By Gregory Hale
End users need to demand security from their suppliers and when there is an issue with a product, the lines of communication need to be open.
That was one of the outcomes from a panel discussion Tuesday on the “Key Takeaways from Digital Bond’s SCADA Security Scientific Symposium (S4) and Project Basecamp” at the ICSJWG 2012 Spring Conference in Savannah, GA.
The goal of Project Basecamp was to assess the security of a set of popular industrial control system (ICS) field devices with an Ethernet interface for a common set of vulnerabilities. A field device is typically a PLC, RTU, IED or communication gateway. Researchers looked for vulnerabilities in six different PLCs/field devices. They found and published backdoors, weak credential storage, the ability to change ladder logic and firmware, command line interfaces, and overflows, among others.
Rather than rehashing the project itself, the panelists talked about ways to fix some of the problems and also spent a good chunk of the two-hour panel responding to questions from the audience.
“We have a well-exercised vulnerability platform,” said Brad Hegrat from Rockwell, one of the companies that underwent testing during Project Basecamp. “Most of the vulnerabilities brought to our attention have been taken care of. We do have a process in place.”
While the methods of releasing the vulnerabilities were not questioned publicly, Graham Speake from Yokogawa Electric Corp. said he understood both sides of the issue.
He now works at Yokogawa, which is a supplier in the industry, but he also used to work at BP, which is an end user company.
He said at Yokogawa “our development lifecycle is 10 to 15 years and we will support it for years beyond that.” But from an end user’s perspective, he said when there was an issue with a device “for us to patch it would take a long time. When a PLC was discovered to be vulnerable, it was a problem especially when the exploit became public.”
Markus Braendle, ABB’s head of cyber security, said his takeaway from the outcome was a little different. He found “there was a lack of trust and a lot of frustration.” From a security researcher perspective, they must be thinking “even if (I) do disclose information to the vendors, they are not going to do anything.” He then added suppliers have to “create a level of trust so (researchers) feel comfortable coming to the vendor.”
Rob McComber, from Telvent, said releasing information is one thing, but “the real value of a release is if the patch or mitigation can be deployed effectively.”
One of the researchers from Project Basecamp, Jacob Kitchel, from Industrial Defender, was also on the panel and said that, while he was ready to take the heat from the audience, the vulnerabilities should not really be news to anyone.
“I still think there are tools to use to eliminate risk before you patch your system,” Kitchel said. “If you still feel you can’t eliminate risk, then talk to me.”
Jonathan Pollet, of Red Tiger Security, said these issues are not new. They have been around for over a decade. “Some of the things we were talking about in 2001, we are still talking about in 2012.”
He said systems are vulnerable no matter what, and he then went on to show how he could tap into different systems remotely using an iPad.
Most devices were designed before cyber security was even an issue, so security was an afterthought. Panelists agreed security needs to be front and center when devices are in the design process.
“It is not enough to patch a system. Systems need to be secure from the beginning,” Hegrat said.
Braendle agreed. “We need to integrate security in from the beginning.”
Speake did say, however, that this is a two-way street. If suppliers boost the security in devices, end users have to use it.
“Whatever security we add in, the end user needs to operate it in a secure way,” he said. “There has to be training and a lot of education. There needs to be a collaborative effort with a lot of groups.”
One of the other areas touched on during the discussion was the product lifecycle. Right now systems and devices can be up and running for up to 20 years or so, but those days are numbered.
“We are going to have to understand the lifecycle will not be 20 years anymore,” McComber said.
“Customers need to demand security,” Braendle said. “You can’t buy a device and have it sit there for up to 20 years. Security has changed all of that.”