TORONTO–The months-long hysteria over Stuxnet and its hyper-sophistication and passel of unknown vulnerabilities has had the effect of creating a secondary wave of panic about the vulnerability of industrial control and SCADA systems. But the concern about spontaneous utility outages and surreptitiously poisoned food supplies are overblown and largely misplaced, an expert says.
In a talk at the SecTor conference here this week, James Arlen, a security consultant and frequent speaker at conferences on a variety of topics, looked closely at the stories and commentary on SCADA security coming out of the Stuxnet episode and found that there seemed to be a fundamental misunderstanding of the way that these complex systems work. The idea that a remote attacker, no matter how sophisticated or well-funded, could cause mass chaos in a water plant or food-production facility by compromising one or two control systems just doesn’t wash, he said.
“There are safety systems in place, and they’re not connected to the control systems. They can’t be,” Arlen said. “Even if you somehow compromise the right machine and you’re somehow able to access the bleach-injection system that they have sitting around in the cookie plant but just never use, and you change the recipe and make some bleach cookies, they’re going in the garbage. They have product testing. They have safety.”
Industrial-control and data-acquisition systems are designed to tolerate failures, which happen constantly without most people ever noticing. Water continues to flow, the electricity stays on and food and medicine are produced every day. Large-scale failures are not only common, they are expected.
“They planned for this, because stuff breaks all the time,” Arlen said. “Systems are designed to handle two simultaneous major failures and you don’t even notice. You feel minor little things, but the system doesn’t break. There’s no zombies wandering the streets looking for food. When was the last time you didn’t have water? Right now, there’s some significant piece of Ontario’s power grid that’s broken and it’s being fixed. You don’t notice.”
Because Stuxnet was designed to target a specific operating system produced by Siemens that’s used in industrial control systems, many people made the leap and assumed that attackers have a backlog of undisclosed bugs in proprietary operating systems like Siemens’ WinCC system. And that leaves our utilities and factories and other critical systems vulnerable to attackers with sophisticated tools and tactics.
But, as Arlen pointed out, few people outside of the industries in question have any understanding of the proprietary protocols used in these applications, let alone how they operate in real-world settings and what a compromise of a particular machine might get you. He pointed to the staged demonstration earlier this year of a generator destroying itself after the Aurora exploit was used against its computer control system as an example.
“The idea that your garden-variety Def Con attendee can do this, it isn’t going to happen. That’s why they had to stage it and couldn’t just point to an incident,” Arlen said.
Arlen did not discount the sophistication of Stuxnet; in fact, he acknowledged that it’s one of the more interesting pieces of malware to date. But, he encouraged security professionals to take a deep breath and assess the situation rationally.
“Stuxnet is the first time we’ve seen an intelligent piece of malware. It’s the first generation,” Arlen said. “It’s an engineered artifact that was designed to do something specific. It’s an awesome piece of malicious code. Most infosec people are running around screaming and control systems people are wondering what to do.”