Industrial computer systems are typically far less secure than they should be, experts say.
By Robert Lemos
For the last few months, a sophisticated computer worm has wriggled its way between some of the most critical control systems in the world.
Security experts say that critical infrastructure firms need to respond quickly in order to protect their systems from Stuxnet, and warn that its spread may mark the beginning of increased cyber espionage and sabotage.
Dale Peterson, CEO of Digital Bond, a consultancy specializing in industrial security, says others will attempt to replicate and improve on the Stuxnet attack. "Before, it was just a theory--it was the geeky guys who knew control systems that said you could do these things," Peterson says. "Now they have a real example to point to as a technical demonstration."
Unfortunately, most industrial companies may not be quick to react. Manufacturers and utilities have an installed base of controllers that are normally upgraded only every 10 or 15 years, and sometimes less frequently. Most PLCs allow unauthenticated uploads--anyone who can connect to the network is considered an administrator. "If you can ping the PLC, you can do whatever you want to it," Peterson says.
System manufacturers and utilities have always considered low cost, reliability, and safety to be the most important aspects of their control systems. Security has amounted to limiting physical and Internet access to control devices, and many systems do not have the most recent security patches. Some systems cannot be patched because they are running older operating systems that are no longer supported, says Sikora.
"Microsoft released a security patch for the vulnerability used by Stuxnet, but they didn't release it for Windows NT," he says.
The embedded controllers that monitor, and sometimes control, power in households as part of the U.S. smart grid initiatives are actually more secure than the programmable logic controllers. Security researchers and hackers have already tested many smart grid devices, showing manufacturers some significant flaws. By the time these devices are widely installed in homes, they should be far more secure.
But a lack of regulations and security expertise is slowing efforts to secure industrial systems, Sikora says. At a recent conference, he asked technical managers responsible for critical infrastructure systems if they had heard of Stuxnet. Few had. "From what I see, nothing is going to change, even though everything should," he says.