Poor SCADA security will keep attackers and researchers busy in 2013
Security researchers expect attacks against industrial control systems to increase next year
IDG News Service - An increasing number of vulnerability researchers will focus their attention on industrial control systems (ICS) in the year to come, but so will cyberattackers, security experts believe.
Control systems are made up of supervisory software running on dedicated workstations or servers and computer-like programmable hardware devices that are connected to and control electromechanical processes. These systems are used to monitor and control a variety of operations in industrial facilities, military installations, power grids, water distribution systems and even public and private buildings.
Some are used in critical infrastructure -- the systems that large populations depend on for electricity, clean water, transport, etc. -- so their potential sabotage could have far-reaching consequences. Others, however, are relevant only to their owners' businesses and their malfunction would not have widespread impact.
The security of SCADA (supervisory control and data acquisition) and other types of industrial control systems has been a topic of much debate in the IT security industry since the Stuxnet malware was discovered in 2010.
Stuxnet was the first known malware to specifically target and infect SCADA systems and was successfully used to damage uranium enrichment centrifuges at Iran's nuclear plant in Natanz.
Stuxnet was a sophisticated cyberweapon believed to have been developed by nation states -- reportedly U.S. and Israel -- with access to skilled developers, unlimited funds and detailed information about control system weaknesses.
Attacking critical infrastructure control systems requires serious planning, intelligence gathering and the use of alternative access methods -- Stuxnet was designed to spread via USB devices because the Natanz computers systems were isolated from the Internet, exploited previously unknown vulnerabilities and targeted very specific SCADA configurations found only at the site. However, control systems that are not part of critical infrastructure are becoming increasingly easier to attack by less skilled attackers.
This is because many of these systems are connected to the Internet for the convenience of remote administration and because information about vulnerabilities in ICS software, devices and communication protocols is more easily accessible than in the pre-Stuxnet days. Details about dozens of SCADA and ICS vulnerabilities have been publicly disclosed by security researchers during the past two years, often accompanied by proof-of-concept exploit code.
"We will see an increase in exploitation of the Internet accessible control system devices as the exploits get automated," said Dale Peterson, chief executive officer at Digital Bond, a company that specializes in ICS security research and assessment, via email.
However, the majority of Internet accessible control system devices are not part of what most people would consider critical infrastructure, he said. "They represent small municipal systems, building automation systems, etc. They are very important to the company that owns and runs them, but would not affect a large population or economy for the most part."
- 15 Non-Certified IT Skills Growing in Demand
- How 19 Tech Titans Target Healthcare
- Twitter Suffering From Growing Pains (and Facebook Comparisons)
- Agile Comes to Data Integration
- Slideshow: 7 security mistakes people make with their mobile device
- iOS vs. Android: Which is more secure?
- 11 sure signs you've been hacked
- The 12 PCI DSS 3.0 requirements addressed by Peer 1 Hosting This handy quick reference outlines the 12 PCI DSS 3.0 requirements, who needs to be compliant and how Alert Logic solutions address the...
- Defense Throughout the Vulnerability Life Cycle This whitepaper provides insight into how to leverage threat and log management technologies to protect your IT assets throughout their vulnerability life cycle.
- Mobile Policy Checklist Here's what to consider when putting together a mobile policy designed to support a highly productive workforce.
- Securing BYOD Mobile computing is becoming so ubiquitous that people no longer bat an eye seeing someone working two devices simultaneously. Individuals and organizations are...
- Live Webcast On-demand webinar: "Mobility Mayhem: Balancing BYOD with Enterprise Security" Check out this on-demand webinar to hear Sophos senior security expert John Shier deep dive into how BYOD impacts your enterprise security strategy...
- Live Webcast Endpoint Backup & Restore: Protect Everyone, Everywhere Arek Sokol from the bleeding-edge IT team at Genentech/Roche explains how he leverages cross-platform enterprise endpoint backup in the public cloud as part...
- Streamline Software Asset Management, Compose a software Management Symphony Keeping track of your organization's software is easy with effective software management solutions from CDW. View the videos in our software solutions channel
- Druva inSync: Endpoint Data Protection & Governance CLICK HERE to watch this video about protecting corporate data on laptops and mobile devices, sponsored by Druva. All Security White Papers | Webcasts