It's probably not a big surprise, if you stop and think about it, but recent research from Belden Tofino Security confirms that patching is often ineffective in protecting from the multitude of vulnerability disclosures and malware targeting critical infrastructure systems today.
Not patching obviously is not an option, but it's easy to understand why companies, especially with the emergence of Ethernet as a single network within manufacturing plants, are moving to revamp their industrial automation network infrastructures to make them more bulletproof.
Eric Byres, CTO and vice president of engineering at Tofino Security, investigated the effectiveness of patching for protecting control systems from vulnerability exploits and malware. In a recent press release , he summarized the results of this work and revealed that:
- Vulnerabilities existing in SCADA/ICS applications are high, with as many as 1,805 yet to be discovered vulnerabilities existing on some control system computers.
- The frequency of patching to address future SCADA/ICS vulnerabilities exceeds the tolerance of most operators for system shutdowns. Most industrial processes operate 24/7 and demand high uptime, and weekly shutdowns for patching are unacceptable.
- Even when patches can be installed, they can be problematic. There is a one in 12 chance that any patch will affect the safety or reliability of a control system, and there is a 60 percent failure rate in patches fixing the reported vulnerability in control system products. In addition, patches often require staff with special skills to be present. In many cases, such experts are often not certified for access to safety regulated industrial sites.
- Patches are available for less than 50 percent of publically disclosed vulnerabilities.
- Many critical infrastructure operators are reluctant to patch as it may degrade service and increase downtime.
In June 2010, the Stuxnet worm triggered a worldwide sensation as the first publicly known root-kit attack targeted at industrial plants. According to Innominate Security Technologies, it infected tens of thousands of PCs, abusing and manipulating Windows-based automation software for its own purposes to ultimately infiltrate malicious code into the controllers of specific real-world industrial installations.
A white paper titled "Post-Stuxnet Industrial Security" from Innominate concludes that after Stuxnet, the threats in automation networks can no longer be ignored. But the real danger is not from Stuxnet itself, but from mutations created by imitators who could circulate other arbitrary, malicious code utilizing the same basic techniques.
Apart from the fact that PCs in industrial use often are not (and cannot be) equipped with antivirus software, Stuxnet has also made it clear that conventional virus scanners do not provide protection against attacks of this caliber. The retrospective analysis of Stuxnet has shown that the worm had been out in the wild unnoticed for at least 12 months before its discovery and had not been detected by antivirus programs during that period for lack of any known signatures for the malware.