Come to Jesus moment for SCADA developers
A couple of years ago, Firesheep created a come to Jesus moment for many of the most popular web sites on the internet. It demonstrated for anyone interested (no skill needed) that serving logged-in sessions over plain HTTP instead of SSL was bad, and that anyone's account could be hijacked by a stranger on the same open Wi-Fi network. All responsible websites have responded by increasing their security, and the internet is a better place for it.
At the S4 Conference, SCADA systems were put under the wire brush and found to be as insecure as the websites Firesheep targeted. Iran learned the hard way, through Stuxnet, that SCADA isn't secure.
SCADA is designed by industrial engineers for industrial engineers, and not by computer security experts… and it shows. At the conference flaw after flaw was exposed which if exploited could cost billions and even cost lives. Unlike a Facebook account, SCADA controls physical processes and when something goes wrong, bad physical things can happen. The conference attendees speculated that there will be a Firesheep moment for SCADA and that the industry will have to react.
I agree and disagree. I do think that if I were to buy a new SCADA system, I'd find a wide range of improved security on offer. I also think that I'd find systems that were upgradable and that could be easily patched in the future against evolving threats. What I don't see is any reasonable expectation that the existing fielded systems will ever be fixed. The flaws extend beyond the server farm and into small control boxes scattered around power plants and industrial sites. This is more like IE 6 than Firesheep. No matter how hard Microsoft has tried, IE 6 still lives on. It will take touching every single flawed box, and potentially redesigning every single system, to secure them. Firesheep was countered by turning on SSL at the servers. If countering it had required each user to replace their laptop, we would still be hearing about Firesheep.
I don't know if there will ever be an event that causes industry to touch all of those boxes and upgrade them. Those boxes are a sunk cost and they just work, so why change them? It will be easier for industry to implement procedural changes that reduce (but don't eliminate) the risk. Some industries, such as nuclear power plants, may make the effort, but will the dairy farm? Additionally, I doubt that any warranty associated with these boxes covers this. They work as designed, so the fact that they were designed without sufficient security isn't something likely to be covered under warranty.
The people who wrote Stuxnet were targeting a specific set of SCADA controllers and intentionally prevented their software from attacking outside of a narrow set of parameters. They did not entirely avoid collateral damage, but they went out of their way to try. The worst-case scenario for the SCADA industry (both manufacturers and users) is someone releasing a variant of Stuxnet that is as discriminating as a nuclear weapon. Remember the Conficker worm? You know, the one that infected 15 million Windows computers. It didn't care who you were. Now put the Stuxnet payload on something as nondescript as that, and you'll get the world's attention. You will also cause physical damage across a wide range of industries.
It is unlikely that the industry will recall its boxes and replace them for free. It is also unlikely that most industries will pay to replace their SCADA systems with newer, secure ones. The best we can hope for is that industries start building response plans for when their SCADA systems are compromised. At some point some piece of malware is going to be released into the wild that does impact SCADA. It may be something that was designed to target a small population, but whose targeting controls were poorly designed. It may be something designed to show off the skills of some 15-year-old hacker... I don't know, but it will happen. The question isn't if or when, but how industries will respond and how well those contingency plans are written.