Blog / Industrial control equipment vulnerabilities
IT Security is much like any other industry; sometimes there are good days, sometimes there are dull days, and sometimes there are bad days. Now, because I work in IT security my definitions of good, bad, and dull may not be what you would expect.
A “good day” is one where a new major vulnerability gets reported with useful information like a patch, mitigation strategy or some kind of clear path for dealing with the situation. For example, not too long ago there was a major vulnerability discovered in Exchange. This was the start of what I would call a “good day” (that lasted about 2 weeks). Don’t get me wrong! The issue was massive and the impact was huge, but the resolution was also crystal clear. There was no question about what needed to be done or how much work it was going to be; it was simply a matter of how quickly we could make it happen.
A “dull” day, on the other hand, is one where nothing happens. No new exploitable issues are reported, and nothing goes wrong other than a few minor issues. These sorts of days are great for catching up on all the things you’ve missed (due to having good days, usually).
And then, alas, there are the “bad days”, and even though they’re thankfully rare, they’re as inevitable as in any other sector. Like any good managed services provider (or business, really), we make it a point to stay up-to-date about all things IT, and I specifically keep an eye out for new vulnerabilities. On this particular “bad day” I received several back-to-back alerts from the Canadian Centre for Cyber Security and all for the same category, Industrial Control. Worse, I started to get that sinking feeling as I read through the details.
Usually when I get an alert in the Industrial Control category it’s about some new critical patch that a vendor like Siemens or Rockwell has released an update for certain model(s) of their equipment. This time, however, things were different. The alerts weren’t that specific, which got me thinking about the water treatment plants that are operated by many TRINUS clients.
A little while ago I wrote a newsletter about water treatment plant security. I focused on remote access, and access to the computer that has the control software installed. SCADA devices are not typically managed by IT companies, but by engineering firms instead. This is because that sort of equipment is highly specialized and high risk. Water treatment plants deal with people’s drinking water which relates directly to their health, so no managed services provider is going to touch them.
However, those SCADA devices are still part of the computer network, and that network is provided by the whoever built the water treatment plant. This means that part (though not all) of the responsibility for protecting that equipment lies with the organization. The engineering companies that manage these devices tend to go with the hands-off approach and bar the local IT people from any kind of access. While I understand the reasons, these policies create problems for people like me that can be demonstrated by asking a few simple questions.
- What hardware and model of equipment is installed?
The municipalities usually don’t know. - Is it running the most up to date firmware?
Updating is the responsibility of the engineering firm, so again, the municipalities don’t know. - What is the engineering firm’s policy in regards to firmware updates?
The municipality has probably never asked and probably doesn’t know.
So, is water treatment equipment as secure as it reasonably can be?
The only answer I can provide is to gesture vaguely. It’s a good thing I’m not talking about a critical piece of infrastructure that people rely on in their daily lives…oh, wait.
Sarcasm aside, the problem is the amount of unknown information in this situation.
- The municipality should know exactly what equipment has been installed.
- The municipality should monitor the vendor of that equipment for updates.
- The municipality should know the engineering firm’s update policy.
Having all this information means you’ll be able to reasonably know if your equipment is up to date or not and you can give a more accurate answer in regards to it’s security. Critical updates should always be installed as soon as reasonably possible. It really doesn’t make a difference if you’re talking about software like Exchange or firmware for a piece of control equipment. Updates that are ranked as ‘Critical’ were done so for good reason.
Engage with your engineering contract company and find out what their approach is. Find out how they monitor for equipment updates, how those updates are prioritized, and what the expected timeframes are for installation. You’ll get an idea of what to expect in the event an update is made available for your equipment. Get involved with the update monitoring and pay special attention to anything that is considered critical or important.
Todays slice of Shakespearean culture comes from the play ‘No Fear’, Act 4 scene 2 when Duke Vincentio says “All difficulties are easy, when they are known”.
If you have any questions about water treatment plant security, please reach out to your TRINUS Account Manager for some stress-free IT.
By Kind, Courtesy of Your Friendly Neighbourhood Cyber-Man.