Control Systems Leave Manufacturers Vulnerable

Manufacturers' inability to patch their computers against every newly discovered virus and worm leaves their systems highly exposed

What would happen if you couldn’t patch your organization’s computers against every newly discovered virus or worm?

That’s the dilemma facing much of the manufacturing industry, and other industries relying upon control systems, including supervisory control and data acquisition (SCADA) systems. These systems control everything from electricity to petroleum to nuclear power production, as well as many facets of the transportation and communications infrastructure.

Today many of those control systems run on common computing platforms and thus are vulnerable to today’s viruses and worms. Yet while IT managers can test PC builds before rolling them out, very often control systems—which may be controlling the smelt temperature in a steel plant or the hatch on a chemical plant’s centrifuge—simply cannot be patched after they’re in use, unless the upgrade is first rigorously tested in a test environment or issued by the device manufacturer. Analysts, however, say manufacturers release few security upgrades.

To secure control systems, organizations have been rethinking the role of information security, which can’t just be fitted onto many control systems. The needs of plant safety, for example, may trump such things as two-factor authentication on key systems.

Given the difficulty of securing control systems, how widespread are attacks against them today? In 2003, there were only 10 reported information security attacks against control systems. Still, “industry estimates indicate that between 100 and 500 unreported industrial cyber attacks occur every year,” says the British Columbia Institute of Technology (BCIT). The report BCIT released with PA Consulting Group (PA) found a ten-fold increase in the number of control system attacks between 2000 and 2004.

Those attacks have financial repercussions, especially when systems get knocked offline. “Of those organizations that put a figure on the impact of cyber attacks on their process control and automation systems, 50 percent experienced financial losses of more than $1 million,” BCIT and PA note.

BCIT and PA’s research was driven by several high-profile examples of control systems being compromised by vulnerabilities. The Slammer worm, for example, affected an Ohio nuclear plant as well as power utilities, in some cases even bypassing firewalls.

Getting Manufacturers to Disclose Information

More is needed besides good will within companies employing control systems. Security experts charge the device manufacturers provide few patches and little information about how their systems work.

To help on that front, the U.S. Department of Homeland Security (DHS) is trying to coordinate information about how today’s control systems function and how they can be improved.

In general, DHS says control systems today recall the level of security of information security systems from 10 years ago. Furthermore, it says, “due to economic and competitive concerns, control systems are increasingly implemented with remote access, open connectivity, and connections to open networks, such as corporate intranets and the Internet, rather than the closed and isolated networks employed in the past.”

So rather than being closed, relatively unknown environments, for cost-control reasons many control systems run on common, off-the-shelf hardware and software, including Windows and Unix operating systems.

This cost control pervades device security as well. “Control system units are often manufactured with limited, but specific processing capabilities to reduce costs, and often do not include adequate security features such as encryption, authorization, and authentication,” says DHS.

DHS also tapped the U.S. Department of Energy’s Idaho National Engineering and Environmental Laboratory (INEEL) to help develop new technologies for securing control systems. “Ensuring the security of the control systems that operate our nation’s critical infrastructures is a top priority,” says Paul Kearns, director of the INEEL Laboratory.

Defending Control Systems

To defend control systems, BCIT researcher Eric Byres says organizations need to recognize the actual threat. “The real threat is coming from outside the organization, rather than from within, as most of us originally believed.”

Forget quick fixes, he says; control systems are just too complicated. “We can’t just throw in a firewall and hope all our security problems will be solved. It is going to require a disciplined, multi-layer defense if we are going to get the security our critical infrastructures under control.”

To address the problem, PA consultant Justin Lowe says organizations have to bring “both their engineering and IT employees” together, “to undertake security risk assessments of all their control systems and ensure effective protection measures are deployed.”

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and is its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.