Digital Bond performed its first SCADA security assessment in 2000. The 9/11 attacks that supposedly changed everything in critical infrastructure security occurred in 2001. Yet as we have chronicled in this blog, the ICS community as a whole is still amazingly vulnerable ten years later. We will not get that lost decade back, but we should learn from it and adapt our approach as a community.
Ten years later we still have PLCs, RTUs and other field devices that have no security; the only security solution is don’t let the bad guys reach them. Control system protocol stacks, while improving, still often crash if even a port scan is performed, let alone intelligent fuzzing. The researcher/hacker community is showing that ICS applications suffer from common, easily identified and easily exploited vulnerabilities. And a still-high percentage of owner/operators are not performing Security 101: timely patching, current malware protection, configuration hardening, least-privilege firewall rulesets, or user management.
This is not to say there has been zero progress. We have personal experience with asset owners whose SCADA and DCS systems are much more secure. Many SCADA application vendors have added security features to their solutions that run on workstations and servers and have begun to implement a security development lifecycle. Even the much-maligned CIP standards have resulted in substation communication gateways with authentication, firewall capability and role-based access control. But these success stories are all too often the exception, not the rule.
The community needs to take a serious look at why so little progress was made in the last ten years. What should we do differently to accelerate securing critical infrastructure ICS? Looking back, maybe treating ICS security differently than IT security, and with kid gloves, was a mistake. The mantra that ICS is different than IT led to dramatically lower expectations. A fragility was accepted for the SCADA application and network that would never be accepted in a mission-critical IT system, or even in corporate email or the health benefits web app. Instead of shock and a call to action, the ICS community said control systems are different and you can’t do this or that because it will break the ICS with catastrophic consequences. Hard to believe when you think about it.
Maybe if the ICS security gurus had presented the findings loud and proud at events like Black Hat back in 2003 we would be much further along. There are now a few data points where 0day disclosures with exploit code, and the accompanying publicity, have caused a rapid response that quite frankly wasn’t, and isn’t, commonly happening when those in the ICS security community practice “responsible disclosure”.