100,000 Vulnerabilities

(This article was originally published on the Digital Bond blog.)

The popular press cites an “alarming” statistic from time to time – the “dramatic” increase in cyber-security vulnerabilities being reported in industrial control system components. 129 were reported in 2011, vs only 15 in 2010 and 14 in 2009. Those of us in the industry of course groan when we read nonsense like this. We know the truth to be rather more “dramatic.”

How bad is SCADA security really? Let’s do the math.


ICS and SCADA Security Myth: Protection by Firewalls

(This article was originally published in the June, 2012 ICSJWG Quarterly Newsletter.)

In this article I am going to talk about a fairy tale. This tale doesn’t have princes or frogs in it, but instead it deals with SCADA and industrial control system security. The existence of a “firewall” between control system networks and the rest of the world has been one of the most enduring fairy tales in the field of SCADA/ICS security. The idea is that, in a properly designed system, there is a logical barrier between the control network and the business network. Since unauthorized information cannot cross such a firewall, bad things like hackers and worms can never get into critical control systems. From this, a corollary flows:


Project Basecamp: Tempest in a Teapot

I have been thinking about the DHS ICSJWG Spring Conference of a week ago, and the 2-hour debate at the conference on device security and the Digital Bond "Project Basecamp" project that was announced at January's S4 conference. The debate showed there is still resistance to device authentication, but among end users more so than among vendors. I think Jonathan Pollet's comments about this debate echoing the 1990s IT encryption debate are on the mark. That said though, I still think it will take a long time before device authentication becomes commonplace.


Air Gaps Dead, Network Isolation Making a Comeback

(This article was originally published on the Digital Bond blog.)

Eric Byres' recent post claiming the #1 ICS and SCADA Security Myth is protection by air gaps struck a chord with me. I have been thoroughly distracted of late with my new role at Waterfall Security Solutions but even so I could not let this one go by. Old-school air gaps are still used occasionally, in the most sensitive control systems. The rest of the time, technologies like data diodes or unidirectional gateways provide the most important benefits of truly air-gapped control systems, while still permitting businesses to profit from access to the real-time data produced by their control systems.


Security Basics: Social Engineering

(This article was originally published on the Findings From the Field blog.)

Miles McQueen of the University of Idaho & Idaho National Laboratories had an interesting presentation in the Security track at the last ARC World Forum in Orlando some time ago. He talked about work INL had done with their own people to increase awareness of social engineering attacks. He cited pan-cultural research results about people lying as background. The research showed how many people across many cultures believed that the following traits indicated someone was lying:


CIP-002-4 “Bright Line” Secures 163 Plants, Max

(This article was originally published on the Findings From the Field blog.)

In the 2009 statistics, the latest available, NERC tracked some 10,500 generators with a nameplate capacity of 0.1 MW or higher, at about 5700 sites. The new NERC CIP-002 version 4 "bright line" rule says NERC-CIP applies to only those generating sites with "an aggregate highest rated net Real Power capability of the preceding 12 months equal to or exceeding 1500 MW in a single Interconnection." How many locations/plants is that? According to NERC, only 163 sites have a nameplate generating capability of 1500 MW or greater, and there is no word yet on how many of those plants are exempt because they feed less than 1500 MW into any one interconnection.


Vulnerabilities Not News to Experts

(This article was originally published on the Findings From the Field blog.)

Last week's announcement by Luigi Auriemma of 35 unpatched ICS vulnerabilities is no surprise to SCADA/ICS experts. If anything, the surprise in the list of vulnerabilities is that all of them were implementation flaws rather than the more serious design flaws evident in many products. Most industrial sites maintain that their hardened perimeters are doing a good job of protecting the "soft interior" of their control systems. They are mistaken.

There are enormous numbers of unpatched security vulnerabilities in control system software - most undiscovered and unannounced. Thus far few people are looking for ICS vulnerabilities - there is little profit in finding them. Many who find vulnerabilities use the Coordinated Disclosure process, but there is a large population of skillful investigators who believe strongly in Full Disclosure. Expect a steady dribble of these vulnerability announcements - indefinitely.