Two top cybersecurity experts today painted an unsettling picture of the state of cybersecurity in energy and other industrial control systems, agreeing that few if any effective measures for securing critical infrastructure are in place. "On the SCADA (supervisory control and data acquisition) side, these systems do not have the basic security systems built into them," Jonathan Pollet, Founder and Principal Consultant of Red Tiger Security, said during a webinar.
Most of the time, key security controls, such as encrypted passwords, that apply to corporate IT networks do not apply to industrial networks that operate critical infrastructure. Even basic testing of software for bugs, a routine procedure for corporate IT networks, is not applied to industrial systems, with system vendors implementing only about 5% of the kind of testing that Microsoft, for example, puts its software through, according to Pollet.
As a consequence, it's no surprise that over the past year there has been a 753% increase in vulnerability disclosures to ICS-CERT (Industrial Control Cybersecurity Emergency Response Team). Ironically, vendors have parlayed this known volume of vulnerabilities into businesses that sell exploits for the purpose of hacking industrial systems.
And nation-states are clearly in the energy sector hacking business. Pollet visited clients in the Fortune 50 energy, oil and gas business who experienced attacks originating from China. The rootkit malware infiltrated the industrial systems through corporate IT networks and resided on the companies' systems for 18 months, extracting emails, financial information, blueprints of plants and factories and more.
The failure of corporate IT departments to consider how malware and other exploits flow from corporate systems into the relatively unprotected industrial systems is a major source of vulnerability for the energy sector. "You almost have to treat the corporate network as the Internet…and then view the SCADA and industrial control systems as a sub-network," Pollet said.
One of the biggest problems is that industrial systems "have embedded items inside embedded items inside embedded items where we have forgotten what we embedded," Patrick Miller, Founder, Director and President Emeritus of energy security consortium EnergySec, said. "But the bad guys know they are there."
"The vulnerability is quite high. Most industrial control systems weren't designed for what we have today. Frankly it’s almost child’s play to get into these systems," Miller said.
For the time being, however, there is no need to fear a widespread electricity outage because utility systems have evolved over time with a diversity of technology that varies from utility to utility. "If you look at things like power, gas and even water systems, there is such a diversity of technology. It’s not easy to cause a widespread, long-term outage," Miller said.