My Point: The ICS vulnerabilities being found and trumpeted have little impact on SCADA and DCS that run the critical infrastructure. Somehow we need to get the increased effort to identify vulnerabilities focused on the critical ICS applications and components.
Post-Stuxnet there have been an exponentially increasing number of SCADA and DCS vulnerabilities disclosed by researchers of all hat colors. In 2011 the pace really quickened with Luigi Auriemma, Dillon Beresford, Rubén Santamarta and others taking the full disclosure route. In earlier entries we have noted that almost all of the vulnerabilities affect either freely available demo software, usually HMI/operator stations, or very low-end and low-cost systems.
Digital Bond has been performing DCS and SCADA Security Assessments since 2000, and we have only seen the systems listed in the ICS-CERT vulnerability reports a handful of times. They are not frequently used in the critical infrastructure such as pipeline SCADA, power plant DCS, or refinery DCS. These large, critical infrastructure systems are using more expensive, system type products.
Take the oil refinery market as an example. Three vendors dominate that market: Emerson Delta V, Honeywell and Yokogawa. It is hard to find accurate market share numbers, but those three likely represent at least 75% of the refinery installations in the world. A similar small number of systems represent pipeline SCADA and other vertical sectors. Yet these systems get little or no attention from the security community because they are very hard to get your hands on unless you are doing a customer assessment under NDA. (Note: This is one area where I agree with Eric Byres and Gary Mintchell that owner/operators have a big role to play in solving this problem by insisting security be addressed and identified vulns be fixed)
Brian Owen recently commented on our Beresford podcast entry:
Feels somewhat ironic given opinions about the nature of S7-1200 deployments (low exposure for critical infrastructure).
I wonder if it makes sense to prioritize cyber research and response capability on products intended for use as SIS.
Ralph Langner recently wrote me:
The biggest problem I’m presently having is why bother with some cheap vulns on a micro-PLC that everbody would have expected, when at the same time so much more significant stuff remains untouched.
If we look at Dillon’s research, he focused on the S7-1200 rather than the 300 or 400 for a simple reason. He only had $2,000 to spend on equipment, and most independent researchers would not even have that much to spend.
Some of the large vendors that deploy real critical infrastructure ICS are taking security very seriously. They have in-house and independent security assessments, and they are working on their security development lifecycle (SDL). They are dealing with huge legacy code issues, but they are making good progress, especially with the new systems being sold and deployed. Unfortunately, some of the vendors whose systems run the most critical infrastructures still are living life like it is the 90’s. These vendors are holding off any changes in products or process, relying on the fact the bad guys shouldn’t have access to the network, and the fact that no vulns have been published yet on their systems.
Many, if not most, of the SCADA and DCS that run the critical infrastructure have been assessed by Idaho National Labs (INL), and this has become almost like a certification despite INL’s clear warnings it is not. The problem with the INL assessments, even those partially funded by the USG, is even the key results are never made public. The vendor can choose to sit on the vulnerabilities and still say they have had an INL security assessment. As has been widely reported, Siemens was assessed in 2008 by INL and choose to do nothing about the vulnerabilities discovered and eventually exploited by Stuxnet.
Of course this all ties into the vulnerability disclosure argument. Is it a good thing that the SCADA and DCS applications and components are not available for researcher analysis and full or partial disclosure? The cost and difficulty of access will lessen certain threats, but not the more directed threats.
Hopefully the ICS and ICS security community will find a way to focus on the systems and applications running the critical infrastructure that would have a large impact if compromised — and not be distracted by the increased flow of vulns in free demo software and low cost hardware that is rarely seen in the critical infrastructure. These vulns should be addressed and fixed, but from a risk management standpoint they are not where the focus should be.
Image by me’nthedogs