ICS-CERT, SCADA Patching Under The Microscope
Existing process of vulnerability reporting, patching doesnt go far enough in improving the overall security of critical infrastructure systems, SCADA experts say
Third installment in an occasional series on SCADA security
The U.S. Department of Homeland Securitys ICS-CERT has been regularly issuing vulnerability advisories for SCADA products over the past couple of years, and vendors increasingly have been issuing patches, but the gaping and easily exploitable design flaws inherent in many products remain.
Some renowned SCADA security experts contend that the current process of reporting bugs, patching bugs, and issuing alerts via ICS-CERT falls short. The bigger ICS/SCADA systems that control power plants or chemical plants are not typically the subject of ICS vulnerability alerts, they say, and most vendors still arent fixing features in their products that were created prior to the networked environment, or that just dont factor in security (think lack of authentication).
ICS-CERT has been lauded for helping raise awareness of security problems in the systems and software that run power plants, as well as for as other services it provides to the ICS industry, including incident response and free tools. ICS-CERT responded to 177 cyberattack incidents reported by industrial control system operators last year, according to its
newly published annual report
(PDF).
Ralph Langner of Langner Communications, a security expert who was one of the first to discover Stuxnet, says the current ICS vulnerability advisory process covers only smaller flaws that can be patched, while the bigger security holes lay within the design features of the products. The reality is that the most serious vulnerabilities in control systems are deliberate design features, not bugs, Langner says. And ICS-CERT doesnt handle insecure design features, he notes.
ICS-CERT doesnt deal with insecure design features and is even reluctant to call those vulnerabilities -- quite a stretch because, by any definition, a vulnerability is a system property that an attacker can exploit, no matter if it came into existence by oversight or by poor design, Langner says.
The focus on bugs in micro-PLCs and human machine interface (HMI) software is missing the mark, he says. Big DCS products that are used to control power plants or chemical plants, for example, dont make it into ICS-CERT publications, no matter how easily they can be exploited, Langner says.
Dale Peterson, CEO of SCADA security consultancy Digital Bond, says the advisories issued by ICS-CERT dont do much to improve overall security of SCADA systems. Most of the vulnerabilities [in the alerts] have little impact on the security of the systems, says Peterson, who has been blogging recently on building a better ICS-CERT process.
He says that instead of vulnerability coordination, ICS-CERT should provide support to US-CERT in that regard. ICS-CERT should prioritize vulnerabilities based on how the vulnerability affects a system on their critical infrastructure list AND the vulnerability affects the security posture of the system, which would give ICS-CERT the breathing room to drill down on fewer but more relevant security flaws, Peterson
wrote in a blog post
earlier this week. The second requirement is important and often leads to misallocation of ICS-CERT effort. Does it really matter if there is a CSRF or buffer overflow vulnerability in a device that you can connect to and take complete control using a feature?
But other SCADA experts say ICS-CERT is getting a bad rap. Eric Byres, CTO and vice president of Tofino Security, a division of Belden, says its not ICS-CERTs mandate to deal with the systemic problems in control systems. Its the elephant in the room. Yeah, these systems were never designed with security in mind; some were designed 20 to 30 years ago. Vendors are aware of the problem, Byres says.
It will take major players, such as Exxon and Duke Energy, among other corporations, with the ICS purchasing power, he says, to force vendors to step up and fix the systemic security issues. Its not ICS-CERTs mandate to stand on the bandwagon and scream and yell and advocate. Its [mandate is] information dissemination, testing, and training, he says.
Byres says ICS-CERT is making a difference in SCADA security -- as a mechanism for researchers to disclose vulnerabilities responsibly, and its DHS-backed status gives it a higher level of visibility at the executive board level of SCADA vendors. Schneider gets railed on, but the size of their security team was zero two years ago, and now its about 20, he says. [Vendors] are dumping tens of millions of dollars into this problem.
Doug Powell, a security expert who works for Canadas third largest utility, says ICS-CERT is doing exactly what it was created to do. Is that adequate or enough to tell people a patch is required even if the patch is not relevant or if its not applicable? Thats not ICS-CERTs problem, says Powell. Its got to be some responsibility for the vendor or owner-operator to take that information handed to them and do something with it.
That means risk analysis and evaluation, he says. What could happen to me if I patch this miniscule [flaw] or if I dont do it? Those discussions happen in utilities, he says. Theres always a risk calculation being done in the background [for patching].
[Industrial control systems vendors are starting to patch security bugs, but actually installing the fixes can invite more trouble. See
The SCADA Patch Problem
.]
ICS-CERTs official mission is to issue alerts and advisories on cyberthreats and vulnerabilities that affect critical infrastructure. The organization is charged with analyzing malware, vulnerabilities, and new exploits, as well as to conduct incident response for critical infrastructure owner-operators, and to help coordinate risk management in the industry, according to information in its recent report.
A DHS National Protection and Programs Directorate (NPPD) spokesperson said in a statement in response to inquiries for this article: Protecting critical infrastructure against growing and evolving cyber threats requires a layered approach. DHS actively collaborates with public and private sector partners every day to respond to and coordinate mitigation in the face of attempted disruptions to the Nation’s critical cyber and communications networks and to reduce adverse impacts on critical network systems, he said. Last [fiscal] year, the Department’s Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) responded to 177 incidents while completing 89 site assistance visits and deploying 15 teams with US-CERT to respond to significant private sector cyber incidents.
No Locks
True ICS security isnt about patches, Langner Communications Langner says. Its kind of like telling a home owner to fix a broken wire frame on a window in order to keep burglars out, while not telling him that there is no lock on his front door, he says.
ICS-CERT as such is a good idea, and they have a lot of good talent on board, Langner says. But Langner says it could be better deployed.
Digital Bonds Peterson says he and his team have stopped submitting bugs they find to ICS-CERT. Instead, Peterson says they work directly with the SCADA vendors they think will actually fix the flaws they find. If [the vendor is] not going to fix it, we just keep it. We dont feel like its going to make a difference reporting it to ICS-CERT or a nonresponsive vendor, he says. When we do report it, its a fair amount of work on our side.
And patching is sometimes just window dressing: One SCADA vendor that Peterson declined to name talked up its new security team and that it had patched some bugs in its products. He says he asked them when they would begin authenticating the uploads of new software and firmware, and the company admitted they wouldnt be starting on that fix for two to three years.
Fixing a few bugs but not the real security risks that are simplest for attackers to exploit is the wrong answer, according to Peterson.
Have a comment on this story? Please click Add Your Comment below. If youd like to contact
Dark Readings
editors directly,
send us a message
.
Tags:
ICS-CERT, SCADA Patching Under The Microscope