New report warns of SCADA CYBERGEDDON*

The industrial control system fright machine is getting another kick along today, via a survey by Russian vendor Positive Technologies. The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet” can be easily hacked, half of the vulnerabilities the company found allow the …

COMMENTS

This topic is closed for new posts.
  1. Anonymous Coward

    It's no surprise they're vulnerable

    When these things were designed, nobody thought any customer in their right mind would ever expose them to the Internet.

    Then they started going online using good VPNs to firewall.

    Anybody who puts this kind of kit out naked on the Internet is clearly asking for trouble - yet it happens.

    Although Stuxnet got in by compromising the programming PCs then going the last mile to the SCADA systems via sneakernet, and I don't think there's anything the likes of Siemens et al can really do against that route.

  2. cyberdemon Silver badge
    Holmes

    40%

    40% "Of those available to the internet" are vulnerable.

    Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low (and decreasing!!). If anyone has any sense, they keep their process controllers as disconnected as they possibly can, for when the Cylons attack, right?

    1. Nameless Faceless Computer User

      Re: 40%

      Seriously.

      1) Don't connect SCADAs to the Internet.

      2) Don't buy SCADA software written by Microsoft.

      1. Anonymous Coward

        Re: Microsoft

        I see you have a hard time thinking about security vulnerabilities and resisting the urge to bash MS.

        I feel it would be pertinent to point out that Microsoft do not write SCADA software.

    2. Cupboard
      Mushroom

      Re: 40%

      It can be extremely useful for remote support if something connected to the system can be accessed over the internet, even if that's just an HMI, for support purposes. If I get a text from a machine at work, I can often fix it without having to get out of bed. We have a rather bodged system using remote desktop, but somewhere with more significant plant would probably have a better way of doing it.

      Nuke: well, worst case scenario?

  3. Anonymous Coward
    Coat

    A whole SCADA problems, then?

  4. Anonymous Coward

    "Then don't make them available to the internet? Surely the proportion of SCADAs that ARE available to the internet is extremely low"

    Here's three ...

    http://58.214.20.94/Citrix/AccessPlatform/auth/login.aspx

    http://84.238.113.87/

    http://72.16.117.186/

  5. Anonymous Coward
    Meh

    Big country differences

    Looking at the linked report, it's intriguing to see the big differences between the percentage of accessible systems by country. So the UK economy is very similar in size to Italy and France, yet the UK has 1.4% of the sample of accessible SCADA systems, Italy has 6.8%, France 3.9%. The US economy is about five times the size of the UK, yet they have over 20x more accessible systems. Bear in mind that we're talking about SCADA, which mostly isn't not rocket science, so you'd expect the volume of gear (and thus vulnerabilities) to broadly track the size of the economy.

    China looks to be doing very well, although from the vendor names it would appear that the authors focused on Western SCADA brands.

    So, IT security types, do these country differences mean anything? Is the UK doing as well (or less badly) as the report suggests, or is the report talking tosh?

    1. Anonymous Coward

      Re: "isn't not"

      Double negatives really went out of vogue after Shakespeare's time, man. Try to keep up...

      1. Anonymous Coward
        Unhappy

        Re: "isn't not"

        That's called a "typo". But good of you to raise this important point - slack day at the ranch?

        1. Anonymous Coward

          Re: "typo"

          There's also this arcane technique called "reading" that I think it would be valuable for you to employ.

  6. Robert Helpmann??
    Childcatcher

    Percent Online vs. Total Numbers

    The company’s study makes some startling claims: 40 percent of SCADA systems “available from the Internet” can be easily hacked

    These numbers are for systems that have an internet connection, presumably the easiest set to patch. If 60% of these machines are patched, it seems reasonable to assume that a much smaller percentage of those that are not interwebbed are patched. I would therefore guess that these un-surveyed machines utilize the crab system of security (a hard shell on the outside, with nothing but soft flesh once an attacker is past the initial defense). Logically, if my assumptions are correct, the majority of SCADA systems are vulnerable to anything that touches them from the outside world, especially if they grew up inside a bubble.

    Kaspersky would do well to get a move on (http://www.theregister.co.uk/2012/10/16/kaspersky_os_announced/).
