Full Disclosure mailing list archives
SCADA makes you a target for terrorists
From: "Bernie, CTA" <cta () hcsin net>
Date: Mon, 18 Aug 2003 20:12:05 -0400
Back in 1998 the warnings were out there but no one wanted to hear it. I tried to get people to listen and their reply was, we have security guards with guns to take care of security. Now to be fair to SCADA and the Power Plants, there are other similar instrumentation monitoring solutions, and some installations are secure and well thought out. However, I believe that many are not and more importantly management does not understand that it's all about integrated System Security Engineering (or the lack thereof). Anyone still think the Blackout was an isolated incident?

SCADA makes you a target for terrorists
...Correcting the problem doesn't have to cost you anything but knowing what to do.
by Jared R.W. Smith
Institute of Gas Technology

Your SCADA system makes you an easy target for sophisticated terrorists. If you don't take corrective actions, current trends will make you a far more attractive target within the year. Welcome to the world of high-speed transactional efficiency, where you have to protect your biggest assets through new cyber security measures.

Cyber security relates to protecting the communication and computer networks of your whole company, including transactional and operating controls, against hackers, disgruntled employees, and some foreign nationals. It means ensuring that once traders or marketers come onto your system through the Web, or hackers break into your SCADA system, they can't read, alter, or destroy your records or physical operating controls.

Cyber assaults can be made against your system not just from within your company walls, but from thousands of miles away. They are electronic attacks, guided by computer-driven programs, and empowered by the steps our industry has taken to automate and cut costs in today's highly competitive world.
The attacks can be launched not only against the gas industry (in fact, the gas industry has unique safeguards that make it less vulnerable than many vital industries) but against any essential industry infrastructure. These infrastructures include banking and finance, telecommunications, electric power, transportation, and government services, among others. Because these infrastructures are now linked with your natural gas system and your service territory by automated links, all infrastructures are at risk due to each other's vulnerabilities.

Skilled assailants can go through the existing system of passwords and firewalls to break into information systems. This same procedure could permit an attacker to give incorrect directions to automated units on your SCADA network. The U.S. Intelligence Community is aware that it can be done, as are the Institute of Gas Technology and the Gas Research Institute. Foreign nationals in other countries also know that it can be done. Gas companies have detected attempts by unknown outside parties to enter utility networks. Presumably, those attempts at break-ins are currently just hackers trying to have fun. But not necessarily.

There is reason to believe that your computer systems are vulnerable. According to the Washington Times, National Security Agency officials have run a simulated attack on SCADA systems controlling the U.S. power grid as well as military systems. They believe they can shut down the electric power grid in a number of U.S. cities within days as well as disrupting important military communications worldwide by using tools available on the Web. This exercise, called Eligible Receiver, was performed by a dedicated group, but the NSA and the Department of Defense think this may be exactly what industry will confront in the coming years. The U.S. Intelligence Community believes that the next major war could be fought largely through breaking into and taking over the automated systems that hold a country's infrastructures together.

Further examples can be given. There were computer intrusions into high-level unclassified military computer systems by high school students operating out of California and Israel during a 1998 Iraq weapons inspection crisis. During Desert Storm, according to the London Telegraph, Dutch hackers successfully hacked 34 U.S. military systems, acquiring U.S. plans, weapons capabilities, and order of battle. They then tried to sell that information to Saddam Hussein. He did not buy the information, thinking it had to be a trick. Pentagon computers have been significantly strengthened against assault since that time, but even before that incident they were better protected against assault than today's SCADA systems. Yet these Pentagon computers are linked and communicate via the same electronic overlays that your SCADA system operates on.

Do you need SCADA?

Despite that, SCADA is essential to modern business. In fact, developing SCADA systems normally allows your company to function far more efficiently and safely and at far lower cost than a simple manually adjusted pneumatic system. These systems provide the near real-time data flows needed to operate efficiently in a deregulated environment. SCADA provides reporting of all transactions to provide permanent financial paper trails, and can dynamically adjust the pressure at regulator stations and other locations to save you money compared to seasonal adjustments.

SCADA systems can perform all kinds of operations at the discretion of your gas control center. Some have artificial intelligence programs built into them so that they can perform even more efficiently under normal operating circumstances. They save money, and make money for your company.
They are also increasingly linked: that becomes a vulnerability or an asset depending on whether you have the information to plan adequately.

