A silver bullet for SCADA security?
16 Sep 2011
Blog posted by Eric Byres on the www.tofinosecurity.com website:
If any security expert claims systems can be secured by just using antivirus products on the Windows computers in a control system, they are crazy, irresponsible or both. Antivirus (AV) technology helps protect the plant floor, but it is not enough on its own.
For the most part, AV software only works if you have a signature, which is great for dealing with well-known malware like Conficker. Unfortunately, there is no signature for a worm using a zero-day vulnerability. Stuxnet proved that: it was in the wild for a year before any signatures were available, and antivirus software did not spot the worm for that entire year.
But Stuxnet is far from the only example. Far less sophisticated attacks that completely bypass the AV software appear every week.
These attacks are against fully patched systems with current AV signatures. They succeed because attack tools like Metasploit can encode their payloads so that each one looks unique to the AV engine.
No responsible IT group would think of only using AV technology and not bother with the firewalls in their network. Even a receptionist’s computer has both antivirus and a personal firewall operating. This is the concept of defence-in-depth - no single solution can provide complete protection.
The typical PLC or DCS is a far more important asset than a receptionist’s computer. It is also a much easier target for attack. 99.99% of the control devices and protocols used today offer no robust authentication, integrity or confidentiality capabilities. They can be completely controlled by any individual or worm that gets a foothold on the network.
Nor can PLCs and DCSs be easily patched or have security features added to them, even when security vulnerabilities are discovered. For example, the Siemens S7-300 PLC vulnerabilities revealed 6 weeks ago by Dillon Beresford at Black Hat 2011 are still not patched. This leaves millions of legacy control systems open to attack from even an inexperienced hacker.
Of course, the ICS and SCADA user is limited in what is currently available to defend systems. For example, at this time PLCs and DCS CPUs can’t have antivirus software installed directly on them, and none have built-in firewalls.
But DCS vendors like Honeywell, Emerson and Invensys do supply firewalls to be installed directly in front of critical controllers. In effect, these are acting like personal firewalls for PLCs and DCS devices.
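To make concrete what such a controller-front firewall has to enforce on the device’s behalf, here is an added illustration written for this post; it is not code from the post or from any vendor product. Modbus/TCP, the zone policy and the host addresses are assumptions chosen for the example:

```python
import struct

# Modbus/TCP function codes that change controller state. Modbus is an
# assumption used for illustration; the post itself names no protocol.
WRITE_FUNCTION_CODES = {5, 6, 15, 16, 22, 23}

# Constructed zone policy: hosts allowed to reach this controller, and which
# of them may write. Anything not listed is dropped.
POLICY = {
    "10.1.1.10": {"role": "HMI", "write": True},
    "10.1.1.20": {"role": "historian", "write": False},
}


def parse_modbus_tcp(frame: bytes):
    """Return (unit_id, function_code) from an MBAP-framed Modbus/TCP request."""
    if len(frame) < 8:
        raise ValueError("frame too short for MBAP header plus function code")
    _tid, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError("protocol id must be 0 for Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return unit_id, frame[7]


def decide(policy, src_ip, frame):
    """Verdict for one request. The protocol authenticates nobody, so the
    firewall decides 'who may write' in place of the controller."""
    try:
        unit_id, fc = parse_modbus_tcp(frame)
    except ValueError as exc:
        return "DROP", f"malformed frame from {src_ip}: {exc}"
    rule = policy.get(src_ip)
    if rule is None:
        return "DROP", f"{src_ip} is not a member of the controller zone"
    if fc in WRITE_FUNCTION_CODES and not rule["write"]:
        return "DROP", f"{rule['role']} {src_ip} is read-only but sent write FC {fc}"
    return "ALLOW", f"{rule['role']} {src_ip} FC {fc} to unit {unit_id}"


def build_request(fc, pdu_body, unit_id=1, tid=1):
    """Build a constructed Modbus/TCP request for exercising the policy."""
    pdu = bytes([fc]) + pdu_body
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit_id) + pdu


if __name__ == "__main__":
    demo = build_request(16, b"\x00\x00\x00\x01\x02\x00\x05")  # write 1 register
    print(*decide(POLICY, "10.1.1.20", demo))  # DROP: historian is read-only
```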
On Windows computers, antivirus technology needs to be supplemented with white listing technology and a good patching strategy. Segregating groups of PCs into controlled security zones also really helps.
The IEC 62443 and ANSI/ISA99 ICS security standards are very clear on this topic. So are the IT standards, like ISO 27001. A defence-in-depth solution is a standards requirement.
The bottom line is that you need to deploy a variety of technologies and procedures if you want a secure control system.
Depend on a silver bullet solution and the only thing likely to be shot is your foot.