Heads up, manufacturers: Hackers might be setting their sights on the systems that control and monitor your critical processes.
And relying on software patches to prevent cyber attacks isn't as effective as you might think.
That's the message from Eric Byres, CTO and vice president of engineering at Tofino Security, a business unit of St. Louis-based Belden Inc.
In a March 14 blog post, Byres asserts that the discovery of Stuxnet malware — the first known computer virus used to attack industrial operations — has set the stage for hackers to target manufacturers.
"Unfortunately, the supervisory control and data acquisition (SCADA) and industrial control systems (ICS) applications they are now focusing on are sitting ducks," Byres declares.
SCADA and ICS applications were designed with an emphasis on reliability and safety — not necessarily security — he says, which makes them vulnerable to cyber attacks.
"In recent years, we have seen a staggering growth in government security alerts for these systems, and have witnessed some of the most sophisticated cyber attacks on record," Byres explains in his blog post.
60 Percent Failure Rate
Byres asserts that patching isn't an ideal solution for manufacturers, as "the frequency of patching needed to address future SCADA/ICS vulnerabilities in both controllers and computers is likely to exceed the tolerance of most SCADA/ICS operators for system shutdowns."
Another reason, according to Byres: Patches are available for fewer than 50 percent of publicly disclosed vulnerabilities.
Even when patches can be installed, there is a 60 percent failure rate in patches designed to shore up vulnerabilities in control-system products, according to Byres.
"To secure facilities, critical-infrastructure operators should pursue a 'defense-in-depth' strategy that includes patching when possible, and use compensating controls for protection when patching is not possible," Byres says in a news release.
He notes that a compensating control is a workaround, which means it doesn't correct the underlying vulnerability. Instead, it helps block "known attack vectors."
Examples of compensating controls include reconfiguring products, applying suggested firewall rules, or installing signatures that recognize and block malware.
Tofino's product portfolio includes a compensating control called Tofino Security Profiles, which the company describes as "rule-and-protocol definitions that address newly disclosed vulnerabilities."
"They provide a simple way for automation-system vendors to create and securely distribute malware protection," the company explains in a news release. "Operators benefit from a single, easy-to-deploy package of tailored rules that can be installed without impacting operations."
Belden, a manufacturer of industrial-connectivity products, acquired Tofino Security (formerly known as Byres Security) in 2011.