SCADA system makers urged to tighten security
Utility providers support new guidelines
Idaho National Laboratory and the New York State Office of Cyber Security and Critical Infrastructure have teamed up with utilities and makers of distributed control system software to offer advice on how to make system security a major part of the critical infrastructure.
Later this week, the group will release the latest draft of a set of guidelines for utilities and manufacturers that offers specific requirements for suppliers of supervisory control and data acquisition (SCADA) systems, SecurityFocus has learned.
The guidelines aim to elevate system security to an explicit part of negotiations between customer and supplier with the goal of making the next generation of critical infrastructure systems more secure than today's software and hardware.
"We think we can identify the common weaknesses in regards to security and also identify places where the technology's security can be tightened up," said Michael Assante, infrastructure protection strategist for Idaho National Laboratory.
"The response from vendors has been surprisingly good - this could be seen as a threatening thing, but they are prepared to provide more security."
The security issues of real-time control systems, of which the best known are SCADA systems, has become a focus of both private industry and the government as worries mount that such systems could be used as the vector for a criminal or terrorist attack.
While companies and security researchers are starting to tackle the ticklish issue of when and how to disclose vulnerabilities in such systems, cybersecurity incidents that affect such systems are rarely reported.
Because incidents and vulnerabilities are rarely talked about in the industry, three security professionals sought a better way to convince vendors to provide better security.
The three - INL's Assante, William Pelgrin from the New York State Office of Cyber Security and Critical Infrastructure, and Alan Paller, director of research for the SANS Institute - decided to create a catalog of security requirements for control systems along with language that could be inserted into a supplier's contract. The initiative is funded by the Department of Homeland Security.
The guidelines, known as the Cyber Security Procurement Language for Control Systems, cover topics including the removal of unnecessary services and programs to harden the system, furnishing the minimum firewall ruleset necessary for operation so that perimeter security is not weakened, and disabling or modifying guest and other well-known accounts.
Moreover, the guidelines offer companies language to mandate that the control system maker provide guarantees of certain coding practices, a process to remediate flaws and the ability to detect malicious software running on the system.
Among the companies supporting the initiative are the New York Power Authority, the New York Independent System Operator, and ConEdison, which announced on Wednesday that power had been restored to almost all customers in Queens, NY, following a week-long outage. The company had technicians going manhole to manhole in that district because it lacked distributed data gathering systems to detect which parts of its local grid had burned out.
Detecting physical failures to avert major power outages and finding manufacturing problems are some of the reasons SCADA systems and other distributed control systems are installed. However, the creators of such systems, historically, have not paid attention to cybersecurity, said SANS' Paller.
"It's not that these guys don't know what they are doing," Paller said. "Part of it is that these systems were engineered 20 years ago, and part of it is that the engineers designed these things assuming they would be isolated. But - wham! - they are not isolated anymore."
The systems are being replaced more quickly as more companies understand the obvious benefits of remote management and monitoring. While SCADA systems have typically lasted anywhere from 15 to 30 years, because of the steady stream of new technology, more recent systems tend to be deployed for eight to 12 years, INL's Assante said.
Yet, without deploying proper security measures the trend toward remote management means the systems are more vulnerable, he added.
"We are still suffering from the cultural issues and that lack of understanding of, not necessarily the problems and the risks, but how to solve them," Assante said.
The threat to distributed control systems is not academic. Vulnerability researchers have started talking about the flaws in such systems at security and hacking conferences.
At the forthcoming DEFCON hacking conference in Las Vegas, independent security researcher Shawn Merdinger planned to discuss weaknesses in the network components of the critical infrastructure but cancelled his talk when his research apparently revealed that at least a handful of systems appeared to be using residential routers with known vulnerabilities to connect to the internet.
"These are the guys who are making the most secure and sensitive devices in the world, and they are using FTP and email for communication and topping it all off with a (home) router," Merdinger said. "That makes this almost as secure as my mom's computer."
He has attempted to inform the companies involved, but has not yet gotten a response, Merdinger said. Others knowledgeable about the vulnerabilities confirmed that they are not trivial issues.
"My experience is that such massive security shortcomings in critical systems are more the norm than the exception," said "FX", a well-known network vulnerability researcher. "We see this development recently all over the first world: while corporate and even personal computing devices get better and better in terms of security due to market pressure; military, SCADA and other critical systems don't."
The latest project could fix that just by adding clarity to negotiations between the buyer and the system's supplier, said Dale Peterson, CEO of SCADA security consultancy Digital Bond. The company recently asked a critical-infrastructure provider to identify all security parameters used by their product and the recommended settings. Two months later, the company is still waiting for the information.
"A large part of the reason the security requirements are missing is the asset owners are, as a rule, not sure what to require," Peterson said. "Information security is a new field for many of them."
With customers asking specifically for certain security measures, distributed control system makers should gain the expertise quickly, INL's Assante said.
"Control systems are really weighted toward reliability and availability, so we have to make sure that they understand that security is part of that and not a third competing concept," Assante said.
This article originally appeared in Security Focus.
Copyright © 2006, SecurityFocus