Industrial Control Systems The Next Twin Towers?

Eugene Kaspersky a few days ago wrote a hair-raising blog post about the reality of our Industrial Control Systems which are way more vulnerable than the network in your office. Industrial Control Systems (ICS) are the software that controls our nuclear power stations, transportation control and among many others, oil refineries. He started out with bit of background on vulnerable industrial systems and my mouth fell open.

I’m quoting Kaspersky here: “Though industrial IT systems and, say, typical office computer networks might seem similar in many ways, they are actually completely different beasts – mostly in terms of their priorities between security and usability. In your average company, one of the most important things is confidentiality of data, and IT administrators are encouraged to isolate infected systems from non-infected systems to that end, among others. Thus, for example, if on the corporate file server a Trojan is detected, the simplest thing to do is disconnect the infected system from the network and then later start to tackle the problem.

In industrial systems that can’t be done, since here the highest priority for them is maintaining constant operation come hell or high water. Uninterrupted continuity of production is of paramount importance at any industrial object in the world; security is relegated to second place.

Another challenge to securing an “always on” environment arises due to software at an industrial/infrastructural installation only being updated after a thorough check for fault-tolerance – so as to make sure not to interrupt the working processes. And because such a check requires loads of effort (yet still doesn’t provide a guarantee of non-failure) many companies often simply don’t bother to update ICS at all – leaving it unchanged for decades.(!) (emphasis added)

Updating software might even be expressly forbidden by an industrial/infrastructural organization’s safety policy. Just recently I read a nice piece about this, which listed 11 ICS security rules; rule #2 is “Do not touch. Ever.” What more of an illustration do you need?! [end quote]
You might prescription drugs that you are taking that could could affect the libido, mental health or depression issues, relationship stress or chronic stress, and physical issues, like thyroid problems, childbirth or menopause. purchase cialis online The new users may likely to doubt the efficiency of this tadalafil australia solution has been cached during resulting the beneficial remedial actions even in case of diabetic patients. Lifestyle for rising risk of ED* Smoking * Inactive lifestyle* Excessive Drinking Alcohol* Stretch * Relationship issues * Mental issues Emotional Disorders To accomplish an erection, a man discount viagra online should first experience what’s known as an energy stage. A person who leads an unhealthy lifestyle can also get disturbed. cialis online sale
The shodan search engine screen shot above is an illustration of the amount of this type of ICS spread all over the world, seeking out vulnerable industrial systems (including SCADA), whose owners decide to connect them to – or forgot to disconnect them from – the Internet.

Even if an ICS is disconnected from the Internet, they can still be penetrated by social engineering, as was shown in the Stuxnet attack in Iran, where the ICS of their nuclear enrichment facility was corrupted with a simple thumbdrive attack. All employees of these industrial facilities should be stepped through some high quality security awareness training.

It was one of the comments that caused me some thought and was the inspiration for the title of this blog post. Prof. Larry Constantine remarked: “I was talking with ICS security expert Ralph Langner yesterday. We agreed that the biggest barriers to enhancing industrial cyber-security are not so much technical–formidable though those may be–as financial. In the absence of government mandates there are no economic incentives for operators to improve ICS security. The large investment has no near-term payoff; it is costly and it complicates already complex systems. Until the industrial equivalent of the Twin Towers, we are not likely to see great strides forward in terms of protecting critical infrastructure from cyber-attacks. Even then, it would not be too surprising if most of the effort went into initiatives analogous to airport security–showplace charades more about public reassurance through the illusion of security than about the reality.”

Click here for the full blog post with all links: http://blog.knowbe4.com/industrial-control-systems-the-next-twin-towers/

This entry was posted in Cyber Security. Bookmark the permalink.