#### Anand

Hello Everybody on the list,

Today's article on C-NET which I found interesting is

Wireless networks wide open to hackers
By Robert Lemos
Special to CNET News.com
July 12, 2001, 10:35 a.m. PT

If time permits, please visit the C-NET site and look at the article.

I have put some points regarding problems in I&C with newer technologies!

-------------------------------------------------------------------------

MAYHEM:

This article deals with the negative aspects of some of the latest
technologies that are now available.

Why Mayhem? Why believe that things will go wrong?

Simply because we are the I&C lot. We design systems to take care of the
worst possible scenarios. We are the people who deal with alarms, trips,
other such issues in the plant that ensure that in case something goes
wrong the plant is put to a safe state. We ask for redundancy and TMR so
that a calamity is avoided on failure of a device. We put intrinsic
safety barriers between our inputs/outputs and the unsafe area. We laid
procedures so that the I/P converter cannot be opened in the field
unless it is totally isolated from within the control room-MCC areas.
And because so many other "because's" we talk of Mayhem first before we
accept a system.

Today, in this Cyber-age and the forthcoming eras we will, in addition
to the present day issues, deal with safety issues from outside of the
plant. This safety will also relate to cyber crimes like:

1. Snooping for getting our technical expertise and process
improvements.

2. Economic attacks from competitors. Shutdown of your plants at
unexpected times can make you fail "on time deliveries" and give undue
production thereby giving the competition an edge.

3. Economic attacks from enemies of your country.

4. Attacks by enemies during a war or from terrorist organizations.
The attacks will be financed beyond your imagination. Someone can get
more than a million dollars for a password for a few hours! Damage
caused can be unimaginable. Ecological damage and crippling of the whole
complex, death and damage to the entire locality are some of the
consequences that are possible.

Wireless LAN and Mayhem.

The latest in the addition of gizmos to attack your control room is the
wireless LAN. Your old ISA and PCI, LAN card which use cables are going
to be replaced by newer cards with wireless Radio technology. With these
LAN cards point of sight is not a problem. "No More cable clutter", the
with no cables.

Well you are happy that you no longer need to have cables to maintain and
your computers talk without wires. But the same technology can be
used by well financed crackers to connect to your system. And to top it
all you have made their jobs even easier provided they have the right

They do not have to spend hours on decrypting your data. You are going
to be sending all the data including passwords, challenges and other
things from one computer to another on wireless and all that needs to be
done, is this radio frequency needs to be tapped.

Once this data is trapped then your entire system is laid bare open to
the perpetrator of the crime. Once this data is analyzed, then your
system can get wireless signals from the cyber-criminal, which can be
used to do any thing that the perpetrator pleases.

I doubt if you could prohibit use of radio transmitters in your city,
and if such a radio signal is emitted from a device, whether proof will
exist to catch the culprit.

Even if you analyzed your trip commands, you may find that it was the
operator in the system (because the culprit may use the same TCP/IP
address) who gave the command. You can trace the command, the operator
and the time, with logs and nail him without getting a whiff of the
actual perpetrator!

WAP and Mayhem:

Another new addition to the list of new devices are WAP enabled devices
which allow data to be shared by users carrying PDA's and mobile phones.

Mobile phones have been successfully tapped previously. In fact I
believe that that was the way, a famous betting SCAM was exposed in
India. I suppose that there is no reason why a good Scanner cannot tap
the frequency within a few moments. Once the data has been tapped, then
Mayhem can be effected.

WAP Procedures?

Another thing is that PDA's, Mobile phones and other WAP devices are
personal items that are generally used by multiple persons.

a. What kind of procedures are you going to lay to ensure that your
"WAPped" employee's child does not play with your plant when your
employee is having his morning shave in his underwear or having a bath
without one?

b. What procedures to protect his wife from searching for some of her
messages in his WAP device and pressing the wrong keys?

c. If my credit card is lost and I file a complaint etc., then the
password and other things are changed and I get an insurance cover
against misuse. In case your employee loses his WAP device, what are the
procedures laid to ensure that plant access from his WAP is immediately
disabled?

d. What are the means to track the simple minded person who finds it
and sees some good pictures, plays with these pictures and hands it over
to the competent authority, all with good intentions?

e. What integrity checks are you going to put in place that someone
does not sell his WAP device for 250,000$ on a Friday night when your
I&C engineer is out of town, and reports it as lost?

f. What tactics to ensure that it is not actually stolen from him on a
Friday evening bash?

g. And many such other procedures required that you can or cannot
think of.

Web Enabled SCADA? Anyone?

I suppose that everyone is aware of how bad security on the internet is. You can load the best Operating system, tons of security tools, encrypt your data only to find that some thirteen year old kid, who stumbled into a security hole in your operating system, that you are unintelligent enough, not to understand even when explained to you, has filled your computer with junk data!!! You load the next patch or let your computer guys handle this stuff. But nevertheless, your system was open for some precious moments. That is all that is required to cause mayhem.

Other Mayhem Scenes.

You can create mayhem scenarios for your valves, motors and other devices that are web enabled or wireless technology based.

Methods of attacks:

I&C always had its skeptics. People who wanted (and some still do want) a PLC with a key-switch for putting it on Run Mode or Program mode. To them this is the ultimate safety feature and once the PLC is in run mode it is "trusted" to do its work and no one can tamper with the user program.

Though theoretically, it is possible that the logic for the key-switch, is just checking for a binary "1" in some reserved area of memory, which can be successfully hacked and changed, the possibility is quite remote. Also good designs will ensure that the main program cannot be changed. Again, there are elaborate procedures for securing this "key" to the PLC, or only authorized personnel have it and it never leaves the site.

Of late, it seems that I&C field has been taken over by IT personnel.
Though this IT "savvy'ness" has helped a lot in lowering overall costs and also made good usage of popular software and utilities possible, on the other hand reliability has been often left in the background.

I&C and IT scenarios on failure are different. Mission critical for IT means that the web server does not fail, else several thousand people may not be able to chat, receive mails and so on. And with the best technologies available, recently, even MSN could not provide all the services for almost a week. For I&C, the scenario is entirely different. Economic loss, though a worry, is the least of the concerns on the list.

Now, you may wonder how that mayhem creator halfway across the world knows your process or what are the chances that he even knows the logic and fail-safe procedures used in your system. The thing is that he does not need to know all your plant specifics. In case your PLC system can be programmed from your PC and anyone gains access to your PC, then all he needs to do is read your configuration files and turn on all your outputs or a part of them in any sequence and all your interlocks get bypassed. In most cases, even the "emergency stop" would also get bypassed. Thus on a calamity you will not even be able to stop the system.

Most of your SCADA and DCS systems work on a database. Now the database for a particular system is standard which is generally ODBC etc. compliant. Now copy the data files into another computer and run another version of the application and open the application. The database shows the details of your plant, the alarm limits, the alarm messages, the comments, the item name, the access name and so on. Now these tools that help you run the process, make the system easily understandable to the cracker.

In case of most SCADA systems and systems on Windows systems, there is DDE compatibility.
The cracker can give a command like item name, access name and value from Excel directly to your device driver or to your SCADA application. Similar procedure may be possible for OPC. You may not even get the trip data on your logs and assume it to be a system failure.

There are innumerable ways that your system can be compromised to cause economic loss to you, once access is gained to your system. The cracker can also write a command so that he blocks several commands from your system while allowing other ones. In other words, he can block your "stop" command!

I&C systems like many DCS etc. have ftp and telnet enabled, which makes even glaring uses, a simple possibility.

Your entire I&C performance is based on the way safety has been implemented in your system. In some configurations care may have been taken for the remotest of failures and some may have compromised on some features due to cost or technology constraints.

A standard is required to give you safe means of connecting to the big bad e World.

Safe Connectivity for I&C systems.

All this does not mean that you cannot share data with your higher level systems. You can make limited use of WAP systems.

The Scheme below allows you to have safe connection to the e World.

Divide your I&C into three Areas.

1. The inner Ring Devices. The devices in the inner ring do not have WAP capability, are not web enabled and are not wireless in nature.

2. The Outer Ring Devices. The Devices in the Outer ring can have as many features as required.

3. The interface Devices. The Connection between the inner ring and outer ring is through I/O devices which are Discrete and Analog in Nature. Note that there is no intelligent path between the interface device and the inner ring, though an intelligent digital path may exist between the Interface Device and the outer ring devices.

INNER RING:

All the field devices that control the process should be included in the Inner ring.
It is possible that due to non criticality some devices can be connected to the outer ring, but in order to have a uniform system avoid putting any I/O device on the outer ring. The PLC's, DCS, SCADA, TMR and other systems used to control and ensure safety of the plant fall in the inner ring. In case there is an APC or Database Server that is used for controls then the same can be in the inner ring.

Outer Ring Devices:

Outer Ring devices can be MIS devices, systems that interface to I&C systems for passing data to and from ERP systems or other higher end systems. You can put a couple of Scanners or data loggers etc. on the Outer Ring due to its non criticality, but this could one day lead to other devices coming into the outer ring.

Interface Devices:

Interface devices connect the inner and outer rings. One of the chief properties of the Interface Devices is that they do not connect intelligently (RS232 or RS 485 or Ethernet or such communications) to the Inner ring. The connection to the inner ring is by means of Analog signals (4 to 20 mA, 1 to 5V etc.) and Digital I/O's like contacts etc. This data is connected on the inner ring to some I/O cards and processed as per regular I/O processing. There are limits on values so that rogue values do not enter the system.

The Interface devices can connect via ethernet or communication to outer ring devices, they can also be a part of the outer ring devices and do the processing of received data.

With such a scheme, you can connect your plant to the outside world and the worst case scenario is limited to a plant trip or theft of data. Even internet access limits your liability to loss of data and in some cases to safer trips. Again things depend on implementation.

Anand krishnan Iyer
[email protected]

*****************************************************************
YES! You can get digests, or limit messages by topic. See http://www.control.com/control_com/alist/ for details.
Before posting, please read http://www.control.com/control_com/alist/faq_html.
The Automation List is managed by Control.com Inc.

#### Alex Pavloff

For another look on this topic (half amusing, half scary) at what can happen when you set things up without considering the security implications.

People can drive around in San Francisco with a wireless LAN card and GPS receiver on a laptop running simple software that attempts to connect to all wireless networks. After a short drive, a nice list of wireless networks is displayed. Most wireless networks aren't even secured, and most of those are secured badly. This is done with $150.00 off the shelf hardware.

http://www.theregister.co.uk/content/8/18285.html
Now my question: Do you guys using radio or other wireless devices in your
plants and machines out there give any thought to security? Do you ask your
vendor this, do you do any research on this? You should.

Alex Pavloff
Software Engineer
Eason Technology

#### Timr

Good Day,

Any wireless access should require password authentication each time a user logs on with an automatic lockout and alarm with too many invalid entries. This is as much protection as any remote or local network connection can provide, wired or wireless. VPN and other security measures are always evolving and improving. There is too much potential benefit with the new low cost wireless networking equipment to ignore. Bluetooth I/O and wireless LANs were the most impressive products at the Industrial Automation Show. These new wireless devices from Zoom can connect a line of sight connection up to a mile. No license required.

Timr.
up to 1 mile (1.6km) point-to-point unobstructed line of sight at 2 MBps
http://www.zoom.com/zoomair/zaaops.shtml

#### Michael Griffin

Anand wrote:
<clip>
>Today, in this Cyber-age and the forthcoming eras we will, in addition
>to the present day issues, deal with safety issues from outside of the
>plant. This safety will also relate to cyber crimes like:
>
> 1.. Snooping for getting our technical expertise and process
>improvements.
> 2.. Economic attacks from competitors.
<clip>
> 3.. Economic attacks from enemies of your country.
> 4.. Attacks by enemies during a war or from terrorist organizations.
<clip>
You could also add to the list attacks by hackers who are not
interested in your plant. Rather, they just want to take over your computers
to use them to attack their real target. The article on the GRC web site
(which was the subject of a recent discussion here) mentioned that the
hacker who was attacking GRC used (if I remember correctly) approximately
175 computers belonging to various other people around the world to launch
the attack.

**********************
Michael Griffin
**********************

#### Seib, Larry

I would not worry about terrorists,
they would rather attack market places or downtown areas,
rather than injure or kill a few people in a remote factory.

In war time situations, how is the "enemy" going to drive around
and collect all this data, let alone disrupt it. Bombs are pretty
disruptive too.

#### timr

I totally agree that a critical industrial process with safety issues
should not be controllable from a wireless network. The local process
should run stand alone by PLC or dedicated PC control. The wireless
network is for information delivery directly to managers fingertips
anywhere they may be, providing real time information to help make more
intelligent decisions from anywhere in the world. The interbuilding
wireless links are for information gathering, not for controlling local
process. However a manager could use that information to send an instant
message to a plant floor operator to quickly adjust a process. Any
wireless sensor usage should be reliable and secure and not used where
there are critical safety issues.

#### Jiri Baum

Anand:
> There are no solid passwords or encryptions which are guaranteed "break
> proof".

Technically, there is an exception (one-time pad), but in general that's
true. And one-time pad is seriously inconvenient.

> With changing technologies, these encryptions and password protections
> will be valid only for a brief period of time till someone breaks it.

Yes. However, using best-available encryption will delay this (and provide
evidence of reasonable care).

Keeping up with encryption is, of course, a problem.

Jiri
--
Jiri Baum <[email protected]>
http://www.csse.monash.edu.au/~jirib
visit the MAT LinuxPLC project at http://mat.sourceforge.net

#### Curt Wuollet

I would merely add that the people pushing this stuff should be viewed with extreme skepticism. They are the same folks that want all your data on their machines. I can't imagine a worse scenario for mission critical systems.

Regards

cww

#### Anand

Hello Timr,

When you talk of evolving, Well, that exactly is my issue. We are talking of evolving and improving technologies. The C-NET article clearly states that what exists today is not secure.
Now for a Software network, an office or for an ISP the loss is in economic terms and there is harassment. But for I&C, the loss is Ecological and human lives in addition to economic and harassment.

I am not denying that there will be cost benefits, but in most automation solutions, the implementations deal with handling hazardous materials, toxic materials, and there are risks to the operators. Compare this cost against the total cost or the cost resulting due to an
outage because of weak security. Will that be beneficial? In these processes, the I&C engineer cannot take a chance that someone may penetrate the network and intentionally or otherwise cause damage to personnel, environment or neighbourhood.

In fact I&C cannot afford to connect safety systems to a public network. The connection should have a non intelligent bridge for the sake of safety.

Anand
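
As an added example (not part of the original thread, and not code from any poster or vendor), this is the "non intelligent bridge" of Anand's scheme seen from the inner ring: a remote setpoint request arrives only as a 4 to 20 mA signal plus a permit contact, and regular I/O processing applies limits so that rogue values do not enter. The channel structure, function names, span, limits and the NAMUR NE 43 style loop-fault thresholds are assumptions made for this example.

```c
#include <stdio.h>

/* Assumed loop-fault thresholds in mA (the common NAMUR NE 43 convention):
   at or below 3.6 or at or above 21.0 the loop is treated as failed. */
#define MA_FAULT_LOW   3.6
#define MA_FAULT_HIGH 21.0

typedef enum {
    SP_ACCEPTED, SP_CLAMPED, SP_RATE_LIMITED, SP_HELD_FAULT, SP_HELD_NO_PERMIT
} sp_status;

/* Hypothetical inner-ring channel for one remotely requested setpoint. */
typedef struct {
    double eng_lo, eng_hi;     /* engineering value at 4 mA and at 20 mA */
    double limit_lo, limit_hi; /* window the inner ring is willing to accept */
    double max_step;           /* largest change allowed per scan */
    double current;            /* setpoint currently in force */
} sp_channel;

/* One scan of regular I/O processing. The outer ring can only move a current
   loop and close a contact; every decision is taken here, inside the ring. */
sp_status sp_scan(sp_channel *ch, double loop_ma, int permit_contact)
{
    /* Written so that NaN also counts as a fault. */
    if (!(loop_ma > MA_FAULT_LOW && loop_ma < MA_FAULT_HIGH))
        return SP_HELD_FAULT;          /* broken wire, short, or forced signal */
    if (!permit_contact)
        return SP_HELD_NO_PERMIT;      /* discrete permit contact is open */

    double req = ch->eng_lo + (loop_ma - 4.0) / 16.0 * (ch->eng_hi - ch->eng_lo);
    sp_status st = SP_ACCEPTED;
    if (req < ch->limit_lo) { req = ch->limit_lo; st = SP_CLAMPED; }
    if (req > ch->limit_hi) { req = ch->limit_hi; st = SP_CLAMPED; }

    double step = req - ch->current;
    if (step > ch->max_step)  { req = ch->current + ch->max_step; st = SP_RATE_LIMITED; }
    if (step < -ch->max_step) { req = ch->current - ch->max_step; st = SP_RATE_LIMITED; }

    ch->current = req;
    return st;
}

/* Constructed channel: 0..200 degC span, accepted window 80..120 degC,
   at most 5 degC change per scan, starting at 100 degC. */
sp_channel demo_channel(void)
{
    sp_channel ch = { 0.0, 200.0, 80.0, 120.0, 5.0, 100.0 };
    return ch;
}

int main(void)
{
    static const char *names[] = { "accepted", "clamped", "rate-limited",
                                   "held (loop fault)", "held (no permit)" };
    /* Constructed samples: {loop current in mA, permit contact state}. */
    const double samples[][2] = { {12.0, 1}, {20.0, 1}, {20.0, 1}, {2.0, 1},
                                  {22.5, 1}, {12.0, 0}, {4.0, 1} };
    sp_channel ch = demo_channel();
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        sp_status st = sp_scan(&ch, samples[i][0], (int)samples[i][1]);
        printf("%5.1f mA permit=%d -> %-18s setpoint %.1f\n",
               samples[i][0], (int)samples[i][1], names[st], ch.current);
    }
    return 0;
}
```

Whatever the outer ring sends, the setpoint in force never leaves the configured window and never moves faster than the per-scan step, which is the sense in which the worst case is bounded by the inner ring's own limits.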

#### Anand

There are no solid passwords or encryptions which are guaranteed "break proof". With changing technologies, these encryptions and password protections will be valid only for a brief period of time till someone breaks it.

The article on C-NET a few days back (reference given in the first Mayhem mail) infers that even 124 bit eth card is not totally safe.

Anand

#### Jim Pinto

timr wrote :

>critical industrial process with safety issues
>should not be controllable from a wireless network.

I don't agree that a wireless network is NOT safe.
These days, people trade-stocks and update bank-accounts with wireless connections.

With the right level of encryption, a wireless connection can be made as safe as any hard-wired connection.

Yes, I know - it "feels" insecure.

Cheers:
jim
----------/
Jim Pinto
email : [email protected]
web: www.JimPinto.com
San Diego, CA., USA
----------/

#### Anand

Hello Larry Seib,

A good I&C engineer would worry about everything. If you enter a good process industry then you will find procedures for everything. Getting
to do a 15 minute work may have three hours of procedures preceding it and following it. This could be due to standards that have been
established due to previous accidents etc.

Toxic and hazardous plants can cause extensive damage to ecology, human life and economics. Their being targets cannot be ruled out. In the
present circumstances, the presence of security guards, the isolation of the complex from the external world offers security to the
neighbourhood, ecology and economy.

In 1985, a toxic release from the Union Carbide plant in Bhopal in India killed thousands and even till this day people suffer its after effects
like miscarriages, physical deformities etc. Please visit suitable websites of this holocaust, to know the damage that is possible.

Attacking a market place with a bomb involves a lot of risk to the terrorist. Attacking your plant is a simple task of carrying a radio or
being on the internet or any means of entering your network. On the internet the terrorists could be blocked or traced but on wireless I
doubt if there will be means of even tracing their whereabouts!

Again in War, America is safeguarded because the enemy planes have to cross a long distance to reach America. But if a toxic plant is unsafe,
then an enemy agent with a radio or internet access could do what a few bombs may not be able to do!

The Enemy will not collect data at the time of attack, but data will be collected and used at the time of attack. In other words, if your network has been breached, then nothing needs to
be done till the time the breach is to be used.

Anand

#### Anand

Hello Jim,

It is not just an insecure feeling, but a fact that even the best encryptions get broken and you have to be continually abreast of the trends and there is always the time lag between a breach of code and a fix. Cases like Lion worms for Linux, and the countless worms, trojans, viruses on MS etc., establish this trend.

People do exchange stocks and bank online and mind you there are online frauds which may or may not get reported. While these frauds are generally economic in nature, a breach network of
a toxic process could lead to ecological and human damage which cannot be accepted.

I&C never takes any kind of intentional or unintentional risk due to this reason.

Wireless though an option in economic applications is a strict no-no for I&C.

The skill levels of I&C engineers in commercial IT and Security issues is quite less. Mind you, more than 70% of I&C engineers world wide may not be able to configure firewalls, or update them in time, while they may keep themselves abreast of developments in I&C, updates on IT and regular upgrades in I&C systems may not be possible.

Can you upgrade your encryption? Imagine a system which cannot be shutdown even once in a year (maybe once in two years), upgrade of the
encryption may not be possible for 2 years if a reboot is required!

Anand

#### Timr

The safety issues do not apply only to wireless. It is the same with a wired network. Remote controlling a process from a distance can be dangerous.

#### Timr

Proven technologies are reliable but new technologies can provide a
competitive edge. Which is more important for a business to succeed?
Timr.

#### Ed Mulligan

Knowing _when_ to make the jump from proven to new in actual production use.
Too soon and you fight too many problems. Too late and you get left behind.

Ed

Speaking for me, not for Starbucks. . .

#### Anand

O Progress! My Progress!

But e or i,
those two vowels are the letters,
of the day.
We need to wake up,
the manager sleeping with spouse,
Interest lost in all present activities,
manager now,before sleep prays,
"Almighty god, let my plant, not trip
well, at least till dawn."

The Control engineer,
in his fishing trip,
needs to solve the issue,
"Transmitter X to be calibrated,
Transmitter out of range."
The fish so near his hooks,
He now picks his mobile,
spends some money on air,
"Calibrate Transmitter X,"
he tells his technician.
remember procedure 123654
of SOP manual XXIV"

We arm these personnel,
"Press red button here, and the
arrow key pointing to heaven,
And the valve is bypassed,
you could do it from Mars too!"
Or that someone else,
Agent of the two horned fellow,
With a tail too,
from the burning hot place,
who could emulate it for you.

A few thousands reach god,
and thousands the devil,
A few thousand exit the journey,
to earth and join swarg(heaven),
Others reborn as earthworms or people still.
And the city a ghost town now,
soil with toxic waste spilled,
air gone all foul,
And water is now a chemical compound.

near the plant it was.
connected to the e and i vowels,
misused by some,
in a proxy war.
The innocent are dead and war goes on,
Two more cities, of theirs, have been razed,
In retribution.
But the dead do not come out alive.

Oh Progress! My Progress!
What do we spend our energies on,
More and better sensors,
better connectivity between our networks,
cost reduction in our final prices,
better safety standards so
workperson's are not injured,
better MTBF and MTTR,
better waste treatment strategies,
so the world is a better place.
or on e and i.

Anand

I am very happy since no one has denied any merit on the write up. Every one believes that it can be done, but what is disputed is whether anyone will have the will to do it.

Well I won't be doing it and I can rest assured that no one else in the list may do it. In fact most of us in the List may not be expert hackers or crackers to make this possibility a reality.

Anyway,
Very recently, there was an article in a leading journal of automation field in this part of the world, on network security.
The good natured person who had written it and his fellow engineers connect to the net, to surf for hot jobs and some news and some pictures and download their e mail.
Half of them do not know what port 8080 stands for.
The article, perhaps the handiwork of notes and study, seemed confused at places between cryptography and firewalling.
Well, this is not to say that the article was bad, it was well received.

I am not sure whether this person had the fortune to meet that 17 year old, two time flunkie, who can enter the most secure networks and exit
without a trace, or create a false trail pointing elsewhere.

I am not here to stop progress.
But every new technology needs to be critically analyzed before it becomes a member of our control systems.
More so for processes that are hazardous or toxic or both.
In processes where only loss of information or economic loss is a final possibility, well .....

Anand