Protecting the security of critical infrastructure, much of which is controlled by supervisory control and data acquisition (SCADA) systems, has become a point of concern in recent years, with new reports of vulnerabilities surfacing on a regular basis. In early February, President Obama made cybersecurity an explicit national priority during his State of the Union speech. Yet even as attention turns toward protecting the industrial control systems (ICS) that form the backbone of much of the nation's critical infrastructure, the challenge of instituting change in the software itself remains significant.
A recent Dark Reading article highlighted the low rate of patch adoption among many SCADA system operators, explaining that efforts to correct vulnerabilities with updates are often stalled by fears that implementing these changes will harm overall system performance. Rather than face the risk of downtime at a power plant, for instance, operators would prefer to continue running facilities as they have historically done. To address this problem, software vendors may need to respond by building more secure programs, making use of tools such as source code analysis to strengthen SCADA systems.
The SCADA security problem
In the wake of the high-profile Stuxnet worm, renewed attention has been paid to SCADA security. The number of flaws found in SCADA systems from 2010 to 2012 was 20 times that of the period from 2005 to 2010, according to a 2012 study by security firm Positive Technologies. Half of the vulnerabilities discovered enabled remote code execution, and more than 40 percent of systems accessible from the internet could be hacked even by unprofessional attackers.
The study found that one in five vulnerabilities took more than 30 days to patch following detection. Additionally, it noted that many systems with in-the-wild exploits remained unpatched.
"If there is a vulnerability and a fix has not been issued, the risk that the system can be compromised is rather high, as an attacker does not need deep knowledge and a protracted period to prepare for the attack," researchers wrote.
Trouble with patching
According to Dark Reading, even the SCADA systems receiving patches remain at risk in practice, as the rates of patch adoption are staggeringly low. The publication reported that many industry experts estimate that just 10 to 20 percent of organizations actually install the patches offered by SCADA vendors. Unlike patching employee PCs or enterprise servers, updating power plant or factory-floor systems comes with a number of major challenges. In these contexts, installing a patch can be complicated by the need to continue operation uninterrupted, as well as by the longevity of the systems in question.
While end-user workstations might be refreshed every three to five years anyway, process control equipment is often decades old and is essentially impossible to patch, according to Dark Reading. Even if patches for security issues were released, operators would likely be hesitant to install them, given the risk of tampering with such a fragile environment.
"I can tell you flat out that the people who run the equipment will not pursue patching aggressively," Andres Andreu, chief architect and vice president of engineering for Bayshore Networks, told Dark Reading. "There are a lot of controllers out there from the 1960s and '70s that can't handle sophisticated security. I've dealt with a PLC [programmable logic controller] with bytes of memory – you can't even put anything on there. To actually patch at that level is unrealistic … There's legacy code written 30 years ago, and no one wants to touch that."
Although SCADA vendors reported pursuing aggressive strategies to encourage patching, some companies may wait several years to install patches, if they install them at all, Dark Reading reported. One SCADA security expert told the publication that the best the industry can hope for may be that updates get installed during annual or semiannual maintenance cycles, noting that no engineer is going to risk accidentally shutting down a plant to fix something that is not clearly broken.
Some vendors noted they might push especially hard if a patch is particularly important. However, the best option SCADA manufacturers have is delivering secure software in the first place. By using tools such as static analysis, they can minimize the likelihood of common vulnerabilities and reduce the danger of low patch adoption rates.
Software news brought to you by Klocwork Inc., dedicated to helping software developers create better code with every keystroke.