Feeds

SCADA system makers urged to tighten security

Utility providers support new guidelines

Secure remote control for conventional and virtual desktops

The systems are being replaced more quickly as more companies understand the obvious benefits of remote management and monitoring. While SCADA systems have typically lasted anywhere from 15 to 30 years, because of the steady stream of new technology, more recent systems tend to be deployed for eight to 12 years, INL's Assante said.

Yet, without deploying proper security measures the trend toward remote management means the systems are more vulnerable, he added.

"We are still suffering from the cultural issues and that lack of understanding of, not necessarily the problems and the risks, but how to solve them," Assante said.

The threat to distributed control systems is not academic. Vulnerability researchers have started talking about the flaws in such systems at security and hacking conferences.

At the forthcoming DEFCON hacking conference in Las Vegas, independent security researcher Shawn Merdinger planned to discuss weaknesses in the network components of the critical infrastructure but cancelled his talk when his research apparently revealed that at least a handful of systems appeared to be using residential routers with known vulnerabilities to connect to the internet.

"These are the guys who are making the most secure and sensitive devices in the world, and they are using FTP and email for communication and topping it all off with a (home) router," Merdinger said. "That makes this almost as secure as my mom's computer."

He has attempted to inform the companies involved, but has not yet gotten a response, Merdinger said. Others knowledgeable about the vulnerabilities confirmed that they are not trivial issues.

"My experience is that such massive security shortcomings in critical systems are more the norm than the exception," said "FX", a well-known network vulnerability researcher. "We see this development recently all over the first world: while corporate and even personal computing devices get better and better in terms of security due to market pressure; military, SCADA and other critical systems don't."

The latest project could fix that just by adding clarity to negotiations between the buyer and the system's supplier, said Dale Peterson, CEO of SCADA security consultancy Digital Bond. The company recently asked a critical-infrastructure provider to identify all security parameters used by their product and the recommended settings. Two months later, the company is still waiting for the information.

"A large part of the reason the security requirements are missing is the asset owners are, as a rule, not sure what to require," Peterson said. "Information security is a new field for many of them."

With customers asking specifically for certain security measures, distributed control system makers should gain the expertise quickly, INL's Assante said.

"Control systems are really weighted toward reliability and availability, so we have to make sure that they understand that security is part of that and not a third competing concept," Assante said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Beginner's guide to SSL certificates

More from The Register

next story
UK smart meters arrive in 2020. Hackers have ALREADY found a flaw
Energy summit bods warned of free energy bonanza
DRUPAL-OPCALYPSE! Devs say best assume your CMS is owned
SQLi hole was hit hard, fast, and before most admins knew it needed patching
Feds seek potential 'second Snowden' gov doc leaker – report
Hang on, Ed wasn't here when we compiled THIS document
Mozilla releases geolocating WiFi sniffer for Android
As if the civilians who never change access point passwords will ever opt out of this one
Why weasel words might not work for Whisper
CEO suspends editor but privacy questions remain
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
prev story

Whitepapers

Cloud and hybrid-cloud data protection for VMware
Learn how quick and easy it is to configure backups and perform restores for VMware environments.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.
Mitigating web security risk with SSL certificates
Web-based systems are essential tools for running business processes and delivering services to customers.