FEATURE

In-network security solutions will need to
be provided in order to control mobile-
based attacks.
Data-driven analysis
The GSMA Spam Reporting Service
(SRS) can assist in overcoming such a
predicament. Through its provision of
data-driven analysis, the GSMA SRS
solution can provide operators with
greater visibility of their networks and
the attack trends affecting them, enabling
them to understand the nature and
methods of attack and quantify their
volume and impact to develop more
efficient security strategies. The GSMA
SRS solution also enables operators to
share this information with their peers
within the operator community, helping
to build a more collaborative defence
against attackers. In addition, solutions
that enable operators to combat ever-
evolving messaging threats with advanced
mobile anti-virus, subscriber behaviour
analysis (eg, anti-bullying and anti-
spam) as well as subscriber preference
capabilities, will prove vital, particularly
when deployed in combination with the
analytic information that services such as
the GSMA SRS solution provide.
Such solutions work because they
provide messaging threat protection
in the network infrastructure, rather
than on the device. This is much more
effective in stopping spam, phishing and
messaging attacks from infecting devices
than device-based solutions. Network-
level solutions are able to block malicious
mobile messages before they are sent to
the device, preventing the messages from
ever arriving at the device in the first
place. This has several benefits:
1. The ability to protect multiple device
types.
2. The ability to provide protection
without user involvement.
3. Having protection provided without
device manufacturer or operating
system vendor involvement.
4. Immediately protecting all subscribers
upon deployment.
This type of protection requires a
relatively advanced solution to be in place
in the mobile network infrastructure.
We will see this become more and more
common as a means to protect against
attacks of this nature in the coming
months and years and it will play a vital
role in ensuring that existing mobile
messaging services, as well as new services
such as RCS, remain clean for end users.
Ultimately, the network insight
provided from a combination of mobile
malware identification and prevention
tools, real-time intelligence on ‘bad’
senders and links, content control for
spam detection and prevention and
anti-bullying functionalities such as
blacklisting, can enable operators to
effectively address this issue and help
ensure RCS is a success.
Conclusion
RCS has the potential to offer operators
a way of maintaining a foothold in the
messaging space. It could deliver new
and even richer ways for subscribers to
communicate and collaborate through
their mobile devices, while generating
significant revenue streams for the
operators that deliver them. For it to
be a success, however, operators need
to address the security of the channel
from the outset, ensuring that spam or
malicious emails are stopped before they
get to the subscribers. In doing so, RCS
will generate and maintain trust from
end users and enable it to live up to its
full potential.
About the author
Neil Cook is the head of technology services
for EMEA at Cloudmark, a company that
provides a collaborative spam filtration
network for stopping abusive messages
across email, mobile and social networking
infrastructures. Cloudmark currently
protects more than 850 million mailboxes
for more than 100 service providers around
the world. Based in the UK, Cook is a
seasoned expert on issues of fixed line and
mobile messaging security. He has more
than 16 years experience in large-scale
service provider messaging and directory
solutions, with particular expertise in
mobile and next-generation converged
services.

SCADA: a critical
vulnerability
Danny Bradbury, freelance journalist Danny Bradbury

Are we at risk of a system meltdown of Hollywood proportions? A recent Researchers scanned Programmable Logic
presentation highlighting critical vulnerabilities in some of our most popular Controllers (PLCs) from General Electric,
industrial control systems suggests so. Project Basecamp, a vulnerability Schneider Electric, Koyo, A-B Quality
assessment exercise carried out by security firm Digital Bond, assessed levels of and SEL.1 A sixth company’s controller,
security in Supervisory Control And Data Acquisition (SCADA) products. It Control Systems’ SCADApack, failed
found them badly wanting. early on during testing. GE’s device

