The danger of SCADA vulnerability exposure

Dave Kresse

Let’s face it: active attacks on Supervisory Control and Data Acquisition (SCADA) systems are going on right now against critical infrastructure. And the cyber security in place to protect that infrastructure is so minimal that it is quite feasible for cyber criminals to cause chaos.

It is well documented that critical infrastructure is vulnerable to attack and, although the effects of some attacks have been publicized, the general concern is that it is a matter of time until one or more major attacks occur.

The Stuxnet worm acted as a catalyst, but most of us knew this was impending. Now that some of the first documented breaches are on record, let’s hope critical infrastructure providers and government agencies alike will take meaningful action to ensure critical infrastructure security and civilian safety.

“Government agencies, in particular the Department of Defense (DoD), Department of Homeland Security (DHS) and many civilian government contract agencies, have a serious problem,” states Greg McDermott, director of federal operations at Mu Dynamics, Inc. “The challenge is that SCADA systems that control critical infrastructure, such as nuclear power plants, electrical power transmission systems and water treatment plants, are increasingly connected to IP networks. The result is a dramatic increase in their exposure to attacks.”

In short, we have a huge need to ensure that SCADA developers and the service providers who are deploying these industrial control systems focus on mitigating the risk of cyber security attacks.

The critical infrastructure challenge

Adversaries are targeting vulnerabilities in SCADA systems with increasing frequency and sophistication. Not only are manuals on how SCADA systems operate widespread and publicly available for use by cyber criminals, but many of the control systems are connected to other networks that are not secure, dramatically increasing the risk to homeland security and the risk of attacks affecting civilians.

SCADA represents a move in the right direction. In spite of its critical nature, though, it is well known that only limited Information Assurance (IA) policies are available for managing vulnerabilities associated with these systems. Moreover, specific Certification and Accreditation (C&A) guidance for these limited IA policies is in place.

As a result, the availability, integrity and confidentiality of SCADA systems are recognized as critical, yet are often overlooked.

This raises the questions: Why hasn’t guidance been put in place to validate that SCADA systems are aligned with traditional information assurance best practices? And why does government rely on limited IA policies, and even on certification in such policies, when best practices for securing IP networks, and the technology to apply them, are readily available and frequently used in civilian enterprises?

New methodologies required

Simply put, a methodology capable of identifying vulnerabilities in an accurate and efficient way has not previously been available. In addition, the capability to do conformance testing of applicable IA policies is relatively new.

Key guidelines for SCADA network administrators and developers include:

  • Consider cyber security attacks in your network risk assessment/vulnerabilities tests;
  • Leverage a SCADA certification plan and team;
  • Plan on SCADA attacks (to be forewarned is to be forearmed);
  • Leverage the latest network testing technologies that simulate real application and network traffic, as a means to mitigate security risks.

As government agencies move to more application-aware network infrastructure, and SCADA systems move out of “special purpose” roles and into the open corporate infrastructure, it is imperative that government organizations and their contractors develop in-depth testing and assessment programs that can identify and secure application and infrastructure vulnerabilities before they are exploited by cyber criminals and organizations.

Tom Parker, the CTO of FusionX, said, “As a leading security consulting services company who has worked in every critical infrastructure-related sector, the availability of in-depth testing and assessment technologies that enhance our capabilities to provide more accurate testing and in-depth analysis are critical to the success of our operation.”

Conclusion

As SCADA networks become increasingly open, security risks leave them vulnerable to service disruptions and outages that could result in public safety hazards and cause havoc in the nation’s critical infrastructure.

Government agencies, contractors and SCADA suppliers must continue to invest in defensive security measures to mitigate the risk of cyber attack. Implementing a multi-pronged strategy is required to systematically improve security, using a combination of people, process and tools.

Dave Kresse is CEO of Mu Dynamics, Inc. He can be reached at:

davek@mudynamics.com

 

 
