Podcast: SCADA and ICS Security
DATA SECURITY PODCAST
In a recent podcast interview with Hillarie McClure, Multimedia Director of Cybercrime Magazine, Robert E. Johnson III, Cimcor CEO/President, discusses the latest views on SCADA & Industrial Control Systems in today's cybersecurity climate. The podcast can be listened to in its entirety below.
Welcome to The Data Security Podcast sponsored by Cimcor. Cimcor develops innovative, next-generation file integrity monitoring software. The CimTrak Integrity Suite monitors and protects a wide range of physical, network, cloud, and virtual IT assets in real-time while providing detailed forensic information about all changes. Securing your infrastructure with CimTrak helps you get compliant and stay that way. You can find out more about Cimcor and CimTrak on the web at cimcor.com/cimtrak.
Q: Welcome back, Robert. So great to have you on the show.
A: Thank you, Hillarie. I appreciate the opportunity to join you again.
Q: So Robert, we've heard quite a bit about integrity concerns with industrial control systems, or ICS, and SCADA systems. What exactly are these types of systems and why are we hearing more about them?
A: Sure. Well, industrial control systems and SCADA systems, and you know, SCADA actually stands for supervisory control and data acquisition systems. These are systems that are generally designed to meet a specific purpose of monitoring and controlling either manufacturing processes or machinery.
And nowadays, these systems, whether they're ICS or SCADA systems, they are a mix of just standard Windows and Linux systems oftentimes. And when they are Windows or Linux systems, usually they are in some type of supervisory capacity, or they're networked in some manner to a variety of sensors, PLCs, that stands for programmable logic controllers, or embedded systems.
And these are all specialized computers designed specifically for the purpose of controlling machinery or monitoring the inputs from sensors and then taking action as a result. Many of these specialized computers, because they're using these processes and they're so unique, they tend not to be updated on a regular basis. So that really kind of raises their threat profile, to be honest, and oftentimes because of that, they're running code that, because it hasn't been updated in a while, has known vulnerabilities.
So, luckily for us, unsophisticated hackers don't often target these specialized types of computers, because they typically don't have access to these types of devices in order to perfect their attacks. However, we are seeing more and more state-sponsored actors and organized crime syndicates actually putting the resources into developing and expanding on exploits for these types of devices.
Furthermore, many of these systems, since they're just, you know, the supervisory systems, the HMI systems (when I say HMI, those are just the graphical screens that you may see on TV and commercials controlling a plant), they're often simply just running Windows and Linux. So they're just vulnerable to the standard set of evolving threats for both of those operating systems.
So you're right, we're hearing more and more about them. The opportunity for hackers or the vulnerable state of these systems and knowledge about that isn't necessarily new and not really new information, but you are hearing more about it simply because of attacks like the Colonial Pipeline hack, which, you know, affected the East Coast. And you know, there was a hack just a few years ago where a significant percentage of the Ukraine grid in Kiev went down. That was due to some malware that was targeted specifically to electrical power grids; it was called Industroyer.
Q: Okay, so it sounds like, but correct me if I'm wrong, that there's, you know, there is legitimate concern for ICS and SCADA systems in regards to integrity and confidentiality?
A: Yes, to an extent. You mentioned integrity and confidentiality, so I assume you're referring to the CIA triad, which is confidentiality, integrity, and availability. And in the business world and IT world, we prioritize things in that exact order. You know, of course, confidentiality is most important, and then next is integrity, the integrity of your systems, and finally availability.
However, in the world of manufacturing, in the world of industrial control systems, those priorities are inverted, so most important is availability. The plant has to run. The manufacturing process must continue. Oil must still flow and electricity must still be delivered to where it needs to go. So availability is number one and then integrity, and finally confidentiality. So the priorities are flipped. And it's easy to see from the Colonial Pipeline attack why it's so important and that things such as availability is a top priority, and then the difference between the enterprise side, the IT side, and OT side for operational technology.
However, in both cases, the center of it all is integrity. Because the bottom line is, if you can't ensure the integrity of your systems, then honestly it's difficult to ensure availability and the confidentiality of things. Both of those other legs, availability and confidentiality, just simply become a pipe dream. So integrity is the linchpin, so at Cimcor we understand control systems, and we also understand that integrity is the centerpiece for any security strategy for secure manufacturing, for the plant floor, and for operational technology.
So what we've done is we've built a platform for monitoring the integrity of software and any logic running on a wide variety of devices, whether they are routers and firewalls, or SCADA systems, or human-machine interfaces. In many cases, we can detect those changes or deviations from integrity right away in real-time.
Our software provides control system engineers with the feedback that they need to rapidly adjust to evolving threats and to ensure that their processes continue to run, because that's the real bottom line in that environment.
So the truth is, I'm a little hesitant to say this, but the truth is many times, these manufacturing environments and the processes related to them, get neglected and they get neglected from both a technological perspective, but also a budgetary perspective. Enterprises often don't allocate the right amount of funds to the plant floor or to manufacturing.
So we get it and we understand that's the environment. So we're focused on helping those process control engineers increase uptime, increase availability, and increase the security of their operational technology environments, in spite of this increasingly complex and evolving threat landscape.
Q: Excellent. Well, Robert, thank you so much for joining us, and I'm really glad that I got to listen to you, you know, share that information with us on this podcast episode. Thank you.
A: Thank you, Hillarie. Great questions, as always.
Since 1999, Jacqueline has written for corporate communications, MarCom agencies, higher education, and worked within the pharmacy, steel and retail industries. Since joining the tech industry, she has found her "home".