SCADA systems: How secure are the systems running our infrastructure?⎥Malav Vyas (Security Researcher at Palo Alto Networks)

Welcome to the Elephant in AppSec, the podcast to explore, challenge, and boldly face the AppSec Elephants in the room.

Today, we're excited to have an amazing guest, Malav Vyas, joining us.

Malav is a security researcher at Palo Alto Networks, passionate about exploiting and securing systems.

Security research is an important part of our day-to-day at Escape. That's why we were very curious when Malav reached out to us and brought up the topic of SCADA systems.

In our latest episode with Tristan Kalos, we challenged Malav about whether APIs introduce more security risks than benefits to SCADA systems, how hard it is to secure SCADA, and what their key future challenges are.

In our conversation, Malav shares:

• How far-reaching is STUXNET malware impact
• How hard it is to secure SCADA systems
• Why you must stop using default credentials
• What role government plays in the security of SCADA systems
• How organizations approach the SCADA systems risk
• Whether APIs introduce more security risks than benefits to SCADA systems
• His view on collaboration within the security field on malware reverse engineering and his perspective on the future of SCADA security
• What book he treats like a Bible and keeps on his nightstand

Let’s dive in!

Referenced:

• Stuxnet Malware
• Shodan - the world's first search engine for Internet-connected devices
• ICS-CERT
• ICS Advisory Project
• Iconics suite
• Industrial Control Systems (ICS) Cybersecurity Conference

Find the full transcript below:

Stuxnet Malware attack

Alexandra: Hi, Malav! We are very excited to have you today on our podcast. Thanks for taking the time to talk with us. Very excited about the topic! As I mentioned before, we'll talk about SCADA systems today. And I think it's something we already discussed when we met before to talk about the podcast. However, few incidents in the SCADA world have left as significant a mark as the Stuxnet malware attack.

If you go back to the early 2010s, if I'm not mistaken, it was not just any malware, but the governments actually developed it: the U.S. and the Israeli intelligence service. And it was an operation called the “Olympic Games". So, a very special name. The goal was to manipulate the SCADA systems to disable a key part of the Iranian nuclear program, right? So, and I mean, in the end, they succeeded. That's why we know it today. So, I think the impact was enormous back then. And it extends, right now and beyond the actual initial target.

And I was actually very curious to hear your perspective on that. So, from your point of view, how far-reaching, you know, do you believe this impact has extended, and what significant changes have happened, you know, since the attack?

Malav: Yes. So before, Stuxnet companies usually believed that if they isolate that network, if they take care of a few vulnerabilities, like known vulnerabilities here and there, they should be good.

But Stuxnet was the first example where attackers used a combination of seven. Seven or more than seven, zero days and gained access to those systems. So that brought up a whole new perspective that motivated attackers can also have resources and whatever means that they can get just to develop zero days.

And when you talk about SCADA security, SCADA systems, all vulnerabilities inside that system can have a great impact, so that can compromise the security of those workers, people who live around that area, and whatnot. So, it is believed that some nation-state actors utilized those vulnerabilities and conducted the Stuxnet exploit.

In addition to just attacking those PLCs, so in any industrial world, PLC is kind of like a component that you can program on your own. So engineers can program PLCs to do, let's say, open up a valve, close something, control the pressure, something like that. And, after Stuxnet, especially Mitsubishi, and Siemens, a lot of those vendors have started looking into their own applications, their programs, and just basically looking more vigilantly for the bugs.

So I believe that after Stuxnet, it's becoming more and more secure. So yes, it definitely had a good impact. But even after that, governments also started taking an interest, a deeper interest in securing their own critical infrastructure. And that's always a good thing, right?

Definition of SCADA systems

Alexandra: Yes. And more attention to security matters is always a good thing because it's not something that always happens in organizations and in the government.

You know, as well, we have a very different audience: people who are more experienced, people who are less experienced. And I think it would also be great to take a step back and maybe, if you can provide a very basic definition of the SCADA systems and what they're used for, share it with them and give a little background.

Malav: So in the early days of industries, let's say in the electrical industry or manufacturing industry, everything was manual. So, workers would have to specifically go there, set the space program, how step by step, what would happen to each component of that pipeline.

