Air-gapping SCADA systems won’t help you, says man who knows
Faizel Lakhani sounds bleak warning over future Stuxnet-style attacks.
Faizel Lakhani, a pioneer of SCADA technology, told El Reg that air-gapping such systems would be a quixotic endeavour, at best.
“Most SCADA systems are theoretically air gapped but not really disconnected from the network,” Lakhani explained. “There are ways to get around isolation either because systems are not set up properly or because that’s a test link in there or someone bridged the Wi-Fi network, to name a few examples.”
Twenty years ago, Faizel Lakhani used a PDP-11 to build electric utility company Ontario Hydro’s first SCADA system. The technology has since become ubiquitous, but it is only since the appearance of the nuclear centrifuge-busting Stuxnet worm back in 2010 that anybody has paid serious attention to its security.
“Power control systems were never designed with security in mind,” Lakhani explained. “They were designed to manage regulators and voltage flow and that’s still what they do.”
The technology was originally based on archaic protocols and communications technologies. Systems were designed to be connected to one another but never with the open internet in mind. However, the incredible success of TCP/IP internet networking protocols over the last 15 years or so has swept all before it, including SCADA systems.
“In the world of the internet almost anything is connected,” Lakhani said.
SCADA networks started off on now-archaic link-layer technologies such as FDDI and Token Ring, but “good luck building a network with anything other than TCP/IP now,” Lakhani added.
Even with the best of intentions, controls erode over time, so you need a layer of visibility that can detect when they have, according to Lakhani.
El Reg spoke to Lakhani, who is president and COO of lawful interception technology firm SS8, to accompany the firm’s launch of a breach detection technology, targeted at enterprises instead of its traditional carrier and government customer base.
Many enterprise systems, much like SCADA devices, are not built to withstand today’s threats. SS8’s BreachDetect communications analytics technology can be used to identify potential anomalies and compromised devices. This, so SS8 claims, offers a better chance of earlier breach detection when compared to other approaches to much the same problems, such as intrusion detection (e.g. Cisco Sourcefire), SIEMs and big data analytics tools.
Even as more traffic on enterprise networks is encrypted, SS8’s approach can still provide crucial insights, according to Lakhani.
“Encryption technologies do make content inspection hard, however it is the combination of deep packet inspection with behaviour with context (device/user) that represents the opportunity,” he explained.
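To make the two points above concrete (a supposedly air-gapped device quietly reaching outside its segment, and behavioural detection that still works once payloads are encrypted), here is an added example. It is not SS8’s product and not code from the article: a small Python detector that baselines each device’s peers and outbound volume from a window of known-good flow records, then scores new flows using only metadata that survives encryption (endpoints, port, byte counts, TLS SNI). The device roles, per-role port allow-list, plant address range, internal DNS suffix and all flow records are constructed assumptions for the example.

```python
"""Behavioural anomaly detection over encrypted-flow metadata (added example).

Nothing here inspects payload: the checks use endpoints, port, byte counts
and the TLS SNI, which remain visible after encryption. All devices, roles,
networks and flows below are constructed for the example.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Flow:
    device: str                    # asset identity from inventory (the "context")
    role: str                      # assumed role names: "plc", "hmi", "historian"
    dst_ip: str
    dst_port: int
    bytes_out: int
    tls_sni: Optional[str] = None  # SNI stays in clear even when payload is encrypted


# Assumed per-role port allow-list for an example plant network.
ROLE_PORTS = {
    "plc": {502, 20000},        # Modbus/TCP, DNP3
    "hmi": {502, 443},
    "historian": {443, 1433},
}
# Assumed address space of the "isolated" control segment and its DNS suffix.
PLANT_NETS = [ip_network("10.10.0.0/16")]
INTERNAL_SUFFIX = ".plant.internal"


class Baseline:
    """Per-device behaviour learned from a window of known-good flows."""

    def __init__(self) -> None:
        self.peers = defaultdict(set)     # device -> {(dst_ip, dst_port)}
        self.volumes = defaultdict(list)  # device -> [bytes_out samples]

    def learn(self, flows) -> None:
        for f in flows:
            self.peers[f.device].add((f.dst_ip, f.dst_port))
            self.volumes[f.device].append(f.bytes_out)


def score_flow(base: Baseline, f: Flow, z_threshold: float = 3.0) -> List[str]:
    """Return the reasons a flow looks anomalous; an empty list means normal."""
    reasons = []
    if f.dst_port not in ROLE_PORTS.get(f.role, set()):
        reasons.append(f"port {f.dst_port} unexpected for role {f.role}")
    if (f.dst_ip, f.dst_port) not in base.peers.get(f.device, set()):
        reasons.append(f"new peer {f.dst_ip}:{f.dst_port}")
    if not any(ip_address(f.dst_ip) in net for net in PLANT_NETS):
        # A device on the "air-gapped" segment reaching outside it is the
        # bridged Wi-Fi or forgotten test link the interview warns about.
        reasons.append(f"destination {f.dst_ip} outside isolated segment")
    samples = base.volumes.get(f.device, [])
    if len(samples) >= 2:
        mu, sd = mean(samples), pstdev(samples)
        if sd > 0 and (f.bytes_out - mu) / sd > z_threshold:
            z = (f.bytes_out - mu) / sd
            reasons.append(f"outbound volume {f.bytes_out} B is {z:.0f} sd above baseline")
    if f.tls_sni and not f.tls_sni.endswith(INTERNAL_SUFFIX):
        reasons.append(f"TLS to external name {f.tls_sni}")
    return reasons


def detect(base: Baseline, flows) -> List[Tuple[Flow, List[str]]]:
    """Score a batch of flows and keep only those with findings."""
    return [(f, r) for f in flows if (r := score_flow(base, f))]


# Constructed sample traffic: routine PLC polling, then two new flows.
KNOWN_GOOD = [
    Flow("plc-01", "plc", "10.10.1.5", 502, n)
    for n in (1200, 1300, 1100, 1250, 1150)
]
NEW_FLOWS = [
    Flow("plc-01", "plc", "10.10.1.5", 502, 1220),                              # routine poll
    Flow("plc-01", "plc", "203.0.113.7", 443, 900_000, "update.example.net"),   # bulk TLS egress
]

if __name__ == "__main__":
    base = Baseline()
    base.learn(KNOWN_GOOD)
    for flow, reasons in detect(base, NEW_FLOWS):
        print(f"{flow.device} -> {flow.dst_ip}:{flow.dst_port}")
        for r in reasons:
            print("   ", r)
```

The routine poll produces no findings; the second flow trips every check at once (unexpected port for a PLC, never-seen peer, destination outside the plant range, volume far above baseline, external TLS name), which is the shape of a compromised or bridged device. In practice the baseline window must itself be vetted, since a device that was already beaconing when the baseline was learned will look “normal” afterwards.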