Ensuring that ICS/SCADA isn’t our next IoT nightmare


After the DDoS chaos over the last month or so caused by insecure IoT devices, you might be thinking – what about all of the other things we have simply internet-enabled over the last 20 years? Are the systems controlling the electric grid, water treatment plants and other critical infrastructure as vulnerable as that new light bulb or camera I purchased? Or if you weren’t already thinking that, perhaps you are now!

Before we dive into the details, let’s start with some definitions. SCADA is Supervisory Control And Data Acquisition, whereas ICS is an abbreviation for Industrial Control Systems. ICS covers just about everything you might think you would use to monitor and manage factories, pumps, pipelines and their ilk. SCADA is a defined subset that typically refers to wide-area implementations of smart controls.

When referring to the Internet of Things, many now include devices that fall into these categories as just another insecure component to worry about. Personally, I beg to differ. They certainly can be very insecure and cause great harm, but the remedies available to us are far greater and will hopefully be more effective.

Among the challenges of securing the IoT world are the diversity of manufacturers, time-to-market pressures and the lack of security expertise in the semiconductor space. This is one place where ICS shows an advantage: there is a reasonably small group of large companies – including the likes of Honeywell and Siemens – that we can work with to ensure new deployments follow modern security practices.

This smaller number proves to be an advantage in other ways as well. Unlike the hijacked web cameras, these manufacturers usually bid on large contracts to provide their equipment to system operators and know exactly who is using what.

When a critical firmware update or recall must be issued they know exactly who owns most of the equipment and can quickly deliver advisories to those affected parties.

Much of the risk in ICS stems from operators taking devices that were never intended for use on a public network and connecting them to the internet. ICS vendors always seem to warn customers that their equipment isn’t meant to be put online, but we need to acknowledge that those days are over.

We need to design for the worst case and assume that the days of deploying an air gap are the exception, not the rule.

Another advantage to securing ICS is the enormous economic and contractual pressures that can be applied by the purchasers. Providing ICS gear is a highly profitable and competitive market space. If oil refineries and power plant operators demand that systems include security and are adaptable to future needs, vendors will likely take this responsibility more seriously and view it as a competitive advantage.

ICS systems that are already deployed are woefully insecure, though, and many of these devices have an expected lifetime of 25 years or more. This is the key challenge moving forward: tomorrow’s systems will improve quickly, but yesterday’s systems are what they are.

In the short term, securing these devices might require something like the Sophos Remote Ethernet Device (RED), which can automatically encrypt data between the central control centre and a remote location where a sensor or valve needs to be controlled or monitored. Longer term, the designers of these systems must take into account that they will be deployed in hostile environments.

Another option for antiquated control systems that still require software running on Windows 95 or XP is virtualization. Ensure that these systems are totally isolated from web browsing and general network access, and allow only control messages in and out. This doesn’t eliminate the vulnerabilities, but it mitigates the risk and provides a reasonable compensating control.

The efficiencies gained by remotely deploying control systems and using the ubiquitous TCP/IP-based networks available to us today have introduced an unplanned risk to ICS security, but that isn’t going to change. We simply need to adapt to this new world of connectivity and work together to ensure we reduce the risks as much as possible and define standards for future connectivity that provide a more solid security foundation.