Computers & Security 25 (2006) 155
available at www.sciencedirect.com
journal homepage: www.elsevier.com/locate/cose
From the Editor-in-Chief
Special systems: Overlooked sources of security risk?
After the events of September 11, 2001 increasing attention is being paid to security in special types of automated systems: systems that provide physical access control, SCADA systems, plant process control systems, and so on. The consequences of any security breach in these types of systems are, after all, potentially catastrophic. Consider, for example, the consequences of a compromise of a physical access control system in a nuclear power plant. If a saboteur were able to gain unauthorized physical access, untold damage and loss of life could easily occur.
Information security professionals and auditors generally focus on the security risk associated with these types of systems, as they rightfully should. At the same time, however, I sometimes wonder if their risk analyses for such systems are sufficiently complete. These types of systems for the most part were originally developed for and deployed in non-networked environments. Risk analyses in past decades thus did not need to consider the risks accruing from network connectivity; the only plausible attack scenarios involved perpetrators who were able to gain physical access to the systems. Today, however, the situation has changed considerably in that nearly all such systems are connected to some type of network, potentially exposing these systems to all kinds of remote attacks. Worse yet, many of these systems are not connected to some kind of air-gapped network that insulates internal traffic from the outside world and vice versa. Many are instead Internet connected, resulting in far greater levels of security-related risk than were previously ever envisioned.
It has been my experience that security and other professionals are generally not oblivious to the perils of special systems being connected to the outside world. Yet at the same time, I have learned of incidents in which these systems have been accessed over the Internet without authorization, resulting in highly negative outcomes.
In one case a remote perpetrator broke into a system that controlled lighting levels in a building; the perpetrator had a heyday changing the lighting levels back and forth until one of the administrators of this system finally determined what the problem was and cut off the perpetrator’s access. Needless to say, neither the owner nor the administrator of this system had anticipated that this kind of thing could happen.
There is, however, another facet of the risk associated with SCADA, process control, physical security and other systems that is lamentably almost universally overlooked: the relationship of these special systems to security risk associated with other networked systems and devices. It is almost as if imagined security breach scenarios end, i.e., the “game is over,” so to speak, if a perpetrator breaks into one or more of these systems, yet “the game will only have begun” in many cases. Perpetrators could easily use systems such as process control systems that they have compromised to launch vulnerability scans, perpetrate denial of service attacks, intrude into other networked systems, steal valuable and sensitive data from databases and files, and so on. The “bottom line” is that risk analysis performed on special systems must take into account not only the risk associated with the outcomes of these systems themselves becoming compromised, but also the potential risk of these systems being used against other networked systems and devices. To do anything less is to perform an incomplete risk analysis.
At the same time, however, no one would rightfully expect that the few paragraphs in this editorial would persuade the majority of security professionals and auditors to expand their view and focus when they assess risks associated with special systems. “War stories,” case studies of real-life incidents in which these systems have been used without authorization to launch attacks against other systems and network devices, will in contrast have a much greater effect. I thus invite and encourage readers to submit papers that describe these kinds of war stories (without attribution or references to the organizations in which they have occurred, of course) to Computers & Security.
E. Eugene Schultz Ph.D., CISSP, CISM
Editor-in-Chief
E-mail address: [email protected]
4 March 2006
0167-4048/$ – see front matter © 2006 Elsevier Ltd. All rights reserved.
doi:10.1016/j.cose.2006.03.003