Control systems are vulnerable to hackers, but vendors don't deliver the same level of security for control systems or related devices as would be expected in a computer centre because the industry doesn't demand it, delegates were told yesterday at the 4SICS (Stockholm International Summit on Security in Industrial Control Systems) conference.
Talking to SCMagazineUK.com, keynote speaker Dr Stefan Lueders, CERN computer security officer and head of computer security, explained: “There has been a revolution as we have moved away from proprietary hardware and control systems to more IT-based systems, taking the cherries from the IT world cake: Windows PCs, data storage, HMIs, TCP/IP for communications, web protocol, emailing – because there is a use-case for them.
“However (despite the benefits), there was no incentive to look at the security side because the old paradigm was – we have an air gap, we're disconnected, everything is proprietary, obscure, nobody will attack us. But this is no longer the reality today.”
The event itself provided plenty of supporting evidence that the new reality is one where control systems are now visible on the network and are being attacked.
John Matherly demonstrated the Shodan system, which uses tools that scan the internet for control systems and produces maps showing graphically the distribution of some 550 million devices, commenting that the human-to-human internet was just the tip of the iceberg. It was also made clear that there are attackers looking for vulnerabilities in these control systems, so we do have to worry about their security.
The biggest problem identified was how to create an incentive for control system vendors to build more secure products. It was recognised that the big vendors need an incentive, namely to be paid to make the systems secure: there are no laws forcing them to produce more secure products, or, as Lueders put it: “Too few laws and too many guidelines.”
Utilities don't want to pay extra fees – and when you look at the legal systems and regulations in Europe, there's no one saying that your car plant must be more secure. It's your business interest, but for government that's not their concern. So there is no legal system and no obligatory certification, and utilities don't have an infinite amount of money to pay extra, so there is a lack of incentive to fix the problem. Lueders compared the situation to the drug industry, as possibly the only other case where the vendor takes no responsibility for flaws in its product.
Ruben Santamarta not only demonstrated the vulnerability of satellite navigation systems and how to hack a satellite and potentially cause harm, but also showed that the comment received from the satellite vendor was remarkably complacent: “This is not a safety risk. We are not going to fix it.”