So let's say you are building a car. Each of those components would require a lot of manual effort. A lot of workers would put their lives at risk. To ensure that manufacturing is done optimized, at proper speed, and everything. But after the age of the internet, everyone raced towards making all those processes automated.

So, a lot of manufacturers started utilizing the Internet to control their processes. That's where the SCADA system comes in.

So most of those, you can program a PLC, a programmable logic controller, to do a specific action.

So let's say you want a production line to move forward; you'll just program the PLC to specifically take those actions at a set of times and combine those PLCs with multiple PLCs specifically designed for each goal, that becomes a complete pipeline. And that's where the SCADA system comes in.

So if you look at it this way, any piece of code, no matter how trivial, can have a significant impact. Let's say there is a bug, some really obscure bug that won't affect normal computers, not normal anything, but if it goes into a SCADA system, the risk becomes significantly higher.

So let's say any system is compromised or even a system, and even if a controller stops working, it's directly associated with a physical device. And those physical devices are really huge and, of course, powerful. So, that poses a danger to people around those devices and in the facility. So that's the importance of SCADA security right now. 

How hard is it to secure SCADA systems?

Alexandra: Yes. And I've actually worked in manufacturing for more than two years in my career to help develop, you know, big controller power panels, so I know what PLC is. But I think it's embarrassing to say, but I've never actually thought about the security aspect of it.

So I think that the question is, how good do you think it is right now from the security point of view? And, actually, is it hard to secure the SCADA systems?

Malav: Definitely. It's much harder to secure SCADA devices compared to your normal devices. So let's take two different perspectives.

A simple IT company that works in software and has a normal attack surface. They have computers, mobile phones, and various servers. So they only need to worry about these three things. And these devices are highly researched compared to SCADA. You regularly get CVEs, and a lot more researchers are actually looking for those vulnerabilities. You can actually look for known vulnerabilities and secure your environment to some extent.

But if you look at SCADA security, you can't even get your hands on most of those applications until you purchase a device. So let's say you want to find a vulnerability in a Siemens Step 7 PLC. Basically, to get the best chance of finding all vulnerabilities, you need to get your hands on that specific PLC model.

And if you find a vulnerability in that, that won't apply to anything else. So initial efforts to acquire a specific piece of code or hardware, both are needed. It's significantly higher in SCADA systems than in normal IT. So due to that, a lot of low-hanging vulnerabilities, a lot of easily spotted vulnerabilities are not even on the radar of novel security researchers.

So that way, even when a motivated attacker or even someone who's just in a basement sitting, just trying to get in, get their hands on whatever they can get, and if they start poking around the system, it's much easier to find any bug. And scale our system compared to it. So that's why you're for the defensive side.

It gets hard.

Tristan: Are some of those connected to the internet? 

Malav: Most of those are not, but sometimes they just slip and get on the system. So you can, you can actually go to Shodan and, specifically, search for industrial control systems.

Some also say that they use default credentials. So, if you are using one of those, please stop. 

Government's role in SCADA systems security

Tristan: Kind of like security cameras and those devices that are directly connected to the internet, even if they should not be.

It seems that these kinds of systems are connected to vast cyber-physical devices. They manage the electrical infrastructure, including the power grid, as well as all pipelines—water pipelines and more. These systems are of utmost importance; they are a matter of national security. At the same time, they're highly vulnerable because it's challenging to manage and fix vulnerabilities within the SCADA system.

So do you think the solution can come from the government? Do you think this is a matter of national security and the government should create rules and regulations? To enforce securing SCADA systems?

Malav: Yes. So the government should definitely take a good interest in each of those industries, look into the equipment and how vendors are securing it.

So a shout out to the US government for that. After Stuxnet, they have surprisingly put up a really good set of regulations and rules that all those industries and companies operating within them should follow and comply with. One really good project they have come up with, in addition to that, is an ICS-CERT advisory.

Regularly, every month, each team puts up an advisory stating that they observed these CVEs (Common Vulnerabilities and Exposures) and that these vulnerabilities can pose a certain level of risk. Essentially, they distill security information into a concise paragraph for quick digestion by executives. This allows them to promptly take action and secure their environment against the latest threats. So, good work is happening in that regard. I'm not familiar with any other countries implementing such measures.

Tristan: And do you think this is efficient? 

Malav: Yes, definitely. It's better than nothing, but there's still a long way to go. 

