Feeds

SCADA system makers urged to tighten security

Utility providers support new guidelines

Boost IT visibility and business value

The systems are being replaced more quickly as more companies understand the obvious benefits of remote management and monitoring. While SCADA systems have typically lasted anywhere from 15 to 30 years, because of the steady stream of new technology, more recent systems tend to be deployed for eight to 12 years, INL's Assante said.

Yet, without deploying proper security measures the trend toward remote management means the systems are more vulnerable, he added.

"We are still suffering from the cultural issues and that lack of understanding of, not necessarily the problems and the risks, but how to solve them," Assante said.

The threat to distributed control systems is not academic. Vulnerability researchers have started talking about the flaws in such systems at security and hacking conferences.

At the forthcoming DEFCON hacking conference in Las Vegas, independent security researcher Shawn Merdinger planned to discuss weaknesses in the network components of the critical infrastructure but cancelled his talk when his research apparently revealed that at least a handful of systems appeared to be using residential routers with known vulnerabilities to connect to the internet.

"These are the guys who are making the most secure and sensitive devices in the world, and they are using FTP and email for communication and topping it all off with a (home) router," Merdinger said. "That makes this almost as secure as my mom's computer."

He has attempted to inform the companies involved, but has not yet gotten a response, Merdinger said. Others knowledgeable about the vulnerabilities confirmed that they are not trivial issues.

"My experience is that such massive security shortcomings in critical systems are more the norm than the exception," said "FX", a well-known network vulnerability researcher. "We see this development recently all over the first world: while corporate and even personal computing devices get better and better in terms of security due to market pressure; military, SCADA and other critical systems don't."

The latest project could fix that just by adding clarity to negotiations between the buyer and the system's supplier, said Dale Peterson, CEO of SCADA security consultancy Digital Bond. The company recently asked a critical-infrastructure provider to identify all security parameters used by their product and the recommended settings. Two months later, the company is still waiting for the information.

"A large part of the reason the security requirements are missing is the asset owners are, as a rule, not sure what to require," Peterson said. "Information security is a new field for many of them."

With customers asking specifically for certain security measures, distributed control system makers should gain the expertise quickly, INL's Assante said.

"Control systems are really weighted toward reliability and availability, so we have to make sure that they understand that security is part of that and not a third competing concept," Assante said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Gartner critical capabilities for enterprise endpoint backup

More from The Register

next story
Microsoft: We plan to CLEAN UP this here Windows Store town
Paid-for apps that provide free downloads? Really
Snowden on NSA's MonsterMind TERROR: It may trigger cyberwar
Plus: Syria's internet going down? That was a US cock-up
Who needs hackers? 'Password1' opens a third of all biz doors
GPU-powered pen test yields more bad news about defences and passwords
e-Borders fiasco: Brits stung for £224m after US IT giant sues UK govt
Defeat to Raytheon branded 'catastrophic result'
Hear ye, young cyber warriors of the realm: GCHQ wants you
Get involved, get a job and then never discuss work ever again
Chinese hackers spied on investigators of Flight MH370 - report
Classified data on flight's disappearance pinched
Microsoft cries UNINSTALL in the wake of Blue Screens of Death™
Cache crash causes contained choloric calamity
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
7 Elements of Radically Simple OS Migration
Avoid the typical headaches of OS migration during your next project by learning about 7 elements of radically simple OS migration.
BYOD's dark side: Data protection
An endpoint data protection solution that adds value to the user and the organization so it can protect itself from data loss as well as leverage corporate data.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?