Feeds

SCADA system makers urged to tighten security

Utility providers support new guidelines

Using blade systems to cut costs and sharpen efficiencies

The systems are being replaced more quickly as more companies understand the obvious benefits of remote management and monitoring. While SCADA systems have typically lasted anywhere from 15 to 30 years, because of the steady stream of new technology, more recent systems tend to be deployed for eight to 12 years, INL's Assante said.

Yet, without deploying proper security measures the trend toward remote management means the systems are more vulnerable, he added.

"We are still suffering from the cultural issues and that lack of understanding of, not necessarily the problems and the risks, but how to solve them," Assante said.

The threat to distributed control systems is not academic. Vulnerability researchers have started talking about the flaws in such systems at security and hacking conferences.

At the forthcoming DEFCON hacking conference in Las Vegas, independent security researcher Shawn Merdinger planned to discuss weaknesses in the network components of the critical infrastructure but cancelled his talk when his research apparently revealed that at least a handful of systems appeared to be using residential routers with known vulnerabilities to connect to the internet.

"These are the guys who are making the most secure and sensitive devices in the world, and they are using FTP and email for communication and topping it all off with a (home) router," Merdinger said. "That makes this almost as secure as my mom's computer."

He has attempted to inform the companies involved, but has not yet gotten a response, Merdinger said. Others knowledgeable about the vulnerabilities confirmed that they are not trivial issues.

"My experience is that such massive security shortcomings in critical systems are more the norm than the exception," said "FX", a well-known network vulnerability researcher. "We see this development recently all over the first world: while corporate and even personal computing devices get better and better in terms of security due to market pressure; military, SCADA and other critical systems don't."

The latest project could fix that just by adding clarity to negotiations between the buyer and the system's supplier, said Dale Peterson, CEO of SCADA security consultancy Digital Bond. The company recently asked a critical-infrastructure provider to identify all security parameters used by their product and the recommended settings. Two months later, the company is still waiting for the information.

"A large part of the reason the security requirements are missing is the asset owners are, as a rule, not sure what to require," Peterson said. "Information security is a new field for many of them."

With customers asking specifically for certain security measures, distributed control system makers should gain the expertise quickly, INL's Assante said.

"Control systems are really weighted toward reliability and availability, so we have to make sure that they understand that security is part of that and not a third competing concept," Assante said.

This article originally appeared in Security Focus.

Copyright © 2006, SecurityFocus

Boost IT visibility and business value

More from The Register

next story
Secure microkernel that uses maths to be 'bug free' goes open source
Hacker-repelling, drone-protecting code will soon be yours to tweak as you see fit
How long is too long to wait for a security fix?
Synology finally patches OpenSSL bugs in Trevor's NAS
Roll out the welcome mat to hackers and crackers
Security chap pens guide to bug bounty programs that won't fail like Yahoo!'s
HIDDEN packet sniffer spy tech in MILLIONS of iPhones, iPads – expert
Don't panic though – Apple's backdoor is not wide open to all, guru tells us
Researcher sat on critical IE bugs for THREE YEARS
VUPEN waited for Pwn2Own cash while IE's sandbox leaked
Four fake Google haxbots hit YOUR WEBSITE every day
Goog the perfect ruse to slip into SEO orfice
Putin: Crack Tor for me and I'll make you a MILLIONAIRE
Russian Interior Ministry offers big pile o' roubles for busting pro-privacy browser
prev story

Whitepapers

Implementing global e-invoicing with guaranteed legal certainty
Explaining the role local tax compliance plays in successful supply chain management and e-business and how leading global brands are addressing this.
Consolidation: The Foundation for IT Business Transformation
In this whitepaper learn how effective consolidation of IT and business resources can enable multiple, meaningful business benefits.
Application security programs and practises
Follow a few strategies and your organization can gain the full benefits of open source and the cloud without compromising the security of your applications.
How modern custom applications can spur business growth
Learn how to create, deploy and manage custom applications without consuming or expanding the need for scarce, expensive IT resources.
Securing Web Applications Made Simple and Scalable
Learn how automated security testing can provide a simple and scalable way to protect your web applications.