Industrial control systems and supervisory control and data acquisition (SCADA) systems are low-hanging fruit for hackers, said Pollet, founder and principal consultant of Red Tiger Security, in part because they do not go through the same rigorous security testing that commercial IT systems do.
"On average, Microsoft will put its software through 100,000 various fuzzing loops and debugging processes to test for crashes and bugs—yet we still find plenty of Microsoft vulnerabilities being discovered and reported," said Pollet. And because industrial control practices typically lag IT practices by five to 10 years, control system suppliers have only recently begun testing their products for security flaws, Pollet said. "Thousands of legacy products out there were never tested for simple cybersecurity flaws like buffer overflows."
Another example discussed by Pollet is "Project Basecamp," an attempt by an irate and frustrated Dale Peterson of Digital Bond to embarrass SCADA and control system vendors into fixing vulnerabilities that have been known for years. Peterson's team focused on six major programmable logic controller platforms and discovered "backdoors, weak credential storage, the ability to change ladder logic and firmware," and much more.
And the next threat to control system security may come through a smart phone or tablet, Pollet predicts. As mobile devices proliferate in the plant environment, hackers will attempt to access control systems through those devices. The potential pathway is clear: in several instances, he has found a smart phone plugged directly into a plant's distributed control system console.
"The sky is not falling…yet," Pollet concluded, citing the need for both end users and suppliers to do much more to secure their facilities. An array of protective technologies and defense-in-depth practices can "hold back the tide," he said, encouraging his audience to get training, become informed and establish policies and procedures that will help mitigate the risk of attack.