The recent CitectSCADA vulnerability disclosure and the associated discussion on various control system mailing lists, blogs and forums raises some interesting assertions. Assertions that have piqued my interest in the past when following other discussion on various forums in regards to control system (be it ICS, SCADA, DCS, etc) security. What is this assertion? Namely that control systems aren’t connected to the internet, and as such are inherently secure.

The initial response from Citect in regards to verifying the vulnerability on their [Citect’s] end (according to the time-line proffered by Core Security) was basically a “meh, so what?” Meaning, yes the issue exists, thanks for making us aware of it, but if our asset owners/users are following best practices and/or our security guidelines then it is not an issue as there is no connectivity to the outside, so we aren’t going to do anything about it.

Is this lack of connectivity actually the case in the real world?

Being of aware of the findings of multiple on site assessments at asset owner installations, I would have to conclude…… no. To say that control systems are completely isolated is at best a misnomer and at worst… well I’ll avoid categorizing the worst.

In every case that I am aware of some form of connection exists. Generally so that management can garner metrics about system production and performance, but ease of use and other issues can also motivate connectivity.

Connections on these systems run the gamut from; (the most common) a connection to a data historian slave on a corporate LAN, or DMZ, paths for system management, patching and repairing by vendors and system engineers, to allowing operators to run web browsers and e-mail clients from their HMI workstations.

If a connection exists between the corporate LAN, or DMZ and the control system environment, and the corporate LAN or DMZ has internet connectivity, then an indirect connection exists between the control system and the internet. It involves more hops, and more effort for an attacker to exploit, but it is a connection.

Despite this I have seen too many arguments that these systems are effectively isolated and therefore safe from cyber intrusions. What occurs in the real world is most often at odds with what is suggested in best practices or vendor guidelines. The real world is driven by ROI and this drive demands connectivity, which opens the possibility for vulnerability.