Here are a few stories that turned our heads in Operational Technology (OT)/Industrial Control Systems (ICS) security over the past few days:
There have been more than 30 bills brought up in state legislatures across the United States addressing threats to critical infrastructure, according to Dan Shea, a policy associate with the National Conference of State Legislatures — almost double the number introduced in each of the past two years. Many of the bills are aimed at restricting public disclosure of certain information that could leave systems like the power grid vulnerable to attack, he said. Ten would have set up task forces to examine critical infrastructure cybersecurity, though none of those has passed, Shea added.
Our Take: We applaud the rising focus on critical infrastructure security, the growing awareness and what appears to be an ever louder drumbeat towards action. That said, we can’t help but be somewhat cynical of the latest wave of legislative discussions surrounding it. We feel we might be caught in a bit of an insanity cycle on this issue…haven’t we been hearing about a “cyber Pearl Harbor” for years now up on the Hill? Haven’t we seen countless hours of testimony, and the commissioning of study after two-year-long study? When is the rubber going to meet the road on real action? Surely it has to happen before we’re face to face with the consequences of “all talk” – right? States definitely have a core role to play in critical infrastructure security – so kudos for this level of focus...but more “task forces to examine critical infrastructure cybersecurity?” We don’t need more analysis – we need immediate action. With respect to some of the bills focused on restricting public disclosure…it is a double-edged-sword discussion. We definitely believe that transparency helps to drive understanding and place pressure on action – but we also agree that we shouldn’t be disclosing major gaps to adversaries in the name of transparency.
Infosecurity Magazine: SCADA HMI Devs Take 150 Days to Release Patches
Trend Micro analyzed all the now-patched bugs listed in 2015 and 2016 ICS-CERT advisories as well as 250 zero days purchased by its own ZDI program to see where the main weaknesses lie in HMI systems. On the plus side, it found that most were easily preventable with better coding and fit in four main categories. These are memory corruption (20%), credential management (19%), authentication issues (23%) and code injection (9%).
Our Take: We’ve written extensively on the vulnerability/patch management issue in ICS/OT/Critical Infrastructure. In fact, you’ll soon see a Dark Reading contributed article that tackles the subject in depth. The length of time for patch release detailed by Trend is no surprise to anyone with a deep understanding of the nature of these systems…and the fact that even when those patches are released, they are seldom applied is of no surprise either. We need to understand that we can’t apply IT network hygiene constructs to the OT domain – and we need to make sure we’re working hard and fast to implement security controls that help us overcome this fact.
An excerpt from our Dark Reading article here:
Another reality is that many ICS environments are so outdated because of the long asset lifecycles these plants operate on–often twenty or more years between major overhauls. This is compounded by the long design/release lifecycles for the ICS software running these plants. In many cases, these systems simply can’t be fixed from a vulnerability perspective. Patching these systems can be the IT equivalent of rearranging the deck chairs on the Titanic. We have customers that are still running industrial control software on Windows XP or NT–even a perfectly patched XP system is highly vulnerable since Microsoft ended support years ago. And don’t forget “zero days,” which can be a dime a dozen for many industrial assets.
The far-flung U.S. power grid relies on a similar web of interconnected devices and control systems. But its counterpart in gas transmission is fundamentally less vulnerable to a crippling cyberattack, according to Terry Boss, senior vice president for operations, safety, environment and security at the Interstate Natural Gas Association of America.
Electric power races at near light speed across tightly synchronized paths programmed to disconnect when damaging instability occurs. Gas comparatively crawls along at 20 miles an hour through the pipeline matrix, giving operators more time to react, Boss said. "The natural gas pipeline business was built before they had computers. We are essentially a mechanical system."
The SCADA system may sit on top, but operators can go back and turn on valves by hand if necessary, he added. "If somebody wanted to attack the infrastructure in the U.S. and make a big impact, we would not be a good target."
But pipelines' defensive advantage is steadily eroding as more automated monitoring and control systems are installed, widening exposure to cyberattacks, industry officials and analysts agree.
Sempra Energy said in a recent SEC filing that "deployment of new business technologies represents a new and large-scale opportunity for attacks on our information systems and confidential customer information, as well as on the integrity of the energy grid and the natural gas infrastructure."
Schneider Electric, a major vendor for the electricity sector, has warned that pipeline control systems are becoming more sophisticated and connected, and thus more vulnerable to attack. Sensors and controllers are increasingly linked to utility networks, and even the internet, to make operations more convenient and efficient. "This convenience, however, is not without substantial risk," the company noted in a blog this year.
Our Take: We agree completely with Sempra and Schneider that as the implementation of interconnectivity strategies grows, the threat landscape changes considerably. Adversaries of all types have interest in all levels of critical infrastructure. Clearly the energy grid would be a more attractive target to nation-states than pipelines…but only in order of priority. We must assume that they or other nefarious actors (terrorists/hacktivists/criminals) have an interest in, and are always looking for ways to penetrate, all aspects of critical infrastructure. As we adopt new strategies that change the exposure calculus, we need to be mindful of these changes, slow down, and treat cybersecurity as a core element of our strategies rather than an afterthought.