'Best practice' on critical security is not enough
Maitland Hyslop gives his view on protecting SCADA systems after Stuxnet
The Stuxnet worm specifically targeted supervisory control and data acquisition (SCADA) systems, and has heralded a new era in malware attacks that brings the threat of true cyber-warfare much closer.
Stuxnet is a Windows-specific worm first found in June 2010 by the Belarusian IT security firm VirusBlokAda. It is the first discovered worm that spies on and reprogrammes industrial systems.
It was specifically written, I believe, to attack SCADA systems used to control and monitor industrial processes. Stuxnet can reprogramme programmable logic controllers (PLCs) and hide its changes. It is the first worm to include a PLC rootkit. It is also the first known worm to target critical industrial infrastructure.
Furthermore, I have heard that the worm's target may have been costly infrastructures in Iran using Siemens control systems. An infestation might have damaged Iran's nuclear facilities in Natanz and eventually delayed the start-up of Iran's Bushehr nuclear power plant.
Siemens has claimed, however, that the worm has not in fact done any damage.
Stuxnet usually gets in via a USB memory stick: it spreads on removable drives, so an air gap on its own is no protection. Many industrial computers are unsupervised but still have live USB ports that will mount a memory stick.
SCADA systems are also often more connected to the internet, directly or through the corporate network, than their operators realise.
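The two exposures just described, a host that will mount a memory stick and a host with a path out to the internet, can be checked on a Windows HMI or engineering workstation with a short audit script. The script below is an added example, not code from the article or from any vendor; it assumes a Windows 8 / Server 2012 or later host (for Get-NetRoute and Get-CimInstance), that it is run as Administrator, and that the Removable Storage Access policy for disk drives is stored under the Disk Drives device-class GUID shown, which is an assumption to confirm against your own Group Policy deployment. The -DisableUsbStorage switch is a hypothetical option added here to show the remediation alongside the check.

```powershell
<#
  Added audit script (not from the article): checks a Windows HMI or engineering
  workstation for the two exposures named in the text, USB mass storage and a
  route to the internet. Assumes Windows 8/Server 2012 or later and an elevated
  session. Older SCADA hosts need the WMI equivalents of these cmdlets.
#>
param(
    [switch]$DisableUsbStorage   # hypothetical option: stop new USB disks loading
)

$findings = @()

# 1. Can the USB mass-storage driver start?  Start=4 means the service is disabled.
$usbstorKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR'
$usbstor = Get-ItemProperty -Path $usbstorKey -Name Start -ErrorAction SilentlyContinue
if ($null -eq $usbstor) {
    $findings += 'USBSTOR service key not found; cannot confirm removable-storage state'
} elseif ($usbstor.Start -ne 4) {
    $findings += "USB mass storage is enabled (USBSTOR Start=$($usbstor.Start)); a memory stick will mount"
}

# 2. Group Policy "Removable Disks: Deny read/write/execute access".
#    Assumed location: the Disk Drives device-class GUID under RemovableStorageDevices.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices\{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$policy = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
if (-not ($policy -and $policy.Deny_Read -eq 1 -and $policy.Deny_Write -eq 1 -and $policy.Deny_Execute -eq 1)) {
    $findings += 'No Group Policy denying read/write/execute on removable disks'
}

# 3. Is a USB disk attached right now?  (Unsupervised consoles often have one left in.)
$usbDisks = Get-CimInstance -ClassName Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' }
foreach ($d in $usbDisks) {
    $findings += "USB disk currently attached: $($d.Model) ($($d.DeviceID))"
}

# 4. A default route (0.0.0.0/0) means this host has a path to networks beyond the
#    control segment. Its absence does not prove isolation (modems, dual-homed hosts),
#    but its presence is a finding on a system that is supposed to be isolated.
$defaultRoutes = Get-NetRoute -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue
foreach ($r in $defaultRoutes) {
    $findings += "Default route via $($r.NextHop) on interface '$($r.InterfaceAlias)'; host is not isolated"
}

# 5. Optional remediation: stop USBSTOR loading. Disks already mounted stay mounted
#    until they are removed, and this blocks legitimate media too (patch delivery).
if ($DisableUsbStorage -and $usbstor -and $usbstor.Start -ne 4) {
    Set-ItemProperty -Path $usbstorKey -Name Start -Value 4
    $findings += 'USBSTOR Start set to 4 (disabled); USB disks will no longer mount'
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings: USB storage blocked, no USB disk attached, no default route'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

Run it read-only first across the estate and treat every FINDING line as an inventory item for the risk assessment; only then decide per host whether to apply the remediation, because an engineering workstation with no other route for patches and project files will simply acquire an unofficial one if USB is blocked without a replacement.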
SCADA security is much more than a set of technical controls. It demands a comprehensive approach dealing with governance, management, risk assessments, information security planning (including both physical and personnel security), and operational options.
How important is the SCADA system? If, as in Die Hard 4.0, the SCADA system controls large parts of a critical infrastructure, governance must sit with political and defence authorities, perhaps backed by legislation.
In commercial, public, or third-sector operations that use and operate SCADA systems it is absolutely necessary that SCADA system protection is a main board agenda item. This board item should be seen in the same way as compliance with Sarbanes-Oxley is seen in the business community, with equivalent penalties.
And 'best practice' is simply not good enough when it comes to critical infrastructure. 'Best practice' is a pejorative term: it often leads to a lowest-common-denominator, lowest-cost approach which may, or may not, represent excellent commercial practice. Excellence normally carries a cost, but it is far closer to what is required here.
Maitland Hyslop is managing director at Internet Central