How organizations approach the SCADA systems risk

Tristan: Of course. And, do you think among the companies themselves or the organizations, because like it can have such big consequences if one of the systems is compromised, and especially from an ethical point of view, do you think they really understand what the risk is? Do they feel the need to secure and mitigate this risk?

Malav: Yes, definitely. There are also a lot of energy-related companies that actually try to look for those vulnerabilities and try to fix them, but sometimes it gets really complicated, especially when you put the CVSS factor into a vulnerability.

So let's say we have integrity, confidentiality, and availability in it, right? And that's due to those. We determine how severe a bug is. So mostly, if it's just modifying some files, if the vulnerability can only do certain limited things, it's considered classified as a low-risk vulnerability.

But if you put that same vulnerability, the same effect, onto a SCADA system, then those impacts need to be revisited. Because even if you can modify even a simple flag, even a simple register inside a SCADA system, that can mean, to a safeguard system: enabled or disabled.

Yes. And that's critical. 

Tristan: Like in a nuclear power plant, for instance. 

Malav: Definitely. 

Tristan: What you mean is, even if technically the vulnerabilities can be the same or can be very common vulnerabilities that we find anywhere, the consequences of the exploitation can be huge? Even if it's a small modification, a small registry somewhere in a system that could otherwise be very fancy?

Malav: Yes, definitely.

Do APIs introduce more security risks than benefits to SCADA systems?

Alexandra: Our podcast is still very focused on application security. And if we talk about application security and SCADA systems, we can get back to the APIs that are at the core of Escape. So while APIs enhance communication, do you think they introduce more security risks than benefits to SCADA systems? And what's their role? And, actually, should we rethink their role in critical infrastructure?

Malav: So, benefit versus risk, I think should be evaluated on a case by case basis.

So, it might be more viable to use APIs in cases where you are not dealing with some really critical infrastructure. But most of those PLCs, most of those applications, so let's say, Iconics Suite, is a really useful tool that helps you program PLCs.

They have API interfaces. So that helps programmers conveniently control these applications and control the logic basically for a flow of programs. But at the same time, it introduces a different set of attack surfaces. So, whenever you are introducing APIs into your SCADA system, I think it should be evaluated on how much risk that is adding on top of your current SCADA vulnerabilities.

So definitely, whenever you introduce a new API, it's vulnerable to whatever bugs or misconfigurations that rely on normal applications. So that's something to be evaluated, of course. 

Open source vs commercial tools for SCADA systems security

Tristan: Of course. At Escape, we are very fond of open source tools. We produce open-source tools.

We secure some open-source tools as well. We are very involved in the community. Are there open-source solutions in SCADA systems, or is it only proprietary from specific vendors? 

Malav: Not that I'm aware of any open-source tools for protecting those. So, there are really critical challenges when it comes to securing SCADA, and it requires a huge amount of capital to manage those. Because all those applications inside this data environment, all those PLC management, configuration, software, programmers, everything is proprietary. So you won't be able to find any source code or a way to secure those. You need to get a better understanding of those proprietary software and applications.

And that requires a lot of effort. I'm not sure that you can always rely on an open-source community for that. 

Tristan: So you mean, following even cyber security research on SCADA, you need to be involved already with companies that are actually using SCADA systems in production, and you need to have simulators or labs where you can try to hack into SCADA systems? Or is it only in live environments that you can do your experiences and your research? 

Malav: Well, there are really good simulators as well as labs available as part of open-source projects that you can locally set up and spin up virtual servers to test it locally. However, that set of devices is sometimes limited. So, let's say you are focused on a specific environment, a particular industry, then you won't always find simulators for that application inside those labs.

Sometimes, it's a combination of using simulators and labs alongside actual devices. You don't need a complete environment to test at the same time; it would be really helpful if you had a physical Programmable Logic Controller (PLC) that is being used.

Tristan: Yes, of course. And I suppose that having the physical environment is not very affordable for just testing. Right, I get it.

Malav: Because some of those devices also go up to 50, 000, 100, 000 and I don't think it would be possible to raise those. 

What's the future of the security of cyber-physical systems and SCADA systems?

Tristan: Of course. So for you, as a researcher in the field, if we take a step back and forecast: What is the future of the security of cyber-physical systems and SCADA systems? What do you think it looks like? Is the security improving? Is it getting worse because the attackers are better at finding bugs?

