SCADA security: A real-world case study

Friend and colleague Professor Michael Miora, CISSP-ISSMP, FBCI has contributed the following interesting case study to the series of columns on the security of supervisory control and data acquisition (SCADA) systems. All of the following is entirely Miora's own work with minimal editing.

* * *

A few years ago, my consulting organization was asked to perform a security assessment of the SCADA system for a large water and power company in a large metropolitan area, with service and resources spread across an even larger geographical area. This article and the next tell the story of that initial assessment, the organization's follow-through, and the repeat assessment a decade later. To protect client confidentiality, any details that could identify the organization under discussion have been intentionally modified or eliminated.

Why the assessment?

The company was appropriately concerned about internal and external sabotage, system and physical failures and breaches of various sorts. Their auditors asked about the security of their SCADA systems and they could not provide good answers. As usual, the motivation for the assessment was driven in part by an honest effort to determine the security posture of the systems and in part by external forces, in this case the auditors.

Regardless of the reason, the company undertook to have an assessment done. They did some research and determined their best course was to avoid a formal solicitation, electing to do a selected source contract with a consulting company the key personnel knew well. The overall goal was to identify vulnerabilities that could cause or allow service interruption, degradation or compromise of information and then to establish potential remediation. It is important to note that this assessment was launched and completed prior to the 9/11 terrorist attack.

The assessment process

In most ways, the SCADA assessment was very similar to other types of security assessments. The process included physical and virtual inspections of systems and facilities. We reviewed code where it was practicable to do so; we inspected configurations and access tables. We also reviewed a wide variety of documents establishing policies and practices, summarizing incidents, and providing configuration information. We performed various tests, on site and off site, from inside the network and from outside the network. We attempted various types of penetrations and analyses of visibility into the network.

The assessment also had its unique characteristics. The analysis by nature included visits to water distribution and processing facilities, electrical distribution and waystations and down into manholes. We dispensed with the coat-and-tie consultant image for some of these visits. The purpose of these visits was to determine the level of protection given to computer and other equipment active at these locations. Clearly a computing element in such an environment, connected directly to the SCADA network, could be considered an important target and needed adequate and appropriate protection.

Some results

The assessment revealed some serious issues. The architecture had serious deficiencies; it did not provide infrastructure security, holding all systems and elements in one trust domain, and forcing individual elements to rely on their own configurations for security. It was shown that an attacker with no knowledge of this particular SCADA system could disable the systems from external locations.

Due to the inherent weakness of the architecture, the applications were forced to provide their own protections. Each application was therefore required to validate unique credentials and provide access based on the profile of the credentialed user. However, there was no overarching map of access control. Therefore, many applications assumed that users reaching the application had already passed through some previous, rudimentary access control mechanisms. The assessment determined that it was possible through trial and error to find a pathway through the systems without passing through any serious access control mechanisms.
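To make the architectural finding concrete, here is an added example (it is not part of Miora's column and not the client's system) that models a flat, single-trust-domain SCADA layout of the kind described as a reachability graph and audits it for the "overarching map of access control" the assessment found missing: it enumerates every pathway from an external entry point to a sensitive component that never crosses an element which actually validates credentials. The component names, the two topologies, and the remediation shown (a single authenticating gateway in front of the control network) are all constructed for illustration.

```python
"""Audit a component reachability graph for pathways that bypass access control.

Added example, not code from the original column. All component names and
edges below are constructed; they do not describe any real utility.
"""

# Constructed topology approximating the flat layout the assessment describes:
# every element sits in one trust domain, and each application decides for
# itself whether to validate credentials. Edges mean "can reach directly".
FLAT_TOPOLOGY = {
    "internet": ["corp_dialup", "vendor_modem"],
    "corp_dialup": ["scada_lan"],
    "vendor_modem": ["scada_lan"],
    "scada_lan": ["historian", "hmi", "pump_controller", "engineering_ws"],
    "engineering_ws": ["pump_controller", "hmi"],
    "hmi": ["pump_controller"],
    "historian": [],
    "pump_controller": [],
}
# Only the HMI prompts for a login; the controller and historian assume that
# anyone who reaches them has already been checked somewhere upstream.
FLAT_ENFORCERS = {"hmi"}

# Constructed remediation: external access funnels through one gateway that
# validates credentials before anything on the control LAN is reachable.
SEGMENTED_TOPOLOGY = {
    "internet": ["gateway"],
    "gateway": ["scada_lan"],
    "scada_lan": ["historian", "hmi", "pump_controller", "engineering_ws"],
    "engineering_ws": ["pump_controller", "hmi"],
    "hmi": ["pump_controller"],
    "historian": [],
    "pump_controller": [],
}
SEGMENTED_ENFORCERS = {"gateway", "hmi"}

ENTRY_POINTS = {"internet"}                       # where an outsider starts
SENSITIVE = {"pump_controller", "historian"}      # what must be gated


def unguarded_paths(topology, enforcers, entry_points, sensitive):
    """Return every simple path from an entry point to a sensitive component
    that does not pass through any credential-enforcing component.

    Exploration stops at the first enforcer on a path, because from there on
    the user has been validated; everything reachable only through an
    enforcer is considered gated."""
    found = []

    def walk(node, path):
        if node in enforcers:
            return  # path is gated here; nothing beyond it counts as exposed
        if node in sensitive and len(path) > 1:
            found.append(list(path))
        for nxt in topology.get(node, []):
            if nxt not in path:  # simple paths only
                path.append(nxt)
                walk(nxt, path)
                path.pop()

    for start in sorted(entry_points):
        walk(start, [start])
    return found


def exposed_components(topology, enforcers, entry_points, sensitive):
    """Set of sensitive components that an unauthenticated outsider can reach."""
    return {p[-1] for p in unguarded_paths(topology, enforcers, entry_points, sensitive)}


def access_control_map(topology, enforcers, entry_points, sensitive):
    """The overarching map the assessment found missing: for each sensitive
    component, whether every inbound path is gated or at least one is not."""
    exposed = exposed_components(topology, enforcers, entry_points, sensitive)
    return {c: ("EXPOSED" if c in exposed else "gated") for c in sorted(sensitive)}


if __name__ == "__main__":
    for label, topo, enf in (("flat", FLAT_TOPOLOGY, FLAT_ENFORCERS),
                             ("segmented", SEGMENTED_TOPOLOGY, SEGMENTED_ENFORCERS)):
        print(f"== {label} architecture ==")
        print(access_control_map(topo, enf, ENTRY_POINTS, SENSITIVE))
        for p in unguarded_paths(topo, enf, ENTRY_POINTS, SENSITIVE):
            print("  unguarded:", " -> ".join(p))
```

Run against the flat topology the audit lists six unguarded pathways (three per dial-in route) and marks both the controller and the historian as exposed, even though the HMI itself checks credentials; the segmented topology yields none, because every route from the outside now crosses the gateway. The value of maintaining this map is that it surfaces exactly the assumption the assessment found: an application that trusts "someone upstream already checked" is only safe if the graph proves that someone always does.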

More on this analysis in the next of these two articles.

About the authors

Michael Miora has designed and assessed secure, survivable, highly robust systems for industry and government over the past 30 years. Miora, one of the original professionals granted the CISSP in the 1990s and the ISSMP in 2004, was accepted as a Fellow of the Business Continuity Institute (BCI) in 2005. Miora founded and currently serves as president of ContingenZ Corporation. He was educated at UCLA and UC Berkeley, earning Bachelors and Masters Degrees in Mathematics. His published works include contributions to the definitive Computer Security Handbook, 4th and 5th Editions by Wiley & Sons. Miora is an adjunct professor in the MSIA Program at Norwich University and is a member of the editorial board of the Business Continuity Journal.


Copyright © 2010 IDG Communications, Inc.
