ICS-CERT recently issued a report (PDF) confirming several attacks, including one against an unnamed public utility that was breached by a sophisticated threat actor who gained unauthorized access to its control systems (more details here).
The software the utility used to administer its control system assets was accessible through Internet-facing hosts, and the systems were configured for remote access protected only by a simple password mechanism; that authentication method was susceptible to brute force techniques.
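As an added illustration (not code from the ICS-CERT report, from the utility, or from Tripwire), the following Python sketch shows the kind of check a defender in this position would want running over the remote-access host's authentication log: a sliding-window count of failed logins per source address, escalated when a successful login follows the burst, which is the signature of a brute force attempt that worked. The log format, the field names, the thresholds and the sample lines are all constructed assumptions, not anything the report describes.

```python
"""Sliding-window brute-force detection over remote-access auth logs.

Added example. The log format and sample lines below are constructed
to resemble a generic remote-access service and are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (not from the page). 203.0.113.7 cycles through
# usernames against the login and eventually gets in; 192.0.2.10 is an
# operator who mistypes a password once. The 01:00 failure is outside
# the default window and must not count toward the burst.
SAMPLE_LOG = """\
2014-04-03T01:00:00 remote-access auth FAILED user=admin src=203.0.113.7
2014-04-03T02:14:01 remote-access auth FAILED user=admin src=203.0.113.7
2014-04-03T02:14:02 remote-access auth FAILED user=admin src=203.0.113.7
2014-04-03T02:14:04 remote-access auth FAILED user=operator src=203.0.113.7
2014-04-03T02:14:05 remote-access auth FAILED user=root src=203.0.113.7
2014-04-03T02:14:07 remote-access auth FAILED user=hmi src=203.0.113.7
2014-04-03T02:14:09 remote-access auth FAILED user=admin src=203.0.113.7
2014-04-03T02:14:12 remote-access auth FAILED user=scada src=203.0.113.7
2014-04-03T02:14:15 remote-access auth FAILED user=admin src=203.0.113.7
2014-04-03T02:14:18 remote-access auth OK user=admin src=203.0.113.7
2014-04-03T02:20:00 remote-access auth FAILED user=jdoe src=192.0.2.10
2014-04-03T02:20:15 remote-access auth OK user=jdoe src=192.0.2.10
"""

# Assumed line layout: "<ISO timestamp> remote-access auth <FAILED|OK> user=<u> src=<ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) remote-access auth (?P<result>FAILED|OK) "
    r"user=(?P<user>\S+) src=(?P<src>\S+)$"
)


def parse_log(text):
    """Yield one event dict per well-formed line; silently skip the rest."""
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            yield {
                "ts": datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%S"),
                "result": m.group("result"),
                "user": m.group("user"),
                "src": m.group("src"),
            }


def detect_bruteforce(text, threshold=5, window=timedelta(minutes=5)):
    """Return {src: alert} for every source that reaches `threshold`
    failed logins inside `window`.

    alert fields:
      first_seen          - time the threshold was first crossed
      failures            - failures inside the window as of the last one seen
      users               - distinct usernames tried inside that window
      success_after_burst - an OK from the same source while the burst was active
    """
    recent = defaultdict(deque)  # src -> deque of (ts, user) failures in window
    alerts = {}
    for ev in parse_log(text):
        q = recent[ev["src"]]
        # Expire failures that have fallen out of the sliding window.
        while q and ev["ts"] - q[0][0] > window:
            q.popleft()
        if ev["result"] == "FAILED":
            q.append((ev["ts"], ev["user"]))
            if len(q) >= threshold:
                alert = alerts.setdefault(ev["src"], {
                    "first_seen": ev["ts"], "failures": 0,
                    "users": set(), "success_after_burst": False,
                })
                alert["failures"] = len(q)
                alert["users"] = {u for _, u in q}
        elif len(q) >= threshold and ev["src"] in alerts:
            # A success while the burst is still inside the window is the
            # pattern that matters most: the guessing very likely worked.
            alerts[ev["src"]]["success_after_burst"] = True
    return alerts


if __name__ == "__main__":
    for src, a in detect_bruteforce(SAMPLE_LOG).items():
        flag = "COMPROMISE LIKELY" if a["success_after_burst"] else "brute force"
        print(f"{src}: {flag}, {a['failures']} failures since "
              f"{a['first_seen']:%H:%M:%S}, users tried: {sorted(a['users'])}")
```

With the defaults, the operator's single failure never trips the threshold, the stale 01:00 failure is expired before the burst is counted, and the attacker is reported with a success-after-burst flag. The detector is only the second line of defence; the first is to not expose the administration software on Internet-facing hosts with a password-only login at all.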
The disclosures highlight that security in the industrial world faces many of the same challenges as other sectors, yet it also has its own unique ones, because vulnerable systems tend to live on in these networks far longer than average.
“Industrial control systems (ICS) are very expensive and they are designed to last for many years, so they tend to live on within networks much longer than you would see for similar assets in the rest of the technology-based world,” said Aaron “Rony” Lerner, Vice President of Engineering at Tripwire. “The side effect of this is that many of them get forgotten, or the firmware is never updated ‘because they just work.’”
Lerner will be discussing ICS security challenges at the Latin American Congress of Industrial Cybersecurity organized by the Industrial Cybersecurity Center (ICC), where security professionals, fabricators, engineers, consultants, integrators, end-users and critical infrastructure professionals will gather to exchange knowledge, experiences and further develop relationships in the field.
The event will be held at the Hotel Dann Carlton in Bogota, Colombia on May 27-28, 2014, and will include a series of pre- and post-conference workshops that complement the topics covered as well as featuring speakers from around the world, including the United States, Europe, Latin America, the Middle East and Japan, among others.
“Asset discovery is the biggest problem most companies in the industrial world face, so many organizations never have a clear picture of how many devices they have and what software or firmware versions they are running. Heartbleed sent many companies scrambling to try to figure out where all the devices were located and what they were actually running,” Lerner said.
“By design, engineers in those industries were proud to have built very robust and open systems that will last decades, but today that openness and a lack of ability to harden and secure them is a critical risk in the infrastructure.”
Lerner says we have to find the proper balance, because the infrastructure supported by these industries is critical to the modern world, and any interruption in its operation could have terrible political, economic and social consequences. However, it is not realistic to think we can simply swap out all of these vulnerable devices and controls because they are not secure.
“And companies usually do not have an updated inventory of their devices – on average they have found around 20% more devices than they thought they had once they thoroughly scanned their environments with our discovery products – those devices are in places that are sometimes not easy to find,” Lerner said.
“Furthermore, updated firmware does not always exist, and those devices are critical in certain workflows or processes, so changing anything could destabilize those environments or processes, and so there is also a big risk there… As I said, we need to have balance and improve the situation incrementally.”
At the Latin American Congress of Industrial Cybersecurity, Lerner will be presenting more information on these issues to a large group of practitioners in industry, information that he believes is critical for them to be able to influence decisions in a way that will help find solutions.
“The status quo is not desirable, but it is an easy way out – until a catastrophe happens. It is important for practitioners to recognize the risks, push back on the industry for more consolidated solutions that allow them to not have to change everything, but will secure certain aspects while the rest continues working normally,” Lerner said.
“They need to adopt best practices and make them standard in all environments – like the 20 Critical Security Controls – and they must fight complacency, old excuses, and other reasons for not doing what needs to be done, because one day soon the status quo will not be enough.”
Lerner says the status quo is an easy path simply because the money keeps flowing to these companies, everything seems fine, and security is generally a “second class citizen,” so it is easy to push improvements off until later, since there seems to be no impetus now. That lasts until an event occurs with serious repercussions, and by then even acting immediately is too late.
“Regulations, enforcement, fines and penalties are causing some movement. These are businesses – critical infrastructure, yes – but still just businesses at the core, and as businesses we know that financial motivations and balance sheets will drive behaviors,” Lerner said.
“Therefore, I expect that financial incentives or huge fines will create an environment where industries will start paying more attention and initiating remediations. It will be difficult and expensive, but not doing anything could be even more costly still.”
Lerner notes that, as in every other segment of the security industry, the gap between attackers and defenders keeps growing: however much is invested in detection and prevention, the data shows that the time it takes to detect a breach is growing relative to the time it takes an attacker to penetrate a system, so defenders need to raise the bar and make it harder for attackers to succeed.
“We need to drive the cost up for the attacker and make them go after an easier target. They have the same motivations as any business – to make money – so we need to force them to go somewhere else besides your systems to do it,” Lerner said.
“Our aim is to help industries institutionalize known best practices, and Tripwire offers a comprehensive set of controls that can help make that a reality.”
- Locating ICS and SCADA Systems on .EDU Networks with SHODAN
- Fred Cohen on Simplifying Security Assessments for Critical Infrastructure
- Where Do You Stand with NERC CIP v5?
- Building Trust Among Cyber Tribes
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Title image courtesy of ShutterStock