Interview: Andrea Carcano, Nozomi Networks


Industrial control systems (ICS) and the SCADA technology which powers them have little in the way of security capabilities.

Andrea Carcano, chief product officer and co-founder of Nozomi Networks, said that even after the lessons learned from Stuxnet, there is little in the way of authentication or encryption in modern SCADA systems. Particularly once inside the network, he said, the only thing you need to know in order to gain access is the language of the programmable logic controller (PLC) or remote terminal.

“What Stuxnet was doing was attacking one of these (PLC) and it is connected on one side to the physical plant and the PLC opens an instruction to the plant,” he said. “They have to work 24 hours a day and the latency is crucial, so the point here is that you don’t have authentication or encryption and if you are able to speak its language you can ask the system to do whatever you want.

“Once you are inside the network it is much easier to perform attacks on a database or in a data center, as here there is no protection.”

Asked why there is no protection, he explained that plans for refineries and plants were made around 30 years ago, when devices talked to each other but were monitored by people. Then, 10 years ago, businesses wanted to be more efficient and moved the technology to the TCP/IP protocol, adding the MODBUS communications protocol too so that it could be monitored 24 hours a day. It worked, but lacked basic security.

“Still we are in a situation like that,” he added. “Standard IT technology would fail to protect this type of system so as soon as you land on a standard computer, you can get in. You find standard computers in these networks.”

Carcano, who said that he had been interested in cybersecurity since high school and subsequently did a master's degree, spotted a scholarship in the mid-2000s to create malware for the SCADA system. “SCADA at that point was not really known and my big point was on IT, and what I am seeing now is it is hard to find people who know both of the spaces because universities teach people IT security or automation,” he said.

“I come from an IT background so I applied for this and won the scholarship for one year and worked in the EC laboratory. I studied automation and SCADA and came out after a few months with the first virus for SCADA systems in 2007, and it was the first example of SCADA malware as an academic proof. We did all of the tests in the laboratory and in my PhD I focused on the same topic on the offensive side.”

Carcano explained that he later moved to the defensive side, and by this time Stuxnet had appeared. “It was sophisticated, but the logic behind the malware was behind what we used years before in our approach, so for me it was a confirmation that I thought was great, but by using the technique in our laboratory we were able to detect Stuxnet pretty quickly.”

Carcano acknowledged the differences between IT and operational technology specialists, where there is a need for availability of access to data for the latter, but he claimed that people who look at SCADA systems solely for functionality would probably not understand a standard attack on the IT level.

In his work for an oil and gas company ahead of the foundation of Nozomi Networks in October 2013, Carcano said that research using Shodan had found more than 2000 SCADA systems connected to the internet. “When you learn how to build a virus targeting a SCADA system, trust me, it is not that hard to build something targeting it and you don't have to reach the complexity of Stuxnet; you can build something much simpler.”

Asked what the solution is, Carcano said that while Nozomi Networks' solution offers a visibility capability, disabling USB keys in the plant was one way forward. “However, five years ago it was hard to get in front of an industrial engineer but now they know that there is a problem and it is not easy to solve,” he argued. “Still there are legacy systems that were installed 20 years ago, so you need a solution to mitigate the risk but now when you work and talk with people, there is a different knowledge about it.”
