Aiming to protect critical infrastructure against attacks
Industrial Control System (ICS) security was ramped up at Black Hat USA – with packed sessions ranging from specific attacks to vulnerable hardware – all with the aim of protecting critical infrastructure, whose security shortcomings so frequently hit the headlines these days.
While industrial control protocols themselves are horribly insecure, there is an attempt to bolt on security hardware and software to check for anomalous communication patterns. But while this is certainly progress, it’s only part of the whole picture.
In my experience, the communication to the industrial equipment wasn’t malicious at the packet level. The equipment was following legitimate commands, albeit for a malicious purpose. This is why security is difficult.
Think of it as a rogue insider, but a digital one. Once attackers gained access to the network, the limited ICS/SCADA (supervisory control and data acquisition) defenses didn’t stop legitimate commands emanating from legitimate – but compromised – workstations.
Also at Black Hat, we saw critical networks strapping on remote communication devices over cellular networks to monitor systems, and those devices often had critical misconfiguration errors allowing attackers to gain access and mine data that would inform future attacks. Again, these entry points were protectable, but weren’t protected.
Industries controlled by ICS sit at an interesting junction: the practitioners who are best able to keep the machinery running have been around long enough that they did not grow up digital, and there seems to be a natural resistance.
I recently interviewed a senior engineer for a critical infrastructure firm. He explained there was little incentive to stray beyond his areas of expertise, into network security or other digital domain issues. He wouldn’t receive a pay raise, as he was already at or near the top of his pay scale, and he felt nervous about making mistakes that could get him in trouble. In short, there was a lot of risk for him and little perceived reward.
This experience seems systemic throughout the ICS world. In some cases, it will take the next generation of engineers and operators who grew up with, and/or understand the context of, digital security running this critical machinery, before the tide will change.
Meanwhile, it was encouraging to see so much effort amongst security practitioners at Black Hat being focused on protecting critical infrastructure. After all, this same infrastructure directly controls the ability to do what we do in the security world. If the lights go out, the water stops flowing soon too, and things snowball into a situation no one wants. As so much of the infrastructure that our modern societies take for granted depends on ICS-managed systems, they are definitely worth protecting.