SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at the Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there are many news on Dugu worm.

News around one month ago told that SCADA hack shut down a US water plant at 8 November 2011. This hacking attack at a US water plant has been credited to an unknown attacker (handle “pr0f” took credit) who according to hacker sources managed to access a SCADA controller and take over systems. Once again caused security experts to question the security of SCADA systems. Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System. “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com. On the other hand Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What is the truth in this case it is hard to say.

What is known that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of other warnings from security researchers according to Siemens industrial control systems are vulnerable to attack that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with the normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. ISO-TSAP protocol is functioning to specifications; however, authentication is not performed nor are payloads encrypted or obfuscated.

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long the the networks that run those protocols are kept physically separate from public network you are quite safe. For the most part SCADA systems are not necessarily designed to be connected to the internet, but engineers can put in workarounds for remote access. Anytime you do this you put in a pathway where someone can get in. And there are often case where remote devices are accessed using those non-secure protocols though unsafe networks (public telephone network, cellular network, radio waves, even Internet).

There has been long time the belief that SCADA systems have the benefit of security through the use of specialized protocols and proprietary interfaces (security through obscurity), networks are physically secured and disconnected from the Internet. Today those beliefs all do not hold anymore. There are nowadays you can find many tools on Internet to work with standard SCADA protocols (for example Wireshark can be used to decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions together with the increased number of connections between SCADA systems and office networks and the Internet has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can be withstand the situation they are accidentally connected to Internet (it will happen sooner or later). In addition to making SCADA system itself secure, you should separate it from Internet (no connection at all or very strictly configured series of firewalls). FACT CHECK: SCADA Systems Are Online Now article tells at nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.

Most of SCADA systems in use are are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system version. Windows is very commonly used operating systems on SCADA applications, because only few SCADA-packages support other than Windows operational systems. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminated some of the risk (and maybe created new risks caused by fact that anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story on Boeing 747 (For those who do not know, modern 747′s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 – VLANs. The security researchers managed to break the VLANs and access other systems (including Engine management systems). The issue here is that all that separated the engine control systems and the open network was VLAN and NAT based filters.

209 Comments

  1. Tomi Engdahl says:
    Super Stuxnet’s SCADA slaves: security is atrocious
    153 computers, six SCADA systems, most C&C points to Iran
    http://www.theregister.co.uk/2015/06/11/super_stuxnets_scada_slaves_security_is_atrocious/

    Botnet boffin Peter Kleissner says at least 153 computers are still slaves to Stuxnet.

    Of those, six are tied to supervisory control and data acquisition (SCADA) systems which the malware is designed to exploit to destroy the attached machinery.

    Kleissner told a presentation at an information security conference in Vienna last week that half of all infections stem from Iran, where the super worm was first targeted.

    “The amount of unique identifiers basically equals to unique Stuxnet infections; it is safe to say that in 2013 and 2014 there were at least 153 distinct infected machines with Stuxnet,” Kleissner says in the paper Internet Attacks Against Nuclear Power Plants [PDF].

    “It is inevitable that existing malware infections lower the overall security of the particular machines and the entire networks and therefore make it easier (or possible at all) for anyone else to intrude the system.”

    The infected boxes appear to be isolated puppets no longer being controlled by the United States attackers, but are nonetheless exposed to hijacking by anyone in control of those servers.

    “… any capable intelligence service (or individual with the knowledge and skills) could seize control and potentially cause considerable damage leveraging the remaining infection,” Kleissner says.

    Reply
  2. Tomi Engdahl says:
    Config file wipe blunder caused deadly Airbus A400M crash – claim
    Probe insiders indicate engine shutdown due to missing data
    http://www.theregister.co.uk/2015/06/10/airbus_a400m_probe_torque_data/

    A dodgy software installation that deleted vital files caused last month’s Airbus 400M transport plane crash in which four people died, it is claimed.

    On May 9, a test flight of the A400M, intended to replace the aging Hercules as a mainstay of NATO’s air mobility fleet, crashed in Spain, killing four of the six crew. According to Reuters today, a faulty software installation on the aircraft’s systems deleted configuration information, and caused three of the four turboprop engines to shut down after takeoff.

    People familiar with the investigation said the torque calibration parameters for the engines were wiped during the installation. This data is needed to measure and interpret information coming back from the A400M’s engines, and is crucial for the Electronic Control Units (ECU) that control the aircraft’s power systems.

    Without that sensor data, the ECU automatically shut down the engines, or at least put them into the lowest power settings. According to safety documentation, the pilots would only get a warning from the ECUs when the aircraft is 400 feet (120 metres) off the ground.

    “Nobody imagined a problem like this could happen to three engines,” a person familiar with the 12-year-old project said.

    The crashed A400M was being tested before delivery to the Turkish Air Force.

    On May 20, Airbus warned A400M customers to conduct “specific checks of the Electronic Control Units (ECU) on each of the aircraft’s engines.”

    Reply
  3. Tomi Engdahl says:
    7 benefits of integrating human-machine interfaces, historians
    http://www.controleng.com/single-article/7-benefits-of-integrating-human-machine-interfaces-historians/b0af693d17b5432443846018d1ca61b5.html

    Cover story: Human-machine interfaces (HMIs) and historians differ but need to be tightly integrated to provide company operations with optimal value. Big data has little value without analysis and access in real time. Seven application examples explain HMI-historian integration benefits, including troubleshooting, analysis, and regulatory compliance.

