Bit9


Enterprise Application Whitelisting


What's a Perfect Security Tool?

Posted by Mario Vuksan on Wed, Oct 15, 2008

The security industry has exploded in the last 10 years, with a huge quantity of products and approaches. Yet for most people security is a singular concept that demands a single solution. For the first ten years of anti-virus protection, it was just that: one approach with a few competing vendors. Then came network connectivity, firewalls, and exploitation for economic benefit, and the lid blew off.

The point here is that the market has quickly moved from generic to specific methodologies for protection. Solutions are being built to address one or very few use-case scenarios, never all possible cases. For example, Vanja Svajcer of Sophos, among a long list of security researchers, warns users against relying solely on their anti-virus protection. It cannot work for every case. In today's landscape of SQL injection attacks and custom botnet infiltration, AV tools built under a one-size-fits-all model will not protect your data and property.

Microsoft has been so successful in pushing its personal computer operating system that it now runs, among others, point-of-sale terminals, cash registers, ATMs, gambling machines and voting stations, not to mention TVs and mobile phones. These endpoints cannot and should not have the same security posture as a typical personal computer. For starters, many of these specialized devices have a very controlled execution environment. So why should they have a security product that assumes the user will want to run all the unknown code?

According to the hype, anti-malware protection is viewed as a stale incumbent with little life left in it. Yet no one is really recommending that we do away with it. Actually, according to Alex Eckelberry, CEO of Sunbelt Software, a typical user is quite satisfied with it, with enterprise users a bit less so. We still want protection from the known attacks while we dream of a silver bullet that would make all of our bits and bytes behave. And for those who dream, the industry has a plethora of endpoint and network-based offerings to fit their budget. It is really not all that important if your IDS or HIPS product is disabled or its logs are never ever reviewed.

But that's not the point. Anti-malware suites rightfully assume that there is a freedom-loving rebel behind each endpoint. That's their target audience. Purpose-built terminals that perform only a set of very specific tasks require a different, more tightly controlled environment. Needless to say, anti-malware suites were never meant to protect them against unknown attacks.


Slick UI = Rogue Anti-Virus?

Posted by Mario Vuksan on Tue, Oct 14, 2008
Check out the Rogue Anti-Virus gallery at the Sunbelt Blog. Somehow it appears that the bad guys are investing more in user interface design than the legitimate anti-malware vendors. Compare these rogue UIs: Rapid Antivirus, Antivirus 2010, XP AntiSpyware 2009, to our legitimate anti-malware product beauty contest.


Fixing SCADA: Talk or Just Talk?

Posted by Mario Vuksan on Mon, Oct 13, 2008
At last week's Virus Bulletin conference in Ottawa, Peter Allor of IBM gave a rather unconventional talk for VB, discussing security issues with SCADA systems. The list of fears and problems is long and wide. After all, most SCADA systems are designed to work for 10-20 years. You do not expect to be changing power generation equipment whenever Microsoft releases a major OS upgrade. Yet what struck me was how little the U.S. Government, amidst all the activity surrounding SCADA security, discusses the specific ways these systems are exposed or could be improved. There's much to talk about when some of these systems are built on top of Windows 95, do not have encrypted command & control protocols, and can be damaged by simple operator error. Try starting and stopping turbines 10 times in a row. It will not look good. It runs over IP. Adding security software to some of these systems is absolutely out of the question, as they have been timed and tuned to do one thing only.

Is it simply that the situation is so hopeless that retrofitting security into these systems is futile? Do we hope that the noise raised will force legislators to mandate that old and insecure software is replaced by a newer, more up-to-date variety? Economic chaos on Wall Street will not help us in the short run. Still, SCADA vendors and government users should be open to specific discussions surrounding threat exposures in their systems. That's the only way to devise a meaningful set of policies and requirements that future SCADA systems should implement. This has to go beyond encrypting communications protocols, logging all activity and investing in negative QA testing cycles. A security infrastructure has to be required, from security code inspection and review (think of Fortify or Veracode) to actually locking down software execution policies on each SCADA system.
