Security Experts:

Connect with us

Hi, what are you looking for?


Security Architecture

Industrial Control Systems Security One Year After Stuxnet: Got Vulnerabilities? Deal with it.

SCADA, Industrial Control Systems Security

Got Vulnerabilities? Deal with it.

SCADA, Industrial Control Systems Security

Got Vulnerabilities? Deal with it.

There’s been a lot of recent reflection on SCADA and Industrial Control Systems cyber security in the year following Stuxnet. Sadly, a lot of this reflection has been unnecessarily (and unjustly) negative. Some are saying that nothing has changed. Others lament that even more vulnerabilities are exposed today than a year ago. Blame continues to be pointed at Siemens and other DCS vendors for allowing their control systems to be exploitable. I find these opinions interesting because they are counter to one of the most basic principles of information security: that Security is a process, not a product. In other words: you find vulnerabilities, and you deal with them. There are still hundreds of collective, well-known, exploitable vulnerabilities for the Macs and PCs that we all use day by day. Some are patched; new ones are found. No matter how diligent Microsoft, Apple and others might be, there will always be vulnerabilities present. Code is complex and hackers are clever: end of story.

Critical Infrastructure SecuritySo why is the current state of SCADA and ICS security the fault of Siemens, Alstom, Rockwell Automation, or any other control system vendor? I work with many of these companies day to day, and I know that they are all diligent. They also represent a product install base that can often be measured in millions of units, which are deployed in real-time environments with limited (and very controlled) maintenance windows. In addition, discovering vulnerabilities within these systems hasn’t really been a focus until Stuxnet scared the industry, just a little more than one year ago—it’s only logical that new vulnerabilities are being found at a high rate. To think that there wouldn’t be any vulnerabilities to find is naive. To think that these vendors can remove all instances of all vulnerabilities within moments of their discovery is equally unrealistic. And, even if patches were released with immediacy, these patches would go largely unapplied due to the strict uptime requirements of a control system.

So how is this positive? It’s positive because the control system vendors are working hard to secure their systems. Even more importantly, they’re also being realistic, and in many cases are investing in compensating security controls to protect open vulnerabilities from being exploitable. This is encouraging, and it’s also smart. Knowing that there will always be new vulnerabilities, and known how hard it is to remediate them within an ICS product, the strategy of preventing exploitability outside of the ICS is one that would make Sun Tzu proud.

So, forget security being a product, and think about it as a process again. It’s a familiar process: assess networks and systems for vulnerabilities. Patch what can be patched. Compensate for what can not. Monitor everything to find any indication that some other new threat is about to surface. In other words, maintain a state of situational awareness: perceive, assess, and react. Lather, rinse, repeat. It’s no different from what most SOC teams deal with every day, only with a larger focus on compensatory measures because of a lower dependence of patching.

Compensatory measures can be firewalls, intrusion prevention systems, whitelisting systems, protocol filters … in many cases the same tools that we’ve used successfully to secure our PCs and laptops against all of those OS vulnerabilities. It takes awareness, and diligence, and energy—but that’s what cyber security is all about. So to those who continue to place the blame on an asset vendor because they have an open vulnerability, I say put down your binky, and pick up your mouse. Run your VA scanner. Patch or compensate. Pen test your effort—and share your successes and failures with the industry. We’re all actively working on this problem, after all, and there’s strength in numbers.

It does put some of the burden back on the shoulders of control system operators, and it also puts an equally daunting burden on the shoulders of ‘enterprise’ security vendors, who now have to tweak and tailor products and technologies to function in a new world, full or new protocols. Actually—make that “old” protocols; many the field bus and SCADA protocols I wrote about in my last column have been around longer than Ethernet and TCP/IP. However, it’s new to the realm of cyber security, and it’s made it a very interesting (and busy) time to be a security vendor.

The good news is that the control systems vendors, the security vendors and their customers are shouldering those burdens. A year ago, I heard a control system operator adamantly insist that his network was 100% secured. Today, I hear operators arguing over whether new measures are strong enough, and what can be done to make it even stronger. To me, that’s progress, and a positive outlook on the state of control system security, one year later.

Related Reading: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems

Related Reading: Are Industrial Control Systems Secure?

Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers

Related Reading: The Increasing Importance of Securing The Smart Grid

Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


Less than a week after announcing that it would suspended service indefinitely due to a conflict with an (at the time) unnamed security researcher...

Risk Management

The supply chain threat is directly linked to attack surface management, but the supply chain must be known and understood before it can be...


Apple has released updates for macOS, iOS and Safari and they all include a WebKit patch for a zero-day vulnerability tracked as CVE-2023-23529.

Application Security

Drupal released updates that resolve four vulnerabilities in Drupal core and three plugins.

Cloud Security

VMware vRealize Log Insight vulnerability allows an unauthenticated attacker to take full control of a target system.


Patch Tuesday: Microsoft warns vulnerability (CVE-2023-23397) could lead to exploitation before an email is viewed in the Preview Pane.

IoT Security

Lexmark warns of a remote code execution (RCE) vulnerability impacting over 120 printer models, for which PoC code has been published.

Application Security

A CSRF vulnerability in the source control management (SCM) service Kudu could be exploited to achieve remote code execution in multiple Azure services.