(This article was originally published on the Findings From the Field blog.) I just finished looking through two government reports from earlier this year on cyber security vulnerabilities: the DHS Control Systems Security Program (CSSP) Common Cyber Security Vulnerabilities Observed in DHS Industrial Control Systems Assessments and the Idaho National Laboratories (INL) National Security Test Bed (NTSB) Assessments Summary Report: Common Industrial Control System Cyber Security Weaknesses. The reports have a lot of similarities and are useful, to a degree. A casual reading of the reports however, suggests that we've made no progress in securing important control systems. This is incorrect - much progress has been made. What we really need to measure ICS security progress is not lists of high-priority vulnerabilities, but rather reports quantifying deviations from best practices and defense-in-depth postures. The INL Report The INL report describes the results of some 24 evaluations of control systems on the INL ICS testbed. Since the evaluations were of "vanilla" systems provided by vendors for testing, the scope of the vulnerabilities is limited to what vendors can do to make their systems stronger. The INL top-ten findings are:
The two interesting items are the remote display protocols finding and a discussion of proprietary protocols. The remote display protocols finding is surprising because I did not realize that product offerings made routine use of remote desktop tools. Industrial Defender's own security assessors routinely find weak remote desktop tools and protocols in use, but I had assumed these tools were set up by systems integrators or end users, not set up as a standard part of control systems offerings. The discussion of plain text protocols was interesting as well. INL observed that proprietary protocols are not significantly more secure than open, widely documented protocols. INL researchers were able to manipulate even proprietary protocols after only a little study of packet traces, without serious reverse-engineering efforts. The CSSP Report The CSSP report describes the result of some 15 security assessments, both of a small number of vendor-supplied setups in a lab, and of control systems in the field. As expected, the vendor findings are less comprehensive than the INL report and I won't go into them. The value of the CSSP report is their configuration and network findings. The findings are: Configuration:
Lies, Damned Lies, ... These findings differ very little from findings security assessors discussed informally in presentations as long as 5-7 years ago, though back then no reports this systematic were easily available. Some of the apparent lack of progress is understandable - the problem of patching control systems and their operating systems is one of the most costly security problems to solve, both for vendors and for owners / operators. The same is true of the use of plain text protocols to communicate with field equipment - these protocols will take decades to eliminate completely. I think this is misleading. The reports really do not reflect the many changes that have occurred in this field in the last half decade:
To see progress in this field, what we need is regular, quantitative summary reports of how sites differ from security standards or from established best practices, rather than summaries of serious vulnerabilities. For example, a quantitative summary of NERC-CIP audit findings would be a step in this direction, since the NERC-CIP regulations describe a complete security program. Vulnerability severities and vulnerability counts are only one measure of a security program. If you patch everything, encrypt everything, configure everything correctly, and thus reduce the known vulnerability count to zero, you still may not have a strong defense-in-depth posture. Defense-in-depth includes intrusion detection, intrusion prevention, event monitoring, a strong security program and other measures, not just the elimination of vulnerabilities. We need better yardsticks if we are to measure progress in securing control systems. |
NEWS, TECHNOLOGIES, PRACTICES, AND EXPERIENCE
Note: Comments in this blog are blocked for any posting 14 days old, or older
2010-12-30
ICS Security Progress Masked by Vulnerability Reports |
Subscribe to:
Post Comments (Atom)
It is also important to remember that the systems have inherent vulnerabilities, but there are also additional vulnerabilities that are introduced by those responsible for programming/integrating these control systems.
ReplyDelete