Patching Has Its Place in SCADA and ICS Security

Posted by on 11/04/2013

If you have read my previous blogs on patching for control system security, you might think I am completely against patching. Guess what? I’m not against them!

Actually, I think applying patches is a critical part of good security. According to US-CERT, about 95% of all network intrusions could have been avoided by keeping systems up to date with appropriate patches. If you never patch, you are leaving your system open to a decade of malware.

What I am against is patching as a knee-jerk reaction to security vulnerabilities. You can’t expect your control system to operate reliably if you don’t have a controlled process for patching.

In the words of Richard Brown, at Dow Chemical:

“Patch management is about managing the risk of change”.

Patches are changes to your system. Changes to your system need to be managed. One cannot blindly deploy new patches into the process control environment without risking disruption of operations. Thus careful policy and practice is required to balance the need for system reliability with the need for system security.

A successful patching strategy balances system reliability with system security. Image credit: A Perfect World

Read more »

Posted in Industrial Security
Tags: ,
Leave a comment

Patching in a Rush? Risky Business for SCADA and ICS Security

Posted by on 03/04/2013

In my last blog, I discussed the reasons why critical industrial infrastructure control systems are so vulnerable to attacks from security researchers and hackers, and explained why patching for such systems is not a workable solution.

But let’s now examine the good, the bad and the ugly details of patching as a means to secure SCADA and ICS systems. And to begin, let’s suppose patches could be installed without shutting down the process (for example, through the staged patching of redundant controllers)…

 “You may run the risks, my friend…” Image Credit: pictureshowpundits.com Read more »
Posted in Industrial Security
Tags: , ,
Leave a comment

Why Patching for SCADA and ICS Security is a Broken Model

Posted by on 02/04/2013

As regular readers of this blog know, after Stuxnet, security researchers and hackers on the prowl for new targets to exploit shifted their efforts to critical industrial infrastructure.

Unfortunately, the Supervisory Control and Data Acquisition (SCADA) and Industrial Control Systems (ICS) applications they are now focusing on are sitting ducks.

Up until recently SCADA and ICS systems have been designed with reliability and safety in mind; security has been a minor consideration. Products that have never faced security tests are now under attack from sophisticated vulnerability discovery tools, and major control system security flaws are being continuously exposed.

Read more »

Posted in Industrial Security
Tags: ,
Leave a comment

Tofino Security Profiles Defend Against SCADA Vulnerabilities

Posted by on 19/10/2012

Earlier this week I wrote about a serious issue in the patching of SCADA and ICS systems. Just when you think you are installing all needed patches, some critical ones are getting missed.

Unfortunately, I think even the phrase “installing all needed patches” is too optimistic. In my surveys of SCADA and ICS facilities, I find that even when operating system patches are getting installed, application patches are not. For example, many HMIs are running copies of Abode PDF Reader that haven’t been patched in years. Considering that Adobe has released over 30 critical security patches for Reader in the past three years, this is a gaping security hole.

Clearly security vulnerabilities aren’t just an operating system problem. And they are not just a business application problem. We saw the number of publicly disclosed security vulnerabilities for SCADA and ICS products jump dramatically in 2011. For 2012, all indications are that the situation will be worse. Many of these vulnerabilities are not on Windows computers, but rather critical hardware such as PLCs, DCS controllers, RTUs, switches, routers and even firewalls! Read more »

Posted in Industrial Security
Tags: , , ,
Leave a comment

SCADA Air Gaps – A Philosophy Issue not a Technology Issue

Posted by on 28/08/2012

Over the past month, I have received a number of emails and seen a number of LinkedIn articles suggesting that I was attacking the concept of data diodes when I stated that Air Gaps are a myth. Unfortunately, this is a serious misunderstanding of my message to the ICS/SCADA community.

I am not writing about technology when I say Air Gaps are impossible. Whether you use a firewall, a data diode or tin cans and string to filter and control your information flow is not my point. These are all valuable technologies (well, maybe not the last one). They are also not silver bullets, but when used intelligently in a defense in depth strategy, they can all do a lot to secure a control system. Read more »

Posted in Industrial Security
Tags: ,
Leave a comment

On Twitter