Feeds

SCADA system makers urged to tighten security

Utility providers support new guidelines

Protecting against web application threats using SSL

The systems are being replaced more quickly as more companies understand the obvious benefits of remote management and monitoring. While SCADA systems have typically lasted anywhere from 15 to 30 years, because of the steady stream of new technology, more recent systems tend to be deployed for eight to 12 years, INL's Assante said.

Yet, without deploying proper security measures the trend toward remote management means the systems are more vulnerable, he added.

"We are still suffering from the cultural issues and that lack of understanding of, not necessarily the problems and the risks, but how to solve them," Assante said.

The threat to distributed control systems is not academic. Vulnerability researchers have started talking about the flaws in such systems at security and hacking conferences.

At the forthcoming DEFCON hacking conference in Las Vegas, independent security researcher Shawn Merdinger planned to discuss weaknesses in the network components of the critical infrastructure but cancelled his talk when his research apparently revealed that at least a handful of systems appeared to be using residential routers with known vulnerabilities to connect to the internet.

"These are the guys who are making the most secure and sensitive devices in the world, and they are using FTP and email for communication and topping it all off with a (home) router," Merdinger said. "That makes this almost as secure as my mom's computer."

He has attempted to inform the companies involved, but has not yet gotten a response, Merdinger said. Others knowledgeable about the vulnerabilities confirmed that they are not trivial issues.

"My experience is that such massive security shortcomings in critical systems are more the norm than the exception," said "FX", a well-known network vulnerability researcher. "We see this development recently all over the first world: while corporate and even personal computing devices get better and better in terms of security due to market pressure; military, SCADA and other critical systems don't."

The latest project could fix that just by adding clarity to negotiations between the buyer and the system's supplier, said Dale Peterson, CEO of SCADA security consultancy Digital Bond. The company recently asked a critical-infrastructure provider to identify all security parameters used by their product and the recommended settings. Two months later, the company is still waiting for the information.

"A large part of the reason the security requirements are missing is the asset owners are, as a rule, not sure what to require," Peterson said. "Information security is a new field for many of them."

With customers asking specifically for certain security measures, distributed control system makers should gain the expertise quickly, INL's Assante said.

"Control systems are really weighted toward reliability and availability, so we have to make sure that they understand that security is part of that and not a third competing concept," Assante said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Reducing the cost and complexity of web vulnerability management

More from The Register

next story
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
'Speargun' program is fantasy, says cable operator
We just might notice if you cut our cables
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
Israeli spies rebel over mass-snooping on innocent Palestinians
'Disciplinary treatment will be sharp and clear' vow spy-chiefs
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
Hackers pop Brazil newspaper to root home routers
Step One: try default passwords. Step Two: Repeat Step One until success
Greater dev access to iOS 8 will put us AT RISK from HACKERS
Knocking holes in Apple's walled garden could backfire, says securo-chap
Microsoft to patch ASP.NET mess even if you don't
We know what's good for you, because we made the mess says Redmond
prev story

Whitepapers

Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.
WIN a very cool portable ZX Spectrum
Win a one-off portable Spectrum built by legendary hardware hacker Ben Heck
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security and trust: The backbone of doing business over the internet
Explores the current state of website security and the contributions Symantec is making to help organizations protect critical data and build trust with customers.