With what is becoming worrying regularity, more SCADA vulnerabilities were discovered last week, this time 23 of them, found by Exodus Intelligence. The vulnerabilities have been reported to ICS-CERT, so we don't know their exact details yet. Like most recent SCADA issues, they don't sound particularly pleasant.
Having worked on networks utilised by these systems, I have found that the engineers on the SCADA side of the fence simply do not have a security mindset. So it's paramount you secure the network, more so than for any other application I have come across.
If you have the unfortunate joy of running a network for SCADA, I recommend you sign up to ICS-CERT. It is a valuable resource.
If for some depraved reason you have an interest in reading security bulletins, go through some of the ICS-CERT archives. You may notice a slightly worrying trend in the ICS-CERT notifications. With other, better-known security advisories, such as those from Microsoft, Cisco or Java, the remedy is often to apply the latest patch, or in the interim to disable a feature while you wait for the patch. Not here. No, no, no. Here we have another strategy: simply block that traffic from the network. Industrial control suppliers don't seem too keen on patching their software.
Take this security alert as an example. It was chosen at random, and it involves control traffic that is neither authenticated nor encrypted. We're off to a great start already.
Ironically, right beneath a suggestion to read some defence-in-depth strategies, it suggests simply blocking all traffic to TCP/UDP port 102 on the network to remove the vulnerability. That is not defence in depth; that is one hell of a crunchy M&M, complete with yummy-tastic depleted uranium core.
Fantastic, assuming you have a single point of entry to this network and the threat does not come from within your organisation. Can you assume either of the above is true?
The alert also suggests using a VPN for remote connections. Thanks guys. Helpful. Otherwise your unauthenticated, unencrypted control traffic could come from the Internet, right? That would be bad, right?
Suggestion: over-engineer the absolute shiz out of the network security for a SCADA network. You must assume the end points are completely vulnerable. Only allow the protocols that are absolutely required. Consider deploying ACLs, or possibly link encryption, all the way out to the access layer. At least that will be good for job security.
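As an added illustration of that suggestion (my example, not code from the post or from any ICS-CERT alert), here is a default-deny allowlist check of the kind an access-layer ACL enforces: each PLC may only be reached on the protocols it actually needs, and only from the named engineering/HMI hosts, so a rogue internal host hitting TCP 102 is denied just as an Internet source is. All addresses, hosts, ports other than 102 and flow records are constructed.

```python
import ipaddress
from collections import namedtuple

Flow = namedtuple("Flow", "src dst proto dport")

# Constructed policy. Key: (destination PLC, protocol, port) -> permitted sources.
# Anything not listed is denied, whichever side of the perimeter the source sits on.
PLC_SUBNET = ipaddress.ip_network("10.20.30.0/24")
ALLOWED = {
    # Unauthenticated control traffic on TCP 102 (the port the alert says to block):
    # permitted only from the single engineering station.
    ("10.20.30.11", "tcp", 102): {"10.20.31.5"},
    # A second required protocol on the same PLC, from the two HMI hosts.
    ("10.20.30.11", "tcp", 502): {"10.20.31.5", "10.20.31.6"},
}

def parse_flow(line):
    """Parse one constructed flow record of the form 'src dst proto dport'."""
    src, dst, proto, dport = line.split()
    return Flow(src, dst, proto.lower(), int(dport))

def evaluate(flow):
    """Return (verdict, reason). Default deny: only explicit allowlist tuples pass."""
    if ipaddress.ip_address(flow.dst) not in PLC_SUBNET:
        return ("ignore", "not destined to the PLC subnet")
    key = (flow.dst, flow.proto, flow.dport)
    if key not in ALLOWED:
        return ("deny", "protocol/port not required on this PLC")
    if flow.src not in ALLOWED[key]:
        return ("deny", "source is not an authorised engineering/HMI host")
    return ("permit", "explicitly allowlisted")

# Constructed sample flows: legitimate, rogue internal host, Internet source,
# permitted HMI, unneeded protocol on the PLC, and traffic outside the PLC subnet.
SAMPLE_FLOWS = """\
10.20.31.5 10.20.30.11 tcp 102
10.20.31.99 10.20.30.11 tcp 102
203.0.113.7 10.20.30.11 tcp 102
10.20.31.6 10.20.30.11 tcp 502
10.20.31.5 10.20.30.11 tcp 80
10.20.31.5 192.0.2.9 tcp 443
"""

def audit(text):
    """Evaluate every flow record in text; returns [(flow, verdict, reason), ...]."""
    return [(f, *evaluate(f)) for f in map(parse_flow, text.splitlines())]

if __name__ == "__main__":
    for flow, verdict, reason in audit(SAMPLE_FLOWS):
        print(f"{verdict:6} {flow.src:>12} -> {flow.dst}:{flow.dport}/{flow.proto}  {reason}")
```

Note that the internal host 10.20.31.99 is denied on port 102 exactly like the Internet source, which is the difference between a perimeter block and an allowlist pushed out to the access layer.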
Disclaimer: M&Ms may not actually contain uranium.