How should you react to news of PLC security vulnerabilities?
Project Basecamp was an exercise conducted at the S4 Security Conference that was held last month in Miami, Florida. At the event, six security researchers reported their findings on the security vulnerabilities found after testing several PLCs and field devices from several companies. With relative ease, the security researchers were able to discover, verify and in many cases exploit basic security vulnerabilities such as backdoors, weak or no authentication, buffer overflows, etc.
Dale Peterson of Digital Bond, the organizer of the event, recently blogged asking, “Where is the outrage?” Dale had expected industry to respond to the news with outrage that, after ten years of efforts to improve control system security, PLC manufacturers have seemingly done nothing to improve the inherent security of their products. He was disappointed with the apparent “indifference” from industry to the news. Eric Byres of Tofino Security, who attended the event, blogged that it is “Time for a Revolution.”
Dale’s response is understandable, but I suspect, whether he is aware of it or not, that the results of Project Basecamp, as well as the unprecedented number of control systems advisories and alerts published by the ICS-CERT in 2011, are the topic of many meetings at both suppliers and end-users. The control system community as a whole can be a conservative, slow-moving group, which often frustrates people who are passionate about driving improvements (myself included). Topics such as fieldbus, batch management, safety instrumented systems, and alarm management are all examples of standards-driven efforts that have yielded big benefits but have taken decades to become mainstream.
It is my opinion that cyber security has created a major disruption in the industrial automation market that will have a dramatic impact on the major players over the next 3 – 5 years. Some automation companies get this and are working hard to integrate software security assurance practices into their product development lifecycle and are getting their products independently tested and certified for security to programs such as ISASecure. At the same time, there are other companies who are indifferent and have elected to only pay “lip service” to the topic in the hopes that it will go away. I believe these companies will ultimately regret their decision because, while it may not manifest itself as “outrage” today, I predict the real reaction to news of PLC security vulnerabilities and how manufacturers choose to respond will be reflected in long-term procurement decisions.