Bad SCADA Security Statistics

I’ve been a vocal skeptic on information sharing, particularly the US legislative emphasis on information sharing as the critical ingredient for making progress in ICS and SCADA security. Yesterday provided a lot of ammunition for my argument.

All too often programs are destined to be labeled a success regardless of the outcome (Cyberstorm is a great example; LOGIIC is another). Kim Zetter of Wired showed another example where the comedy of errors in the Illinois Water Pump Non-Hack event was called a success. From Kim’s article:

Officials behind the false claims told Senate investigators that such reports weren’t meant to be “finished intelligence” and that despite their report’s inaccuracies and sloppy wording they considered it to be a “success.”

“[It did] exactly what it’s supposed to do – generate interest,” DHS officials told Senate investigators.

As hard as it is to believe, this is not isolated behavior. The recent ICS-CERT Incident Response Summary Report that covered 2009-2011 activity has been widely mischaracterized as demonstrating some massive increase in cyber attacks on SCADA and DCS. These were mainly attacks on the companies that ran the critical infrastructure, not attacks on the SCADA and DCS themselves: the same types of attacks, SSH brute force password cracking, spear phishing, etc., that any large company is subject to. In addition, ICS-CERT was just ramping up in 2010, and a sizeable portion of the increase is due to the fact that they were better known and more active in 2011.

Nevertheless, various government and industry leaders have jumped on these numbers as evidence of a huge increase in ICS critical infrastructure attacks, without correction or clarification by DHS. This is obviously another success, because it generated interest in SCADA security.

Which brings us back to the information sharing canard. Another Wired article from yesterday, DHS Counterterror Centers Produce ‘A Bunch of Crap’ Senate Finds discusses a Senate report that “found no evidence that DHS’ 70-plus fusion centers — places where state, local and federal law enforcement analyze and share information – uncovered a single terrorist threat between April 1, 2009 and April 30, 2010.”

Information sharing proponents could argue that these fusion centers are just not doing it right, but they are supposedly one of the main accomplishments in connecting the dots since 9/11. And DHS is the focal agency in many of the enhanced information sharing proposals in the proposed legislation or Executive Order.

It is a bit frustrating to repeatedly write it, and probably to read it, but why can’t the ICS security community emphasize actually applying basic security controls such as authentication, security event logging, secure coding, …, to critical infrastructure SCADA and DCS? When will governments, industry organizations and ICS security gurus just say straight out that critical infrastructure ICS need to replace or upgrade to secure systems now?
