We posted over two years ago about the trend we saw in Industrial Control System security. To explore this idea in more detail, take a look at the controllers below.
The reality is, modern Industrial Control Systems and Supervisory Control and Data Acquisition (SCADA) devices have more in common with the cellphone in your pocket than they do with their recent ancestors. This trend led manufacturers to create products with features like remotely accessible web servers, SD card readers, and USB ports, just like your average wifi camera. For example, watch this trout farmer gush about how he can connect his iPhone to his seemingly esoteric Siemens industrial controller.
How did critical devices become so similar to consumer devices?
Historically, electronics were built with Application Specific Integrated Circuits (ASICs), chips generally designed to do only one thing for their entire lifespan. The chip’s job was set into it as instructions executed by electromechanical gears physically burned into the chip, much as music is scratched into the grooves of a vinyl record. The music on a record cannot be changed without pressing a whole new record; similarly, the only way to change an ASIC's functionality is to create a new chip.
And Programmable Logic Controllers (PLCs) now use these system-on-chip (SoC) designs too.
And historically, PLCs were built the same way as other electronics: manufacturers relied on custom-built ASICs. But the last 20 years brought a quiet tidal shift, and industrial controllers now have more in common with “Internet of Things” devices than with the controllers of a decade ago.
To further accentuate the similarities PLCs have with traditional consumer devices, Industrial Control Systems based on Raspberry Pis and Arduinos have recently come to market.
One benefit that SoCs bring is the ability to update them with new firmware, but this is, unfortunately, of minimal value to industrial automated systems. Controllers tend to be on longer refresh cycles because the cost, effort, and downtime required for an update are expensive. Companies, unlike consumers, don’t buy the next version as soon as it becomes available.
Additionally, their safety and compliance burden requires new code to be checked ad nauseam before release. A recent study from Southwest Airlines discovered the safety and compliance process cost them $1 million for every single line of code changed in their airplanes.
This high cost to patch compounds the security challenge for safety-critical systems.
Here’s why we’re worried: looking through vulnerabilities discovered in PLCs on ICS-CERT turns up the same kinds of vulnerabilities we see in consumer devices, like classic stack overflows, hardcoded credentials, and unsecured SNMP servers. That means they're using the same coding standards as consumer devices as well.
Excerpt from http://iot.security/infographic
If they’re using the same chips, firmware, standards, and protocols, and the same vulnerabilities are turning up, then there isn’t much of a difference, except that controllers are in critical positions. A vulnerability in a consumer, or even enterprise, wifi camera is a nuisance. A vulnerability in a controller, which costs millions to patch and affects multiple companies across multiple industries, is a serious hazard.