
Beware of Agents?

Here is an interesting blog entry from Thomas Ptacek at Matasano for you to chew on this weekend.

Many management and security solutions deploy agents on workstations and servers and offer tremendous benefits, but is there a dark side to this? Thomas says emphatically yes.

Agent-based architectures are a severe security risk. Risk is amplified as more agent-based products are deployed. In enterprises with pervasive agent deployments, attacks on agents are more threatening than attacks on underlying operating systems.

I highly encourage you to read his entire blog entry on this topic, as well as the comments and links to contrary opinions, where he discusses the agent attack surface, the threats to agents, and some evidence to bolster his contention.

SCADA vendors and asset owners are reluctant to certify or deploy any external software, including agents, out of concern that the software will be incompatible with and impact the SCADA application. Increasing the attack surface is another reason to be cautious with software, including agents.

I’m aware of one SCADA security vendor, Verano, that has agents for a variety of control systems that communicate back with their Industrial Defender product.

The most common agents deployed in SCADA systems are patch management and anti-virus agents. (I know somewhere Jake is smiling). There are real benefits to central management and monitoring, but the recommendation people on both sides of the argument seem to agree on is to limit deployment to a very small number (preferably one) of well tested agents.

Comments

Comment from Jake Brodsky
Time: December 11, 2006, 8:30 am

Actually Dale, it sounds to me like you’re not advocating a wariness of agents as much as you are trying to say “know what your software does” and “don’t run anything you don’t need.” These are good rules to live by.

And in one sense, agents are very dangerous. So are drivers. So is the actual application software itself. All can be compromised, replaced, spoofed, etcetera. We like to focus on the techie side of things because it looks good and it sells. However, we also get bitten by some very low-tech assaults too.

The solution is to reduce the bloat in SCADA software to a comprehensible set of software elements. Remove anything in the OS that doesn’t have to be there. Make the whole thing easy to recompile and reinstall. Secure all configuration software. These are easy to say, but very hard to implement.

I think that it will take a whole new “clean sheet” of SCADA software before these things become reality. In the meantime there will be plenty of work for anyone who knows what a SCADA system needs to have running, and what can be safely disabled or removed from the OS.

Comment from Justin Weddington
Time: December 15, 2006, 3:10 pm

Many of the compliance vendors are offering agent-based and agentless technologies in their products. I am currently using Symantec’s ESM product (agent-based), which will be merging with BindView in 2008 (agentless) to offer both technologies. I have just attended presentations on Security Expressions by Altiris (agent and agentless) and Hercules by McAfee, formerly Citadel (agent-based).

Agents are a pain to manage but oftentimes offer more reporting capabilities.

None of these vendors have any specific SCADA checks, although Symantec has some built-in NERC/CIP policy templates. Seems like this may be a good area to delve into. I know Symantec is probably looking at this right now. And now that the two big security vendors/acquirers have compliance management products, I’m sure they are both looking at acquiring an Industrial Defender or similar type of product to integrate with their current solutions.

If you do go with an agent-based technology, ask a few questions about the update process. “How quickly do you respond to vulnerabilities found in your products?” “How easy is it to upgrade an agent?” “Can you do it through a central console?” etc.
