Thoughts on Security for Industrial Control Systems (ICS)

For years (but no longer) Industrial Control SCADA systems, controlling PLCs, were “air gapped” from the Internet and from office LANs. Sadly, these systems often permitted dial-in for remote management. While air gapped systems might be an excuse (outdated thinking since Stuxnet) for a lack of design concern about security, dial-in should have stimulated designing for security. It did not. Many others have, for years, publicly bemoaned this industry-wide negligence. This note is simply to express my personal concern on just how bad the situation is.

Here are just a few common design problems:

  • Password protection is either non-existent or easily circumvented.
  • New code, even new firmware, can easily be installed remotely in PLCs, without significant authentication.
  • Network messages are sent to and from PLCs in clear text, easily decoded, and easily spoofed by a “man in the middle” attack.
  • SCADA/ICS networks are often lacking even basic network defense-in-depth (e.g., being partitioned into Zones with SCADA/ICS-aware firewalls on the conduits between each Zone).

One would think that with vast amounts of US infrastructure controlled by PLCs, the US government would take such security flaws with as much concern as, say, commercial airline security. In 2013 there was a tiny blip of concern for the security of automated medical devices such as drug infusion pumps, but I don’t hear howls of anguish over this. Fortunately or unfortunately there has not been an attack on industrial infrastructure anywhere near the magnitude of the 9/11/2001 attacks. The many smaller attacks, proof of concept experiments, and even Stuxnet have not raised ICS security to a national crisis level. From a government organizational level, ICS is nested somewhat down in the DHS hierarchy:

  1. DHS
    1. Office of Cybersecurity and Communciations (CS&C)
      1. National Cybersecurity and Communications Integration Center (NCCIC)
        1. US CERT
        2. ICS-CERT

ICS-CERT recently published some “tips” for security of ICSs. These are mostly just good tips for any system and don’t focus on design issues such as those above. I worry about their lack of focus. On the other hand, the ICS-CERT security advisories are definitely focused on ICS, but I’ve seen complaints that ICS-CERT does not address fundamental design issues. What is also unclear as of 2015 is how fast product providers are addressing even identified vulnerabilities. It appears to me that while the ICS industry has been glacially slow, compared to the commercial computer system industry, which is tracked by US-CERT, there is some noticeable improvement in the ICS space, but I don’t have any statistical data to support my feeling..

One thing that is clear to me is that operators of industrial control systems should be demanding security from their vendors – including security vendors – and should heavily insure against cyberattacks. Of course, no one wants to bear the cost of upgrades, and no one wants to pay for more insurance. That said, what’s the cost of a cyberattack taking out your factory? One of the lessons of the recent Sony breach is that the financial loss (so far) has been mitigated substantially by Sony’s cyber-insurance. Are industrial control systems well insured for cyber-attacks?


Tags: , , , , , , , , , , ,

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: