Vulnerabilities and architectural considerations in industrial control systems
The reason SCADA security is so controversial stems primarily from the intense consequences that come from a compromise in this area. In this podcast, Andrew Ginter, VP of Industrial Security at Waterfall Security Solutions, and Edward Amoroso, CEO of TAG Cyber, talk about SCADA vulnerabilities in ICS architectures.
Here’s a transcript of the podcast for your convenience.
Andrew Ginter: Hello everyone. Thank you for joining us. I’m Andrew Ginter, the vice president industrial security at Waterfall Security Solutions. I’m here with Ed Amoroso, the CEO of TAG cyber and the former CSO at AT&T. Hello Ed.
Edward Amoroso: Hi Andrew!
Andrew Ginter: So, Ed and I are here today because we put together a five-part series on industrial control systems security, topics and issues. This is number three in this series, and we’re going to be talking about vulnerabilities and architectural considerations in industrial control systems. Ed, did you want to start us out?
Edward Amoroso: I certainly can. You know, I think a common theme Andrew, that you I both agreed on very strongly, is that OT designers are no dummies, these are smart people, and could build up industrial equipment. But to build an automobile for example, takes considerable skill and practice and knowledge, apprenticeships and years of building up an experience base. So, it’s not that you know when hackers find exploits into something like an automobile that it was just pure negligence, it just hasn’t been a consideration. I think what you and I and others have noticed is that over the years the design process for industrial control has begun finally to evolve the things that are consistent with the principles that we all understand.
For example, it makes absolutely no sense from a hacking perspective to build a “bus” that connects up you know open IT connected or internet-facing like entertainment type things in a car to the safety control systems in an automobile that might be remotely managed in some center. Maybe in the beginning when people first got that idea it sounded like a great convenience, but we all know now that it violates about every tenet of cyber security architecture that we built up over 20 years.
So, what we wrote about in the articles is this idea that it is time now, to really examine and focus on and improve the architecture of the systems that either control, or operate, or provide safety for, somehow integrated into an industrial control environment. One of these you write about was kind of the famous exploit that was demonstrated by Charlie Miller and Chris Valasek in 2015 where they used a zero-day to break into a Jeep. I personally didn’t approve that they’ve done it on a live highway, but it is what it is. It did raise a lot of awareness.
Learning is an important initiative at this point, it’s that design considerations consistent at least privilege with segregation of duty, with separation architecture, with minimizing trust between different components – all the things that we learn in IT security 101 are now finally moving into SCADA and industrial control environments. and I think we’re finally seeing some of these designs improved.
Right now, putting things like for example, Waterfall, your team built a wonderful device that separates and segregates one environment from another on the premise that you know there might be some dangerous stuff there. I think commensurate with that, it would make sense also for the things in that IT environment could be less natively accessible because insiders working in that environment are not going to be separated. You’re gonna have that problem – if somebody goes bad who administers locally some equipment, so it can be malware to catch it, could be somebody who just won’t got paid offering compromise.
I think we can look at it holistically. You want good network architecture, and I think you will have improved design for these components. I think that’ll help everything.
Andrew Ginter: I think that’s a great summary Ed, thank you. What we see in the control system world really is reflecting what’s happening in the greater world with as we said in the first piece – a different emphasis – what we see forever in the world of computers and connectivity more generally is that there’s more and more computers everywhere which means there’s more and more software everywhere. We see more and more software control in the control system space every year and we see greater and greater connectivity. Everything’s being connected together, has been for 30 or 40 years out in the world, and it has been increasingly so in the control system space as well.
The essential problem is this: all software has bugs, some bugs or vulnerabilities so all software can be hacked. This is very bad, one software controlling dangerous processes is hacked and every communication path that lets data flow also lets attacks flow. All cyber-attacks are information, and so this trend is, we’re seeing serious investment on the control systems based on hardening the software, hardening the endpoints, but in the end it’s all still software.
The fundamental problem is that all of this software, encrypted or not, hardened or not, still has bugs, still has zero days and is still vulnerable to this increased connectivity to the increased information flows. In a sense, this is the essential problem of control systems, the world of control systems. In the IT world the priority is to protect the data. In the control system world, every piece of information, every piece of data is a threat. The priority in the control system world is to protect us from the data that we find everywhere now.
Edward Amoroso: Yeah, the emphasis is different but to your point the software theme is the same, deja vu all over again when software was introduced to business environments years ago everybody freaked out, it was the beginning of IT security and now you see more or less the same thing. I mean like all that stuff you’re saying about software and connectivity, that’s to save money, right? I mean it’s about to make it easier to run these environments, that’s more convenient, flexible, interoperable, cheaper and then the cycle times are shorter, so that’s going to happen. Nothing you know anybody can do to stop that train, that’s out of the station. So, now it’s imperative that the security corresponding security catch up so Andrew it’s good summary.
Andrew Ginter: Thank you Ed and thank you everyone for joining us. Tune in for our next installment in a little bit.