11
April 2012 Computer Fraud & Security
 FEATURE
Figure 1: A summary of the results of vulner-
ability tests on five industrial control devices.
Source: Digital Bond.
showed critical vulnerabilities in most
of the areas tested, while Schneider’s did
only moderately better. In fact, all of the
devices other than SEL’s had at least one
critical vulnerability.
Industrial landscape
The test raises questions about the
security of the SCADA devices that
monitor and control our entire industrial
landscape. PLCs and Distributed
Control Systems (DCSs) are used to run
electrical grids, control water supplies,
move bridges and operate factories.
Many of the facilities and utilities they
Figure 2: Example of typical industrial control systems operations. Source: Guide to Industrial Control
Systems (ICS) Security, NIST.
12
Computer Fraud & Security
control are classed as critical national
infrastructure. So how much of a
security risk do they represent? And why
are the flaws in some of our SCADA
products so rudimentary that they would
make a high school IT student weep?
One reason is that many of these
systems were designed an age ago, says
Dale Peterson, CEO at Digital Bond.
“They were designed in an age before
they would connect to other networks,”
he says. “When you sent them a
command, they would always work
correctly, but they expected nothing else.”
Subsequently, SCADA devices were
configured to connect to conventional
networks via transport protocols such
as Ethernet, and suddenly became part
of a broader infrastructure. Product
designers had trouble transitioning
securely from the old model to the
new one. Devices still respond poorly
to unexpected inputs, which makes
them susceptible to ‘fuzzing’ attacks,
in which an attacker deliberately sends
malformed or inappropriate traffic to
a device. Not knowing what to do, the
device fails – or worse, enters a mode
that enables arbitrary commands to be
executed.
So delicate are these devices that even
standard network scans can bring them to
a halt. “We have run scans that if we had
scanned the whole network, would have
crashed things,” Peterson says.
New features
What makes the problem worse is that
SCADA devices often come equipped
with new features that can be exploited
easily, with far-reaching effects on the
system, Peterson explains. In one device,
there is a command specifically designed
to stop the CPU. And a device from GE
that Digital Bond analysed included a
feature allowing someone to download
the entire configuration file with all of
its usernames and passwords.
Fuzzing and the use of undocumented
features in a product were the two
vulnerabilities most prevalent among the
test devices in Project Basecamp. However,
possible attacks on SCADA systems are
many and varied. The Basecamp study
outlined several types of attack, including
uploading custom firmware to the device,
and the use of backdoors into a PLC.
Vulnerabilities in web servers built into
a product were also considered, as were
spoofed authentication and failure of the
device due to resource exhaustion.
These attacks can be directed against
devices in several ways. One is through
direct physical access to the unit. People
could directly access the device and use a
physically connected computer with the
right control software to upload PLC logic.
Another is across the network, either via a
USB stick or a TCP connection.
The insecurities are baked into the
protocols used to control the PLCs,
Peterson warns. The most popular ones
start out as a vendor protocol and then
get spun out as an industry standard,
although some, such as the Siemens S7
protocol, are still proprietary.
“After the 9/11 wakeup call, the various
committees and companies should
have said ‘we need to add these security
features to this protocol’,” he says. “In the
case of the Rockwell protocol that they’re
using, it hasn’t even begun.”
Even when these problems are ironed
out, the refresh cycle is still glacially slow,
meaning that in-the-field deployments
are infrequent. The average lifecycle for a
SCADA system or DCS is 15 years.
April 2012
 FEATURE

Enter Stuxnet
What can people do with infected
PLCs? The best example is Stuxnet,
the virus that infected Windows
computers and was used to inject code
via a computer connected to a particular
type of Siemens PLC. Stuxnet was able
to spread via Step7 projects. Step7 is
a programming tool for the Siemens
SIMATIC PLC, and is used to upload
code for execution by the device.2 When
the software found a Step7 project, it
was able to inject its own malicious
code into the device that would look Figure 3: Example of a SCADA system. Source: Guide to Industrial Control Systems (ICS) Security,
for more than 33 frequency controllers,
operating within a particular frequency SCADAgeddon in which a failure in a single part of the
window. The operational footprint grid quickly propagated across multiple
of the controllers it was looking for That’s an interesting alternative to electrical networks. “The complexity of
suggested devices used to manipulate the ‘SCADAgeddon’, the Hollywood scenario communications and power networks
high-speed centrifuges found in uranium in which a malicious attack on a PLC means that you don’t really know who’s
enrichment facilities. would release whole lakes through dams, backing up who and who’s connected,”
The code would monitor events turn off all of the electricity everywhere points out Ron Gula, CEO at Tenable
carried out by the PLC and, after seeing and flood Manhattan’s streets with raw Network Security, which makes the
suitable conditions for around 13 days, sewage. Hollywood hasn’t made that Nessus vulnerability scanner.
it would increase the frequency used movie yet, but it’s only a matter of time. On the other hand, that can also
by the controllers to more than their “It’s going to take that before people get make the effect of an attack very
normal upper limit for 15 minutes, serious about it,” Peterson says. difficult to predict. A cyber-terrorist
before then dropping the frequency to One of the biggest threats when such or nation state attempting to take
normal. It then it would wait roughly a thing occurs is the cascading effect down large parts of a nation’s national
27 days before dropping the frequency of attacks. The US East Coast power infrastructure through a SCADA attack
to far below their lower operating limit, blackout in 2003 was a good example, would be shooting in the dark. “It’s
and then once again returning it to
normal. Then it would wait another 27
days, and repeat these processes again.
“They changed the way that the
centrifuges acted so that they would
damage them. They caused failures over
time rather than rip them apart,” says
Peterson. What made the system even
more devious was that it sent false data
back to the operators, making it look
as though everything was operating
normally. “There’s nothing worse
than a problem you can’t reproduce,”
he muses. The likely outcome is that
systems within a uranium enrichment
facility would have to be replaced more
frequently than expected, and scientists
would not be able to solve the problem.
Peterson thinks that the attackers wanted Figure 4: Percentage of Stuxnet-infected hosts with Siemens software installed. Source: W32.Stuxnet
Dossier, Symantec.
this situation to persist for years.

