2012 - SCADA A Critical Vulnerability

The document discusses vulnerabilities found in industrial control systems through a security assessment called Project Basecamp. The assessment tested several industrial devices and found critical vulnerabilities in most, showing they were not designed with security in mind. Specifically, it was found the devices were susceptible to attacks that could stop the CPU or download configuration files due to a lack of input validation and undocumented features. This poses risks to critical infrastructure that relies on these systems. More secure designs are needed to protect against modern network-based attacks targeting industrial control devices not meant for internet connectivity.

Uploaded by

Tom
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
0% found this document useful (0 votes)
91 views4 pages

2012 - SCADA A Critical Vulnerability

The document discusses vulnerabilities found in industrial control systems through a security assessment called Project Basecamp. The assessment tested several industrial devices and found critical vulnerabilities in most, showing they were not designed with security in mind. Specifically, it was found the devices were susceptible to attacks that could stop the CPU or download configuration files due to a lack of input validation and undocumented features. This poses risks to critical infrastructure that relies on these systems. More secure designs are needed to protect against modern network-based attacks targeting industrial control devices not meant for internet connectivity.

Uploaded by

Tom
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as PDF, TXT or read online on Scribd
You are on page 1/ 4

FEATURE

In-network security solutions will need to be provided in order to control mobile-based attacks.

Data-driven analysis

The GSMA Spam Reporting Service (SRS) can assist in overcoming such a predicament. Through its provision of data-driven analysis, the GSMA SRS solution can provide operators with greater visibility of their networks and the attack trends affecting them, enabling them to understand the nature and methods of attack and quantify their volume and impact to develop more efficient security strategies. The GSMA SRS solution also enables operators to share this information with their peers within the operator community, helping to build a more collaborative defence against attackers. In addition, solutions that enable operators to combat ever-evolving messaging threats with advanced mobile anti-virus, subscriber behaviour analysis (eg, anti-bullying and anti-spam) as well as subscriber preference capabilities will prove vital, particularly when deployed in combination with the analytic information that services such as the GSMA SRS solution provide.

Such solutions work because they provide messaging threat protection in the network infrastructure, rather than on the device. This is much more effective in stopping spam, phishing and messaging attacks from infecting devices than device-based solutions. Network-level solutions are able to block malicious mobile messages before they are sent to the device, preventing the messages from ever arriving at the device in the first place. This has several benefits:

1. The ability to protect multiple device types.
2. The ability to provide protection without user involvement.
3. Having protection provided without device manufacturer or operating system vendor involvement.
4. Immediately protecting all subscribers upon deployment.

This type of protection requires a relatively advanced solution to be in place in the mobile network infrastructure. We will see this become more and more common as a means to protect against attacks of this nature in the coming months and years, and it will play a vital role in ensuring that existing mobile messaging services, as well as new services such as RCS, remain clean for end users.

Ultimately, the network insight provided from a combination of mobile malware identification and prevention tools, real-time intelligence on ‘bad’ senders and links, content control for spam detection and prevention, and anti-bullying functionalities such as blacklisting can enable operators to effectively address this issue and help ensure RCS is a success.

Conclusion

RCS has the potential to offer operators a way of maintaining a foothold in the messaging space. It could deliver new and even richer ways for subscribers to communicate and collaborate through their mobile devices, while generating significant revenue streams for the operators that deliver them. For it to be a success, however, operators need to address the security of the channel from the outset, ensuring that spam or malicious emails are stopped before they get to the subscribers. In doing so, RCS will generate and maintain trust from end users and enable it to live up to its full potential.

About the author

Neil Cook is the head of technology services for EMEA at Cloudmark, a company that provides a collaborative spam filtration network for stopping abusive messages across email, mobile and social networking infrastructures. Cloudmark currently protects more than 850 million mailboxes for more than 100 service providers around the world. Based in the UK, Cook is a seasoned expert on issues of fixed line and mobile messaging security. He has more than 16 years’ experience in large-scale service provider messaging and directory solutions, with particular expertise in mobile and next-generation converged services.

SCADA: a critical vulnerability

Danny Bradbury, freelance journalist

April 2012 Computer Fraud & Security

Are we at risk of a system meltdown of Hollywood proportions? A recent presentation highlighting critical vulnerabilities in some of our most popular industrial control systems suggests so. Project Basecamp, a vulnerability assessment exercise carried out by security firm Digital Bond, assessed levels of security in Supervisory Control And Data Acquisition (SCADA) products. It found them badly wanting.

Researchers scanned Programmable Logic Controllers (PLCs) from General Electric, Schneider Electric, Koyo, A-B Quality and SEL.¹ A sixth company’s controller, Control Systems’ SCADApack, failed early on during testing. GE’s device showed critical vulnerabilities in most of the areas tested, while Schneider’s did only moderately better. In fact, all of the devices other than SEL’s had at least one critical vulnerability.

Figure 1: A summary of the results of vulnerability tests on five industrial control devices. Source: Digital Bond.

Industrial landscape

The test raises questions about the security of the SCADA devices that monitor and control our entire industrial landscape. PLCs and Distributed Control Systems (DCSs) are used to run electrical grids, control water supplies, move bridges and operate factories. Many of the facilities and utilities they control are classed as critical national infrastructure. So how much of a security risk do they represent? And why are the flaws in some of our SCADA products so rudimentary that they would make a high school IT student weep?

One reason is that many of these systems were designed an age ago, says Dale Peterson, CEO at Digital Bond. “They were designed in an age before they would connect to other networks,” he says. “When you sent them a command, they would always work correctly, but they expected nothing else.” Subsequently, SCADA devices were configured to connect to conventional networks via transport protocols such as Ethernet, and suddenly became part of a broader infrastructure. Product designers had trouble transitioning securely from the old model to the new one. Devices still respond poorly to unexpected inputs, which makes them susceptible to ‘fuzzing’ attacks, in which an attacker deliberately sends malformed or inappropriate traffic to a device. Not knowing what to do, the device fails – or worse, enters a mode that enables arbitrary commands to be executed.

So delicate are these devices that even standard network scans can bring them to a halt. “We have run scans that if we had scanned the whole network, would have crashed things,” Peterson says.

New features

What makes the problem worse is that SCADA devices often come equipped with new features that can be exploited easily, with far-reaching effects on the system, Peterson explains. In one device, there is a command specifically designed to stop the CPU. And a device from GE that Digital Bond analysed included a feature allowing someone to download the entire configuration file with all of its usernames and passwords.

Fuzzing and the use of undocumented features in a product were the two vulnerabilities most prevalent among the test devices in Project Basecamp. However, possible attacks on SCADA systems are many and varied. The Basecamp study outlined several types of attack, including uploading custom firmware to the device, and the use of backdoors into a PLC. Vulnerabilities in web servers built into a product were also considered, as were spoofed authentication and failure of the device due to resource exhaustion.

These attacks can be directed against devices in several ways. One is through direct physical access to the unit. People could directly access the device and use a physically connected computer with the right control software to upload PLC logic. Another is across the network, either via a USB stick or a TCP connection.

The insecurities are baked into the protocols used to control the PLCs, Peterson warns. The most popular ones start out as a vendor protocol and then get spun out as an industry standard, although some, such as the Siemens S7 protocol, are still proprietary. “After the 9/11 wakeup call, the various committees and companies should have said ‘we need to add these security features to this protocol’,” he says. “In the case of the Rockwell protocol that they’re using, it hasn’t even begun.”

Even when these problems are ironed out, the refresh cycle is still glacially slow, meaning that in-the-field deployments are infrequent. The average lifecycle for a SCADA system or DCS is 15 years.

Figure 2: Example of typical industrial control systems operations. Source: Guide to Industrial Control Systems (ICS) Security, NIST.
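The fuzzing problem described above, a device that crashes or misbehaves when it receives malformed traffic, is at bottom a parser that trusts whatever the sender declares. The following Python example is added here and is not code from the article, from Digital Bond or from any of the vendors named. It shows a strict parser for a hypothetical PLC request frame; the layout, magic bytes, function codes and size cap are invented for the example and do not describe any real ICS protocol. Every length and checksum is verified before a byte of payload is used, unknown function codes are refused rather than dispatched, and a seeded mutation loop (fuzzing used as a defender's own regression test) confirms that the parser only ever fails with its own FrameError. It goes one step beyond the text by adding a function allowlist, so that an administrative operation such as a CPU stop is simply not reachable through an ordinary network request.

```python
import random
import struct
from dataclasses import dataclass

# Hypothetical frame layout used only for this example (not a real ICS protocol):
#   magic (2 bytes, b"PL") | function (1 byte) | length (2 bytes, big-endian)
#   | payload (length bytes) | checksum (1 byte, XOR of every byte before it)
MAGIC = b"PL"
HEADER_LEN = 5          # magic + function + length field
MAX_PAYLOAD = 256       # hard cap enforced regardless of what the sender claims

# Function codes the device is willing to act on from the network (constructed).
# Administrative codes such as "stop CPU" or "dump configuration" are deliberately
# absent: an unknown code is refused, never silently passed to a handler.
FUNCTIONS = {0x01: "read_register", 0x02: "write_register", 0x03: "read_status"}


class FrameError(ValueError):
    """The only exception a malformed frame is allowed to produce."""


@dataclass(frozen=True)
class Frame:
    function: str
    payload: bytes


def checksum(data: bytes) -> int:
    c = 0
    for b in data:
        c ^= b
    return c


def parse_frame(buf: bytes) -> Frame:
    """Validate every field before trusting it; reject rather than guess."""
    if len(buf) < HEADER_LEN + 1:
        raise FrameError("frame shorter than header plus checksum")
    if buf[:2] != MAGIC:
        raise FrameError("bad magic")
    function = buf[2]
    (length,) = struct.unpack(">H", buf[3:5])
    if length > MAX_PAYLOAD:
        raise FrameError(f"declared payload {length} exceeds cap {MAX_PAYLOAD}")
    end = HEADER_LEN + length
    if len(buf) != end + 1:
        raise FrameError("declared length does not match bytes received")
    if checksum(buf[:end]) != buf[end]:
        raise FrameError("checksum mismatch")
    if function not in FUNCTIONS:
        raise FrameError(f"function 0x{function:02x} not permitted over the network")
    return Frame(FUNCTIONS[function], bytes(buf[HEADER_LEN:end]))


def build_frame(function: int, payload: bytes) -> bytes:
    """Encode a well-formed frame (used to produce test input)."""
    body = MAGIC + bytes([function]) + struct.pack(">H", len(payload)) + payload
    return body + bytes([checksum(body)])


def fuzz_smoke(iterations: int = 2000, seed: int = 1):
    """Mutate a valid frame repeatedly and feed it to the parser.

    Returns (rejected, accepted). Any exception other than FrameError propagates,
    which is exactly the kind of unhandled failure a fragile device would show."""
    rng = random.Random(seed)
    base = bytearray(build_frame(0x01, b"\x00\x10"))
    rejected = accepted = 0
    for _ in range(iterations):
        mutated = bytearray(base)
        for _ in range(rng.randint(1, 4)):
            op = rng.random()
            if op < 0.5 and mutated:
                mutated[rng.randrange(len(mutated))] = rng.randrange(256)   # flip a byte
            elif op < 0.75:
                mutated = mutated[:rng.randrange(len(mutated) + 1)]        # truncate
            else:
                mutated.append(rng.randrange(256))                          # append junk
        try:
            parse_frame(bytes(mutated))
            accepted += 1   # a mutation that still forms a valid frame is fine
        except FrameError:
            rejected += 1
    return rejected, accepted


if __name__ == "__main__":
    print(parse_frame(build_frame(0x01, b"\x00\x10")))
    print("fuzz smoke (rejected, accepted):", fuzz_smoke())
```

The point of `fuzz_smoke` is not to find bugs in someone else's device but to make "unexpected input never escapes the parser's own error type" a property the firmware's test suite checks on every build, which is what the devices in Basecamp evidently lacked.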


Enter Stuxnet

What can people do with infected PLCs? The best example is Stuxnet, the virus that infected Windows computers and was used to inject code via a computer connected to a particular type of Siemens PLC. Stuxnet was able to spread via Step7 projects. Step7 is a programming tool for the Siemens SIMATIC PLC, and is used to upload code for execution by the device.² When the software found a Step7 project, it was able to inject its own malicious code into the device that would look for more than 33 frequency controllers, operating within a particular frequency window. The operational footprint of the controllers it was looking for suggested devices used to manipulate the high-speed centrifuges found in uranium enrichment facilities.

The code would monitor events carried out by the PLC and, after seeing suitable conditions for around 13 days, it would increase the frequency used by the controllers to more than their normal upper limit for 15 minutes, before then dropping the frequency to normal. It would then wait roughly 27 days before dropping the frequency to far below their lower operating limit, and then once again returning it to normal. Then it would wait another 27 days, and repeat these processes again.

“They changed the way that the centrifuges acted so that they would damage them. They caused failures over time rather than rip them apart,” says Peterson. What made the system even more devious was that it sent false data back to the operators, making it look as though everything was operating normally. “There’s nothing worse than a problem you can’t reproduce,” he muses. The likely outcome is that systems within a uranium enrichment facility would have to be replaced more frequently than expected, and scientists would not be able to solve the problem. Peterson thinks that the attackers wanted this situation to persist for years.

Figure 3: Example of a SCADA system. Source: Guide to Industrial Control Systems (ICS) Security, NIST.

SCADAgeddon

That’s an interesting alternative to ‘SCADAgeddon’, the Hollywood scenario in which a malicious attack on a PLC would release whole lakes through dams, turn off all of the electricity everywhere and flood Manhattan’s streets with raw sewage. Hollywood hasn’t made that movie yet, but it’s only a matter of time. “It’s going to take that before people get serious about it,” Peterson says.

One of the biggest threats when such a thing occurs is the cascading effect of attacks. The US East Coast power blackout in 2003 was a good example, in which a failure in a single part of the grid quickly propagated across multiple electrical networks. “The complexity of communications and power networks means that you don’t really know who’s backing up who and who’s connected,” points out Ron Gula, CEO at Tenable Network Security, which makes the Nessus vulnerability scanner.

On the other hand, that can also make the effect of an attack very difficult to predict. A cyber-terrorist or nation state attempting to take down large parts of a nation’s national infrastructure through a SCADA attack would be shooting in the dark. “It’s very difficult to gather that information in advance,” Gula adds.

Figure 4: Percentage of Stuxnet-infected hosts with Siemens software installed. Source: W32.Stuxnet Dossier, Symantec.

No quick fix

Workarounds for SCADA vulnerabilities are difficult. Simply asking for a fix isn’t going to work, says Peterson, who points out that vendors were slow to respond to the Basecamp results. Regulation is another potential route, and there is already some regulation of security controls in the US electrical utilities sector. The problem here is that such regulation is rarely granular enough to get down to the PLC level.

Perhaps the onus should come from the customer? Changes in procurement policy could put pressure on the vendors to up their game. But that’s problematic, too. The problems associated with these deployments are also depressingly human, and have as much to do with profit and loss as they do with programmable logic, argues Grant Notman of specialist wireless company Wood and Douglas.

Accountants in utility networks have merged telemetry and IT departments together to save money. “That’s a massive mistake,” says Notman, arguing that they come from different disciplines. Telemetry departments tend to want to focus on reliability and security in operation, whereas IT departments concentrate on making information openly available and getting everything on the network, he argues.

“If you take away all the experts that know about SCADA and replace them with IT people, then all of the natural gates that are put in place to protect people are removed,” Notman warns. “I’ve seen this happen in utilities in the UK and I expect that it’s happening all around the world. The old experts – the people that we used to sell equipment to – are not there anymore. It’s a skill set that we’re losing.”

We can continue to explore this problem, but as we do so, the ‘Internet of things’ is developing. Millions of devices are becoming Internet connected, and industrial control systems are among them. We have limited time to bring our SCADA infrastructure up to scratch – and if we don’t, the results could be catastrophic.

About the author

Danny Bradbury is a freelance technology writer with over 20 years’ experience. He has written extensively for publications including the Guardian, the Independent, the Financial Times, and the National Post. He also works as a documentary film maker and writing coach.

References

1. Project Basecamp at S4, Digital Bond, 12 January 2012. www.digitalbond.com/2012/01/19/project-basecamp-at-s4/.
2. Nicolas Falliere; Liam O Murchu; Eric Chien. ‘W32.Stuxnet Dossier’. Symantec, February 2011. www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_stuxnet_dossier.pdf.

Resources

• Keith Stouffer; Joe Falco; Karen Scarfone. ‘Guide to Industrial Control Systems (ICS) Security’. NIST Special Publication 800-82, June 2011. http://csrc.nist.gov/publications/nistpubs/800-82/SP800-82-final.pdf.
• James Andrew Lewis. ‘The Electrical Grid as a Target for Cyber Attack’. Center for Strategic and International Studies, March 2010. http://csis.org/files/publication/100322ElectricalGridAsATargetforCyberAttack.pdf.
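Since vendor fixes were slow to arrive, regulation rarely reaches the PLC level and the control protocols carry no security of their own, a compensating control an operator can deploy today is to watch the traffic reaching the controllers for the operations the Basecamp and Stuxnet passages describe: a CPU stop, a configuration download, a firmware or logic upload coming from anything other than a known engineering workstation, and scan-like probing of many controllers that could itself crash fragile devices. The Python monitor below is an added example and is not code from the article, from Digital Bond or from any vendor named; the log format, function labels, addresses and thresholds are all constructed for the example, and in a real deployment the engineering-host list would come from the site's asset register.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed asset inventory: the only hosts that may issue engineering
# commands to a PLC. Everything else is treated as an unexpected source.
ENGINEERING_HOSTS = {"10.0.5.10"}

# State-changing operations. The labels are illustrative, not function codes
# taken from any particular ICS protocol.
PRIVILEGED = {"cpu_stop", "config_download", "firmware_upload", "logic_upload"}

SCAN_THRESHOLD = 5    # distinct PLC endpoints touched by one source ...
SCAN_WINDOW = 10.0    # ... within this many seconds counts as scan-like


@dataclass(frozen=True)
class Event:
    ts: float
    src: str
    dst: str
    port: int
    function: str


@dataclass(frozen=True)
class Alert:
    severity: str
    src: str
    reason: str


def parse_log_line(line: str) -> Event:
    """Parse one line of the constructed format '<ts> <src> -> <dst>:<port> <function>'."""
    ts, src, arrow, dstport, function = line.split()
    if arrow != "->":
        raise ValueError(f"unexpected log line: {line!r}")
    dst, port = dstport.rsplit(":", 1)
    return Event(float(ts), src, dst, int(port), function)


def detect(events):
    """Return alerts in time order.

    high:   a privileged operation sent from a host outside ENGINEERING_HOSTS
    medium: one source reaching SCAN_THRESHOLD distinct PLC endpoints inside
            SCAN_WINDOW seconds (raised once per source)"""
    alerts = []
    recent = defaultdict(list)   # src -> [(ts, (dst, port))] still inside the window
    scan_flagged = set()
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.function in PRIVILEGED and ev.src not in ENGINEERING_HOSTS:
            alerts.append(Alert("high", ev.src,
                                f"{ev.function} sent to {ev.dst} from a non-engineering host"))
        window = recent[ev.src]
        window.append((ev.ts, (ev.dst, ev.port)))
        window[:] = [(t, ep) for t, ep in window if ev.ts - t <= SCAN_WINDOW]
        distinct = {ep for _, ep in window}
        if len(distinct) >= SCAN_THRESHOLD and ev.src not in scan_flagged:
            scan_flagged.add(ev.src)
            alerts.append(Alert("medium", ev.src,
                                f"reached {len(distinct)} PLC endpoints within "
                                f"{SCAN_WINDOW:.0f}s (scan-like)"))
    return alerts


# Constructed sample traffic log (port 502 is the usual Modbus/TCP port).
SAMPLE_LOG = """\
1000.0 10.0.5.10 -> 10.0.9.21:502 read_register
1001.5 10.0.5.10 -> 10.0.9.21:502 logic_upload
1002.0 10.0.7.33 -> 10.0.9.21:502 cpu_stop
1003.0 10.0.7.33 -> 10.0.9.22:502 read_status
1003.2 10.0.7.33 -> 10.0.9.23:502 read_status
1003.4 10.0.7.33 -> 10.0.9.24:502 read_status
1003.6 10.0.7.33 -> 10.0.9.25:502 read_status
1003.8 10.0.7.33 -> 10.0.9.26:502 read_status
1020.0 10.0.5.10 -> 10.0.9.22:502 config_download
"""


def analyse_sample():
    events = [parse_log_line(line) for line in SAMPLE_LOG.splitlines() if line.strip()]
    return detect(events)


if __name__ == "__main__":
    for a in analyse_sample():
        print(f"[{a.severity}] {a.src}: {a.reason}")
```

On the sample log the engineering workstation's own logic upload and configuration download are left alone, while the unknown host 10.0.7.33 produces one high alert for the CPU stop and one medium alert once it has touched five controllers in under ten seconds. The scan rule matters because, as Peterson notes, the probe itself can take the devices down; alerting on it early is cheaper than discovering the outage afterwards.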

Interview: BYOD and the enterprise network

Steve Mansfield-Devine, editor, Computer Fraud & Security

Bring Your Own Device (BYOD) is a trend that many organisations are confused or concerned about. In this interview, Frank Andrus, CTO at Bradford Networks, explains that data leaks, malware and hacking aren’t the only issues. There are more fundamental concerns with how your networks are managed. And the solution might be to work with your users, rather than simply trying to control them.

Consumer age

The consumer age has hit enterprises in a big way. It wasn’t so long ago that the company provided you with the tools you needed to do your job. Now, the chances are that you bring your own. People
