Industrial Control System (ICS) security was ramped up at Black Hat USA – with packed sessions ranging from specific attacks to vulnerable hardware – all with the aim of protecting critical infrastructure, whose security shortcomings so frequently hit the headlines these days.
While industrial control protocols themselves are horribly insecure, there is an attempt to bolt on security hardware and software to check for anomalous communication patterns. But while this is certainly progress, it’s only part of the whole picture.
In my experience, the communication to the industrial equipment wasn’t malicious at the packet level. The equipment was following legitimate commands, albeit for a malicious purpose. This is why security is difficult.
Think of it as a rogue insider, but a digital one. Once attackers gained access to the network, the limited ICS/SCADA (supervisory control and data acquisition) defenses didn’t stop legitimate commands emanating from legitimate – but compromised – workstations.
Also at Black Hat, we saw critical networks strapping on remote communication devices over cellular networks to monitor systems, and those devices often had critical misconfiguration errors allowing attackers to gain access and mine data that would inform future attacks. Again, these entry points were protectable, but weren’t protected.
Industries controlled by ICS, sit at an interesting junction where the practitioners who are best able to keep the machinery running have been around long enough to have not grown up digital, and there seems to be a natural resistance.
I recently interviewed a senior engineer for a critical infrastructure firm. He explained there was little incentive to stray beyond his areas of expertise, into network security or other digital domain issues. He wouldn’t receive a pay raise, as he was already at or near the top of his pay scale, and he felt nervous about making mistakes that could get him in trouble. In short, there was a lot of risk for him and little perceived reward.
This experience seems systemic throughout the ICS world. In some cases, it will take the next generation of engineers and operators who grew up with, and/or understand the context of, digital security running this critical machinery, before the tide will change.
Meanwhile, it was encouraging to see so much effort amongst security practitioners at Black Hat being focused on protecting critical infrastructure. After all, this same infrastructure directly controls the ability to do what we do in the security world. If the lights go out, the water stop flowing soon too and things snowball into a situation no one wants. As so much of the infrastructure that our modern societies take for granted depends on ICS-managed systems, they are definitely worth protecting.