Cyber Impacts on Industrial Control Systems-- Invensys reprises Eric Byres

Oct. 4, 2005
Byres, who set out a decade ago to make himself the world's leading authority on process control security, and who has put lowly little British Columbia Institute of Technology on the map for politicians, regulators, process control experts, standards bodies, and the entire hacker community, returned for a second straight year to talk turkey about cybersecurity. He brought new data with him, too.

When he started, Byres remembered, it was really about "separating fact from fiction. We needed a realistic assessment of risk; what was urban myth, how urgent was the risk, what vulnerabilities, what threat sources were there, and how serious were the consequences of the threats." So BCIT created the ISID, the industrial security incident database, which now has tracked over 100 incidents from 17 contributor companies all around the world, and across all industry verticals where process automation systems are used.

The data shows a sharp change in the number of incidents between 2000 and 2001, continuing through 2003 at a very high level, and tailing off slightly through 2005. Byres believes that the number of incidents will never return to pre-2000 levels. He also noted that the nature of the problems shifted radically beginning in 2001. From 1982 to 2001, accident accounted for over 58% of incidents, while external threats accounted for 28% and inside jobs accounted for 15%. But since 2001, external attacks have climbed to 61% of threats, a major increase, while accident has remained stable at about 32%, and inside jobs drastically declined to 2%, while audits and other incidents rose to 5%.

Why the shift, Byres asks. "Well, it is not a reporting artifact," he insisted. "We've checked that out thoroughly and it is a real issue." Byres thinks there are three possibilities:

1. The nature of malware changed in 2001/2002
2. Widespread adoption of TCP/IP and Ethernet technologies
3. SCADA is now on the hacker and public radar since 9/11

What does this mean?
The landscape has permanently changed, Byres insists, and companies who are using pre-2001 solutions are in deep danger. Companies need new solutions to these new risks, or "you're throwing money away." According to Byres, malware is now accounting for 2/3 of incidents in recent years. This, he noted, seems to match IT trends. "What has been surprising," he said, "is the high level of sabotage reported, over 13%!" Worms are the real problem: over 88% of incidents involve a worm. "Slammer" is still the number one problem on the plant floor. However, while malware may be the most common threat, it is not the most expensive. Of the incidents where the cost exceeds $100k, almost 79% are accidents and 21% sabotage, Byres reported.

Where are the attacks coming from? 56% of attacks are remote, with only 2% being physical. Local attacks comprise about 27% of the total, with "other" amounting to about 15%, Byres claims. Nearly half the problems came "from the business system right through the firewall!" Byres exclaimed. "I am not happy," he continued, "with the state of firewalls." Even though people have been warned against this practice for years, approximately 17% of attacks actually still come from direct connection to the Internet. This is seen a lot in water SCADA systems, Byres reported. Byres pointed out that there are many infection vectors, and many "back doors."

New challenges, according to Byres, include the fact that hacking is no longer about fun and script kiddies. It is now a business with significant ties to worldwide organized crime. Targeted worms are now becoming common, and info-spying is becoming the principal goal of hacking. "We might have seen a custom process control worm recently," Byres confided. "We're still studying it."
Byres reported on a "grey hat/black hat" convention held very recently called TOORCON7, and quoted from "Talk #16: SCADA Exposed" and noted that this talk revealed a great many vulnerabilities in all the most common SCADA and DCS systems.

____________________________________________________________________________________________________________

A Special Sidebar From Dale Peterson's SCADA SECURITY blog: 2005-09-28

SCADA Exposed and Other Fare from Toorcon7

I did not attend Toorcon7, but presentation materials were posted over the weekend, including those for SCADA Exposed, an interesting presentation by Mark Grimes. Although much of the background material has been seen at previous venues, this talk provided among the most detailed (if not entirely comprehensive) treatment of SCADA protocol vulnerabilities discussed in a public forum, let alone at a non-industrial security conference. Whether we will continue to see more of this type of research presented at IT security conferences such as BlackHat or Cansecwest, only time will tell.

Two talks on threat vectors that I wish I could have seen were You are the Trojan which outlined non-traditional (primarily hardware) means of exploitation and The Web Vector: Exploiting Human and Browser Vulnerabilities, which (among other things) described the use of honey clients to find malicious web sites.

Check them out!


_________________________________________________________________________________________________________________

One of the biggest security challenges in process automation, Byres claims, is DCOM. Someone shouted out from the audience, "DCOM is evil!" Byres seemed to agree, and noted, "DCOM is the foundation for OPC, which makes DCOM a vector now!" Byres continued, "This is a big problem, because OPC is NOT SECURE!" This is a huge issue, he insisted, and must be addressed real soon or it will bloom into big big trouble. "Companies still don't understand the risk," he said, "and it is very hard to show ROI...and beyond that, most companies do not have an enterprise wide coherent security policy for the corporation."

A recent IEEE report concluded that 80% of all firewall installations in industry have major holes, Byres reported. Out of the 37 firewalls studied, 5 were good. "What 'good' means," Byres elucidated, "is that they had three or fewer major holes." He continued, "If IT departments have this much trouble, what about the poor, lowly Process Control Network?"

Byres' advice:

* Defense in depth: the bad guys will still get in
* Harden the plant floor
* Best Practices Guides for patch management, domain management and group policies and objects (ACL)
* Quickly find/create a secure DCOM replacement

In addition, Byres notes that there are huge embedded system weaknesses in such devices as PLCs, DCS controllers, RTUs, etc. PLCs fail when scanned, indicating extremely bad TCP/IP implementation; RTUs violate basic TCP standards, and so forth. We also need, he proclaimed, a complete suite of Quality Assurance testing tools for security so that we can find vulnerabilities before we deploy the software. These tests are required for even a basic level of assurance. BCIT has developed a software suite called Achilles. Achilles is a GUI-based security test platform that coordinates multiple Linux testing tools. It automates most vulnerability testing.
Concluding, Byres said that a key issue going forward will be how to get the word out safely. "We need to encourage," he said, "companies to share to the database, find a secure method of reporting and reading vulnerability information, and methods to fairly and legitimately get vulnerability information to vendors." He also recommended that the first step in creating standards for industry was to generate 'best practices' and recommendations for how to handle legacy systems. He also called for improvements to the QA standards in the industry.