The industrial control system fright machine is getting another kick along today, via a survey by Russian vendor Positive Technologies. The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet” can be easily hacked, half of the vulnerabilities the company found allow the execution …
Its no surprise they're vulnerable
When these things were designed, nobody thought any customer in their right mind would ever expose them to the Internet.
Then they started going online using good VPNs to firewall.
Anybody who puts this kind of kit out naked on the Internet is clearly asking for trouble - yet it happens.
Although Stuxnet got in by compromising the programming PCs then going the last mile to the SCADA systems via sneakernet, and I don't think there's anything the likes of Siemens et al can really do against that route.
40% "Of those available to the internet" are vulnerable.
Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low (and decreasing!!). If anyone has any sense, they keep their process controllers as disconnected as they possibly can, for when the Cylons attack, right?
1) Don't connect SCADA's to the Internet.
2) Don't buy SCADA software written by Microsoft.
I see you have a hard time thinking about security vulnerabilities and resisting the urge to bash MS.
I feel it would be pertinent to point out that Microsoft do not write SCADA software.
it can be extremely useful for remote support if something connected to the system can be accessed over the internet, even if that's just an HMI, for support purposes. If I get a text from a machine at work, I can often fix it without having to get out of bed. We have a rather bodged system using remote desktop but somewhere with more significant plant would probably have a better way of doing it.
Nuke: well, worst case scenario?
A whole SCADA problems, then?
"Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low"
Here's three ...
Big country differences
Looking at the linked report, it's intriguing to see the big differences between the percentage of accessible systems by country. So the UK economy is very similar in size to Italy and France, yet the UK has 1.4% of the sample of accessible SCADA systems, Italy has 6.8%, France 3.9%. The US economy is about five times the size of the UK, yet they have over 20x more accessible systems. Bear in mind that we're talking about SCADA, which mostly isn't not rocket science, so you'd expect the volume of gear (and thus vulnerabilies) to broadly track the size of the economy.
China's looks to be doing very well, although from the vendor names it would appear that the authors focused on Western SCADA brands.
So, IT security types, do these country differences mean anything? Is the UK doing as well (or less badly) as the report suggests, or is the report talking tosh?
Re: "isn't not"
Double negatives really went out of vogue after Shakespeare's time, man. Try to keep up...
Re: "isn't not"
That's called a "typo". But good of you to raise this important point - slack day at the ranch?
There's also this arcane technique called "reading" that I think it would be valuable for you to employ.
Percent Online vs. Total Numbers
The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet can be easily hacked”
These numbers are for systems that have an internet connection, presumably the easiest set to patch. If 60% of these machines are patched, it seems reasonable to assume that a much smaller percentage of those that are not interwebbed are patched. I would therefor guess that these un-surveyed machines utilize the crab system of security (a hard shell on the outside, with nothing but soft flesh once an attacker is past the initial defense). Logically, if my assumptions are correct, the majority of SCADA systems are vulnerable to anything that touches them from the outside world, especially if they grew up inside a bubble.
Kaspersky would do well to get a move on (http://www.theregister.co.uk/2012/10/16/kaspersky_os_announced/).