13
April 2012 Computer Fraud & Security
 FEATURE

very difficult to gather that information
in advance,” Gula adds.
No quick fix
Workarounds for SCADA vulnerabilities
are difficult. Simply asking for a fix isn’t
going to work, says Peterson, who points
out that vendors were slow to respond
to the Basecamp results. Regulation
is another potential route, and there
is already some regulation of security
controls in the US electrical utilities
sector. The problem here is that such
regulation is rarely granular enough to
get down to the PLC level.
Perhaps the onus should come from
the customer? Changes in procurement
policy could put pressure on the vendors
to up their game. But that’s problematic,
too. The problems associated with
these deployments are also depressingly
human, and have as much to do
with profit and loss as they do with
programmable logic, argues Grant
Notman of specialist wireless company
Wood and Douglas.
iVÌÀˆV>Ê
Accountants in utility networks have
merged telemetry and IT departments
together to save money. “That’s a
massive mistake,” says Notman,
arguing that they come from different
disciplines. Telemetry departments
tend to want to focus on reliability
and security in operation, whereas IT
departments concentrate on making
information openly available and
getting everything on the network, he
argues.
“If you take away all the experts that
know about SCADA and replace them
with IT people, then all of the natural
gates that are put in place to protect
people are removed,” Notman warns.
“I’ve seen this happen in utilities in the
UK and I expect that it’s happening all
around the world. The old experts – the
people that we used to sell equipment
to – are not there anymore. It’s a skill
set that we’re losing.”
We can continue to explore this
problem, but as we do so, the ‘Internet
of things’ is developing. Millions
of devices are becoming Internet
connected, and industrial control
systems are among them. We have
limited time to bring our SCADA
infrastructure up to scratch – and if we
don’t, the results could be catastrophic.
About the author
Danny Bradbury is a freelance technology
writer with over 20 years’ experience. He
has written extensively for publications
including the Guardian, the Independent,
the Financial Times, and the National
Post. He also works as a documentary film
maker and writing coach.
References
1. Project Basecamp at S4, Digital
Bond, 12 January 2012. www.
digitalbond.com/2012/01/19/
project-basecamp-at-s4/.
2. Nicolas Falliere; Liam O Murchu;
Eric Chien. ‘W32.Stuxnet Dossier’.
Symantec, February 2011. www.
symantec.com/content/en/us/
enterprise/media/security_response/
whitepapers/w32_stuxnet_dossier.
pdf.
Resources
UÊ iˆÌ…Ê-̜ÕvviÀÆÊœiÊ>VœÆÊ>Ài˜Ê
Scarfon’ ‘Guide to Industrial
Control Systems (ICS) Security’.
NIST Special Publication 800-82,
June 2011 http://csrc.nist.gov/
publications/nistpubs/800-82/
SP800-82-final.pdf.
UÊ >“iÃÊ
˜`ÀiÜÊi܈ðʼ/…iÊ
Grid as a Target for Cyber Attack’.
Center for Strategic and International
Studies, March 2010. http://csis.org/
files/publication/100322ElectricalGri
dAsATargetforCyberAttack.pdf.

Interview: BYOD
and the enterprise
network Steve Mansfield-
Devine

Steve Mansfield-Devine, editor, Computer Fraud & Security

Bring Your Own Device (BYOD) is a trend that many organisations are Consumer age
confused or concerned about. In this interview, Frank Andrus, CTO at The consumer age has hit enterprises in
Bradford Networks, explains that data leaks, malware and hacking aren’t the a big way. It wasn’t so long ago that the
only issues. There are more fundamental concerns with how your networks company provided you with the tools you
are managed. And the solution might be to work with your users, rather than needed to do your job. Now, the chances
simply trying to control them. are that you bring your own. People

14
Computer Fraud & Security April 2012