Practical SCADA Security

Control System Security Threats, Security / Reliability Incidents, Useful Industrial Cyber Security Tips

submitted by: Eric Byres
on: Tue, 2011-04-12 21:00

When you hear the words “defense-in-depth”, do you immediately think of layers of firewalls?

If so, you are not alone – most of us immediately think of security concepts in traditional physical security terms. For example, we imagine “more defense” as being more moats and castle walls around the crown jewels. But that is not the only way (or even the best way) to create secure ICS or SCADA systems.

submitted by: John Cusimano
on: Tue, 2011-04-05 11:18

The publication of numerous SCADA vulnerabilities by L. Auriemma last month, on top of the game-changing Stuxnet malware revealed last year, has exposed many security weaknesses in Industrial Control Systems (ICS). The weaknesses occur on two fronts: technology and human factors.

submitted by: Joel Langill
on: Fri, 2011-03-25 10:10

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).

submitted by: Joel Langill
on: Wed, 2011-03-23 16:23

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.

submitted by: Eric Byres
on: Wed, 2011-03-23 10:17

Selling the concept of security for SCADA and ICS might still be struggling, but publishing vulnerabilities for SCADA and ICS equipment seems to be a growth industry.

Thirty-Four SCADA Product Vulnerabilities

On Monday an Italian “Security Researcher” published a raft of vulnerabilities (34 in all) against four SCADA products. Below are the affected products with links to the US-CERT announcements: