Luis Corrons – Rubén, could you first tell the readers of the blog a little bit about yourself. Despite being quite young, you’ve been involved in the world of security for some years and in some circles you’re practically considered a guru.
Rubén Santamarta – Well, my first contact with the world of reverse engineering was through the study of software protection, when I was 15 or 16 years old. I started to work as a programmer when I finished high school, but then I gave it up… Some five years later I got back into it, when I started at Panda. This was when I discovered that I could make a living out of looking for vulnerabilities, among other things. This helped me gain access to interesting projects and people.
We’re now putting a lot of effort into starting up our own small enterprise, Wintercore.
Luis – For the uninitiated, could you tell us what a SCADA system is?
Rubén – These are industrial control systems, used for example in chemical plants, hydroelectric installations, water treatment facilities, etc… They were initially created with very specific characteristics: their own protocols, architectures and devices. You could say they work, and have done for many years, but times have changed. It is no longer sufficient that they can operate under controlled circumstances, we now need to ensure that they can survive all types of difficulties, including deliberate attacks.
Luis – For some time now part of your work has involved studying these SCADA systems. What drew your attention to this area?
Rubén – The truth is I was fascinated right from the outset. The idea of crossing from the “virtual” environment of the computer to controlling physical installations is a great incentive. And on the other hand, there was the challenge of researching something relatively new.
Luis – SCADA systems are involved in tasks considered critical, and so security in this area must be a priority and systems must be highly reinforced. Is that so?
Rubén – I can’t give an unequivocal answer, yet although it may be surprising, perhaps the truth is the opposite. Industrial networks were not initially created with the idea of being connected to the Internet. They were isolated networks. For this reason security was not considered.
However, the overriding trend at present is for interconnection and remote control. Networks that previously were isolated, now have to be connected, and when things are not done properly…
I’m not saying that just anyone could leave a city without electricity, or anything of the sort.
Luis – And those in charge of security on these systems, are they up to the jobs? Could we expect to find Homer Simpson in charge of security at the nuclear power plant?
Rubén – Industrial hardware and software vendors are beginning to become aware of the importance of security. This can’t be seen as just another formality, but as a fundamental part of the process, providing added value and absolutely necessary. Although there is still a long way to go.
Luis – Do these security systems vary from country to country? How does Spain compare to other countries?
Rubén – There are many common factors in many countries, in fact legislation is coming in on a European level, American level, etc. The situation in Spain is in line with other countries.
Luis – Legislation or self-regulation: Do you think it should be up to governments to have the final say with this type of security, by regulating private companies, or should they be self-regulating?
Rubén – 80% of critical infrastructure is in private hands. Yet this is something that affects the public as a whole, therefore the government should legislate and educate. This is not something that is against the public interest, but is positive for everyone.
Luis – What you think of self-evaluation activities, such as the attack simulations that have been carried out recently by the European Union? Are they genuinely useful or are these public relations exercises, so we can see that something is being done?
Rubén – I can’t go into much depth as I have not been closely involved… but everything that involves preparing for the near future is worthwhile. As it says in Sun Tzu’s “The Art of War”: “If you know the enemy and know yourself you need not fear the results of a hundred battles”.
Luis – When people talk about the security -or insecurity- of SCADA systems, they are often referring to apocalyptic scenarios, where widespread chaos could be inflicted on society through the interruption of basic services such as electricity or water supply, etc. To what extent could this be true? Is it just something from Hollywood films?
Rubén – I’m talking on the basis of my own experience but if I told you that this scenario could never happen, I would be lying. Technically it’s possible.
Luis – One of the main stories to emerge this year in the world of security has been Stuxnet, malware with unique characteristics, such as the inclusion of several 0-day exploits, or the fact that it targets certain SIEMENS systems used in nuclear power stations. Is this something that will become a trend or is it an isolated case? Are the theories credible that suggest that a government or intelligence service is behind the attack?
Rubén – Stuxnet has been a turning point. Simply put, it is a weapon made out of bytes. From there, people can draw their own conclusions. My own opinion is that anyone who has analyzed Stuxnet in this context, would have no doubt that at least one country is behind the attack.
Luis – And while on the subject, do you think that the next wars will be cyber-wars? Will SCADA systems be the target?
Rubén – Wars will still be wars. What we will see is that part of these conflicts will be fought on a battlefield that we are not accustomed to: networks and electronic devices.
Luis – Could you tell us any anecdote about SCADA systems? Something that you have seen that has made you shudder, or that has made you ask how could something like that possibly happen?
Rubén – I could tell you many stories, because there are some really concerning things. On one occasion I discovered how simple it would be to leave thousands of people without a basic service, though I won’t tell you which.
Luis – And finally, how do you see the future? It’s clear that perfect security does not exist, but will we be capable of having secure systems that meet the demands of the real world?
Rubén – There is a lot of work to do, really a lot. But I think the right steps are being taken. Time will tell.