Project Basecamp highlights the fragility and insecurity in most PLCs and provides tools so anyone can demonstrate and prove it. There should be no doubt that after ten years the ICS community needs to deal with this, but how?
This article finishes the series with what Government and Standards Organizations should do.
I’m going to focus on the US Government, but much of this applies to governments around the world. In the US, the government is not responsible for securing the private critical infrastructure — at least not yet. So they cannot be directly blamed for the lack of progress over the last ten years.
The US Government does, however, have tremendous influence on the conversation and on what C-level executives feel they need to pay attention to. For the past ten years, INL and the other labs under contract to the US Government have performed security assessments of most of the major DCS and SCADA systems. They have known that the PLCs and field devices were fragile and insecure. They were unsuccessful in making any progress in this area, as was everyone else in the community. An argument for keeping the problem quiet so the bad guys don’t know about it was reasonable, albeit a mistake with 20-20 hindsight.
This is now over. Stuxnet and Beresford were eye-openers to anyone who was looking, including the bad guys. Project Basecamp took it the next step by providing easy proof-of-concept tools to exploit PLCs. There is no reason for the INL/DHS/USG to be reticent any more.
Which is why the latest ICS-CERT Alert is so unfortunate. It appropriately covers the risk of PLC attacks (Basecamp and others) and Shodan-type searches. But nowhere does it actually address the root cause: fragile and insecure PLCs and other field devices. When is the US Government going to come out and say these are a significant risk and that critical infrastructure Asset Owners should be working on a near-term plan (1 to 3 years) to replace them?
As Chris Jager tweeted, perhaps an ICS-CERT Alert is not the place for a major policy change. Wherever they choose to announce this obvious conclusion, it is time. If the US Government, which is supposedly the expert in all things ICS security, refuses to state this as a necessary and urgent step, it is much easier for a C-level executive to continue inaction. They can point to their efforts to follow the ICS-CERT alerts and DHS guidance, and still ignore the PLC problem.
DHS and other government agencies are political arms with political skills. How about flexing those political muscles and giving the vendors a bit of heat? When you think of all the Congressional hearings and Presidential edicts, they are always pointed at the Asset Owners. It’s not hard to generate heat at a Senate hearing:
Mr. Vendor, how is it possible that your state-of-the-art PLC that you are selling today for use in power plants, pipelines and chemical plants, that costs 10x more than a laptop computer, doesn’t even have basic security features that prevent an attacker from shutting down the critical infrastructure by sending the simple message ‘turn off’? Why do my ATM card, home PC and smartphone have more security than your product? …