PUNTA CANA–Here’s how nuts the world of ICS security is: Jonathan Pollet, a security consultant who specializes in ICS systems, was at a Texas amusement park recently and the ride he was waiting for was malfunctioning. The operator told him the ride used a Siemens PLC as part of the control system, so he went home, got his laptop, returned and was able to debug the software, find the problem and fix it and get the ride going again.
And here’s how nuts the state of building automation security is: Terry McCorkle, an ICS and automation security researcher, was doing an assessment of a building’s security and was able to access its automation system over the Internet. He accessed the HVAC system and from there was able to pivot to the lighting and surveillance system. He then found the access control and energy management system and was eventually able to unlock the doors, turn off the IP cameras, open the parking garage door modify the access-control database.
“It’s like hacking in the 1980s and 1990s,” said Pollet, founder of Red Tiger Security, in a talk at the Kaspersky Security Analyst Summit here Tuesday.
Security researchers like McCorkle, Billy Rios and others have been hammering ICS, SCADA and PLC vendors on the abject lack of security in their products and systems for a few years now. Some vendors have responded, but in many cases, problems such as complete lack of authentication, failure to use encryption and lack of monitoring go unaddressed, even after researchers report them. In that way, it’s much like the way IT software and hardware vendors handled security and vulnerability reports in the 1990s. Many would ignore them, hoping the researchers would move on.
That didn’t turn out very well for the large software vendors, and it’s not going so well for their counterparts in the ICS and automation worlds, either. Pollet said that the reasoning he hears from manufacturers about why they don’t have better security in their hardware and applications don’t really add up. Saying that protocols aren’t ready or that security is difficult to build in aren’t legitimate excuses.
“All these excuses aren’t really excuses,” he said. “With the current software and hardware we have, there’s no reason we can’t have these systems secured.”
Pollet said that in the PLC and ICS world, what might drive better security is demands from users. That’s what accelerated the process in the desktop software world for vendors such as Microsoft, and Pollet said users need to speak up now in order to get vendors motivated to improve their security.
“All the changes we’ve gotten over the years have been user-driven. Now the users have to ask for security,” he said. “The first vendor that starts to offer some of these security features, there will be a domino effect. So it’s up to us to make sure we ask for it. The market will respond.”
McCorkle, who spoke after Pollet’s talk at SAS, said there’s a need for some standard practices for security in that world. Talking about the response to the Target breach, which began with the compromise of an HVAC automation system at the company, McCorkle said the vendor’s answer that it complies with standard industry practices doesn’t ring true.
“I’ve never seen a standard from any integrator of any kind that’s about security,” he said. “There are no standards or practices.”