Cybersecurity at power plants needs advice it can actually use

Imagine if every time you were sick, all your doctor did was tell you to take some medicine.

That's it. No prescription, no details on what to take, when to take it, where to get it, or even whether you can take it. Just, "take medicine." That'd be completely useless information.

This is essentially what vulnerability advisories for industrial controls have been like over the last year, according to a new report by Dragos. The cybersecurity company focuses on critical infrastructure, which includes everything from power plants to factories to water supplies.

Government officials have become increasingly worried about cybersecurity at critical infrastructure facilities. Attacks in recent years have shown that attackers can get access to power grids and factories. In 2016, Russian hackers causing a blackout in Ukraine. 

On Wednesday, Dragos CEO Robert M. Lee testified before Congress during a Senate Energy and Natural Resources committee hearing on cybersecurity threats to critical infrastructure. 

"I'm very confident the US government has a response if a major cyberattack were to occur," Lee said. "But what about a 30-minute power outage in DC? That's something that keeps me up at night [thinking about] how to respond."

During 2017, Dragos looked at 163 vulnerability advisories, most of which offered no real solutions.

More than 60 percent of vulnerability warnings said critical infrastructure could get hijacked, while 71 percent of reported vulnerabilities that year could disrupt a person's ability to monitor systems, according to the report.

In these warnings, up to 72 percent of the advisories told IT teams only to patch their systems. Except "patch your system" means nothing for 64 percent of critical infrastructure, according to the report.

That's because they were insecure to begin with -- applying a security patch would be like putting a Band-aid on a broken leg. Applying patches is generally fine for the average person, who only needs to update a phone or a laptop. It's different for factories, which might be running nonstop for 24 hours, said Reid Wightman, Dragos' senior vulnerability analyst.

While you can afford to have your phone off for 10 minutes while it applies the security patch, factories and power plants don't have that luxury. There are usually only one or two opportunities a year for critical infrastructure to shut down and get updates, Wightman said.

And even if they are able to get the update, by the time it's installed, it could be too late. The advisories have also urged factories to "use secure networks," but the Dragos report said that's not helpful either, as it doesn't specify which network exploits to watch for or offer other useful details.

These weaknesses in security advisories don't mean there's going to be a cyberattack causing a blackout the next day, but it certainly doesn't help prevent that, either. Critical infrastructure systems are getting warnings without any proper measures to fix things, and it means leaving open opportunities for attackers.

"[Operators] can take the advisory and think, 'oh, we can't really do anything about it,'" Wightman said. "They're vulnerable, with no ability to mitigate these risks."

Wightman recommends that advisories provide options to lower risks if critical infrastructure operators can't patch immediately.

Originally published March 1 at 3:30 a.m. PT.
Updated at 9:29 a.m. PT: Added statements from Dragos' CEO during a Senate hearing.

Security:  Stay up-to-date on the latest in breaches, hacks, fixes and all those cybersecurity issues that keep you up at night.

Blockchain Decoded:  CNET looks at the tech powering bitcoin -- and soon, too, a myriad of services that will change your life.