Stuxnet was a game changer, but control systems that run the nation's infrastructure are still at risk, reports Deb Radcliff.
For more than 10 years, they saw it coming: SCADA (supervisory control data acquisition) systems managing critical infrastructures would be targeted by cyber terrorists, activists and government-sponsored agents. The results would be catastrophic.
Working groups formed under the North American Electric Reliability Council, the International Society for Automation (ISA), ASIS (American Society of Industrial Security), and Information Sharing and Analysis Centers (ISACs). System operators needed to be educated about cyber risks, best practices needed to be formed and standards needed to be set.
Then, June 2010 came around and news of the Stuxnet worm broke. “Stuxnet immediately became a major concern in our infrastructure meetings,” says Mark Schreiber, vice chair of the critical infrastructure working group for the ASIS, and security system design engineering specialist at Fluor, a Irving, Texas-based company that provides project management to clients around the world.
As a result of Stuxnet, awareness is up at all levels. Operators, vendors, and government officials now “get” the seriousness of the threat. Security standards are maturing, and new security oversight bodies are forming, most recently through the Federal Energy Regulatory Commission (FERC). As well, the Obama administration hopes to issue a cyber security executive order similar to the Cybersecurity Act of 2012, killed by the Senate in August.
The bad news: Stuxnet was just the beginning. More sophisticated malware that includes Stuxnet-derived code is being found in the wild: over the last two years, Flame, Duqu, Madhi, Gauss, Shamoon and Wiper all bare similarities to Stuxnet.
“A growing list of malware is being discovered because organizations are finally stepping up their game in detection,” says Anthony Bargar, executive VP of cyber security solutions at Foreground Security, a Lake Mary, Fla.-based consulting firm to infrastructure operators. “Some of the threats discovered make Stuxnet look like an Atari 2600. Gauss is one example.”
Gauss, uncovered in June, has infected computers primarily throughout the Middle East, but also in the United States. It steals system information and contains a “mysterious” encrypted module, known as Godel, for attacking industrial control systems.
As threats against SCADA systems grow in sophistication and number, improvements are slow because these control systems are often too sensitive to change, even for patching and updates, according to experts.
“Some of these systems are controlling very sophisticated processes – steam and volatile chemicals, for example,” says Nate Kube (left), CTO of Wurldtech, a Canada-based security provider for embedded systems and critical infrastructures. “For systems like these, the most dangerous state to be in is off. The second most dangerous state is starting up again.”
“Even when the big control-system manufacturers provide a vulnerability patch, very few of our customers are in a position to apply that patch without causing downtime,” Kube says.
Regulations, particularly in health care-related verticals, may even forbid changing some automation systems, or make it too difficult to accommodate changes to systems, he adds.
While difficult to change, these systems also have very long shelf lives when compared to the pace of change that occurs in other IT systems.
IT changes every 18 to 24 months, whereas continuous automation systems are often designed to last 15 years or more and their plants are designed to last twice that long, says Eric Cosman, co-chair of the Industrial Automation and Control System Security Committee of the Instrumentation, Systems and Automation Society (ISA99) and security engineer at a large chemical manufacturing company.
Security teams need to recognize how their processes can impact engineering, Cosman (right) says. Too many times cyber decisions will institute information-related protections, when what's needed is to protect the availability and integrity of a critical machine system.
As with all business-critical systems, Cosman advises that operators assess their assets and apply traditional risk metrics to their cyber operations: Threat times vulnerability times consequences equals risk. That should show organizations where to prioritize their risk management efforts.
Thanks to Stuxnet, people understand that control systems run on computers and are susceptible to threats, he says. Now they need to fully understand the consequences of system failure or malicious manipulation.
“I once explained to an industry peer that there are some chemical processes that operate at pressures of tens of thousands of pounds per square inch, so the consequences of a serious plant upset can be quite dramatic.” Cosman says. “The peer said, ‘Well, if our control systems have problems, we'll just be up to our knees in ketchup.' ”
This is not far-fetched, given that Stuxnet was able to change control processes and hide its system interferences from Iranian controller operators.
“These systems are expensive to replace and insecure by design,” says Dale Peterson, president of Digital Bond, a Sunrise, Fla.-based consulting firm that performs security assessments and supports SCADA operators. “GE, Rockwell, Snyder, Siemens…If attackers can get onto these devices, they can own them, stop pipelines from working, ruin a food batch or make things blow up.”
Think of monitoring from the SCADA operator networks all the way out to the smart meters, adds Walt Sikora, VP of security solutions at Industrial Defender, a Foxborough · Mass.-based provider of automation system management.. “It's a huge challenge for these organizations, especially since many of these devices don't even have logging capability.”
SCADA: On the lookout
The production and distribution of electricity, or the smart grid, is in jeopardy. In September, Telvent Canada, which provides infrastructure management systems for utilities, reported that its firewalls had been breached and its smart grid meshing technologies had been stolen. From there, it's only a matter of time before customers using this technology become a target.
Since speedy replacement with newer SCADA systems containing logging and authentication is not practical, one has to keep its control networks segmented, monitor what one can, and deploy controls all the way to substations and the endpoints plugging into the control networks, says James Collinge, product line manager for HP Enterprise Security.
“When it comes to SCADA and other control systems, the key priorities are reliability and uptime,” he says. “So SCADA operators need to look at their own systems, set their security policies and implement controls that are specific to their networks.”