SCADA system manufacturers need to improve security performance.
2026-04-06 06:20:08 #1
Source: SecurityFocus.

The security issues of real-time control systems, best known as SCADA systems, have become a focus for both private industry and government, as concerns arise that such systems could be used as a vector for criminal or terrorist attacks. While companies and security researchers are tackling the crucial question of when and how to disclose vulnerabilities in such systems, cybersecurity incidents affecting them are rarely reported.

Idaho National Laboratory and the New York State Department of Cybersecurity and Critical Infrastructure, in conjunction with users and manufacturers of distributed control system software, have developed recommendations on how to secure key components of critical infrastructure systems. They will release a new draft this week for users and manufacturers, including a series of rules that specify requirements for SCADA system vendors. SecurityFocus has studied these rules. They aim to elevate system security to a prominent position in customer-supplier negotiations, with the goal of making next-generation critical infrastructure systems more secure than current systems in terms of both hardware and software.

“We believe we can identify common security vulnerabilities and find ways to make industrial technology security measures more robust,” said Michael Assante, an infrastructure protection strategist. “The vendor response has been surprisingly positive—while it may seem threatening, they are prepared to provide more security measures.”
Because cybersecurity incidents and vulnerabilities are rarely discussed in the industry, three security research experts are seeking a better way for vendors to provide stronger security measures. These three experts—Assante from Idaho National Laboratory, William Pelgrin from the New York State Department of Cybersecurity and Critical Infrastructure, and Alan Paller, research director at the SANS Institute—decided to develop requirements that could be included in vendor contracts, along with a control system security specification manual. The project is funded by the Department of Homeland Security.

These guidelines, known as the "Acquisition Control System Security Guidelines," cover topics such as removing redundant services and schemes that burden the system, establishing a basic set of necessary firewall rules to ensure perimeter security is not compromised, prohibiting or restricting visitor access, and other common methods. Additionally, the guidelines provide mandates for companies, requiring control system manufacturers to guarantee certain code debugging capabilities, procedures for patching vulnerabilities, and the ability to detect malware running on the system.

Companies supporting the project include the New York Power Authority, the New York Independent System Operator, and ConEdison. ConEdison announced Wednesday that almost all customers in Queens, New York City, have had their power restored after a week-long blackout. Because the company lacked distributed data acquisition systems, it was unable to detect which section of the transmission network was damaged and had to send technicians to conduct a comprehensive search of the area.

SANS' Paller stated that detecting mechanical failures to prevent major power outages and troubleshooting production malfunctions are part of the reason for using Supervisory Control and Data Acquisition (SCADA) systems and other distributed control systems.
However, for historical reasons, the creators of these systems did not consider network security. “These guys aren’t unaware of what they’re doing,” Paller said. “Part of the reason this is happening is because these systems were designed 20 years ago, and part of the reason is because the designers thought they were isolated systems. But—suddenly—they’re no longer isolated systems.”

Assante of Idaho National Laboratory says that, as more companies recognize the obvious advantages of remote management and monitoring, these systems are being updated at an even faster pace. While Supervisory Control and Data Acquisition (SCADA) systems typically last 15 to 30 years, thanks to the constant influx of new technologies, current systems tend to last only 8 to 12 years. However, without certain security measures, the trend towards remote management means systems will be more vulnerable, Assante added. “We’re still struggling with mindset issues and how to address failures and risks (rather than the inevitability of failure risks).”

The threat to distributed control systems is no exaggeration; vulnerability researchers are already discussing the flaws in such systems at security and hacking conferences. Shawn Merdinger, an independent security researcher, had planned to discuss the vulnerabilities of critical infrastructure network components at the upcoming DEFCON hacking conference in Las Vegas, but his presentation was cancelled because his research clearly showed that at least a few systems were knowingly connected to the internet via local routers. “These guys are building the most secure and sensitive components in the world, and they’re burning it all down by communicating via FTP and email through local routers,” Merdinger said. “This is utterly insecure.” Merdinger said he had tried to notify companies with such vulnerabilities but had received no response to date.
Other knowledgeable individuals familiar with the systems' vulnerabilities believe these vulnerabilities are far from minor. “My experience is that these kinds of major security vulnerabilities are very common in critical systems, not isolated incidents,” said FX, a researcher specializing in network vulnerabilities. “We can see progress across the First World today: under market pressure, the security of network components for businesses and even individuals is gradually improving, while SCADA and other critical systems are stagnating.”

Dale Peterson, CEO of Digital Securities, a SCADA security consultancy, said the latest project only needs to increase the transparency of negotiations between purchasing personnel and system vendors to solve the problem. The company recently requested that a critical infrastructure vendor provide all the security parameters and recommended settings for its components. Two months later, the company had received nothing. “The main reason security requirements are ignored is that equipment owners are not clear about their needs,” Peterson said. “For many of them, information security is a completely new field.”

“Distributed control system manufacturers must quickly become experts in addressing specific security requirements from customers,” says Assante of Idaho National Laboratory. “The reliability and availability of control systems are indeed receiving increasing attention, so we must ensure that manufacturers understand that security is also an essential, not optional, component.”