Most of us have heard the story that if you are caught in the woods by a bear you do not have to outrun the bear, just outrun the other guy you are with. You never want to be the most vulnerable choice for the attacker. Unfortunately, this is exactly the case with SCADA and ICS systems. Because of many factors including delayed patch cycles, inability to implement sound cyber security controls, push-back from operations, confusion as to security ownership, and an overall lact of awareness within the control systems industry, these mission critical systems continue to be the low hanging fruit for hackers.

Based on our own work conducting SCADA Security assessments in the field, we can easily confim that SCADA systems are much more vulnerable than typical business computers. For instance if you gave our penetration testing team two computers next to each other – one was a Corporate IT desktop and the other was an Operator Console – the team wouldn’t even waste any time with the Corporate IT desktop and go directly into hacking the Operator Console.

Corporate IT desktops are typically patched on a more routine manner, they have end point security such as AV, HIDS, HIPS, etc, and are generally much more locked down than Operator Consoles. Most of the Operator Consoles that we have assessed are running as Adminstrator, most likely have not been patched within the past year, usually have no requirements to change the password, no password complexity rules, and usually do not have any end point security on them.

As recent as this year. we are still finding critical SCADA and ICS ssytems with no passwords, or passwords set to “Operator” – we are also finding default usernames and passwords in critical firewall and network infrastrucutre. You would think that with the advent of Stuxnet, along with the focused and targeted attacks on energy companies, that we would start to see a change in the industry. I hope in the end that our nation’s critical infrastructure is not the lowest hanging fruit.

Jonathan