SCADA security: An alternative to patching
22 Oct 2012

On-line article posted by Eric Byres of Tofino Security:
When it comes to the patching of SCADA and ICS systems, just when you think you are installing all needed patches, some critical ones are getting missed. Unfortunately, I think even the phrase “installing all needed patches” is too optimistic.
In my surveys of SCADA and ICS facilities, I find that even when operating system patches are getting installed, application patches are not. For example, many HMIs are running copies of Adobe PDF Reader that haven’t been patched in years. Considering that Adobe has released over 30 critical security patches for Reader in the past three years, this is a gaping security hole.
Clearly security vulnerabilities aren’t just an operating system problem. And they are not just a business application problem. We saw the number of publicly disclosed security vulnerabilities for SCADA and ICS products jump dramatically in 2011. For 2012, all indications are that the situation will be worse.
Many of these vulnerabilities are not on Windows computers, but rather critical hardware such as PLCs, DCS controllers, RTUs, switches, routers and even firewalls!
Personally, I blame the discovery of Stuxnet in July 2010 and the media attention it attracted for SCADA products. The quality of SCADA and ICS products didn’t suddenly get worse in 2011. The vulnerabilities were always there. Stuxnet just woke up security researchers to the relative ease of exploiting automation devices.
The trend of increasing SCADA/ICS public disclosures has caused a lot of difficulty for vendors. Some of them, such as our sister company GarrettCom, have been credited by researchers as being proactive in dealing with the situation. Others, such as Advantech, have been a case study on how not to work with your customer base or ICS-CERT to address issues.
We have a patch - Now what?
But even for the most responsive vendors, the problem does not go away when the patch is released. Many operators simply fail to implement the patches. We have consistently heard from end-users how difficult it is to apply security updates to industrial control products.
The demands of continuous production, stringent safety/regulatory requirements or widely distributed devices can make patching a nightmare. As much as we would like it to be different, patching in SCADA and ICS is a slow and scattered practice.
During the early years of Tofino Security, we were asked by a major food company if Tofino could help them solve a patching problem they were facing. They had a large installation of Windows NT servers that could not be decommissioned because some critical software only ran on this old operating system. Yet Microsoft had ended support for NT, so there were no patches available.
At the time, we were not able to solve the issue, but it got us thinking. Could we use Tofino as a proxy for the direct patching of the PLC or RTU? It has taken a while, but now we can answer YES. Tofino Security Profiles is a new feature included in the 1.7 version of the Tofino Industrial Security Solution. It allows the loading of special rule sets that can be used to detect and block attempts to exploit known vulnerabilities in a product.
Critical infrastructure such as power transmission could be interrupted if a publicly disclosed vulnerability is exploited. Tofino Security Profiles provide a simple way to mitigate such a vulnerability.
Security profiles are a simple way to protect industrial networks.
A Tofino security profile is a collection of firewall rules and protocol definitions designed to address a specific vulnerability for a specific product. It can include complex checks (such as text searches for the attempted use of a default password), that a traditional firewall cannot achieve.
The profiles are created as a joint effort between the affected vendor and the Tofino Security team, and then distributed to control system customers. Then users simply import the new Security Profile into their Tofino Security Appliances and assign them to protect the vulnerable devices.
Operators benefit from receiving a single, easy-to-deploy package of tailored rules that can be installed without impacting operations. Users can also check the new rules using Test Mode before they actually start blocking traffic. The result is that industrial facilities can defend themselves against new threats without having to rely on patches for their PLCs and switches.
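To make the idea of a vulnerability-specific rule set with a Test Mode concrete, here is an added toy illustration in Python. It is not Tofino's code or profile format; the product name, the ports, the IP addresses, the default-credential string and the sample traffic are all constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional

@dataclass
class Packet:                      # minimal view of one captured frame
    src: str
    dst: str
    dport: int
    payload: bytes

@dataclass
class Rule:
    name: str
    match: Callable[[Packet], bool]   # True means "this looks like an exploit attempt"

@dataclass
class SecurityProfile:
    """Rule set tailored to one vulnerability on one product (hypothetical)."""
    product: str
    rules: List[Rule]
    test_mode: bool = True            # Test Mode: log what would be blocked, drop nothing
    log: List[str] = field(default_factory=list)

    def filter(self, packets: List[Packet]) -> List[Packet]:
        passed = []
        for p in packets:
            hit = next((r.name for r in self.rules if r.match(p)), None)
            if hit is None:
                passed.append(p)
                continue
            verdict = "WOULD_BLOCK" if self.test_mode else "BLOCK"
            self.log.append(f"{verdict} {hit} {p.src}->{p.dst}:{p.dport}")
            if self.test_mode:        # in Test Mode the packet is still forwarded
                passed.append(p)
        return passed

READ_ONLY_FC = {1, 2, 3, 4}           # Modbus read function codes the HMI legitimately needs

def modbus_function_code(payload: bytes) -> Optional[int]:
    # Modbus/TCP: 7-byte MBAP header, then the function code byte; short frames -> None (denied)
    return payload[7] if len(payload) > 7 else None

# Hypothetical profile for a fictional PLC: allow only Modbus reads and flag a
# known default credential (constructed placeholder string) sent over telnet.
PLC_PROFILE = SecurityProfile("ExamplePLC-1000 (fictional)", [
    Rule("modbus-write-to-plc",
         lambda p: p.dport == 502 and modbus_function_code(p.payload) not in READ_ONLY_FC),
    Rule("default-credential-attempt",
         lambda p: p.dport == 23 and b"DEFAULT_PW_PLACEHOLDER" in p.payload),
])

# Constructed sample traffic: one legitimate read, one write, one default-password login
SAMPLE = [
    Packet("10.0.0.5", "10.0.0.20", 502, bytes.fromhex("000100000006010300000001")),  # FC 3 read
    Packet("10.0.0.9", "10.0.0.20", 502, bytes.fromhex("000200000006010600000001")),  # FC 6 write
    Packet("10.0.0.9", "10.0.0.20", 23, b"login: admin\r\npassword: DEFAULT_PW_PLACEHOLDER\r\n"),
]

def run(test_mode: bool):
    prof = SecurityProfile(PLC_PROFILE.product, PLC_PROFILE.rules, test_mode=test_mode)
    return len(prof.filter(SAMPLE)), prof.log
```

Running with test_mode=True forwards all three packets but logs two would-be blocks, which is the check an operator makes before switching the profile to blocking.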
As an example, Schneider utilised the Tofino Security Profile feature to defend against publicly announced vulnerabilities in its Modicon PLC product line. Doing so allowed them to provide a method of defense for their customers that was immediately effective and that did not require any changes to automation equipment or network configurations.
It is important to understand that Security Profiles are not the silver bullet to solve all security issues. For example, vulnerabilities that involve encrypted sessions (such as HTTPS) cannot be addressed with special firewall rules, because the firewall can’t typically decrypt and inspect the traffic. But for a large number of the PLC and DCS vulnerabilities we have seen, the technique works well.
It is my belief that in order to improve industrial security we need to make the processes and technologies related to security simple. Security Profiles are one way we do that with Tofino. Other aspects involve utilizing best practices such as Defense in Depth, and focusing on securing key assets.
What are your thoughts? How does your company implement security-related updates?