The Critical State of Industrial Control Systems Security

“Finally we are beginning to address the problem that we have already had for years.” This laconic sentence sums up the conclusions of the first conference focused on the security of industrial control systems (ICS), more commonly known as SCADAconf, which took place in Vígľaš near Zvolen on 6th October 2015. The first conference of its kind in Slovakia and the Czech Republic brought together operators of technologies that use ICS and providers of security services and solutions in this area. Besides power supply and distribution system operators and manufacturers, companies providing security solutions were also represented (the host company, Fortinet, develops hardware built to high security standards), as were the ethical hackers from Citadelo, who have recently focused very intensively on this new challenge: understanding ICS in its full complexity and then being able to test it for vulnerabilities that would allow a potential attacker to take control of a system.

The security of these systems became a significant issue especially after the huge attack in the particularly sensitive area of nuclear development in 2010. The Stuxnet virus attacked, among others, mainly Iranian research centers and destroyed a full fifth of their nuclear centrifuges. The attack was aimed primarily at the so-called Programmable Logic Controllers (PLCs), the end controllers that directly communicate with and manage the actual process or task. Any intervention capable of affecting how a PLC functions is an immense risk, because it effectively means that the attacker is able to replace the management of the operation with his own commands. Although antivirus programs and tools for analyzing and detecting threats are improving quickly, the cyber mafia is ahead and offers its clients offensive means based on so-called zero-day vulnerabilities, i.e. as yet unknown vulnerabilities and exploits that can be used for a successful penetration. It is more than naive to believe that the ICS area will remain outside the spotlight. On the contrary, further development of tools similar to Stuxnet can be observed on hacker forums, and one can only guess how far that development has advanced.

One would expect a high standard of security for elements of critical infrastructure in every respect. However, reality lags considerably behind, and it is necessary to look together for ways to secure critical systems effectively. The recent trend is that ICS developers emphasize more comfortable and functional solutions based on remote access and control from outside the actual operation, often via the Internet or corporate networks. In the past the standard was that critical systems remained isolated in closed circuits, which significantly reduced the risk of penetration. But what was common in the past is now a rather rare phenomenon. Combined with an often very outdated architecture and archaic controller communication protocols, this is a very current security threat and, given the global political situation, also a highly critical one. It is enough to consider even a sample list of areas where control systems are commonly used to manage core processes: power production (including nuclear energy), distribution network operation, transport infrastructure, the extraction and distribution of mineral resources, telecommunications, heavy and light industrial production, and many others. How do you feel about the idea of someone controlling a damn gate from a tablet and communicating over an unencrypted connection?

As was said at the conference, it is hard to imagine that the trend of interconnecting ICS with publicly accessible networks will radically reverse, so it is now up to us, IT security professionals, to secure to the highest possible extent all system inputs through which an ICS could be compromised by an uninvited guest. In response to a growing demand for ICS security audits, Citadelo has begun long-term research and dedicated a few specialists to this area. In doing so we are fulfilling our ultimate vision: providing services across all aspects of IT security and making the Internet a safe place.
