Situation in Switzerland and Internationally

Extract from Federal Strategy Unit for IT FSUIT; Federal Intelligence Service FIS; Reporting and Analysis Centre for Information Assurance MELANI www.melani.admin.ch.

Since the Stuxnet worm became known in the second half of 2010, there has been an increased focus on the security of SCADA software. The basic difficulty with SCADA systems lies especially in their history: originally, they were sealed-off, independent, and proprietary systems, 24 granting external access at most to the manufacturer for maintenance purposes via a dial-up modem.

Accordingly, these systems hardly ever have functions to protect them from electronic attacks. Recently, programmable logic controllers and process control technology have become increasingly networked, increasingly use standardised protocols and technologies, and are even sometimes reachable via the Internet. Using a special computer search engine (in contrast to website search engines such as Google, Bing etc.), it has become significantly easier to find such devices.

The media presence of Stuxnet apparently awakened the interest in industrial control technology and SCADA systems among many security experts as well. Since then, various vulnerabilities in such products have been found and reported on. Methods have been discovered allowing systems to be taken over remotely, to download or upload any kind of file, to shoot down specific services or controllers, 29 to infiltrate and launch code, and to simply inject false data to which the controllers then react as if they were correct.

The big difference compared with traditional computer software is that manufacturers so far have little experience in resolving vulnerabilities, and that the software of the components is only rarely updated by the operators. In the case of continuously running processes, this can only be done during specific maintenance windows. The effects of patches on the overall process may often be tested only to a very limited extent in advance. The principle “don’t touch a running system” entails that failures and breakdowns may quickly give rise to high costs.

SCADA systems are increasingly often connected with the administration systems of companies in order to make business decisions on the basis of real-time data, and data are increasingly exchanged via the Internet. Advocating the strict separation of operational and administrative systems is probably a good idea, but is likely illusory and impractical. Instead, the associated new dangers and risks must be identified, assessed, and strategies for identification and repair in the event of an incident must be developed. However, there are various measures for avoiding interference: e.g. by using a VPN for remote access, a firewall with white listing, and signing of the control code and configuration.