ICS vulnerabilities are still rampant

A panel of experts at the recent Security of Things Forum agreed that attackers are probably already inside the nation’s industrial control systems

To put it in somewhat technical terms, the nation’s industrial control systems (ICS) – part of its critical infrastructure – are not only vulnerable to compromise, they are likely compromised right now.

Or, in Paul Dant’s much more blunt, and less technical terms, “your sh-- is f--ked.”

Dant, chief strategist and managing principal at Independent Security Evaluators, was one of three experts on a panel titled “Securing Industrial Control Systems” at the recent Security of Things Forum in Cambridge, Mass.

He added that he believes more attacks on US critical infrastructure are inevitable. “To think that stuff is not vulnerable is a complete fallacy.”

He got no disagreement from his fellow panelists, who followed an afternoon keynote address titled “In Praise of Junk Hacking” by Travis Goodspeed, an independent security researcher. Goodspeed demonstrated how to hack much less critical devices like graphic calculators, but noted that the ways to compromise them applied to “things we do care about.

“These are the exact same techniques that can be used to attack your ICS,” he said.

Matt Clemens, security solutions architect at Arxan, agreed. “All the things that are running parts of these bigger systems are made up of things that people work with in smaller systems every day,” he said.

The panelists agreed that owners and operators of ICSs should assume not just that their systems are vulnerable to attack, but that attackers are already on the inside.

It is not that such attacks are new – the discussion included references to the hack of Ukraine’s power grid last December, in which about 225,000 people lost power for about three hours; the Shamoon virus attack on Saudi Aramco; and Stuxnet, the computer worm attributed to the US and Israel, used to attack and destroy a portion of Iran’s nuclear facilities.

None of these were a surprise, said Andrew Kling, director of cyber security and architecture at Schneider Electric. “I’m surprised we don’t hear about more of them,” he said.

That, as has been widely reported, is because most ICSs were not designed with the expectation that they would be connected and remotely controllable.

It is also a matter of priorities. The acronym CIA – Confidentiality, Integrity and Availability – was mentioned more than once during the day, with most agreeing that the first two on the list were more important than the third.

But Kling said availability is the priority in ICS – if they aren’t available, people could be without electricity, water and other critical services. And until more recently, security has not even been a requirement.

The other problem, he noted, is that the ICS industry doesn’t move at a pace even close to that of technology in other fields. When a device is implemented, he said, “we’re talking about 18 years of support for that device. Just think about where we were 18 years ago – that’s how far forward we have to look.”

Dant said the industry remains in denial. “We’re so far away from acknowledging the problem,” he said, adding that he thinks ICS is simply not ready to be connected to online networks.

“I would tell a client that,” he said. “Let’s postpone some of this massively quick adoption of this technology.”

Kling said industry leaders will not be convinced of the need to harden their systems simply through scare stories, however. “Fear doesn’t work,” he said. “You have to talk to them in language they understand, which is their bottom line, or damage to their brand.

“Is an incident going to make their stock fall 20% or 2%?”

Stories by Taylor Armerding
