Alleged Internet Attacks on SCADA Systems


Thread Starter

Michael Griffin

There have been reports in the news recently that the American CIA spy organisation has claimed that there have been a number of successful recent hacker attacks on SCADA systems conducted via the Internet. This claim was made at a computer security conference in New Orleans USA on the 16th of January.

The CIA claimed: "We have information, from multiple regions outside the United States, of cyber intrusions into utilities, followed by extortion demands. (...) We have information that cyber attacks have been used to disrupt power equipment in several regions outside the United States. In at least one case, the disruption caused a power outage affecting multiple cities. We do not know who executed these attacks or why, but all involved intrusions through the Internet."

http://www.informationweek.com/news/showArticle.jhtml?articleID=205901631
http://www.theregister.co.uk/2008/01/21/scada_threat_warning/
http://www.sans.org/newsletters/newsbites/newsbites.php?vol=10&issue=5&rss=Y

However, there has not been a single piece of evidence to support this, or even a report from a credible source. I find it difficult to credit any of these claims, considering the source and the lack of supporting evidence.

Questions:

1) Has anyone seen credible news reports to support these claims?

2) Does anyone find these claims at all believable? By this I mean that this has actually taken place on a number of occasions involving electric utilities and widespread blackouts.
 

Nathan Boeger

There has been A FLURRY of recent blog activity on the topic of SCADA security. I've worked in too many industrial facilities with grossly inadequate security measures to be skeptical about this - maybe this attack wasn't the one, but we're NOT well protected.

----
Nathan Boeger
http://notanotherindustrialblog.blogger.com
"Design Simplicity Cures Engineered Complexity"
 
Joe Weiss (http://www.controlglobal.com/unfettered) and I believe the CIA report to be credible. Why we believe that is not for this public forum. Sorry to be mysterious. CIA is not the only agency of the US Government that takes this position.

And much of the US Government is apolitical, in case you want to go there.

There are in fact documented cases of cyber incidents in power, water, and wastewater utilities. There have been documented cases of cyber incidents in a variety of process and discrete manufacturing industry verticals.

Is this issue real? Yes.

Joe will again hold his Realtime ACS Cyber Security Conference this August (the 8th since he started doing it, the second since he left KEMA and started ACS). For info, see http://www.realtimeacs.com.

You can also read Joe's testimony before the congressional committee that held hearings late last year on the subject. Just search "Unfettered" (http://www.controlglobal.com/unfettered) for the blog posts where we published it.

It is real enough that in April of 2006, a group of vendors and end users including Honeywell, Invensys, ABB, Siemens, Exxon, Chevron, Shell, and others (myself, Eric and Joanne Byres of Byres Security, etc.) formed an ad hoc group to work on creating a consortium to produce compliance testing in parallel with ISA's SP99 Cyber Security Standard Committee and NIST. This has become the ISCI (http://www.isa.org/ISASecure/) ISA Security Compliance Institute.

In fairness, it must be said that the CEOs of the North American power utilities disagree with Joe, myself, Eric Byres, the CIA and others. It remains to be seen whether we are alarmists or they are ostriches.

Walt Boyes
Editor in Chief
Control magazine
www.controlglobal.com
blog:Sound OFF!! http://www.controlglobal.com/soundoff
_________________

Putman Media Inc.
555 W. Pierce Rd. Suite 301
Itasca, IL 60143
630-467-1301 x368
 

Curt Wuollet

The security is laughable now with virtually every system dependent on the world's most hacked and penetrated operating systems. But the situation is well deserved for even thinking of Microsoft dependence in the first place. It's gross negligence and a far cry from due diligence by any measure.

Yet people will continue this madness with their heads firmly stuck in the sand (or other places), fiercely defend those decisions, and diligently avoid more diverse and secure alternatives. It's easy to see where the problem lies. Go ahead and flame :^) It's indefensible. At least the military is catching on.

Regards
cww
 

Michael Griffin

In reply to Walt Boyes: I had two questions. The first was whether anyone had seen any credible news reports supporting these alleged incidents. At this point, apparently not.

The second question was whether anyone believed this actually happened. You seem to be saying you believe that it did, but cannot provide any evidence. I don't doubt your sincerity, but I'm not convinced that these specific incidents really occurred without at least some sort of proof. By "specific incidents", I mean the alleged large scale blackouts in several (unspecified) areas which were mentioned.

As to whether this possibly *could* happen some time in the future, I could believe that. In fact, if you examine the following posts, you will see that I have raised this issue a number of times in the past. The following three are postings that I initiated on this subject.

An interesting article on a SCADA security vulnerability. 19 June, 2006 - 10:53 pm http://www.control.com/thread.php?id=1026223307

SCADA Security Developments 29 July, 2006 - 2:09 pm http://www.control.com/thread.php?id=1026224413

More Scada Security News 20 May, 2007 - 2:53 pm http://www.control.com/thread.php?id=1026235247

There was also an extensive discussion (over 100 posts) with many of the replies touching on matters related to this under:

SCADA Control room management 28 November, 2006 - 11:38 pm http://www.control.com/thread.php?id=1026229082

As far as SCADA security in general is concerned, from what I have read on the subject it appears to me that the utilities are trying to put the responsibility for security on the automation vendors, while the automation vendors are trying to throw it back on the utilities.

With regards to the "compliance testing" that you mentioned, I read the web site and its associated documents that you linked to. I can see a limited use for standard testing for some simple devices (security gateways, switches, etc.), but that's not an overall solution. In the IT industry, a lot of the security problems come from combinations of components, or from new kinds of attacks that were not tested for when the system was deployed. Security isn't something that you do once and then it's done. It's an ongoing process like quality.

On the other hand, security certifications (e.g. Common Criteria Evaluation) haven't really done much for the IT industry. In fact, outside of certain government markets where certification is a check-list item, nobody is interested in certification because it has little relevance to real world security problems.

The most difficult security problem that I see is with the SCADA/MMI workstations and controllers themselves. At present, most of these seem to consist of components from various parties which are put together by an integrator for a specific project. The customer is then left with something they can't readily maintain (from a security perspective) and none of the original vendors will take responsibility for the software system as a whole. I have developed this argument in more detail in the past (see the above mentioned posts), so I won't repeat it here other than to say that I think that customers and SCADA vendors need to rethink their current business models if they want to have SCADA systems that are both secure and maintainable.
 

Michael Griffin

In reply to Nathan Boeger: When you see a flurry of writing on a subject that would normally interest few people, that is usually a sign that someone is working quite diligently to see that it gets talked about. This is a standard PR technique.

Do you remember the video clip of the generator that was destroyed as part of a test last year? I suspect that the recent statements are just a follow-up.

I am not saying that there is no problem. I don't however believe that making claims without evidence to support them is helping the situation.
 
My dear God. Twice in one month! (wicked grin)

Although it ain't just the operating system, I completely agree with you. It is also the mindset...because for this kind of penetration, Linux or any -Nix based OS is penetrable...you just have to work a little harder.

No flame.

Walt

Walt Boyes
Editor in Chief
Control magazine
www.controlglobal.com
blog:Sound OFF!! http://www.controlglobal.com/soundoff
 
Not "cannot," I will not provide that information in a public forum to you or anyone else. Sorry.

ISCI is starting with simple compliance tests for hardware. As SP99 improves the ISA99 security standard, they will begin tackling the complexities, exactly as you noted.

And I agree wholeheartedly with your last paragraph.

Walt
 

Curt Wuollet

Yes, almost anything can be penetrated by the right people. The number of those people for Linux is far less than the "any angry 12 yr old" who can get into Windows, especially if there isn't a full time administrator as in most automation cases. Or if a 10 yr. old version is used, as in many automation installations. But one of the worst aspects of the status quo is that whole enterprises and even governments all use the same OS, providing the best possible propagation environment for worms and viruses and making certain that cracking one machine is sufficient to wreak havoc on the whole entity. If every third machine required a different approach or was immune to the technique used on the last machine, it would become far more difficult to cause widespread chaos. But it is entirely predictable what automation systems run on at present and every facet can only be done in the MS-allowed fashion. You couldn't possibly engineer a less secure practice if you tried.

These incidents are hushed up quickly because the choices made mean that the same thing will probably work again tomorrow or a month from now. You can't change anything, really. Gives you a warm fuzzy feeling. :^) I won't mention what the most viable solution is, you can ask DOD and NSA.

Regards

cww
 
Toooo often, managers require that the control systems are available to others over the corporate LAN.

I am soooo tired of designing graphics that are "pretty" for "managers" instead of designing graphics for operators with "real" troubleshooting information.

The REAL point is that these "systems" are available on a "corporate" LAN that is NOT SECURE!!!

I have "screamed extreme" to ensure that our systems, although corporate LAN accessible, are secure. VLAN and FIREWALL are words spoken softly, yet enforced with the greatest importance.

I have found that "in my contractor days", these subjects were ignored because a viable IT department did NOT exist.

Too many systems still use the manufacturer-given password available in any internet-available manual for that system.

I have given too much information!
 

Nathan Boeger

Sure - fair enough. I was simply stating that this topic is in the spotlight of security professionals. I believe that's a good thing regardless of the credibility of the alleged event.

I was also stating that, in my experience, "security" tends to be an afterthought at industrial facilities - even inherently dangerous sites like ammonia refrigeration sites. More specifically, things like (authentication, confidentiality, integrity, non-repudiation, etc.) ALL play second fiddle to availability. Production and profit is king.

----
Nathan Boeger
http://notanotherindustrialblog.blogger.com
"Design Simplicity Cures Engineered Complexity"
 

Michael Barrett

Let nobody assume the fault is only an OS, or an application. Process systems MUST have defense in depth, similar to when the process is designed. For critical systems there should be no single point of failure.

> Not "cannot," I will not provide that
> information in a public forum to you or
> anyone else. Sorry.

There is no need to help the attackers. I doubt that the utility(ies) that was attacked would like to release information and details about the attacks.

Understand all interconnected systems are under attack from inside and outside.

Please study how attacks have changed in the last 3 years. Now most attacks are targeted, and silent. It is only the non-professional attackers that leave trails where they are caught. Understand, the internet is a job for these attackers, not a hobby.

> ISCI is starting with simple compliance
> tests for hardware. As SP99 improves the
> ISA99 security standard, they will begin
> tackling the complexities, exactly as
> you noted.

The Standards are a good start. Accurate risk analysis needs to be performed by an outside party, and compared to the internal risk analysis.

> And I agree wholeheartedly with your
> last paragraph.

Only through joint efforts to secure the process from Developers, Integrators, Engineering (Process, Instrument, Control, and IT), and Utilities. This includes the Utilities IT/Process policies, Operational procedures.

We need to avoid pointing fingers--we have a problem, we must find a solution and build it.
 

Michael Griffin

In reply to Nathan Boeger: Just in case there was any confusion about my previous reply to your message, the "making claims without evidence" was referring to the CIA's statements. Your own statements were right on the mark.

As for the actual state of security, we need only look at the regular postings on this list where we see people asking "how do I connect my plant to the internet?" several times per month. Doing this properly is very hard for people who do it for a living. Doing it when you are not even sure how internet protocols work is certainly for the adventurous.
 

Michael Griffin

In reply to Curt Wuollet: The "diversity" approach to security has some validity in slowing the spread of automated attacks such as viruses, but it doesn't by itself offer a solution. Almost all SCADA systems rely on some sort of network, and if this network can be accessed by computers which are vulnerable, then the network can be brought down even if some of the computers on it are themselves not vulnerable.

A good example is the case which I referenced in one of my previous postings. In early 2003 the SQL Slammer worm (which operated through the Microsoft SQL Server database) got into the control system for a nuclear power plant in the USA via connections with the business network. The worm then caused several SCADA related servers to "crash" (this was the description used in the reports), including the "Safety Parameter Display System" and the "Plant Process Computer". Fortunately, the reactor was already shut down for unrelated reasons. It reportedly took operators over six hours to restore the network to operation.

The SQL Slammer worm was a very aggressive scanner and was known for clogging up networks. It is possible (although not mentioned in reports) that this is what caused the control network problem. A DOS (Denial Of Service) attack is a fairly standard problem, and the only defence against it is to block the source at a gateway. That doesn't work however if the source is *inside* your network.

The SQL Slammer worm wasn't deliberately DOSing its targets. That was just a side effect of a poorly designed worm in combination with a brand of database that was inherently wide open to attack. It was nonetheless very effective in bringing down a lot of systems.
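As an added illustration of the point above about a worm-driven denial of service coming from *inside* the network (this is my own example, not code from the thread or from any of the posters): a small Python check that reads constructed flow records, flags any host spraying UDP/1434 (the port Slammer scanned) at many distinct destinations within a short window, and labels each flagged source by whether a gateway rule could reach it at all. The address plan, thresholds and flow records are assumptions.

```python
import ipaddress
from collections import defaultdict

# Constructed sample flow records, not taken from the thread:
# (seconds, src_ip, dst_ip, proto, dst_port, bytes)
FLOWS = [
    (0, "10.20.1.15", "10.20.1.1", "tcp", 502, 1200),       # normal Modbus/TCP poll
    (1, "10.20.1.15", "10.20.1.2", "tcp", 502, 1100),
    (1, "10.20.5.77", "10.20.1.1", "udp", 1434, 404),       # one host starts spraying
    (1, "10.20.5.77", "172.16.9.3", "udp", 1434, 404),      # UDP/1434 at random targets
    (1, "10.20.5.77", "203.0.113.9", "udp", 1434, 404),
    (2, "10.20.5.77", "198.51.100.4", "udp", 1434, 404),
    (2, "10.20.5.77", "10.20.1.9", "udp", 1434, 404),
    (2, "10.20.5.77", "192.0.2.88", "udp", 1434, 404),
    (3, "10.20.5.77", "10.20.7.1", "udp", 1434, 404),
    (3, "10.20.5.77", "10.20.7.2", "udp", 1434, 404),
    (5, "198.51.100.200", "10.20.1.1", "udp", 1434, 404),   # single external probe
    (6, "10.20.1.15", "10.20.1.50", "udp", 1434, 404),      # one legitimate SQL lookup
]

# Assumed (hypothetical) address plan for the plant network.
INTERNAL_NETS = [ipaddress.ip_network("10.20.0.0/16"),
                 ipaddress.ip_network("172.16.0.0/12")]

def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)

def find_fanout_sources(flows, proto="udp", dport=1434, window=5, min_targets=5):
    """Map src -> largest number of distinct hosts it hit on proto/dport inside
    any `window`-second span, for sources reaching at least `min_targets`.
    A Slammer-style worm shows up as one source firing a single port at many
    addresses; that fan-out, not the payload, is what clogs the network."""
    by_src = defaultdict(list)
    for ts, src, dst, p, port, _ in flows:
        if p == proto and port == dport:
            by_src[src].append((ts, dst))
    hits = {}
    for src, events in by_src.items():
        events.sort()
        for i, (t0, _) in enumerate(events):          # sliding window from each event
            targets = {dst for ts, dst in events[i:] if ts - t0 <= window}
            if len(targets) >= min_targets:
                hits[src] = max(hits.get(src, 0), len(targets))
    return hits

def triage(flows, **kw):
    """Label each flagged source by where it can be stopped: a perimeter
    gateway rule only helps against external sources; an internal one must be
    isolated (port disable / VLAN quarantine) on the control network itself."""
    return {src: ("internal: isolate on the control network" if is_internal(src)
                  else "external: block at the gateway", n)
            for src, n in find_fanout_sources(flows, **kw).items()}
```

Run against real NetFlow or firewall logs, the same fan-out test picks up the spraying host well before the network saturates, which is the window the six-hour recovery described above was lost in.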
 
Yes, but it wouldn't have propagated through the first Linux machine in line. And DOS attacks or network overloading usually occur because there are many infected machines happily mailing each other because their "address book" is easily tapped. Non-homogeneous machines would greatly reduce the multiplicative viral effect. Perhaps to levels less than overwhelming. Of course, systems with secured address books and directories would be even better.

Regards

cww
 
I don't know if the CIA's claims are true or not. But assuming the claims are true, the protocol should have been that all of the vendors and at least some of the owners of the leaky equipment be informed of the problem right away and be given some time to fix the leak and test its solution. I don't think the CIA should have announced anything about it until then. With a solution in hand, the leak should have been widely publicized so that anyone affected by it could deploy the fix.

As it stands now, only the CIA and some cyberspace malcontents know what the alleged security leak is and no one has a fix for it.
 

Bob Peterson

It needs to be widely publicized so people find out about the problem and fix it. Hiding the information has never ever solved anything.
 

Michael Griffin

In reply to Bob Peterson: I agree that transparency is the best way to deal with computer security problems. The problems with computer viruses are a good example of this. Many of the large software vendors advocate what they call "responsible disclosure" of problems. This seems to involve telling the software vendor about a problem and then letting them sit on it and do nothing for years until a virus exploiting it starts going around. "Full disclosure" (telling everyone about it) on the other hand usually seems to get more immediate action on a problem because it becomes a PR problem for the company.

If there is real evidence of a serious problem with SCADA systems, the only way it's going to get fixed is if everyone knows about it. If it's just a hypothetical problem, then it's going to end up down near the bottom of a very long list of problems competing for budget and manhours.
 