Now that I have your attention, allow me to direct you to an article on a different kind of SCADA vulnerability. Recently, folks got themselves all in a lather over the SCADA talk that was given at Defcon. I’ve shared my view on the presentation. Short answer is “boo” SCADA has problems. No great revelation there. What is oft overlooked when dealing with security of systems are the soft assets. Education, documentation and age. As the critical infrastructure ages in North America, Europe et cetera, so do their operators and a great deal of their knowledge is not necessarily being documented.
There has been a closed society mentality to SCADA until recently. This has not only slowed the adoption of security practices that are now well entrenched in verticals such as finance and the like but, it has not drawn in a wealth of new talent. Kids graduating school today are keen to rush off to run a SCADA system.
Not a great deal of sex appeal.
An article that showed up on ZDNet a few days ago tackles the SCADA security subject:
Echoing Shaw’s comments, Slay said that engineers who operate SCADA systems lack the “mindset for privacy”.
“When we go to an electricity utility, the thing that’s driving them is 99.99 percent availability so there is not the mind set for privacy. Because they’re using simple systems and everything is in real time, if you add auditing or monitoring to the process, it’s seen as a waste of resources,” Slay said.
Slay was amongst the first of a group of Australians to attend a training seminar in Idaho on protecting critical infrastructure, which is part of a knowledge-sharing program between the US and Australian Governments.
The threat of terrorism has raised concerns over the security of essential services as SCADA systems have increasingly been opened to TCP/IP protocol corporate networks to improve process automation and visibility of data.
Cause for this concern was reaffirmed recently when a security expert from 3Com’s security division, Tipping Point, at the Black Hat conference in Las Vegas, demonstrated how a SCADA system flaw could be exploited to cause the system to crash.
Slay called the hack “worrying”, remarking it had become “cool” for hackers to exploit SCADA vulnerabilities.
The downside to the article is that the author bought into the Defcon presentation. Ganesh heavily overplayed the simplicity involved in attacking a SCADA network. Kim Slay commented that she found it “worrying” that hackers have taken an interest in SCADA. Time for heads to be pulled out of the sand. This really should come as no surprise. Anything that a hacker can access you better believe that they will take the opportunity. It’s a target and there is a great deal of damage that could potentially occur should an attacker be successful. This is a great indication that SCADA operators/manufacturers need to take security more seriously. And to their credit some are.
There is a great deal of FUD that is starting to churn from vendors that have bolt on security solutions to sell. Security needs to be baked in from the beginning. This is the sad realization for an industry that has essentially dropped the ball and needs to cover a lot of ground in a short space of time. There are some signs of life such as the NERC CIP and FERC’s feedback (.pdf). On the other hand there is also a great deal of information floating around the internet that would assist a motivated individual in ferreting out a vulnerability.
The race is on.
[tags]SCADA Security, SCADA, Defcon SCADA[/tags]