[caption id="" align="aligncenter" width="588"]
Shodan Network[/caption]
Eugene Kaspersky a few days ago wrote a hair-raising blog post about the reality of our Industrial Control Systems which are way more vulnerable than the network in your office. Industrial Control Systems (ICS) are the software that controls our nuclear power stations, transportation control and among many others, oil refineries. He started out with bit if background on vulnerable industrial systems and my mouth fell open.
I'm quoting Kasperksy here: "Though industrial IT systems and, say, typical office computer networks might seem similar in many ways, they are actually completely different beasts mostly in terms of their priorities between security and usability. In your average company, one of the most important things is confidentiality of data, and IT administrators are encouraged to isolate infected systems from non-infected systems to that end, among others. Thus, for example, if on the corporate file server a Trojan is detected, the simplest thing to do is disconnect the infected system from the network and then later start to tackle the problem.
In industrial systems that cant be done, since here the highest priority for them is maintaining constant operation come hell or high water. Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place.
Another challenge to securing an always on environment arises due to software at an industrial/infrastructural installation only being updated after a thorough check for fault-tolerance so as to make sure not to interrupt the working processes. And because such a check requires loads of effort (yet still doesnt provide a guarantee of non-failure) many companies often simply dont bother to update ICS at all leaving it unchanged for decades. (emphasis added)
Updating software might even be expressly forbidden by an industrial/infrastructural organizations safety policy. Just recently I read a nice piece about this, which listed 11 ICS security rules; rule #2 is Do not touch. Ever. What more of an illustration do you need?! [end quote]
The shodan search engine screen shot above is an illustration of the amount of this type of ICS spread all over the world, seeking out vulnerable industrial systems (including SCADA), whose owners decide to connect them to or forgot to disconnect them from the Internet.
Even if an ICS is disconnected from the Internet, they can still be penetrated by social engineering, as was shown in the Stuxnet attack in Iran, where the ICS of their nuclear enrichment facility was corrupted with a simple thumbdrive attack. All employees of these industrial facilities should be stepped through some high quality security awareness training.
It was one of the comments that caused me some thought and was the inspiration for the title of this blog post. Prof. Larry Constantine remarked: "I was talking with ICS security expert Ralph Langner yesterday. We agreed that the biggest barriers to enhancing industrial cyber-security are not so much technicalformidable though those may beas financial. In the absence of government mandates there are no economic incentives for operators to improve ICS security. The large investment has no near-term payoff; it is costly and it complicates already complex systems. Until the industrial equivalent of the Twin Towers, we are not likely to see great strides forward in terms of protecting critical infrastructure from cyber-attacks. Even then, it would not be too surprising if most of the effort went into initiatives analogous to airport securityshowplace charades more about public reassurance through the illusion of security than about the reality."
Click here for the full blog post.
Shodan Network[/caption]Eugene Kaspersky a few days ago wrote a hair-raising blog post about the reality of our Industrial Control Systems which are way more vulnerable than the network in your office. Industrial Control Systems (ICS) are the software that controls our nuclear power stations, transportation control and among many others, oil refineries. He started out with bit if background on vulnerable industrial systems and my mouth fell open.
I'm quoting Kasperksy here: "Though industrial IT systems and, say, typical office computer networks might seem similar in many ways, they are actually completely different beasts mostly in terms of their priorities between security and usability. In your average company, one of the most important things is confidentiality of data, and IT administrators are encouraged to isolate infected systems from non-infected systems to that end, among others. Thus, for example, if on the corporate file server a Trojan is detected, the simplest thing to do is disconnect the infected system from the network and then later start to tackle the problem.
In industrial systems that cant be done, since here the highest priority for them is maintaining constant operation come hell or high water. Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place.
Another challenge to securing an always on environment arises due to software at an industrial/infrastructural installation only being updated after a thorough check for fault-tolerance so as to make sure not to interrupt the working processes. And because such a check requires loads of effort (yet still doesnt provide a guarantee of non-failure) many companies often simply dont bother to update ICS at all leaving it unchanged for decades. (emphasis added)
Updating software might even be expressly forbidden by an industrial/infrastructural organizations safety policy. Just recently I read a nice piece about this, which listed 11 ICS security rules; rule #2 is Do not touch. Ever. What more of an illustration do you need?! [end quote]
The shodan search engine screen shot above is an illustration of the amount of this type of ICS spread all over the world, seeking out vulnerable industrial systems (including SCADA), whose owners decide to connect them to or forgot to disconnect them from the Internet.
Even if an ICS is disconnected from the Internet, they can still be penetrated by social engineering, as was shown in the Stuxnet attack in Iran, where the ICS of their nuclear enrichment facility was corrupted with a simple thumbdrive attack. All employees of these industrial facilities should be stepped through some high quality security awareness training.
It was one of the comments that caused me some thought and was the inspiration for the title of this blog post. Prof. Larry Constantine remarked: "I was talking with ICS security expert Ralph Langner yesterday. We agreed that the biggest barriers to enhancing industrial cyber-security are not so much technicalformidable though those may beas financial. In the absence of government mandates there are no economic incentives for operators to improve ICS security. The large investment has no near-term payoff; it is costly and it complicates already complex systems. Until the industrial equivalent of the Twin Towers, we are not likely to see great strides forward in terms of protecting critical infrastructure from cyber-attacks. Even then, it would not be too surprising if most of the effort went into initiatives analogous to airport securityshowplace charades more about public reassurance through the illusion of security than about the reality."
Click here for the full blog post.
