SCADA, there is a term that tends to scare the crap out of little children and small furry animals these days thanks to the FUD factories. The disconnect is often painful to read about. I have read that SCADA systems are easily hacked into and the perception that one gets from reading these stories is that all hell has broken loose and that Nero is halfway through his solo. Rather frustrating to a flaw. We hear talking heads say that the “cyberterrorists” are gunning for critical infrastructure. When they attack it will be catastrophic.
Well, piss on that.
Why? Simple. That’s the least of the problems that face critical infrastructure. We hear news reports about how insecure control systems are and how SCADA is so “hackable” but, has anyone stopped to wonder why that might be? The press has set upon critical infrastructure of late for the low hanging fruit. “If it bleeds, it leads”. Well, that much is true. The sector is bleeding but, not for the lack of a responsible crew manning the battlements. No, much more dire than that. Critical infrastructure has been taken hostage by its vendors. Often a patch set will come out for Windows, Linux et cetera and being diligent folks they try to roll out the security patches only to be thwarted by the vendors.
Why?
Because the vendors have not “certified” the patches with regards to their software. A process that can often take an exceptional amount of time. The end result being that without that nebulous “certification” they will refuse to support their customers if they forge ahead with the application of said security patches.
A sad state of affairs.
Critical Infrastructure needs to get the attention it requires. The highest levels of government need to start paying close attention to these vendors that, through negligence, indifference or apathy, are jeopardizing the security of their national infrastructures. They need to have their feet held to the fire.
Agreed on a lot of the points, but have also seen owners/operators hide behind the vendor patching issue so so many scared children behind their mothers skirts. Even when their vendor is responsible and gets a patch out reasonably quick they’ve taken the approach that the vendor will let them know when they need to patch, not just when they can.
Theres blame on both sides, and as much as I think it might take the government paying more attention to fix issues like these and others like it, I believe that while it does reach a workable solution it is often the least optimal way of getting there and is seldom the best solution.
I agree with what you’re saying, but I’m curious as to what set it off since you don’t reference any specific news in this entry. There is a lot going on right now with NERC and the updates to CIP, the CSIS report to the new President, and in case you haven’t heard a new NERC alerting system. That last one is really going to unleash a whole new set of 800 lb gorillas.
@Peck
An excellent point. As with any situation there will parties on both sides of the issue and yes, there are most definitely owners/operators that use the patching as an excuse. It’s unfortunate and it has to come to an end. While there might be a hart time finding a solution I think it is incumbent on us as a whole to dig in our heels and starting doing something about it.
The journey of a thousand steps…yadda yadda yadda.
Thanks for the comment.
cheers,
Dave
@Jerry
I deliberately didn’t reference anything in particular. It was something that was rattling around in my brain pan for a while. As to NERC I’m very well aware of them and the great work that they are trying to accomplish. The problem is that only pertains to the electricity market. I’m talking about the state of critical infrastructure as a whole.
Great comment. thanks for chiming in.
cheers,
Dave
Dave;
I agree that a lot needs to be done to protect our nations CI.
But it’s more than just operators failing to install patches when they become available.
A great deal of the “critical infrastructure” is managed by hardware and software that’s over 25 years old.
And they were built with our understanding of the threat environment 25 years ago. The networking protocols they use have implicit trust, and no verification, the hardware was not meant to be exposed to direct attack, the devices have minimal hardware capabilities, most don’t require passwords to access… You get the idea.
And updating some of those systems (modernizing) is a non-trivial task.
For example, to update a critical system at a large-scale power generator comes at a revenue cost of upwards of $1,000,000/day of downtime.
And often, those being required to implement large-scale changes are not in the position to increase their prices because of regulatory requirements.
Next, you have the situation (and this is where I think the most attention should be paid going forward) where the producers of hardware and software that run the CI are absolutely CLUELESS about security. “25 years ago, we sold you this sweet system, now, here’s the same system, but this time it’s WIRELESS enabled!!!”
Moving our nation’s critical infrastructure from where it is now to where it needs to be will not happen over night. But as mentioned by Jerry, NERC has a long-term roadmap that seems very attainable, and the NRC is about to issue a formalized Cyber Security rule for Nuclear. The energy sector is moving that direction.
Water, gas, and other critical infrastructure components will likely be next.
Where do I think the biggest changes can be made?
The most important thing I’d like to see happen is for the federal government to say: Every new system (software/hardware) we buy must meet the following performance and security requirements out of the box… And list em out.
That’ll force slackers like Microsoft to quit pushing out systems that have 15 year old bugs in them :/ Microsoft “Secure Coding Initiative” is a frigging JOKE. Maybe it’s good in principle, but MS08-067? WTF.
And SCADA implementers might chose to write their systems on secure operating systems, like OpenBSD, rather than on Winblows/Linux, so they can leverage the built-in security features of the OS to increase their own product’s security.
Bill
Bill Gross has contibuted a number of additional factors that complicate the issue. It is one thing to protect legacy systems and another to mandate security built-in looking forward. For the legacy systems, what is in it for the vendors? Fulfilling patriotic duty at the expense of squeezing the profit out of operations?
One thing for sure. An extra big helping of what is failing everywhere else is not going to work for critical infrastructure anyway.