, during which time all such systems are open to attack. Lowe seemed to be reluctant to put the blame onto Microsoft itself, pointing out that it has never claimed that Windows is anything other than a generic computing platform, but it is clear that automation software vendors, regulatory authorities and end users need to address more effective solutions as a matter of urgency. At least one delegate to the conference from the pharmaceutical industry planned to go straight back and break the links between his organizations manufacturing and corporate systems immediately, said Lowe.
On-going Process
Stressing that cyber security is an ongoing process rather than something which can be implemented and forgotten, Lowe detailed a series of measures which should form the basis of a cyber security strategy for industrial users, beginning with a business risk assessment and the implementation of short and longer term improvements.
Organizations then need to assess their ability to respond to specific threats, to improve their awareness and skills and to identify and manage third party risks. Arguably most important is the need to establish an on-going governance framework for the management of future risk.
Andrew Bond is Editor of Industrial Automation INSIDER(UK) and can be reached at Tel +44(0)1622 858251, or by e-mail at [email protected].