Malav: It's always a cat-and-mouse game, anything related to cyber security, but it's going in a good direction.

Either way, whenever we talk about cat and mouse game, we always say that attackers will find a new box. But we also forget that in that race, defenders will always prevent low-hanging books, but they will always prevent script kiddies. So someone won't be just out there spraying, trying to get something, and I think that's really huge protection.

So you can always be secure, but at the same time, if you say that 99% of attacks can also even be stopped, then that's a good thing. Yeah, I think that's the direction security is going towards: governments that are taking really huge interest. And so the cybersecurity industry is going towards that.

So if you talk about the bond to own our ICS conferences, everything is going towards that. 

Collaboration within the security field

Tristan: And do you think the vendors are collaborating more and more with each other and also with the security researchers? Is there a clear ambition to solve the security problem in the industry?

Malav: Ambition for sure, but I don't see companies collaborating for security, like providing security services. But, I heard that a lot of security companies collaborated to get to the bottom of Stuxnet malware. So malware reverse engineering - the amazing work for collaboration across the industry.

Tristan: Okay, yes. And, speaking about the conferences, if you want to learn more about the state of the art in terms of SCADA security, what are the conferences that you should attend and that you should not miss at all? 

Malav: So I'll divide that into two parts. one would be highly technical and less technical.

Alexandra: What's your favorite type? 

Malav: Definitely 2nd. It's a really good conference where they provide participants with actual hardware. And give them a live environment to test and develop zero-day exploits. So, at one of those conferences, they had a Tesla car right on the campus.

And whoever can hack that, they can take that home.

Alexandra: Did you succeed? 

Malav: No, I'm just an observer. 

Malav's recommendations to the younger generation

Tristan: It's a hackathon idea too. I love it. Anyway, nice. So there are a lot of young cybersecurity researchers that are super excited about the security of cyber-physical systems and SCADA systems because, you know, it's cybersecurity that has an actual real impact on the world, on the physical world.

And this is super impressive. If you had advice, a book, and a tool to give to those young people trying to get into cyber security and scatter security, what would it be? One advice, one book, and one tool. 

Malav: Fun book: "Hacking the Art of Exploitation" by John Erikson. I consider that to be a Bible.

Alexandra: Do you have it on your nightstand?

Malav: Yes.

Malav: It goes away from really basic to really complex stuff. So even if you are really new to the industry, you can learn something from that book no matter where you are on your journey. It's a really old book but still applies to a lot of concepts right now. Oh, have you read it?

Tristan: Yes, a long time ago.

Malav: So one advice would be to just network, and meet the amazing people that we have in this industry. You'd be surprised that, whatever little I know, 90 percent of it I got from pointers from other people. You can hear their stories, and their experiences. so it's always useful.

Tristan: Do you know, this is a very good one because very often when we ask this question, we have a lot of advice that is very relevant about technical skills, and it is very relevant to be good at security. You need to have good technical skills, but actually, this is very good advice from you: networking is also something very important. Cyber security is a community. And the more people you know, and the more, more ideas you share, the better you get at cybersecurity. So I really agree with that one as well. 

Malav: Any of those conferences and meetups. For example, there is an OWASP meeting going on every month here.

I can approach, or anyone can approach anyone, and we can have a really great conversation. And even if you walk away after 10 minutes, You'd be wiser. 

Alexandra: Yes, here it's the same. I'm based in Paris, and we have OWASP meetups as well, and we're going to actually organize one next month.

So, very excited about that! And yes, the presentations and the workshops. I think, our team actually quite often participates in workshops. I think we have five people that go there and exchange, it's super nice. Awesome. Thanks a lot for your conversation today and for the feedback.

I think it was very interesting for everyone to learn about SCADA systems, their importance, and their challenges, the future. Really appreciate having you today, and thanks for being on our podcast.

Malav: Thank you. Thanks a lot for inviting me.

💡 Prefer reading over listening? Check out other podcast transcripts:

• Threat modeling: the future of cybersecurity or another buzzword⎥Derek Fisher (author of The Application Security Handbook)
• Security experience: top-down vs bottom-up⎥ Jeevan Singh
• Lack of effective DAST tools ⎥ Aleksandr Krasnov