Security advisories for critical infrastructure like power plants often recommend patches. But in most cases, a report finds, the advice isn’t practical.
Imagine if each time you were sick, all your doctor did was instruct you to take some medicine.
That's it. No prescription, no details on what to take, when to take it, where to get it, or even whether you can take it. Simply, "take medicine." That would be useless advice.
This is basically what vulnerability advisories for industrial control systems have looked like over the last year, according to a new report by Dragos. The cybersecurity company focuses on critical infrastructure, which includes everything from power plants to factories to water supplies.
Government officials have become increasingly worried about cybersecurity at critical infrastructure facilities. Attacks in recent years have demonstrated that attackers can gain access to power grids and factories. In 2016, Russian hackers caused a power outage in Ukraine.
On Wednesday, Dragos CEO Robert M. Lee testified before Congress during a Senate Energy and Natural Resources committee hearing on cybersecurity threats to critical infrastructure.
“I’m very confident the US government has a response if a major cyberattack were to occur,” Lee said. “But what about a 30-minute power outage in DC? That’s something that keeps me up at night [thinking about] how to respond.”
During 2017, Dragos looked at 163 vulnerability advisories, most of which offered no genuine solutions.
More than 60 percent of the vulnerability advisories said critical infrastructure could be hijacked, while 71 percent of reported vulnerabilities that year could disrupt an operator's ability to monitor systems, according to the report.
Up to 72 percent of the advisories simply told IT teams to patch their systems. But "patch your system" makes no difference for 64 percent of critical infrastructure, according to the report.
That's because those systems were insecure in the first place; applying a security patch would be like putting a Band-Aid on a broken leg. Applying patches is generally fine for the average individual, who just needs to update a phone or a laptop. It's different for factories, which might be running nonstop, 24 hours a day, said Reid Wightman, Dragos' senior vulnerability analyst.
While you can afford to have your phone off for 10 minutes while it applies a security patch, factories and power plants don't have that luxury. There are typically only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.
Furthermore, even if they can get the update, by the time it's installed it could be too late. The advisories have also encouraged factories to "use secure networks," yet the Dragos report said that is not useful either, as it doesn't specify which network attacks to watch for or offer other helpful details.
These weaknesses in security advisories don't mean there will be a cyberattack causing a power outage the next day, but they certainly don't help prevent one, either. Critical infrastructure operators are receiving warnings with no appropriate measures to fix things, which leaves openings for attackers.
"[Operators] can take the advisory and think, 'oh, we can't really do anything about it,'" Wightman said. "They're vulnerable, with no ability to mitigate these risks."
Wightman recommends that advisories offer alternative ways to reduce risk when critical infrastructure operators can't patch quickly.
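To make the report's distinction concrete, here is an added example (not code from Dragos or from the article) of how an operator might triage incoming advisories: it flags advisories that offer nothing beyond "patch" or "use secure networks", and for those it computes how long the plant stays exposed until the next scheduled maintenance window. The advisory records, keyword list, dates and maintenance windows below are all constructed for illustration.

```python
"""Triage ICS vulnerability advisories by whether they are actionable before
the next maintenance window.

Added example. The Advisory shape, INTERIM_CONTROLS keyword list and the
sample data are assumptions constructed for illustration, not a real feed.
"""
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Phrases that signal an operator can do something *now*, without taking the
# process down (constructed keyword list; a real triage would prefer the
# advisory's structured mitigation fields where a vendor provides them).
INTERIM_CONTROLS = (
    "segment", "firewall", "block port", "disable", "restrict access",
    "allowlist", "signature", "monitor for",
)


@dataclass(frozen=True)
class Advisory:
    advisory_id: str          # constructed identifier, not a real advisory number
    loss_of_view: bool        # attacker could blind monitoring
    loss_of_control: bool     # attacker could hijack the process
    recommendations: Tuple[str, ...]  # free-text mitigation lines from the advisory


def has_interim_mitigation(adv: Advisory) -> bool:
    """True if the advisory recommends a compensating control, not just a patch."""
    text = " ".join(adv.recommendations).lower()
    return any(keyword in text for keyword in INTERIM_CONTROLS)


def days_to_next_window(today: date, windows: Tuple[date, ...]) -> Optional[int]:
    """Days until the next planned shutdown, or None if nothing is scheduled."""
    upcoming = [w for w in windows if w >= today]
    return (min(upcoming) - today).days if upcoming else None


def severity(adv: Advisory) -> str:
    """Rank by consequence: losing control outranks losing visibility."""
    if adv.loss_of_control:
        return "high"
    if adv.loss_of_view:
        return "medium"
    return "low"


def triage(adv: Advisory, today: date, windows: Tuple[date, ...]) -> dict:
    """Decide what an operator can do with this advisory right now."""
    wait = days_to_next_window(today, windows)
    actionable = has_interim_mitigation(adv)
    if actionable:
        action = "apply interim control now; schedule patch for next window"
    elif wait is None:
        action = "patch-only advisory and no window scheduled: escalate"
    else:
        action = f"patch-only advisory: exposed for {wait} days until next window"
    return {
        "id": adv.advisory_id,
        "severity": severity(adv),
        "actionable": actionable,
        "days_exposed": wait,
        "action": action,
    }


def share_patch_only(advisories, today: date, windows: Tuple[date, ...]) -> float:
    """Fraction of advisories that give the operator nothing to do before the window."""
    results = [triage(a, today, windows) for a in advisories]
    return sum(1 for r in results if not r["actionable"]) / len(results)


# Constructed sample feed: one patch-only advisory, one with a compensating
# control, and one that only says "use secure networks".
SAMPLE_ADVISORIES = (
    Advisory("EXAMPLE-001", loss_of_view=True, loss_of_control=True,
             recommendations=("Update to the fixed firmware version.",)),
    Advisory("EXAMPLE-002", loss_of_view=True, loss_of_control=False,
             recommendations=("Update to the fixed version.",
                              "Until then, block the affected service at the "
                              "cell-zone firewall and monitor for unexpected writes.")),
    Advisory("EXAMPLE-003", loss_of_view=False, loss_of_control=False,
             recommendations=("Use secure networks.",)),
)
TODAY = date(2018, 3, 1)                                  # constructed
WINDOWS = (date(2018, 6, 15), date(2018, 12, 1))          # constructed: two shutdowns a year

if __name__ == "__main__":
    for adv in SAMPLE_ADVISORIES:
        print(triage(adv, TODAY, WINDOWS))
    print(f"patch-only share: {share_patch_only(SAMPLE_ADVISORIES, TODAY, WINDOWS):.0%}")
```

The keyword matching is deliberately simple; the point is the output shape: every advisory lands in a bucket an operator can act on ("apply control now" versus "exposed for N days"), which is exactly the information the report says most 2017 advisories failed to provide.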