Got Vulnerabilities? Deal with it.
There’s been a lot of recent reflection on SCADA and Industrial Control Systems cyber security in the year following Stuxnet. Sadly, a lot of this reflection has been unnecessarily (and unjustly) negative. Some are saying that nothing has changed. Others lament that even more vulnerabilities are exposed today than a year ago. Blame continues to be pointed at Siemens and other DCS vendors for allowing their control systems to be exploitable. I find these opinions interesting because they are counter to one of the most basic principles of information security: that Security is a process, not a product. In other words: you find vulnerabilities, and you deal with them. There are still hundreds of collective, well-known, exploitable vulnerabilities for the Macs and PCs that we all use day by day. Some are patched; new ones are found. No matter how diligent Microsoft, Apple and others might be, there will always be vulnerabilities present. Code is complex and hackers are clever: end of story.
So why is the current state of SCADA and ICS security the fault of Siemens, Alstom, Rockwell Automation, or any other control system vendor? I work with many of these companies day to day, and I know that they are all diligent. They also represent a product install base that can often be measured in millions of units, which are deployed in real-time environments with limited (and very controlled) maintenance windows. In addition, discovering vulnerabilities within these systems hasn’t really been a focus until Stuxnet scared the industry, just a little more than one year ago—it’s only logical that new vulnerabilities are being found at a high rate. To think that there wouldn’t be any vulnerabilities to find is naive. To think that these vendors can remove all instances of all vulnerabilities within moments of their discovery is equally unrealistic. And, even if patches were released with immediacy, these patches would go largely unapplied due to the strict uptime requirements of a control system.
So how is this positive? It’s positive because the control system vendors are working hard to secure their systems. Even more importantly, they’re also being realistic, and in many cases are investing in compensating security controls to protect open vulnerabilities from being exploitable. This is encouraging, and it’s also smart. Knowing that there will always be new vulnerabilities, and known how hard it is to remediate them within an ICS product, the strategy of preventing exploitability outside of the ICS is one that would make Sun Tzu proud.
So, forget security being a product, and think about it as a process again. It’s a familiar process: assess networks and systems for vulnerabilities. Patch what can be patched. Compensate for what can not. Monitor everything to find any indication that some other new threat is about to surface. In other words, maintain a state of situational awareness: perceive, assess, and react. Lather, rinse, repeat. It’s no different from what most SOC teams deal with every day, only with a larger focus on compensatory measures because of a lower dependence of patching.
Compensatory measures can be firewalls, intrusion prevention systems, whitelisting systems, protocol filters … in many cases the same tools that we’ve used successfully to secure our PCs and laptops against all of those OS vulnerabilities. It takes awareness, and diligence, and energy—but that’s what cyber security is all about. So to those who continue to place the blame on an asset vendor because they have an open vulnerability, I say put down your binky, and pick up your mouse. Run your VA scanner. Patch or compensate. Pen test your effort—and share your successes and failures with the industry. We’re all actively working on this problem, after all, and there’s strength in numbers.
It does put some of the burden back on the shoulders of control system operators, and it also puts an equally daunting burden on the shoulders of ‘enterprise’ security vendors, who now have to tweak and tailor products and technologies to function in a new world, full or new protocols. Actually—make that “old” protocols; many the field bus and SCADA protocols I wrote about in my last column have been around longer than Ethernet and TCP/IP. However, it’s new to the realm of cyber security, and it’s made it a very interesting (and busy) time to be a security vendor.
The good news is that the control systems vendors, the security vendors and their customers are shouldering those burdens. A year ago, I heard a control system operator adamantly insist that his network was 100% secured. Today, I hear operators arguing over whether new measures are strong enough, and what can be done to make it even stronger. To me, that’s progress, and a positive outlook on the state of control system security, one year later.
Related Reading: Bridging the Air Gap: Examining Attack Vectors into Industrial Control Systems
Related Reading: Are Industrial Control Systems Secure?
Related Reading: How to Make the Smart Grid Smarter than Cyber Attackers
Related Reading: The Increasing Importance of Securing The Smart Grid
Related Reading: Stuck on Stuxnet – Are Grid Providers Prepared for Future Assaults?