SCADA systems security issues

SCADA systems are used to monitor and control critical installations in oil and gas refineries, water and power distribution plants, manufacturing plants and other industrial facilities. There has been a lot of discussion about malware and security in industrial automation systems after Stuxnet. Widely viewed as the most complex piece of computer malware ever created, Stuxnet is believed to have been designed to sabotage uranium enrichment centrifuges at Iran’s Natanz nuclear plant. If nasty malware can do that, other similar malware can do something else nasty as well.

Attacks against SCADA systems can have potentially very serious consequences. I think that we have been quite lucky that we have not seen any big disasters yet. Even though the attacks are rare at the moment, security researchers are confident that their number will increase, especially since the Stuxnet industrial sabotage worm set a successful precedent. And now there is a lot of news about the Duqu worm.

News around one month ago told that a SCADA hack shut down a US water plant on 8 November 2011. This hacking attack on a US water plant has been credited to an unknown attacker (someone using the handle “pr0f” took credit) who, according to hacker sources, managed to access a SCADA controller and take over systems. Once again this caused security experts to question the security of SCADA systems. The headline at the time was “Hacker Says Texas Town Used Three Character Password To Secure Internet Facing SCADA System.” “This was barely a hack. A child who knows how the HMI that comes with Simatic works could have accomplished this,” he wrote. “You know. Insanely stupid. I dislike, immensely, how the DHS tend to downplay how absolutely (expletive) the state of national infrastructure is. I’ve also seen various people doubt the possibility an attack like this could be done,” he wrote in a note on the file sharing Web site pastebin.com. On the other hand, Federal officials said there’s no evidence to support a report that hackers destroyed a pump used by an Illinois-based water utility after gaining unauthorized access to the computer system it used to operate its machinery. What the truth is in this case is hard to say.

What is known is that many industrial systems are vulnerable. Siemens Simatic is a common SCADA product and has been the subject of warnings from security researchers, according to whom Siemens industrial control systems are vulnerable to attacks that can cause serious problems. The US Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) warned earlier that Siemens’ SIMATIC S7-1200 programmable logic controllers (PLCs) are vulnerable to so-called replay attacks that can interfere with normal operations. An attacker with access to the PLC or the automation network could intercept the PLC password and make unauthorized changes to the PLC operation. The ISO-TSAP protocol is functioning to specification; however, authentication is not performed, nor are payloads encrypted or obfuscated.
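Because ISO-TSAP carries no authentication, the only place a defender can gate state-changing commands is in the network: a passive monitor on TCP port 102 that decodes the frames and checks who sent them. The decoder below is an added example written for this post, not Siemens or ICS-CERT code. It assumes the PLC speaks classic S7comm (protocol id 0x32) inside COTP data PDUs over TPKT (RFC 1006), the same layering Wireshark’s s7comm dissector decodes; the frames, IP addresses and allowlists are constructed for the example.

```python
"""Passive ISO-TSAP / classic S7comm decoder with a source-host check.

Added example for this post (not Siemens or ICS-CERT code). Assumes the
monitored PLC speaks classic S7comm (protocol id 0x32) carried in COTP
data PDUs over TPKT (RFC 1006). All frames and addresses are constructed.
"""
import struct
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# COTP PDU types (RFC 905) that appear in an S7 session.
COTP_CR, COTP_CC, COTP_DT = 0xE0, 0xD0, 0xF0

# Well-known S7comm Job function codes (names follow Wireshark's dissector).
S7_FUNCTIONS = {
    0xF0: "setup_communication",
    0x04: "read_var",
    0x05: "write_var",
    0x28: "plc_control",
    0x29: "plc_stop",
}
# Functions that change PLC state. The protocol never authenticates the
# sender, so the monitor has to gate these on the source host instead.
STATE_CHANGING = {"write_var", "plc_control", "plc_stop"}


@dataclass
class S7Job:
    rosctr: int
    pdu_ref: int
    function: str


def parse_tpkt(frame: bytes) -> bytes:
    """Strip the 4-byte TPKT header: version 3, reserved, 2-byte total length."""
    if len(frame) < 4 or frame[0] != 0x03:
        raise ValueError("not a TPKT frame")
    (length,) = struct.unpack("!H", frame[2:4])
    if length != len(frame):
        raise ValueError("TPKT length mismatch")
    return frame[4:]


def parse_cotp(tpdu: bytes) -> Tuple[int, bytes]:
    """Return (pdu_type, payload). Byte 0 is the header length indicator."""
    li = tpdu[0]
    pdu_type = tpdu[1] & 0xF0  # low nibble carries credit/EOT bits, mask it off
    return pdu_type, tpdu[1 + li:]


def parse_s7_job(payload: bytes) -> Optional[S7Job]:
    """Decode the 10-byte S7comm Job header and the function code after it.

    Layout: protocol id, ROSCTR, 2 reserved bytes, PDU reference,
    parameter length, data length. Note what is absent: no credential,
    nonce or MAC, which is why a captured request can simply be replayed.
    """
    if len(payload) < 11 or payload[0] != 0x32:
        return None
    rosctr = payload[1]
    pdu_ref, param_len, data_len = struct.unpack("!HHH", payload[4:10])
    if rosctr != 0x01 or param_len < 1 or len(payload) < 10 + param_len:
        return None  # only Job PDUs (ROSCTR 1) carry a request
    function = S7_FUNCTIONS.get(payload[10], f"unknown_0x{payload[10]:02x}")
    return S7Job(rosctr, pdu_ref, function)


def inspect_frame(src_ip: str, frame: bytes, allowed_clients: Set[str],
                  engineering_hosts: Set[str]) -> Optional[str]:
    """Return an alert string for a frame that warrants one, else None."""
    pdu_type, payload = parse_cotp(parse_tpkt(frame))
    if src_ip not in allowed_clients:
        kind = "connection request" if pdu_type == COTP_CR else "traffic"
        return f"{src_ip}: ISO-TSAP {kind} from host outside client allowlist"
    if pdu_type != COTP_DT:
        return None
    job = parse_s7_job(payload)
    if job and job.function in STATE_CHANGING and src_ip not in engineering_hosts:
        return f"{src_ip}: {job.function} (pdu_ref={job.pdu_ref}) from non-engineering host"
    return None


# Constructed sample frames (hypothetical hosts, not captured traffic).
FRAMES: List[Tuple[str, bytes]] = [
    ("10.0.10.5",  bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")),  # CR, HMI
    ("10.0.10.5",  bytes.fromhex("0300001302f080320100000002000200000401")),        # read_var, HMI
    ("10.0.10.5",  bytes.fromhex("0300001302f080320100000003000200000501")),        # write_var, HMI
    ("10.0.20.7",  bytes.fromhex("0300001302f080320100000004000200000501")),        # write_var, eng. ws
    ("192.0.2.44", bytes.fromhex("0300001611e00000000100c1020100c2020102c0010a")),  # CR, unknown
    ("192.0.2.44", bytes.fromhex("0300001202f0803201000000050001000029")),          # plc_stop, unknown
]
ALLOWED_CLIENTS = {"10.0.10.5", "10.0.20.7"}  # HMI and engineering workstation
ENGINEERING_HOSTS = {"10.0.20.7"}


def run_monitor(frames=FRAMES) -> List[str]:
    """Run every constructed frame through the check and collect alerts."""
    alerts = []
    for src, frame in frames:
        alert = inspect_frame(src, frame, ALLOWED_CLIENTS, ENGINEERING_HOSTS)
        if alert:
            alerts.append(alert)
    return alerts


if __name__ == "__main__":
    for line in run_monitor():
        print(line)
```

The three alerts this produces are the HMI issuing a write it normally never sends, and an unknown host both opening a session and sending a stop command. Such a monitor is a detective control only; because the PLC accepts any well-formed request, the allowlists still have to be enforced by a firewall in front of the automation network.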

White Paper On Industrial Automation Security In Fieldbus And Field Device Level is an interesting white paper (from Vacon, Nixu and F-secure) that focuses on presenting a generic overview about security in industrial automation. Security aspects of traditional fieldbuses, Ethernet-based networks and wireless communication technologies are presented. Challenges regarding data security in the field of industrial automation are discussed. The properties of industrial automation devices are described with a focus on security, tampering possibilities, and risk mitigation methods.

Many protocols used in industrial control systems were intentionally designed to be open and without security features. As long as the networks that run those protocols are kept physically separate from public networks you are quite safe. For the most part SCADA systems are not necessarily designed to be connected to the Internet, but engineers can put in workarounds for remote access. Any time you do this you put in a pathway where someone can get in. And there are often cases where remote devices are accessed using those non-secure protocols through unsafe networks (public telephone network, cellular network, radio waves, even the Internet).

There has long been the belief that SCADA systems have the benefit of security through the use of specialized protocols and proprietary interfaces (security through obscurity), and that their networks are physically secured and disconnected from the Internet. Today none of those beliefs hold anymore. Nowadays you can find many tools on the Internet to work with standard SCADA protocols (for example Wireshark can be used to decode several commonly used SCADA protocols).

The move from proprietary technologies to more standardized and open solutions, together with the increased number of connections between SCADA systems and office networks and the Internet, has made them more vulnerable to attacks. Modern SCADA systems should be designed so that they can withstand being accidentally connected to the Internet (it will happen sooner or later). In addition to making the SCADA system itself secure, you should separate it from the Internet (no connection at all, or a very strictly configured series of firewalls). The FACT CHECK: SCADA Systems Are Online Now article tells that nearly everything is connected now. Nearly all SCADA systems are online. The addition of a simple NAT device is far from bulletproof security access control.
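The two paragraphs above (open protocols on unsafe networks, and a strictly configured series of firewalls instead of a NAT box) come down to one rule: traffic may cross a zone boundary only through an explicitly allowed conduit, and everything else is denied. The script below is an added example written for this post, not taken from the article or the sources it cites; it models that rule over a few constructed flow log lines, with a weak policy (the "remote access workaround") beside a strict one. The zone addressing, hosts and log format are invented for the example.

```python
"""Deny-by-default conduit check between network zones.

Added example for this post, not from the article or its sources. Zone
ranges, hosts and the flow log format are constructed for the example.
"""
import ipaddress
from typing import List, Set, Tuple

# Constructed addressing: PLCs, an ICS DMZ (historian / jump host), office LAN.
ZONES = {
    "control": ipaddress.ip_network("10.0.20.0/24"),
    "ics_dmz": ipaddress.ip_network("10.0.30.0/24"),
    "office":  ipaddress.ip_network("10.1.0.0/16"),
}
# Anything outside a named zone (public space, the NAT device's outside
# interface, unknown RFC 1918 ranges) is treated as "untrusted".


def zone_of(ip: str) -> str:
    addr = ipaddress.ip_address(ip)
    for name, net in ZONES.items():
        if addr in net:
            return name
    return "untrusted"


# A conduit is (src_zone, dst_zone, dst_port); port 0 means "any port".
Conduit = Tuple[str, str, int]

# Strict policy: office reaches only the historian in the DMZ over HTTPS,
# and only the DMZ may talk ISO-TSAP (port 102) to the PLCs. Nothing is
# listed for "untrusted", so inbound from the Internet is denied by default.
STRICT_POLICY: Set[Conduit] = {
    ("office", "ics_dmz", 443),
    ("ics_dmz", "control", 102),
}

# Weak policy: the same, plus the "remote access workaround" that lets any
# office host reach the control zone on any port.
WEAK_POLICY: Set[Conduit] = STRICT_POLICY | {("office", "control", 0)}


def is_allowed(policy: Set[Conduit], src_ip: str, dst_ip: str, dst_port: int) -> bool:
    """Deny by default: only a listed conduit lets traffic cross zones."""
    src_z, dst_z = zone_of(src_ip), zone_of(dst_ip)
    if src_z == dst_z:
        return True  # intra-zone traffic is outside this boundary check
    return (src_z, dst_z, dst_port) in policy or (src_z, dst_z, 0) in policy


def parse_flow(line: str) -> Tuple[str, str, str, int, str]:
    """Constructed format: '<ts> <src_ip>:<sport> -> <dst_ip>:<dport> <proto>'."""
    ts, src, _, dst, proto = line.split()
    src_ip, _ = src.rsplit(":", 1)
    dst_ip, dport = dst.rsplit(":", 1)
    return ts, src_ip, dst_ip, int(dport), proto


# Constructed flow log: historian access, DMZ-to-PLC polling, an office PC
# talking straight to a PLC, an Internet host reaching a PLC, PLC-to-PLC.
FLOW_LOG = """\
2011-11-08T10:01:12 10.1.4.20:51000 -> 10.0.30.10:443 tcp
2011-11-08T10:01:30 10.0.30.10:40123 -> 10.0.20.5:102 tcp
2011-11-08T10:02:01 10.1.4.20:51001 -> 10.0.20.5:102 tcp
2011-11-08T10:02:44 203.0.113.9:3389 -> 10.0.20.5:102 tcp
2011-11-08T10:03:00 10.0.20.5:2000 -> 10.0.20.6:2000 udp
""".splitlines()


def violations(policy: Set[Conduit], lines: List[str] = FLOW_LOG) -> List[str]:
    """Return one line per flow the policy would have denied."""
    out = []
    for line in lines:
        ts, s, d, port, proto = parse_flow(line)
        if not is_allowed(policy, s, d, port):
            out.append(f"{ts} {zone_of(s)}->{zone_of(d)} {s} -> {d}:{port}/{proto} denied")
    return out


if __name__ == "__main__":
    for name, policy in (("weak", WEAK_POLICY), ("strict", STRICT_POLICY)):
        print(f"[{name}] {len(violations(policy))} violation(s)")
        for v in violations(policy):
            print("  " + v)
```

Under the weak policy only the Internet-sourced flow is denied; the strict policy also catches the office PC that talks to a PLC directly. The fourth log line is the NAT point of the paragraph: a plain NAT device with a port forward would deliver that Internet flow to the PLC and rewrite nothing a policy could key on, so the conduit rules have to be enforced by a firewall at the zone boundary rather than inferred after the fact from logs.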

Most SCADA systems in use are old computer systems. They are usually horribly patched (“if it ain’t broken, don’t fix it”) and often run very old operating system versions. Windows is a very commonly used operating system in SCADA applications, because only a few SCADA packages support operating systems other than Windows. It seems that there are many people who are not happy with the security stance being taken within their organizations around SCADA hosts. Even if you have patches up to date and current anti-malware on a host, all you have done is eliminate some of the risk (and maybe create new risks, caused by the fact that anti-malware software can sometimes disturb normal system operation). Add a firewall and you have reduced some of the risk. Pile on as much security as you want and people are going to find ways to disable it and make themselves vulnerable.

I wish no one had to worry about hackers in any application, but we do. Unfortunately, data security is never a non-issue.

The FACT CHECK: SCADA Systems Are Online Now article mentions an interesting story on the Boeing 747 (for those who do not know, modern 747s are big flying Unix hosts with lots of Ethernet). They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. The security researchers managed to break the VLANs and access other systems (including engine management systems). The issue here is that all that separated the engine control systems from the open network was VLAN and NAT based filters.

165 Comments

  1. Security trends for 2013 « Tomi Engdahl’s ePanorama blog says:
    [...] SCADA security was hit hard in 2012. Some of the big manufacturers hit hard have learned their lessons and test their devices more now. But how are some smaller manufacturers security testing? Metasploit has special category for SCADA devices. Good idea to test your devices against it. [...]
    Reply
  2. Danial Putz says:
    I think it’s better not to provide a social security number. Did they call you an ID?
    Reply
  3. Tomi Engdahl says:
    CanSecWest Presenter Self-Censors Risky Critical Infrastructure Talk
    http://threatpost.com/cansecwest-presenter-self-censors-risky-critical-infrastructure-talk/104687

    A presenter at this week’s CanSecWest security conference has withdrawn his scheduled talk for fear the information could be used to attack critical infrastructure worldwide.

    Since his lab is under supervision of the French government, he was required to review his findings with authorities.

    “They told me that this presentation was unsuitable for being public,” Filiol said in an email.

    Filiol said his methodology—a combination of information gathered through open source intelligence means, mathematical modeling and infantry techniques—could damage critical infrastructure in the United States, and likely worldwide.

    “With a small unit of around 10 people, it is possible in an invisible way to cause major national disruptions,” Filiol said.

    Filiol said his research is now classified.

    Reply
  4. Tomi Engdahl says:
    Lack of US Cybersecurity Across the Electric Grid
    http://hardware.slashdot.org/story/14/04/15/2032239/lack-of-us-cybersecurity-across-the-electric-grid

    “Meghan McGuinness of the Bipartisan Policy Center writes about the Electric Grid Cybersecurity Initiative, a collaborative effort between the center’s Energy and Homeland Security Projects. She points out that over half the attacks on U.S. critical infrastructure sectors last year were on the energy sector.”

    “Cyber attacks could come from a variety of sources, and ‘a large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.’ “

    Reply
  5. Tomi Engdahl says:
    A new organization for cybersecurity across the electric grid
    http://thebulletin.org/new-organization-cybersecurity-across-electric-grid7046

    Cyber attacks are an increasing risk for the US electric sector and have eclipsed terrorism as the primary threat, according to the Federal Bureau of Investigation. The Industrial Control Systems Cyber Emergency Response Team responded to 256 incidents that targeted critical infrastructure sectors in fiscal year 2013, and 59 percent of those incidents involved the energy sector.

    A large-scale cyber attack or combined cyber and physical attack could lead to enormous costs, potentially triggering sustained power outages over large portions of the electric grid and prolonged disruptions in communications, food and water supplies, and health care delivery.

    It is probably impossible to protect the electric grid from all cyber attacks, particularly given the rapid pace at which cyber threats evolve. Therefore, industry and policymakers must consider how to most effectively manage the risks, taking steps to reduce the likelihood of cyber attacks and to limit the impacts of a successful attack.

    Beyond mandatory standards. In many ways, the electric power sector is in a stronger position than other critical infrastructure sectors to address cyber threats, because it already has mandatory, federally enforceable standards: The North American Electric Reliability Corporation, with oversight from the Federal Energy Regulatory Commission, develops and enforces standards that apply to the bulk power system (generally, generation and transmission), and the Nuclear Regulatory Commission develops and enforces standards for nuclear power plants. However, while these standards provide a useful baseline level of cybersecurity, they do not create incentives for the continual improvement and adaptation needed to respond effectively to rapidly evolving cyber threats. Furthermore, focus on compliance with standards may draw attention and resources away from comprehensive security.

    Reply
  6. Jayne says:
    I appreciate, lead to I discovered just what I was having a
    look for. You have ended my 4 day lengthy hunt!

    God Bless you man. Have a nice day. Bye

    Reply
  7. boca raton cpa's sum says:
    This small window of time is simply not enough for you
    to study all your materials from beginning
    to end, so be sure you have a complete set of study notes that you can memorize during the last few valuable days before
    your exam. yet with an Internet-age spin that he describes is like “putting lipstick on a pig. But if the church or religious institution is providing accommodation, then the Parsonage is calculated as the market value of the home, yard, furnishings and other utilities.
    Reply
  8. Tomi Engdahl says:
    Machine safety labeling standards can lower manufacturing risk
    http://www.controleng.com/single-article/machine-safety-labeling-standards-can-lower-manufacturing-risk/3bfa28c7c0e770044bb7386bcecd8575.html

    Creating effective product safety labels can dramatically reduce accidents and improve safety communication while poorly designed product safety labels can increase the dangers and hazards for both the worker and the company, according to safety standards.

    If your company manufactures machinery which has potential hazards associated with its transportation, installation, use, maintenance, decommissioning, and/or disposal, you most likely have a very strong need to create effective product safety labels. This task must be done right. Simply put, the stakes are too high for this job to be done incorrectly-people’s lives and your company’s financial well-being are on the line. Based on standards committee experiences over the past 25 years, safety labels can do one of two things:

    If properly designed, they can dramatically reduce accidents. This improves a machine or other product’s overall safety record and adds to a company’s bottom line by reducing product liability litigation and insurance costs.
    If poorly designed, needed safety communication does not take place and this can lead to accidents that cause injuries. When such accidents happen, companies spend hundreds of thousands (if not millions) of dollars settling or fighting lawsuits because their products lacked “adequate warnings.”

    Tool number one: The standards
    Tool number two: Risk assessment
    Tool number three: Global warnings that use symbols
    Lower risk, save lives, avoid litigation

    Reply
  9. Tomi Engdahl says:
    Trojan variant making big attack push
    A wave of attacks pushing a new variant of Pushdo Trojan compromised more than 11,000 systems in just 24 hours.
    http://www.controleng.com/single-article/trojan-variant-making-big-attack-push/0b1485ad372eda7ec974122fa524f230.html

    Indian PCs lead in terms of attacks, but systems in the UK, France and the U.S. have also suffered hits, according to security software firm Bitdefender. As one case in point, the Romanian firm said 77 machines suffered infection in the UK via the botnet in 24 hours, with more than 11,000 infections reported worldwide in the same period. Other countries heavily affected by the Pushdo variant include Vietnam and Turkey.

    The Pushdo Trojan also distributed secondary malware strains such as ZeuS and SpyEye, but over the years its main use has been for spam distribution.

    Reply
  10. copper repiping pompano beach real estate says:
    Check the maker’s site for further information and tips on the appliance in your home.
    ” I asked my friend who’s got a busy family and a full-time people-oriented job. With conscientious use, a programmable thermostat can save about $150 year in energy costs.
    Reply
  11. b&b vaticano says:
    Appreciating the hard work you put into your site and detailed information you present. It’s great to come across a blog every once in a while that isn’t the same old rehashed information. Wonderful read! I’ve saved your site and I’m adding your RSS feeds to my Google account.
    Reply
  12. Ongoing says:
    Hi, I believe your web site may be having internet browser compatibility problems.
    Whenever I look at your blog in Safari, it looks
    fine however when opening in Internet Explorer, it’s got some overlapping issues.
    I simply wanted to provide you with a quick heads up!
    Aside from that, excellent blog!
    Reply
    • Tomi Engdahl says:
      What is your specific problem with IE, and which version do you have?
      I have tested my site with IE and I have not seen any issues using the site with it.
      Reply