While the benefits of SCADA systems are clear, the consequent vulnerabilities are less recognized. Very few such systems are protected even by passwords, the weakest form of security. What happens if one encounters an emergency situation in a fully linked but unprotected SCADA system? A properly functioning SCADA system will provide you with correct data interpretation and enhanced capability to respond. But what about a maliciously planned emergency brought on by people who are familiar with system operations or by outside third parties that are armed with sophisticated computer systems knowledge?

Well... as long as we are able to maintain pneumatic control over our systems, we may lose data in a break-in and we may lose control of the system, but we won't be likely to suffer a major system shut-down under most circumstances. The pneumatic controls of our system guard us against the kind of loss of control NSA feels the electric grid is faced with. Right?

Not really. The pneumatic controls our systems operate under have protected us well. The safeguards built into those systems were evolved over many years by engineers and scientists working in both the public and private sector. Those safeguards were built for the technology of the time, developed over the last several decades. They are not adequate to meet the security needs of embedded systems in the electronic age.

The electronic age allows a person with sufficient knowledge to make you think your pipelines are at capacity when they are not, that you are lowering pressure when you are actually raising it at remote locations, or that there is nothing wrong on your system when in fact your system is failing. And if your system gives your operators incorrect information, they will take inappropriate actions, either manually or via remote command.

Safe operations

That is why the Gas Operations and Infrastructure Center, jointly formed by IGT and GRI, is working extensively with the U.S. Intelligence Community in partnership with gas company and manufacturing company members to develop new, safe operating practices and equipment standards that will protect the industry and its customers. This center is currently working with the Technical Support Working Group and other government entities to ensure that secure encryption capabilities combined with secure protocols and operating practices are developed to harden the gas industry against cyber attack.

We are also testing the resulting technology developments in our laboratories and planning field tests conducted in combination with members, to make sure that adaptations we recommend do not slow the speed of transaction or hinder operating efficiency. These technologies and procedures will also harden the industry against vulnerability to natural hazards like earthquakes and floods.

Most importantly, the work we will be initiating with standards setting groups like IEEE and ANSI, combined with our communications with the manufacturing sector, will ensure that the cost of developing these safeguards will be very small. The key to this low-cost approach will be that they will be built into all automated systems as these systems are developed.

The wonder of SCADA systems, and of all automation, is that the communications and computing components of the systems are similar enough that they are able to intercommunicate for the sake of efficiency and replaceability, whether for gas or electric. That means manufacturers and users in both industries have to deal with the same issues, and that drives down costs. If your manufacturers understand these issues, they will support them. It lowers their costs, your costs, and your potential liabilities.

Whatever we do as an industry to protect ourselves and our customers has to be done now, during a narrow window of opportunity. Fully automated system units are being placed in the field right now. Their integration with your overall system is increasing every day. If these systems do not include sufficient safeguards, they will be expensive to retrofit. The company that waits loses money.

How much money do you have at stake in each of your automated units? How much property are those units protecting with what cost for protection, when each unit is a potential gateway into the rest of your company? Each company will ultimately decide for itself. The Gas Operations and Infrastructure Center can provide you with the information you need for informed decisions. We hope also to give you the information you need to make sure your suppliers and contractors can cover your vulnerabilities. We will have the technical fix in place in the field within one year. That is just about when you need it.

IGT is offering a five-day technical course that gets into algorithms, protocols, standards, and other vital concerns you have to deal with in developing a fully integrated and fully competitive system. It is being developed in combination with the U.S. Intelligence Community and the natural gas industry, and will be offered February 15 through 19 at IGT Headquarters in Des Plaines, Illinois. Participants will be exposed throughout that period to the industry scientists working on these issues, as well as have the opportunity to visit the laboratories where the work is taking place. More importantly, participants will come to realize how to combine these safeguards with the economic need companies have to properly integrate their automation technology for growth and competition in the years ahead.

If we move ahead with these issues today, they will be a central part of our operating plans and our emergency response plans tomorrow. They will be an integral part of how you do business, based on your own internal risk assessments as to how these issues impact your IT and MIS functions, along with your operating functions.

Jared R.W. Smith is associate director of the IGT and Gas Operations and Infrastructures Center.

Reprinted from Gas Utility & Pipeline Industries Magazine, October 1998

****************************************************
Bernie
Chief Technology Architect
Chief Security Officer
cta () hcsin net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go
// to avoid the pure labor of honest thinking."
// Honest thought, the real business capital.
// Observe> Think> Plan> Think> Do> Think>
*******************************************************
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html