Penetrating SCADA systems reduced to a video game
Potpourri blog September 22-26
There is a significant lack of understanding by many in the water industry about control systems and control system security. The water industry touts the Recommendations of the CIPAC Metrics Work Group for Water dated June 2008 as the definitive work on security metrics. The Recommendations contain only one metric for SCADA (control system) cyber security:
The measure for SCADA protection capability: percent of SCADA transmission networks that are segregated from telephony or Internet networks. The specific questions are: What percent of your SCADA data transmission network is segregated from public telephony or Internet networks? What was the percentage on date X?
This metric is limiting and vague and is not adequate to assure security. Water is a significant user of microwave, radio, and other forms of wireless, yet these aren’t even addressed. The metric doesn’t address other critical issues with securing control systems. The answer from a water industry representative about why the metrics are so limiting for control systems is “we have to start somewhere”. This is almost the same mantra from the electric industry about the NERC CIPs.
Another measure of the water industry’s need to better understand control system cyber security is the set of questions from the Roadmap to Secure Control Systems in the Water Sector that were asked at a water SCADA security conference:
- How long could our utilities be operated manually?
- How would our operations change if we did not have SCADA working?
The right questions are:
- What would you do if your operators were provided the wrong information?
- What would you do if your pumps or valves were not operating as expected?
Until you can ask the right questions, you cannot answer the third question that was posed:
- How sure are we that our SCADA systems are secure?
Many of the attendees at the water meeting did not know what was meant by the term “SCADA”. It was just a ubiquitous term. The attendees from the IT organizations generally felt it was simply a Microsoft HMI and treated it accordingly. Generally, the Operations attendees treated SCADA as a system including field devices. With rare exception, the presentations at this week’s conference focused on the Microsoft HMI to the exclusion of the field devices. When one water utility was asked about penetration testing SCADA and possibly impacting control system field devices, the answer was it was OK because you can always restart the PLC. They even had controllers on their city LAN. The point is these presentations were viewed as best practices just as Patrick Ellis was specifically identified as an expert. It was mentioned at this meeting that water is now ahead of electric in securing control systems. Electric may not be very far, but water is still far behind.
How useful are the NERC CIPs? At least two utility executives have been given a list of potential NERC Critical Assets by their technical staff. In both cases, the executives didn’t like the list (too many) and told the technical staff to justify their number (which was significantly less). Additionally there are utilities that have deferred transmission upgrades, pulled black start capabilities, and pulled IP connections just to avoid the NERC CIPs. The net result is making the grid less reliable. Is that really the intent? There also is a concern that the nuclear utilities may try to play the same game the non-nuclear utilities have by using the loopholes in CIP-002 to exclude their generation assets. Hopefully, FERC and NRC will close that loophole and define all nuclear plants with electronic connections as critical assets that require meeting CIPs 003-009.
Tuesday, a meeting was held in Washington with approximately 60 high level utility executives including many CEOs. Congress, FERC, and DOD laid out the need for adequately securing electric utility control systems. Let’s hope the executives get it.
There has been a continuing blogathon on control system cyber vulnerabilities. What is being openly discussed is starting to get dangerous, with the hacking community directly monitoring or participating in the discussions. In fact, this week’s SANS Bytes (Vol. 10, Num. 76):
--Cyber War Games - You Are Invited
Come see this year's Integrated Cyber Exercise II (ICE II) October 1-3 at SANS Network Security 2008. ICE II will feature Paul and Larry of pauldotcom.com in a Hacker throw-down to see who is the best network attacker and defender. Paul and Larry will each have a major network to defend while they also attack each other. The event is open to all SANS Las Vegas attendees. Players can pick a side, defend their own network, attack at will or view and snipe from a distance. This year's event will feature more hardware including VoIP and SCADA. Enhanced scoring visualization and 3D graphics and even a complete traffic generator to hide the attackers. Come hang out in the spectator room and be eligible for random prize drawings sponsored by ThinkGeek, AirScanner, Syngress, CACE Technologies and Lone Pine Embroidery. Watch as phones, servers, cameras and even our own power grid are attacked and defended across three nights of fun, education and mayhem. Fortinet will be providing complete IDS monitoring and reporting while Core Security and Immunity will be demonstrating in the Red Cell room.
I find this disturbing in the least. SANS should not be addressing SCADA in this manner for any number of reasons.
Joe Weiss