By Kelly Jackson Higgins
April 16, 2007
Utilities and other process-oriented companies that run supervisory
control and data acquisition (SCADA) systems are starting to feel the
heat of security vulnerabilities -- and hackers.
Some of these risks -- and bugs -- are unique to their environments,
which historically weren't secured because they were built as
isolated, closed systems. But they also share the same Windows
vulnerabilities as a typical enterprise: these once-cloistered systems
and networks increasingly use off-the-shelf products such as Microsoft
operating systems and IP-based networking equipment, and they require
interconnection via the Internet as well, which opens the door to
attackers from the outside in addition to the inside.
Researchers recently disclosed new vulnerabilities in the OLE for
Process Control (OPC) specifications, an open set of interfaces for
process-control apps built on Microsoft's OLE/COM/DCOM (not open source
software). Meanwhile, some security vendors are forging partnerships to
beef up their security offerings for the SCADA market.
With critical infrastructures at risk when it comes to power (nuclear
and otherwise), water, and transportation companies running these
systems, the stakes are obviously much higher. Trouble is, these
companies aren't necessarily approaching security properly, security
"It's an industry in denial," says Robert Graham, CEO of Errata
Security. "They don't believe they have the security problems they have.
It's not a technical issue, but a political issue."
One of the biggest missing links is authentication: Many don't even
bother using authentication because they consider their systems closed
and therefore safe, he says. "They put in Windows with no intention of
ever patching it, and then they are surprised when they get hit by a
worm," Graham says. Or they avoid patching and vulnerability testing
because these processes pose risks of their own for SCADA systems --
introducing other bugs to their highly sensitive and uptime-demanding
systems, for instance. And rebooting isn't an attractive option for
these systems that absolutely must be available, either.
Many of these companies assess risk based on past experience with major
security events. "They are managed by a Pearl Harbor-type mentality,"
Graham says. "Until there's a Pearl Harbor, there is no risk as far as
they are concerned."
But that doesn't mean attacks aren't actually hitting SCADA-based
systems today. "Hacks are happening, they are just not being
publicized," he says.
OPC-based systems, for instance, typically run without usernames and
passwords, which leaves them ripe for attack, according to Graham.
Attacks exploiting the latest OPC bugs could be avoided if logins were
required in the app because the attacker needs login privileges to do
his dirty work.
Ron Gula, CEO and CTO for Tenable Network Security, says he does see
some progress in locking down SCADA-based operations. "SCADA needs work,
but it's not as bad as people think."
One problem he points to, however, is the SCADA security auditing
process. Because these systems are so sensitive to change, audits
typically aren't as detailed as those driven by Sarbanes-Oxley (Sarbox)
or other regulations, he notes. "Auditing is not as in-depth in my
opinion or as transparent for SCADA" as it is for other industries.
And some security experts say commercial IDS/IPS, antivirus, and
security information management (SIM) products don't really fit SCADA.
Mark Fabro, CEO of Lofty Perch, which makes SIM solutions for the water
utility industry as well as other critical infrastructure companies,
says commercial IDS/IPS and SIM systems don't map well to industrial
control systems, where there are thousands of different protocols, many
of them proprietary.
"These older protocols, DNP and ICCP, for instance, were designed for
communicating with entities that were separate from the rest of the
world, so there's no authentication, and it's an insecure stack," he
says. "But if an attacker gets in, you need security to monitor and trap
him... The trigger becomes very important."
His company this month partnered with Endeavor Security, which developed
and is supplying IPS signatures specifically for SCADA systems to Lofty
Perch. "No one has ever really taken SCADA-oriented logs and generated
signatures for them," says Chris Jordan, Endeavor's CEO.
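The point Fabro and Jordan make is that on a protocol with no authentication, the monitor's "trigger" has to come from the protocol fields themselves. As an added example (not code from the article, Lofty Perch or Endeavor), the following parses DNP3 link-layer frames, verifies their CRCs, and alerts when a state-changing application function code (operate, restart, and so on) arrives from a source address outside an allowlist of masters. The allowlist, the sample frames and the "outstation 10 / master 1" addressing are constructed for the example; the parser handles only the link layer and the leading function code of a single fragment, not transport-layer reassembly.

```python
"""DNP3 link-frame parser with a simple SCADA-aware trigger.

Added example, not code from the article or any vendor it names. DNP3
carries no authentication: a monitor only gets the link addresses, the
application function code, and a CRC that guards against noise, not
against an attacker who recomputes it. Allowlist and frames are constructed.
"""
import struct

START = b"\x05\x64"

# Application-layer function codes that change outstation state.
CONTROL_FUNCTIONS = {
    0x02: "WRITE", 0x03: "SELECT", 0x04: "OPERATE",
    0x05: "DIRECT_OPERATE", 0x06: "DIRECT_OPERATE_NR",
    0x0D: "COLD_RESTART", 0x0E: "WARM_RESTART",
    0x15: "DISABLE_UNSOLICITED",
}


def crc_dnp(data: bytes) -> int:
    """CRC-16/DNP: poly 0x3D65 (reflected 0xA6BC), init 0, result complemented."""
    crc = 0
    for byte in data:
        crc ^= byte
        for _ in range(8):
            crc = (crc >> 1) ^ 0xA6BC if crc & 1 else crc >> 1
    return crc ^ 0xFFFF


def build_frame(dest: int, src: int, user_data: bytes, ctrl: int = 0xC4) -> bytes:
    """Encode a link frame: 8-byte header + CRC, then user data in 16-byte blocks, each + CRC."""
    header = START + bytes([5 + len(user_data), ctrl]) + struct.pack("<HH", dest, src)
    out = header + struct.pack("<H", crc_dnp(header))
    for i in range(0, len(user_data), 16):
        block = user_data[i:i + 16]
        out += block + struct.pack("<H", crc_dnp(block))
    return out


def parse_frame(frame: bytes) -> dict:
    """Decode a link frame, checking every CRC; raises ValueError on corruption."""
    if len(frame) < 10 or frame[:2] != START:
        raise ValueError("not a DNP3 frame")
    header = frame[:8]
    if crc_dnp(header) != struct.unpack("<H", frame[8:10])[0]:
        raise ValueError("header CRC mismatch")
    dest, src = struct.unpack("<HH", header[4:8])
    remaining, pos, user_data = header[2] - 5, 10, b""
    while remaining > 0:
        n = min(16, remaining)
        if len(frame) < pos + n + 2:
            raise ValueError("truncated frame")
        block = frame[pos:pos + n]
        if crc_dnp(block) != struct.unpack("<H", frame[pos + n:pos + n + 2])[0]:
            raise ValueError("data block CRC mismatch")
        user_data += block
        pos, remaining = pos + n + 2, remaining - n
    return {"ctrl": header[3], "dest": dest, "src": src, "user_data": user_data}


def app_function(user_data: bytes):
    """Function code follows the 1-byte transport and 1-byte application control headers."""
    return user_data[2] if len(user_data) >= 3 else None


def check_frame(frame: bytes, allowed_masters: set):
    """The trigger: alert on a corrupt frame, or on a control op from an unlisted master."""
    try:
        f = parse_frame(frame)
    except ValueError as exc:
        return f"ALERT malformed frame ({exc})"
    fc = app_function(f["user_data"])
    if fc in CONTROL_FUNCTIONS and f["src"] not in allowed_masters:
        return (f"ALERT {CONTROL_FUNCTIONS[fc]} (0x{fc:02X}) to outstation {f['dest']} "
                f"from unlisted address {f['src']}")
    return None


def run_monitor(frames, allowed_masters):
    """Apply the trigger to a capture and return the alert lines a SIM would ingest."""
    return [a for a in (check_frame(fr, allowed_masters) for fr in frames) if a]


# Constructed sample traffic: master address 1 is the only legitimate master.
ALLOWED_MASTERS = {1}
READ = bytes([0xC0, 0xC0, 0x01])          # transport, app ctrl, READ
COLD_RESTART = bytes([0xC0, 0xC2, 0x0D])  # transport, app ctrl, COLD_RESTART
# DIRECT_OPERATE carrying one group 12 var 1 CROB: object header 0C 01 17, count 1,
# index 0, control code 0x03 (LATCH_ON), count 1, on/off times 0, status 0 (19 bytes).
DIRECT_OPERATE = bytes([0xC0, 0xC1, 0x05, 0x0C, 0x01, 0x17, 0x01, 0x00, 0x03, 0x01]) + bytes(9)
SAMPLE_FRAMES = [
    build_frame(10, 1, READ),               # normal poll from the real master
    build_frame(10, 1, DIRECT_OPERATE),     # control from the real master: allowed
    build_frame(10, 1024, DIRECT_OPERATE),  # same control forged from an unknown address
    build_frame(10, 1024, COLD_RESTART),    # restart request from an unknown address
]
# A READ patched in flight to DIRECT_OPERATE without recomputing the block CRC.
CORRUPTED = bytearray(build_frame(10, 1, READ))
CORRUPTED[12] ^= 0x04

if __name__ == "__main__":
    for line in run_monitor(SAMPLE_FRAMES + [bytes(CORRUPTED)], ALLOWED_MASTERS):
        print(line)
```

Two things the sample traffic makes visible: the CRC only catches the clumsy tamper (`CORRUPTED`), while `build_frame(10, 1024, DIRECT_OPERATE)` shows that anyone on the network can emit a perfectly valid control request, so the source-address allowlist is the only lever the protocol leaves a monitor. On a real segment the allowlist should come from the asset inventory, and a DNP3 master that legitimately changes address will need the list updated rather than the alert silenced.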
Meanwhile, SCADA security supplier Verano this month purchased the
Managed Security Services Division of e-DMZ Security LLC, and is now
offering a co-managed security service for the real-time SCADA and
There are some SCADA security initiatives underway, too. The North
American Electric Reliability Council, for instance, has come up with
the Critical Infrastructure Protection (CIP) standards, which cover
everything from attack and abuse to availability. They also try to
balance hardening SCADA against the risk that installing new security
tools or fixes on these systems will itself cause trouble.