In a slide presentation at the January 2006 BlackHat Federal Conference, David Maynor, who was at that time an R&D research engineer for Internet Security Systems (ISS) X-Force, and his ISS colleague Robert Graham (both are now founders and top executives at Errata Security) presented an analysis of supervisory control and data acquisition (SCADA) system security. It included anonymized evidence from many penetration tests of many organizations using SCADA systems, including power companies. Some of their results even came from first encounters with company executives who were foolishly confident that their SCADA systems were not at risk.
Maynor and Graham summarized the basic architecture of SCADA systems as multi-tier, with physical measurement and control endpoints that serve as sensors and actuators. The processors for these sensors and actuators generally run on ordinary commercial operating systems such as VMS, Unix, Windows and Linux, and the human interfaces often run on MS-Windows systems.
Maynor and Graham stress that despite blithe assertions by non-technical power-industry executives, the SCADA networks and protocols do not isolate SCADA data from human intervention and administrative networks. At the most fundamental level, they argue, "Data flows up to humans, commands flow down." If the human operators also have access to the Internet on the same devices through which they control the human-machine interfaces (HMI), the threat of penetration of the SCADA networks increases. Furthermore, many SCADA networks lack effective identification, authentication and authorization schemes to control access to the control systems. Firewalls are often missing because they slow down network throughput and therefore harm response time for critical actions in cases of trouble.
In practice, SCADA systems lack authentication, are not patched at all (because there never seemed to be any need for patches), and are generally viewed as unconnected to the Internet. However, the authors' experience shows that on the contrary, SCADA systems are typically subject to multiple undocumented, uncontrolled interconnections. The problem is worsened by inadvertent interconnections when security-unaware users connect mobile devices such as notebook computers to SCADA systems while they are simultaneously connected to other networks – including direct connections to the Internet – through wireless connections.
Maynor and Graham offer a series of real-world examples that must alert the power industry to the discrepancy between comfortable assumptions and reality. The ISS X-Force penetration team specialists used simple, widely-available tools and techniques for their analyses, including:
• Simple password guessing
• Structured Query Language (SQL) injection
• Port scanning
• Simple Network Management Protocol (SNMP) Management Information Base (MIB) walking
• Anonymous File Transfer Protocol (FTP), Server Message Block (SMB) null sessions, and Telnet with no password
• Sniffing
• Old and common exploits on unpatched systems
• Backdoors and Trojans
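Two of the findings above lend themselves to a simple detection check that a defender can run over flow records: the undocumented interconnections between the control network and other networks (including operator workstations that also reach the Internet), and the use of services on the control segment that the team found commonly left unauthenticated (Telnet, anonymous FTP, SNMP, SMB null sessions). The script below is an added example written for this summary, not code from Maynor and Graham or ISS; the subnet ranges, the flow records and the port-to-service table are constructed assumptions, and a real deployment would read exported flow or firewall logs instead.

```python
"""Flag SCADA-boundary crossings and weakly authenticated services in flow records.

Added example, not part of the original presentation. Assumptions:
  * the control network is 10.10.0.0/16 and the corporate LAN is 10.20.0.0/16
    (constructed values);
  * flow records are (src, dst, dst_port, proto) tuples, as a collector would export.
"""
from ipaddress import ip_address, ip_network

# Constructed zone definitions. Anything outside both is treated as external.
SCADA_NET = ip_network("10.10.0.0/16")
CORP_NET = ip_network("10.20.0.0/16")

# Services the article lists as routinely found without authentication on SCADA hosts.
WEAK_SERVICES = {21: "ftp", 23: "telnet", 161: "snmp", 445: "smb"}

# Constructed sample flows: (src, dst, dst_port, proto).
SAMPLE_FLOWS = [
    ("10.10.1.5", "10.10.1.20", 502, "tcp"),   # HMI to controller, Modbus/TCP: expected
    ("10.10.1.5", "10.10.1.21", 23, "tcp"),    # Telnet into a controller
    ("10.10.1.30", "10.10.1.20", 161, "udp"),  # SNMP poll of a controller
    ("10.10.1.5", "203.0.113.9", 443, "tcp"),  # the same HMI host browsing the Internet
    ("10.20.3.7", "10.10.1.22", 445, "tcp"),   # corporate host reaching a SCADA host over SMB
    ("10.20.3.8", "10.20.3.9", 445, "tcp"),    # corporate-only traffic, outside our scope
]


def classify(addr):
    """Return the zone name for an address: 'scada', 'corp' or 'external'."""
    ip = ip_address(addr)
    if ip in SCADA_NET:
        return "scada"
    if ip in CORP_NET:
        return "corp"
    return "external"


def cross_boundary(flows):
    """Flows where exactly one endpoint is on the control network.

    Returns (scada_host, peer, peer_zone, dst_port) so an analyst sees which
    control-network host is bridging to which other zone.
    """
    hits = []
    for src, dst, port, _proto in flows:
        zs, zd = classify(src), classify(dst)
        if zs == "scada" and zd != "scada":
            hits.append((src, dst, zd, port))
        elif zd == "scada" and zs != "scada":
            hits.append((dst, src, zs, port))
    return hits


def weak_services(flows):
    """Flows toward a control-network host on a service from WEAK_SERVICES."""
    return [
        (src, dst, WEAK_SERVICES[port])
        for src, dst, port, _proto in flows
        if classify(dst) == "scada" and port in WEAK_SERVICES
    ]


def report(flows):
    """Human-readable summary of both checks, one finding per line."""
    lines = []
    for host, peer, zone, port in cross_boundary(flows):
        lines.append(f"BOUNDARY  {host} <-> {peer} ({zone}) port {port}")
    for src, dst, svc in weak_services(flows):
        lines.append(f"WEAK-AUTH {src} -> {dst} via {svc}")
    return lines


if __name__ == "__main__":
    for line in report(SAMPLE_FLOWS):
        print(line)
```

On the constructed flows the boundary check reports the HMI host that also reaches an external address and the corporate host reaching into the control network, and the weak-service check reports the Telnet, SNMP and SMB connections to controllers. Both checks are deliberately coarse: they are meant to surface the interconnections the article says executives believe do not exist, not to replace an inventory or a firewall policy.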
In the next of this two-part summary, I'll conclude with some simultaneously awful and hilarious SCADA-security case studies by these penetration-testing experts.