Tuesday, August 27, 2013

SCADA Systems and Java Security Concerns: Is it time to dump Java?

A guest blog by Suman Singh


Following the serious zero-day vulnerabilities discovered in Java early this year, the U.S. Department of Homeland Security (DHS) advised users to disable Java in their web browsers. DHS in its updated alert said, “This and previous Java vulnerabilities have been widely targeted by attackers, and new Java vulnerabilities are likely to be discovered. To defend against this and future Java vulnerabilities, consider disabling Java in web browsers until adequate updates are available. As with any software, unnecessary features should be disabled or removed as appropriate for your environment.” This advisory strengthens the claims put forth by experts regarding Java's vulnerabilities and its value in the browser.

What makes Java an attractive target?
  • Widespread deployment: Java has become a key target for hackers simply because of its wide reach. Over 1.1 billion desktops and 3 billion mobile phones run Java. From personal computers and smartphones to supercomputers, cutting-edge medical instruments to enterprise applications, Java runs on virtually every device and system under the sun.
  • Cross-platform nature: Java’s cross-platform nature has made it an attractive target for malware because a single exploit can be written to infect virtually any system, be it Windows, Mac or Linux based.
  • Constant security holes: Oracle took an awfully long time identifying vulnerabilities in the Java plug-in and releasing timely security updates. Experts believe that there are still a number of vulnerabilities in Java which are relatively easy to find and exploit.

How to overcome Java security flaws and protect your HMI/SCADA system?

We must understand that there is nothing wrong with Java as a language or Java applications; the key problem lies with the plug-in that is running in your browser. Some of the steps that can be taken to address Java security issues are as follows:
  • Disabling Java applets and Java Web Start (JWS). However, this means you must be ready to lose some functionality of your SCADA software.
  • Raising the default security setting for Java applets from low or medium to high. This will prevent web-based Java applications from executing inside the browser without the user’s approval.
  • Disabling Java plug-ins in all web browsers. Browsers can do without Java plug-ins, as many popular social media sites already do.
  • Keeping Java up to date by applying the security patches released by Oracle.
  • Using two different web browsers on the plant floor – one with Java disabled for general tasks, and a dedicated browser with Java enabled only for trusted websites that need Java support.
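As an added example (not code from the original post), a small Python audit that reads a Java 7 deployment.properties file, flags the two settings discussed above (an applet security level still at LOW or MEDIUM, and Java enabled in the browser) and writes out a hardened copy. The key names are Oracle's deployment.properties keys; the sample file contents are constructed for this example.

```python
# Audit a Java 7 deployment.properties file for the browser plug-in settings
# discussed above; key names are Oracle's, the SAMPLE contents are constructed.
WEAK_LEVELS = {"LOW", "MEDIUM"}
RECOMMENDED = {
    "deployment.security.level": "HIGH",    # raise from LOW/MEDIUM
    "deployment.webjava.enabled": "false",  # disable Java in the browser
}
SAMPLE = """#deployment.properties (constructed sample)
deployment.version=7.21
deployment.security.level=MEDIUM
deployment.webjava.enabled=true
"""

def parse_properties(text):
    """Minimal .properties parser: key=value lines, '#' or '!' comments."""
    props = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def audit(props):
    """Return (key, current_value, recommended_value) for each weak setting."""
    findings = []
    level = props.get("deployment.security.level")
    if level is None or level.upper() in WEAK_LEVELS:
        findings.append(("deployment.security.level", level, "HIGH"))
    enabled = props.get("deployment.webjava.enabled")
    if enabled is None or enabled.lower() != "false":
        findings.append(("deployment.webjava.enabled", enabled, "false"))
    return findings

def harden(text):
    """Rewrite weak keys in place and append any that are missing entirely."""
    out, seen = [], set()
    for raw in text.splitlines():
        key = raw.split("=", 1)[0].strip()
        if "=" in raw and key in RECOMMENDED:
            out.append(f"{key}={RECOMMENDED[key]}")
            seen.add(key)
        else:
            out.append(raw)
    for key, value in RECOMMENDED.items():
        if key not in seen:
            out.append(f"{key}={value}")
    return "\n".join(out) + "\n"
```

Running `audit(parse_properties(open(path).read()))` against the real file under the user's Java deployment directory reports the weak settings, and `harden` produces the replacement text to write back.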

The way forward

Web applications designed to access SCADA APIs or systems should be developed from the ground up to work without Java plug-ins. This is primarily to ensure that the security loopholes the Java plug-in inadvertently introduces are not exploited by hackers, malware and phishing websites.

Hence, to achieve both security and independence from the Java plug-in (especially now that people access plant data from mobile devices such as tablets and smartphones), HMI/SCADA software should be designed and developed to leverage HTML5, advanced JavaScript libraries and web services to deliver most of the features and functionality users expect.

What are your concerns regarding Java? How do you plan to mitigate Java vulnerabilities within your organization? Please share your thoughts in the comments section below.

Suman Singh is a Product Marketing Specialist at Invensys where he supports marketing activities for Wonderware's HMI and SCADA software solutions, including InTouch and System Platform. Based in Bangalore - the IT hub of India - Suman has over 6 years' experience in product and content marketing. He is most interested in technology, social media, and sustainable development.