There is growing concern over the security of SCADA (supervisory control and data acquisition) systems, one of the Internet of Things topics discussed at the Amphion Forum conference recently held in San Francisco.
Once upon a time, SCADA systems were based on proprietary operating systems, proprietary protocols and limited connectivity. Now, many of the controls on critical infrastructure such as power plants, water treatment facilities, process manufacturing and other infrastructure have been migrated onto commercial operating systems, and are Internet-enabled so they can be monitored and tuned remotely.
Internet connectivity of both newer and legacy platforms has made these systems vulnerable. The scary scenarios include bad actors causing widespread damage by opening a dam’s flood gates or causing sewage discharges into drinking water supplies. It has also been speculated that related Programmable Logic Controllers (PLCs) handling prison doors might be attacked, with disturbing consequences.
The most famous SCADA attack to date was the Stuxnet worm, which entered the controls of Iranian nuclear fuel processing centrifuges. Those controls were not connected to the Internet. Instead, someone plugged an infected USB drive into a controlling PC on the internal network near these devices. The worm searched for specific software running PLCs not only at the nuclear facility, but also at industrial facilities such as power plants. Aided by updates, Stuxnet morphed into Flame and Duqu and spread and spread and spread, causing fun and games throughout the world. Stuxnet started in SCADA and grew to create havoc throughout the rest of the IT security world.
Who is responsible?
So who is responsible for anticipating and mitigating the implied risks at critical infrastructure facilities? Is it the IT Security manager? Doesn’t SCADA security belong in the realm of Operational Technology (OT)? After all, IT Security is busy enough with locking things down in the continuing onslaught of attacks on computing facilities. Besides, the folks over in Operations don’t necessarily welcome IT Security encroaching on their domain. According to Joe Weiss, Managing Partner of Applied Control Solutions (Cupertino, CA), who spoke at the Amphion conference: “The IT world and the OT worlds hate each other. And they hate each other more than they hate an attacker.”
Weiss also notes that the cultures of OT and IT Security are different. “You can’t have someone [from IT security] walk in at 4PM Friday afternoon saying ‘I need you to shut down now’ without realizing that the lights may go out, or that the refinery may go down. It’s a completely different mindset between mission assurance and information assurance.” Further, says Weiss, “until you can relate back to why security has impact on what it means to keep the lights on, or the water flowing, or the trains running, they’re not going to do it. Right now it goes directly against what they’re trying to do. You’re making life difficult. You’re making it more cumbersome. You’re creating problems. None of it is linked back to why they should be doing it.”
And so the charter of OT is different than that of IT Security. What’s their motivation for looking after the security of the systems they manage? Weiss says that OT staff compensation has nothing to do with security, and security is not compensated for being concerned about OT security. Regarding IT security, he says, “they get compensated if they have a firewall up and running. The fact it could bring down a SCADA system is irrelevant to them.” And for operations? “They just want to keep the lights on. They don’t care who tries to get in.” Weiss says, “Until both sides have compensation partially tied to the overall outlook, you won’t get cooperation.”
Well, there’s no reason for the two cultures to be antagonistic. As someone once asked, “Can’t we all get along?”
So what’s the solution?
Well, you can start by having the security people read a children’s book. Robert M. Lee is a US Air Force Cyberspace Operations Officer, Adjunct Professor at Utica College, and Director and Founder of the non-profit educational organization hackINT. His illustrated SCADA and Me: A Book for Children and Management will explain it as simply as is implied in the title. And then upper management should take responsibility for bringing representatives of OT and IT Security together. Sure, OT is really responsible for the industrial processes and controls that keep the lights on, the water running and all the rest, but IT Security has that responsibility as well.
That message needs to be reinforced and turf wars overcome. The two teams need to identify and codify this as the common mission, assigning staff first in task forces and study groups to scope and prioritize the tasks necessary to mitigate the risks, and work on the cultural and compensation issues, and then to build out as cooperating entities, properly resourced and chartered to keep the lights on, and to do so safely.