Gauss, uncovered in June, has infected computers primarily throughout the Middle East, but also in the United States. It steals system information and contains a “mysterious” encrypted module, known as Godel, for attacking industrial control systems.
As threats against SCADA systems grow in sophistication and number, improvements are slow because these control systems are often too sensitive to change, even for patching and updates, according to experts.
“Some of these systems are controlling very sophisticated processes – steam and volatile chemicals, for example,” says Nate Kube (left), CTO of Wurldtech, a Canada-based security provider for embedded systems and critical infrastructures. “For systems like these, the most dangerous state to be in is off. The second most dangerous state is starting up again.”
“Even when the big control-system manufacturers provide a vulnerability patch, very few of our customers are in a position to apply that patch without causing downtime,” Kube says.
Regulations, particularly in health care-related verticals, may even forbid changing some automation systems, or make it too difficult to accommodate changes to systems, he adds.
While difficult to change, these systems also have very long shelf lives when compared to the pace of change that occurs in other IT systems.
IT changes every 18 to 24 months, whereas continuous automation systems are often designed to last 15 years or more and their plants are designed to last twice that long, says Eric Cosman, co-chair of the Industrial Automation and Control System Security Committee of the Instrumentation, Systems and Automation Society (ISA99) and security engineer at a large chemical manufacturing company.