
SCADA security and terrorism: The X-Force Report

Security Strategies Alert By M. E. Kabay, Network World
November 15, 2010 12:05 AM ET

The long view of security strategies for your network.

In a slide presentation from the January 2006 BlackHat Federal Conference, David Maynor, who was at that time an R&D research engineer for Internet Systems Security (ISS) X-Force, and his ISS colleague Robert Graham (both are now founders and top executives at Errata Security) presented an analysis of supervisory control and data acquisition (SCADA) system security that included anonymized evidence from many penetration tests of many organizations using SCADA systems, including power companies. Some of their findings even came from first encounters with company executives who were foolishly confident that their SCADA systems were not at risk.

Maynor and Graham summarized the basic architecture of SCADA systems as multi-tier, with physical measurement and control endpoints that serve as sensors and actuators. The processors for these sensors and actuators generally run on ordinary commercial operating systems such as VMS, Unix, Windows and Linux and the human interfaces often run on MS-Windows systems.

Maynor and Graham stress that despite blithe assertions by non-technical power-industry executives, the SCADA networks and protocols do not isolate SCADA data from human intervention and administrative networks. At the most fundamental level, they argue, "Data flows up to humans, commands flow down." If the human operators also have access to the Internet on the same devices through which they control the human-machine interfaces (HMI), the threat of penetration of the SCADA networks increases. Furthermore, many SCADA networks lack effective identification, authentication and authorization schemes to control access to the control systems. Firewalls are often missing because they slow down network throughput and therefore harm response time for critical actions in cases of trouble.

In practice, SCADA systems lack authentication, are not patched at all (because there never seemed to be any need for patches), and are generally viewed as unconnected to the Internet. However, the authors' experience shows that on the contrary, SCADA systems are typically subject to multiple undocumented, uncontrolled interconnections. The problem is worsened by inadvertent interconnections when security-unaware users connect mobile devices such as notebook computers to SCADA systems while they are simultaneously connected to other networks – including direct connections to the Internet – through wireless connections.

Maynor and Graham offer a series of real-world examples that must alert the power industry to the discrepancy between comfortable assumptions and reality. The ISS X-Force penetration team specialists used simple, widely available tools and techniques for their analyses, including:
• Simple password guessing
• Structured Query Language (SQL) injection
• Port scanning
• Simple Network Management Protocol (SNMP) Management Information Base (MIB) walking
• Anonymous File Transfer Protocol (FTP), Server Message Block (SMB) null sessions, and Telnet with no password
• Old and common exploits on unpatched systems
• Backdoors and Trojans.
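The two findings above that a defender can act on directly are the "data flows up, commands flow down" model and the undocumented interconnections that violate it: HMI workstations that also reach the Internet, and services such as Telnet, anonymous FTP, SMB null sessions and SNMP reachable on control-network hosts. The script below is an added example, not code from the X-Force presentation or from this column. It reviews flow records (a constructed five-field format, an assumption) against a hypothetical control-network layout and flags each record that contradicts the model: an HMI talking outside the control network, any host outside the control network reaching into it, an unauthenticated-by-default service aimed at a SCADA endpoint, and a control-protocol command from something other than an HMI. Addresses, host roles and the port-to-service table are assumptions chosen for the example.

```python
"""Flag flows that contradict the 'commands flow down from HMIs' model.

Added example; layout, log format and sample flows are constructed assumptions.
"""
import ipaddress
from collections import namedtuple

# Hypothetical layout (assumption, not from the presentation)
SCADA_NET = ipaddress.ip_network("10.50.0.0/16")    # control network
HMI_HOSTS = {"10.50.1.10", "10.50.1.11"}            # operator HMI workstations
# Services the column says were reachable with weak or no authentication
UNAUTH_PORTS = {21: "ftp", 23: "telnet", 161: "snmp", 445: "smb"}
# Control-protocol port (Modbus/TCP); commands to field devices should come only from HMIs
COMMAND_PORTS = {502: "modbus"}

Finding = namedtuple("Finding", "line reason")


def parse_flow(line):
    """Parse one constructed flow record: '<timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return ts, ipaddress.ip_address(src), ipaddress.ip_address(dst), int(dport), proto


def classify(line):
    """Return the list of policy violations a single flow record exhibits."""
    _, src, dst, dport, _ = parse_flow(line)
    reasons = []
    src_is_hmi = str(src) in HMI_HOSTS
    # An HMI that reaches anything outside the control network is dual-homed in practice
    if src_is_hmi and dst not in SCADA_NET:
        reasons.append("hmi-host-external-egress")
    # Anything entering the control network from outside is an undocumented interconnection
    if src not in SCADA_NET and dst in SCADA_NET:
        reasons.append("external-ingress-to-scada")
    # Cleartext / null-session services offered by a control-network host
    if dst in SCADA_NET and dport in UNAUTH_PORTS:
        reasons.append("unauth-%s-to-scada" % UNAUTH_PORTS[dport])
    # Commands must flow down from an HMI, not from an arbitrary host
    if dst in SCADA_NET and dport in COMMAND_PORTS and not src_is_hmi:
        reasons.append("command-from-non-hmi")
    return reasons


def scan(lines):
    """Run classify() over every record and return one Finding per violation."""
    return [Finding(line, reason) for line in lines for reason in classify(line)]


# Constructed sample flows illustrating the cases the column describes
SAMPLE_FLOWS = [
    "2010-11-15T08:00:01 10.50.1.10 10.50.20.5 502 tcp",    # HMI -> PLC: expected
    "2010-11-15T08:00:02 10.50.1.10 203.0.113.5 443 tcp",   # HMI browsing the Internet
    "2010-11-15T08:00:03 192.168.7.22 10.50.20.5 23 tcp",   # office laptop, Telnet to RTU
    "2010-11-15T08:00:04 10.50.1.11 10.50.20.7 161 udp",    # SNMP from HMI to device
    "2010-11-15T08:00:05 192.168.7.22 10.50.20.5 502 tcp",  # office laptop issuing Modbus
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_FLOWS):
        print(finding.reason, "<-", finding.line)
```

Only the first sample flow passes cleanly; the other four produce six findings between them. In a real deployment the record source would be firewall, NetFlow or span-port data rather than a constructed list, and the value of the check is exactly that it surfaces interconnections nobody documented.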

In the second part of this two-part summary, I'll conclude with some simultaneously awful and hilarious SCADA-security case studies from these penetration-testing experts.


M. E. Kabay, PhD, CISSP-ISSMP, specializes in security and operations management consulting services and teaching. He is Chief Technical Officer of Adaptive Cyber Security Instruments, Inc. and Associate Professor of Information Assurance in the School of Business and Management at Norwich University. Visit his Web site for white papers and course materials.
