Belden Research Shows that Patching for Industrial Cyber Security is a
Tofino “Security Profiles” are an Effective Alternative
ST. LOUIS -- March 14, 2013
Belden Inc. (NYSE: BDC), a global leader in signal transmission solutions for
mission-critical applications, announces that its Tofino Security brand has
published new research showing that patching is often ineffective in providing
protection from the multitude of vulnerability disclosures and malware
targeting critical infrastructure systems today. While patching such systems
is important as part of an overall Defense in Depth strategy, the difficulties
of patching for industrial systems mean that compensating controls such as
Tofino Security Profiles are often a better method of providing immediate
Since the discovery of the Stuxnet malware in 2010, industrial infrastructure
has become a key target for security researchers, hackers, and government
agents. Designed years ago with a focus on reliability and safety, rather than
security, Supervisory Control and Data Acquisition (SCADA) and Industrial
Control Systems (ICS) products are often easy to exploit. As a result, there
has been exponential growth in government security alerts for these systems in
the past two years. In addition, they have attracted some of the most
sophisticated (Stuxnet, Night Dragon, Flame) and damaging (Shamoon)
cyberattacks on record.
Eric Byres, CTO and vice president of engineering at Tofino Security,
investigated the effectiveness of patching for protecting control systems from
vulnerability exploits and malware. His work revealed that:
*The number of vulnerabilities existing in SCADA/ICS applications is high,
with as many as 1,805 yet to be discovered vulnerabilities existing on
some control system computers.
*The frequency of patching needed to address future SCADA/ICS
vulnerabilities in both controllers and computers likely exceeds the
tolerance of most SCADA/ICS operators for system shutdowns. Unlike IT
systems, most industrial processes operate 24x7 and demand high uptime.
Weekly shutdowns for patching are unacceptable.
*Even when patches can be installed, they can be problematic. There is a 1
in 12 chance that any patch will affect the safety or reliability of a
control system, and there is a 60% failure rate in patches fixing the
reported vulnerability in control system products. In addition, patches
often require staff with special skills to be present. In many cases, such
experts are often not certified for access to safety regulated industrial
*Patches are available for less than 50% of publically disclosed
*Many critical infrastructure operators are reluctant to patch as it may
degrade service and increase downtime.
When patching is not possible, or while waiting for a semi-annual or annual
shutdown to install patches, an alternative is to deploy a workaround, also
known as a ‘compensating control’. Compensating controls do not correct the
underlying vulnerability; instead, they help block known attack vectors.
Examples of compensating controls include product reconfigurations, applying
suggested firewall rules, or installing signatures that recognize and block
Another compensating control is Tofino Security Profiles, available in
Belden’s Tofino Security product line. Tofino Security Profiles are rule and
protocol definitions that address newly disclosed vulnerabilities. They
provide a simple way for automation system vendors to create and securely
distribute malware protection. Operators benefit from a single, easy-to-deploy
package of tailored rules that can be installed without impacting operations.
The result is that critical industrial infrastructure facilities can quickly
and effectively defend themselves against new threats.
“My research highlights the multiple challenges with patching for SCADA and
ICS systems,” remarked Eric Byres. “To secure facilities, critical
infrastructure operators should pursue a Defense in Depth strategy that
includes patching when possible, and use compensating controls for protection
when patching is not possible.”
Starting today, Belden is publishing a series of blog articles on its patching
research and is accompanying them with useful documents. These documents
*“Patching for Control System Security - A Broken Model?”; a presentation
that summarizes its patching research,
*“Patching for Control System Security - A Broken Model?“ a peer reviewed
*and “Solving the SCADA/ICS Security Patch Problem”, a White Paper.
for the first blog article.
Tofino Security provides practical and effective industrial network security
and SCADA security products that are simple to implement and that do not
require plant shutdowns. Its products include configurable security appliances
with a range of loadable security modules plus fixed function security
appliances made for specific automation vendor applications. Tofino Security
products protect zones of equipment on the plant floor, and are complementary
to Belden’s Hirschmann brand, which leads industrial networking solutions.
Both groups service and secure industrial networks in the oil and gas,
utilities, transportation and automation industries. www.tofinosecurity.com
St. Louis-based Belden Inc. designs, manufactures, and sells connectivity
solutions for markets including industrial, enterprise, and broadcast. It has
approximately 6,700 employees, and has manufacturing capabilities in North
America, South America, Europe, and Asia, and a market presence in nearly
every region of the world. Belden was founded in 1902, and today is a leader
with some of the strongest brands in the signal transmission industry. For
more information, visit www.belden.com.
Belden, Belden Sending All The Right Signals, Tofino and the Belden logo are
trademarks or registered trademarks of Belden Inc. or its affiliated companies
in the United States and other jurisdictions. Belden and other parties may
also have trademark rights in other terms used herein.
VP and General Manager
Press spacebar to pause and continue. Press esc to stop.