"Thousands of legacy products out there were never tested for simple cybersecurity flaws." Red Tiger Security's Pollet on the need for continued vigilance on the cybersecurity front.Further, Pollet pointed out, there now exists a market in control systems exploits, where hackers can simply buy a way to attack a control system. In March 2011, Luigi Auriemma, an Italian security analyst (read "hacker") released 34 SCADA system vulnerabilities all at once, followed by another release in September 2011 of another bundle of exploits and vulnerabilities of six more industrial control systems.
Another example discussed by Pollet is "Project Basecamp," an attempt by an irate and frustrated Dale Peterson of Digital Bond to embarrass SCADA and control system vendors into fixing vulnerabilities that have been known for years. Peterson's team focused on six major programmable logic controller platforms and discovered "backdoors, weak credential storage, the ability to change ladder logic and firmware," and much more.
And the next threat to control system security may come through a smart phone or tablet, Pollet predicts. As mobile devices proliferate in the plant environment, hackers will attempt to access control systems using these mobile devices. The potential pathway is clear: In several instances, he's found a smart phone plugged directly into a plant's distributed control system console.
"The sky is not falling…yet," Pollet concluded, citing the need for both end users and suppliers to do much more to secure their facilities. An array of protective technologies and defense-in-depth practices can "hold back the tide," he said, encouraging his audience to get training, become informed and to establish policies and procedures that will help mitigate the risk of attack.