
EU cyber security Agency ENISA argues that better protection of SCADA Systems is needed

December 2013 by ENISA

How long can we afford to have critical infrastructures that use unpatched SCADA systems? asks the EU’s cyber security agency ENISA. ENISA argues that the EU Member States could proactively deploy patch management to enhance the security of SCADA systems.

Much of Europe’s critical infrastructure resides in sectors such as energy, transportation and water supply. These infrastructures are largely managed and controlled by SCADA (Supervisory Control and Data Acquisition) systems, a subgroup of Industrial Control Systems (ICS). In the last decade, SCADA technology has moved from isolated systems to open architectures and standard technologies that are highly interconnected with other corporate networks and the Internet.

A consequence of this transformation is increased vulnerability to outside attacks. One way to enhance the security of SCADA systems is through the application of patches.
At the moment, two key issues with patching are the failure rate of patches (60%)[1] and the lack of patches: less than 50% of the 364 public vulnerabilities had patches[2] available for SCADA.

We have identified several best practices and recommendations regarding patching that can improve the security posture of SCADA environments, of which we would like to mention the following:

Compensating controls:

o Increase defence in depth through network segmentation to create trusted zones that communicate using access controls;

o Harden the SCADA systems by removing unnecessary features;

o Use techniques such as Application White Listing and Deep Packet Inspection.

Patch management program and service contract:

o Asset owners should also establish a patch management service contract to define the responsibilities of both the vendor and the customer in the patch management process;

o Asset owners should always conduct their own tests. This can be done virtually or by maintaining separate systems to test on;

o Certified systems should be re-certified after a patch is applied.

The Executive Director of ENISA, Professor Udo Helmbrecht, remarked: “Although patch management is not a silver bullet to resolve the security issues of SCADA systems, it is nevertheless important that organisations establish a patch management policy. The European Union or the Member States could increase the awareness of patches through enforcing patch management when new requirements for devices are established.”

For full report


[1] “In 2011, ICS-CERT saw a 60% failure rate in patches fixing the reported vulnerability in control system products.” (Kevin Hemsley, ICS-CERT)

[2] “Less than 50% of the 364 public vulnerabilities recorded at ICS-CERT had patches available at that time.” (SCADA Security Scientific Symposium (S4) in January 2012, Sean McBride)

