“These are older systems so they are harder to control. And for convenience and cost savings, people have connected them to the internet in order to control them from remote locations. So this is almost a perfect storm in terms of vulnerability because the nation is so dependent on these systems”, Purdy said in an interview with Infosecurity at last week's RSA Conference in San Francisco.
Before joining CSC, Purdy was a member of the White House staff team that drafted the US National Strategy to Secure Cyberspace report and served as a member of the Department of Homeland Security cyber tiger team.
Purdy noted that while he was at DHS he worked on control system vulnerability for over a year with a consortium of critical infrastructure organizations. “This is a significant security issue for the United States and frankly for the world”, he said.
As part of the effort to address control system security, DHS set up the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) to provide a focus on control system security. According to DHS, ICS-CERT cooperates with US-CERT to respond to and analyze control systems related incidents, conduct vulnerability and malware analysis, provide onsite support for incident response and forensic analysis, provide situational awareness in the form of actionable intelligence, coordinate the responsible disclosure of vulnerabilities/mitigations, and coordinate vulnerability information and threat analysis through information products and alerts.
“We need to understand what are the requirements for [industrial control system] security given what the technologies are and given the resources….We need to have some idea of what we need to worry about, what we need to do about it, and where we are in accomplishing our goals. We need to apply resources, track progress, and remove obstacles to improve security”, Purdy stressed.
Purdy warned that many groups now have access to the Stuxnet code, and they can carry out attacks on critical infrastructure even if they do not have the resources available to the Stuxnet developers. “The threat becomes much greater because of that reality. So the vulnerability of systems to potential attacks that can do those kind of things has gone up”, he observed. The original Stuxnet worm was able to disrupt industrial control systems of Iran’s nuclear fuel enrichment plant at Natanz.
The former DHS official said that independent researchers who expose industrial control system vulnerabilities to encourage companies to fix them are “exacerbating” the security problem in the short term because more people have access to information about the flaws. “In the longer term, the thinking is that it creates a perverse incentive for companies to do more in order to avoid the embarrassment of not doing more. I can’t answer what is the right approach on that issue”, Purdy said.
Just last month, Digital Bond, a group of researchers dedicated to exposing industrial control system flaws, released exploits of programmable logic controllers that regulate critical infrastructure. The group said that they released the exploits because companies have not fixed the vulnerabilities, even though they have had “forever-and-a-half” to do so.