Insecure By Design

These are typical, illustrative, and sad.

Conversation 1: PLC Vendor

A PLC vendor reached out to Digital Bond and encouraged us to share any results we found on their systems with them. He said they were very interested in security and understood they needed to do better. He went on in some detail on how they were dealing with vulnerabilities that a couple of researchers had sent to them. It had caused some angst within the organization, but management was getting on board that they needed to be addressed and fixed.

After mostly listening for about 15 minutes, I asked when they were going to add basic security controls to write requests, other important function codes, ladder logic transfers and firmware updates. This, according to the vendor, was a very difficult issue given legacy code, potentially unhappy customers, difficulty of the fix, … This is likely to be many years away, and there was no schedule or plan to do this.

My response was that an attacker isn’t going to bother exploiting a vulnerability if he can use a product feature with even more capabilities. (As Ralph Langner would say, “That’s how the professionals do it”.) He is a nice, well-meaning guy, and it was unclear how he felt about the situation he is saddled with in the PLC vendor company.

Conversation 2: Owner/Operator

We had an ICS assessment debrief with senior management — the very top. We typically get senior operations management to attend, but in this case it was top corporate management in a company that has a large number of ICS. In these opportunities you have to really focus the message and figure out what 1 or 2 things you want them to walk away understanding and ready to take action on.

Our number 1 message – if the bad guys, malware or any other attack code gets to your ICS, he or it will be able to take down or control your process. The PLCs and controllers lack basic security to stop any attack. You have to secure your perimeter to the best degree possible and prevent even legitimate external access to the ICS, because those are attack paths.

Most executives do not understand how vulnerable their ICS are. When you explain it to them they are shocked … wait you mean there is no security at all??? Not even basic security like my ATM card? Once they understand that they are much more supportive, and often lead the effort, to eliminate access that is helpful and convenient, but not absolutely necessary.

Once they have done that and their security program is more mature, they can start beefing up detection, internal segmentation, and other measures. However, none of this really changes the basic fact that an attacker who gets to the ICS can stop or control the process. It just means you might catch him sooner or make it a bit harder.
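The two conversations come down to one fact: the request that changes a controller's state carries no credential at all, so the only controls available are network-level ones (perimeter, segmentation, detection). The example below is added here to make that concrete and is not code from the post or from any vendor. It assumes Modbus/TCP as the protocol (the post names "write requests" and "function codes" without naming a protocol), parses the MBAP header and function code of constructed sample frames, and applies a per-source allowlist for write function codes, which is exactly the kind of compensating control the post says an owner/operator is left with.

```python
"""Flag PLC write requests from hosts that should not be issuing them.

Added illustration, not code from the original post. Assumption: Modbus/TCP is
the protocol; the sample frames, host addresses and allowlist are constructed.
"""
import struct
from dataclasses import dataclass

# Modbus function codes that change controller state. None of them carries any
# authentication in the protocol, which is the "insecure by design" point.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
    0x16: "Mask Write Register",
    0x17: "Read/Write Multiple Registers",
}


@dataclass
class ModbusRequest:
    src_ip: str
    unit_id: int
    function_code: int
    payload: bytes


def parse_modbus_tcp(src_ip: str, frame: bytes) -> ModbusRequest:
    """Parse one Modbus/TCP request frame (MBAP header + PDU)."""
    # MBAP: transaction id (2), protocol id (2), length (2), unit id (1); then function code (1).
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    _transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol id {protocol_id}")
    # The length field counts everything after itself (unit id + PDU).
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return ModbusRequest(src_ip, unit_id, frame[7], frame[8:])


def is_write(req: ModbusRequest) -> bool:
    return req.function_code in WRITE_FUNCTION_CODES


def audit(frames, allowed_writers):
    """Return one alert per write request whose source is not on the allowlist.

    The frame itself offers nothing to authenticate, so the decision rests
    entirely on where the packet came from: a network-level compensating control.
    """
    alerts = []
    for src_ip, frame in frames:
        req = parse_modbus_tcp(src_ip, frame)
        if is_write(req) and src_ip not in allowed_writers:
            name = WRITE_FUNCTION_CODES[req.function_code]
            alerts.append(f"{src_ip} -> unit {req.unit_id}: {name} (0x{req.function_code:02X})")
    return alerts


# Constructed sample traffic (source IP, raw Modbus/TCP frame).
SAMPLE_FRAMES = [
    # HMI reads 10 holding registers: function code 0x03, harmless.
    ("10.0.1.10", bytes.fromhex("0001 0000 0006 01 03 0000 000A")),
    # Engineering workstation writes one register: expected, on the allowlist.
    ("10.0.1.20", bytes.fromhex("0002 0000 0006 01 06 0010 00FF")),
    # Unknown host forces a coil ON: the protocol accepts it without question.
    ("10.0.9.77", bytes.fromhex("0003 0000 0006 01 05 0001 FF00")),
    # Same unknown host writes two registers.
    ("10.0.9.77", bytes.fromhex("0004 0000 000B 01 10 0000 0002 04 0001 0002")),
]

# Constructed allowlist: only the engineering workstation may write.
ALLOWED_WRITERS = {"10.0.1.20"}


if __name__ == "__main__":
    for line in audit(SAMPLE_FRAMES, ALLOWED_WRITERS):
        print("ALERT:", line)
```

The read request and the workstation's write pass silently; the two writes from the unknown host are reported. Note what the allowlist does not do: it cannot tell a legitimate remote-access path from an attacker using that same path, which is why the post argues for removing external access that is merely convenient rather than necessary.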

Conversation 1 / Conversation 2 Relation

The sad thing is an owner/operator that has a new ICS deployment or is willing to upgrade to secure their system has few options on the PLC/RTU/controller/field side of the solution. There is not even a cost for them to consider. And as Conversation 1 with the vendor illustrates, many vendors will not have an answer for years.

Unless … the executives in companies that buy ICS insist on it. This is the second part of the message to C-level executives, that you should expect and demand basic security from your ICS vendor. The PLC vendor indicated that Stuxnet and some ICS vulnerability disclosure in the press had caused customers to demand some action — the customers just didn’t know what to ask for or how to evaluate the answers (my analysis).

The security expectations in the ICS community are so low. Leaders in government, industry organizations, consultants and trainers all indicate that this lack of basic security controls will be around for the next 10 or 20 years. Why would a vendor spend the money to add security and add cost to their product if the customers are not requiring it?

The insecure by design reality needs to be raised to and understood by the C-level executives. They can accept this risk if they choose to. Today most have no idea of the risk they are implicitly accepting to their core operations, to the reason they are in business.
