2012 - SCADA A Critical Vulnerability
In-network security solutions will need to be provided in order to control mobile-based attacks.

Data-driven analysis

The GSMA Spam Reporting Service (SRS) can assist in overcoming such a predicament. Through its provision of data-driven analysis, the GSMA SRS solution can provide operators with greater visibility of their networks and the attack trends affecting them, enabling them to understand the nature and methods of attack and quantify their volume and impact to develop more efficient security strategies. The GSMA SRS solution also enables operators to share this information with their peers within the operator community, helping to build a more collaborative defence against attackers. In addition, solutions that enable operators to combat ever-evolving messaging threats with advanced mobile anti-virus, subscriber behaviour analysis (eg, anti-bullying and anti-spam) as well as subscriber preference capabilities, will prove vital, particularly when deployed in combination with the analytic information that services such as the GSMA SRS solution provide.

Such solutions work because they provide messaging threat protection in the network infrastructure, rather than on the device. This is much more effective in stopping spam, phishing and messaging attacks from infecting devices than device-based solutions. Network-level solutions are able to block malicious mobile messages before they are sent to the device, preventing the messages from ever arriving at the device in the first place. This has several benefits:
1. The ability to protect multiple device types.
2. The ability to provide protection without user involvement.
3. Having protection provided without device manufacturer or operating system vendor involvement.
4. Immediately protecting all subscribers upon deployment.

This type of protection requires a relatively advanced solution to be in place in the mobile network infrastructure. We will see this become more and more common as a means to protect against attacks of this nature in the coming months and years and it will play a vital role in ensuring that existing mobile messaging services, as well as new services such as RCS, remain clean for end users.

Ultimately, the network insight provided from a combination of mobile malware identification and prevention tools, real-time intelligence on ‘bad’ senders and links, content control for spam detection and prevention and anti-bullying functionalities such as blacklisting, can enable operators to effectively address this issue and help ensure RCS is a success.

Conclusion

RCS has the potential to offer operators a way of maintaining a foothold in the messaging space. It could deliver new and even richer ways for subscribers to communicate and collaborate through their mobile devices, while generating significant revenue streams for the operators that deliver them. For it to be a success, however, operators need to address the security of the channel from the outset, ensuring that spam or malicious emails are stopped before they get to the subscribers. In doing so, RCS will generate and maintain trust from end users and enable it to live up to its full potential.

About the author

Neil Cook is the head of technology services for EMEA at Cloudmark, a company that provides a collaborative spam filtration network for stopping abusive messages across email, mobile and social networking infrastructures. Cloudmark currently protects more than 850 million mailboxes for more than 100 service providers around the world. Based in the UK, Cook is a seasoned expert on issues of fixed line and mobile messaging security. He has more than 16 years experience in large-scale service provider messaging and directory solutions, with particular expertise in mobile and next-generation converged services.

SCADA: a critical vulnerability

Danny Bradbury, freelance journalist

Are we at risk of a system meltdown of Hollywood proportions? A recent presentation highlighting critical vulnerabilities in some of our most popular industrial control systems suggests so. Project Basecamp, a vulnerability assessment exercise carried out by security firm Digital Bond, assessed levels of security in Supervisory Control And Data Acquisition (SCADA) products. It found them badly wanting.

Researchers scanned Programmable Logic Controllers (PLCs) from General Electric, Schneider Electric, Koyo, A-B Quality and SEL.[1] A sixth company’s controller, Control Systems’ SCADApack, failed early on during testing. GE’s device
April 2012 Computer Fraud & Security
Enter Stuxnet

What can people do with infected PLCs? The best example is Stuxnet, the virus that infected Windows computers and was used to inject code via a computer connected to a particular type of Siemens PLC. Stuxnet was able to spread via Step7 projects. Step7 is a programming tool for the Siemens SIMATIC PLC, and is used to upload code for execution by the device.[2] When the software found a Step7 project, it was able to inject its own malicious code into the device that would look for more than 33 frequency controllers, operating within a particular frequency window. The operational footprint of the controllers it was looking for suggested devices used to manipulate the high-speed centrifuges found in uranium enrichment facilities.

Figure 3: Example of a SCADA system. Source: Guide to Industrial Control Systems (ICS) Security,

The code would monitor events carried out by the PLC and, after seeing suitable conditions for around 13 days, it would increase the frequency used by the controllers to more than their normal upper limit for 15 minutes, before then dropping the frequency to normal. It would then wait roughly 27 days before dropping the frequency to far below their lower operating limit, and then once again returning it to normal. Then it would wait another 27 days, and repeat these processes again.

“They changed the way that the centrifuges acted so that they would damage them. They caused failures over time rather than rip them apart,” says Peterson. What made the system even more devious was that it sent false data back to the operators, making it look as though everything was operating normally. “There’s nothing worse than a problem you can’t reproduce,” he muses. The likely outcome is that systems within a uranium enrichment facility would have to be replaced more frequently than expected, and scientists would not be able to solve the problem. Peterson thinks that the attackers wanted this situation to persist for years.

Figure 4: Percentage of Stuxnet-infected hosts with Siemens software installed. Source: W32.Stuxnet Dossier, Symantec.

SCADAgeddon

That’s an interesting alternative to ‘SCADAgeddon’, the Hollywood scenario in which a malicious attack on a PLC would release whole lakes through dams, turn off all of the electricity everywhere and flood Manhattan’s streets with raw sewage. Hollywood hasn’t made that movie yet, but it’s only a matter of time. “It’s going to take that before people get serious about it,” Peterson says.

One of the biggest threats when such a thing occurs is the cascading effect of attacks. The US East Coast power blackout in 2003 was a good example, in which a failure in a single part of the grid quickly propagated across multiple electrical networks. “The complexity of communications and power networks means that you don’t really know who’s backing up who and who’s connected,” points out Ron Gula, CEO at Tenable Network Security, which makes the Nessus vulnerability scanner.

On the other hand, that can also make the effect of an attack very difficult to predict. A cyber-terrorist or nation state attempting to take down large parts of a nation’s national infrastructure through a SCADA attack would be shooting in the dark. “It’s very difficult to gather that information in advance,” Gula adds.

No quick fix

Workarounds for SCADA vulnerabilities are difficult. Simply asking for a fix isn’t going to work, says Peterson, who points out that vendors were slow to respond to the Basecamp results. Regulation is another potential route, and there is already some regulation of security controls in the US electrical utilities sector. The problem here is that such regulation is rarely granular enough to get down to the PLC level.

Perhaps the onus should come from the customer? Changes in procurement policy could put pressure on the vendors to up their game. But that’s problematic, too. The problems associated with these deployments are also depressingly human, and have as much to do with profit and loss as they do with programmable logic, argues Grant Notman of specialist wireless company Wood and Douglas.

Accountants in utility networks have merged telemetry and IT departments together to save money. “That’s a massive mistake,” says Notman, arguing that they come from different disciplines. Telemetry departments tend to want to focus on reliability and security in operation, whereas IT departments concentrate on making information openly available and getting everything on the network, he argues.

“If you take away all the experts that know about SCADA and replace them with IT people, then all of the natural gates that are put in place to protect people are removed,” Notman warns. “I’ve seen this happen in utilities in the UK and I expect that it’s happening all around the world. The old experts – the people that we used to sell equipment to – are not there anymore. It’s a skill set that we’re losing.”

We can continue to explore this problem, but as we do so, the ‘Internet of things’ is developing. Millions of devices are becoming Internet connected, and industrial control systems are among them. We have limited time to bring our SCADA infrastructure up to scratch – and if we don’t, the results could be catastrophic.

About the author

Danny Bradbury is a freelance technology writer with over 20 years’ experience. He has written extensively for publications including the Guardian, the Independent, the Financial Times, and the National Post. He also works as a documentary film maker and writing coach.

References

1. Project Basecamp at S4, Digital Bond, 12 January 2012. www.digitalbond.com/2012/01/19/project-basecamp-at-s4/.
2. Nicolas Falliere; Liam O Murchu; Eric Chien. ‘W32.Stuxnet Dossier’. Symantec, February 2011. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

Resources

• Keith Stouffer; Joe Falco; Karen Scarfone. ‘Guide to Industrial Control Systems (ICS) Security’. NIST Special Publication 800-82, June 2011. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf.
• James Andrew Lewis. ‘The Electrical Grid as a Target for Cyber Attack’. Center for Strategic and International Studies, March 2010. http://csis.org/files/publication/100322ElectricalGridAsATargetforCyberAttack.pdf.

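A defender's view of the tampering described under 'Enter Stuxnet', as an added example that is not from the article or from any vendor: since the PLC path told operators everything was normal, the check compares it with an independent measurement and groups suspicious minutes into runs. The operating window, tolerance, sample trace and all names are constructed assumptions.

```python
from dataclasses import dataclass

# Constructed limits for illustration; real ones come from the process owner.
LOW_HZ, HIGH_HZ = 900.0, 1100.0   # normal operating window of the drive
MAX_DIVERGENCE_HZ = 5.0           # allowed gap between the two readings

@dataclass
class Sample:
    minute: int         # minutes since start of capture
    reported_hz: float  # value the PLC path shows the operator
    measured_hz: float  # value from an independent, out-of-band sensor

def find_excursions(samples):
    """Return one finding per run of consecutive suspicious samples."""
    findings, run = [], None
    for s in samples:
        if s.measured_hz > HIGH_HZ:
            kind = "above-window"
        elif s.measured_hz < LOW_HZ:
            kind = "below-window"
        else:
            kind = "in-window"
        # Masked: the operator's view disagrees with the physical measurement.
        masked = abs(s.reported_hz - s.measured_hz) > MAX_DIVERGENCE_HZ
        if kind == "in-window" and not masked:
            run = None
            continue
        if run and run["kind"] == kind and run["end"] == s.minute - 1:
            run["end"] = s.minute
            run["masked"] = run["masked"] or masked
        else:
            run = {"kind": kind, "start": s.minute, "end": s.minute, "masked": masked}
            findings.append(run)
    return findings

def constructed_trace():
    """Constructed data: the multi-day waits in the article are compressed."""
    trace = [Sample(m, 1000.0, 1000.0) for m in range(0, 5)]
    trace += [Sample(m, 1000.0, 1300.0) for m in range(5, 20)]   # 15 min high
    trace += [Sample(m, 1000.0, 1000.0) for m in range(20, 25)]
    trace += [Sample(m, 1000.0, 200.0) for m in range(25, 30)]   # forced low
    return trace

if __name__ == "__main__":
    for f in find_excursions(constructed_trace()):
        minutes = f["end"] - f["start"] + 1
        print(f"{f['kind']}: minutes {f['start']}-{f['end']} ({minutes} min), "
              f"masked from operator: {f['masked']}")
```

The check only has value if the independent sensor does not share the PLC's reporting path, because a compromised controller can falsify anything it relays.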
Interview: BYOD and the enterprise network

Steve Mansfield-Devine

Bring Your Own Device (BYOD) is a trend that many organisations are confused or concerned about. In this interview, Frank Andrus, CTO at Bradford Networks, explains that data leaks, malware and hacking aren’t the only issues. There are more fundamental concerns with how your networks are managed. And the solution might be to work with your users, rather than simply trying to control them.

Consumer age

The consumer age has hit enterprises in a big way. It wasn’t so long ago that the company provided you with the tools you needed to do your job. Now, the chances are that you bring your own. People