Despite Stuxnet, Duqu, control system flaws still overlooked
Most efforts to fix infrastructure threats are wrongly focused, security pros say
Computerworld - Efforts to strengthen critical infrastructure targets continue to focus on front-end systems rather than on underlying industrial control systems where the real problems exist, security experts warned this week.
The Stuxnet worm that last year showed how flaws in control systems can be exploited to cause damage to physical assets, but it hasn't yet led to significant security upgrades, they contended.
"Everyone keeps focusing on PCs while PLCs (programmable logic controllers) are still in the same state they were 10 years ago," said Dale Peterson, CEO of Digital Bond, a consulting firm specializing in control system security.
The issue has been longstanding within the industrial control system (ICS) community, and surfaced again this week with the release of a Symantec report that the new Duqu Trojan has links to Stuxnet.
According to Symantec, the Duqu worm appears have been built to steal critical information from vendors of industrial control systems.
Unlike Stuxnet, Duqu does not directly target industrial control systems though information it gathers could be used to create the next Stuxnet, Symantec warned.
The report reignited fears about cyberattacks targeted at the control systems behind equipment at critical infrastructure such as power plants, water treatment facilities and chemical plants.
The problem, though, is that the concerns so far have focused on the front-end, mostly Windows-based Human Machine Interface (HMI) systems that are used to interact with control systems, Peterson said.
Many flaws that have been described as control systems flaws have really been at the front-end engineering workstation layer.
For example last month, Italian researcher Luigi Auriemma disclosed several zero-day vulnerabilities in Supervisory Control and Data Acquisition (SCADA) products from multiple vendors including Rockwell Automation, Cogent Datahub, Measuresoft and Progea.
Earlier this year, Auriemma had disclosed similar flaws in products from Siemens, Iconics, 7-Technologies and Datac. Most of the flaws were at the HMI layer.
"There are vulnerabilities in all components but HMI [flaws] are the easiest for researchers to get their hands on," Peterson said.
While addressing such flaws is vital, it is equally important to address flaws in the control systems themselves, said Joseph Weiss, managing partner at Applied Control Systems LLC and author of the book Protecting Industrial Control Systems from Electronic Threat. "These are the flaws that can cause things to go boom at night."
"If you haven't protected HMI's, shame on you," Weiss said. But the bigger threats really are the control system flaws that allow attackers to send commands that cause physical equipment to shut down, overheat or blow-up, he added.
Stuxnet showed how programmable logic controllers could be overwritten to send commands that caused equipment to fail, he said. Despite that warning, little has changed. "Prior to Stuxnet there were zero programs for securing PLCs. To this day there are no programs for securing PLCs," Weiss said.
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts