With each assessment that we perform on live operational SCADA systems, we continue to see themes or trends in the security findings. Some of the security issues that always makes the top 10 list are missing patches and hotfixes and outdated web browsers. While most of the SCADA and ICS community are well aware of the patching problems that continue to be an issue in operating and maintaining secure SCADA systems, the outdated web browser issue is often overlooked and misunderstood.
Older legacy SCADA and Process Control Systems used thick client applications installed on servers and workstations that were purpose-built and engineered for the SCADA application suite. As these systems evolve they become more like traditional IT systems. The IT community has long realized the benefits of moving from thick client to thin client architectures, and now most Enterprise IT applciations are browser based. As with most technology evolution in the SCADA market, the adoption of browser-based applications started to become mainstream several years ago.
About ten years ago, many of the SCADA and Control System vendors began to offer browser-based SCADA HMI, alarm, data historization, and data trending applications. They were marketing this capability as a way for Operations to easily access the data and information that they need to make decisions about the operation of their plant, all from the convienience of a simple web browser. The vendors started by implementing web servers in the SCADA servers, database servers, and view nodes. Eventually this adoption of web technology made its way down into the embedded devices, and even as early as 2001 several PLC and RTU vendors were shipping with embedded web servers running in their hardware. They also began using the term "web" in the name of their products, with examples like the "PlantWeb" system from Emerson - just to name one.
Although browser-based computing provide a greater ease of use for operations, this proliferation of web technologies deep in the SCADA environments creates a challenge for security. Many forms of malware and attack exploitation techniques leverage brower weaknesses, so while web-based SCADA systems are attractive to operations, it opens up the system to a much larger range of cyber attacks than when these systems were based on thick client applications.
We often find SCADA view nodes, HMI consoles, and data trending portals running with Internet Explorer 6, and in some cases we have found they have updated to IE 7, but it is extrememly rare to find a fully patched environment with up-to-date browsers. When we bring this issue up in our briefing sessions with our client's technical teams, the engineering and operations team often downplay the risk and say that they are not using the web browsers to go onto the Internet, so the risk is low. However, they miss the point that even if these older browsers are only used in a closed SCADA-Intranet purpose, just having the older browsers installed on the client and server systems leaves them open to malware and other attacks that can leverage the older browser framework to exploit the host.
I find this a timely issue, and in fact just today Robert Lemos, Contributing Editor from Dark Reading posted an article about how outdated web browsers are still leaving many organizations vulnerable to attack. His article builds on this issue, and you can find it at the following link:
I suggest giving his article a quick read, and while you are reading the article, think about how this relates to SCADA and ICS systems. If you are a systems administrator for a SCADA environment that utilizes browser-based applications, you may want to take a quick inventory of your systems. It would be a great time to clean house, update all of the OS and security patches, and update those old vulnerable browsers.