    Human-machine interfaces (HMIs) and historians differ in purpose but need to be tightly integrated to provide great value to companies’ operations. HMIs provide effective control and interactions between humans and machines. Historians collect high-speed time-series data to maintain a chronology of events.

    Oriental Motor

    With today’s PC standard technology and capabilities, a typical historian system should be able to store and access more than 10 years of raw data. Aggregated manufacturing big data is good for certain reports, and historians should have the features to get access to this data, but it should not be stored as aggregates. Raw data streams are needed for true analysis. A well-performing historian should be able to easily exceed 1 million updates per second when storing data while retrieving more than 3 million updates per second at the same time. Users become quickly frustrated if they cannot get access to the data they need for analysis within a few seconds.

    Reply
  4. Tomi Engdahl says:
    SCADA systems can be old because “it it works don’t fix it”

    The ancient Amiga been on for 30 years – 19 schools fully dependent on it

    If it works, do not fix it. The ancient Amiga has been responsible for 19 of the American school ventilation and heating for 30 years, says WoodTV.

    The device has to be renewed for a long time, but so far it has not been successful due to lack of money. Responsible for real estate management Tim Hopkins, the spare parts are hard to find.
    Hopkins describes the device “as a unique product.”

    Computer software encoded in due course local high school student. If you have any problems with software, the school asks for help from the same person, who still lives in the community.

    If the device is broken up, all schools systems should be switched on and off manually.

    Source: http://www.tivi.fi/Kaikki_uutiset/2015-06-15/Ikivanha-Amiga-ollut-p%C3%A4%C3%A4ll%C3%A4-jo-30-vuotta—19-koulua-t%C3%A4ysin-riippuvaisia-siit%C3%A4-3323706.html

    1980s computer controls GRPS heat and AC
    http://woodtv.com/2015/06/11/1980s-computer-controls-grps-heat-and-ac/

    A 30-year-old computer that has run day and night for decades is what controls the heat and air conditioning at 19 Grand Rapids Public Schools.

    The Commodore Amiga was new to GRPS in the early 1980s and it has been working tirelessly ever since. GRPS Maintenance Supervisor Tim Hopkins said that the computer was purchased with money from an energy bond in the 1980s. It replaced a computer that was “about the size of a refrigerator.”

    The computer is responsible for turning the heat and the air conditioners on and off for 19 school buildings.

    “The system controls the start/stop of boilers, the start/stop of fans, pumps, [it] monitors space temperatures, and so on,” Hopkins explained.

    Parts for the computer are difficult to find, Hopkins said. It is on its second mouse and third monitor.

    “It’s a very unique product. It operates on a 1200-bit modem,” said Hopkins. “How it runs, the software that it’s running, is unique to Commodore.”

    Hopkins said the system runs on a radio frequency that sends a signal to school buildings, which reply within a matter of seconds with the status of each building. The only problem is that the computer operates on the same frequency as some of the walkie-talkies used by the maintenance department.

    “Because they share the same frequency as our maintenance communications radios and operations maintenance radios — it depends on what we’re doing — yes, they do interfere,” Hopkins said.

    If the computer stopped working tomorrow, a staff person would have to turn each building’s climate control systems on and off by hand.

    A new, more current system would cost between $1.5 and 2 million.

    Reply
  5. Tomi Engdahl says:
    MicroLogix 1400 PLC Teardown
    http://steelcityelectronics.com/2015/02/09/micrologix-1400-plc-teardown/

    Introducing the MicroLogix 1400 PLC (1766L32BXBA) from Allen Bradley.

    Taking a close look at the large PCB reveals that this is where all the grunt work takes place. The hardware for this PLC was probably designed about 5-6 years ago – the date stamps for the ICs suggest their manufacture was in 2010. Onboard is an Altera Cyclone 2 FPGA and this is where I expect the user’s logic is executed. An FPGA would allow the user to include many more hardware based timers, counters and math operations than is possible with a microcontroller or microprocessor.

    Located underneath the FPGA on the other side of the PCB is 16Mbit of Flash memory. This would be where the FPGA’s bit file resides and is loaded from each time the FPGA is reset.

    Additionally there is a Freescale ColdFire MC5275 microprocessor. A quick check of this device’s datasheet reveals that it is a respectable piece of hardware. My thoughts are this is the device that performs the overall operation of the hardware, where your programming PC interfaces to when monitoring, loading new ladder logic or performing ladder logic online edits. Your new PLC code would some how pass through this device before it is executed in the FPGA.

    The IO interface is handled with the following board. The 2x white ICs are opto-isolators manufactured by Toshiba and used for regular digital inputs.

    Reply
  6. Tomi Engdahl says:
    Increasingly large numbers of unprotected automation systems

    29.06.2015 at 14:23

    Finnish Communications Regulatory Authority Kyberturvallisuuskeskus is concerned about the large number of unprotected automation equipment. Mapping the Finnish networks doing during the Kyberturvallisuuskeskus spring 2015 is still found in thousands of different types of unprotected automation equipment. The survey discovered devices and device correspond to those observed in previous similar studies unit quantities.

    The largest group consists of a single real estate related automation equipment on which thousands were observed even in this survey. Automation equipment affect the physical world, which can make security incidents related particularly serious. Unprotected automation device can be a threat to other Internet users, for example, if an attacker to harness easily frangible devices denial of service attacks. The owner may not notice inducing addition to their own vulnerability harm to others.

    Source: https://www.viestintavirasto.fi/kyberturvallisuus/tietoturvanyt/2015/06/ttn201506291423.html

    Reply

Leave a Comment

Your email address will not be published. Required fields are marked *

*

*