
Archive for SCADA Security

Core Security Punts On Disclosure

Core Security, makers of the product Core Impact.

Nice folks.

I like the product.

Apparently they left the gate open and their brains ran away in the night. What am I talking about? Well, they posted a vulnerability in the software of SCADA vendor Wonderware.

From their posting:

A vulnerability was found in Wonderware SuiteLink Service (slssvc.exe) that could allow an un-authenticated remote attacker with the ability to connect to the SuiteLink service TCP port to shutdown the service abnormally by sending a malformed packet. Exploitation of the vulnerability for remote code execution has not been proven, but it has not been eliminated as a potential scenario.

Fine. Good catch. I have been lucky enough to work with 10+ vendors so far on security vulnerabilities including one donkey outfit in ‘07. But, the rest were all professional. I was patient as I waited for them to get their **** together.

Now, on the SCADA side of the line we have another world that would make the Mad Hatter quite perplexed. There are some EMS vendors that require you to speak to them slowly, as at more than several sentences per minute they might, regrettably, spontaneously combust. It would appear, based on their apparent timeline, that WW is potentially one such firm.

That, however, doesn’t merit this,

An attacker can trigger the memory allocation operation failure by specifying an abnormally large length field in a Registration packet. The following binary excerpt shows where the problem is:

And here they provide the binary analysis.

They left the tracks at this point. I have released several vulnerabilities to date and not once did I release the actual code for the specific problem. What would that accomplish? I gave them the opportunity to patch the problem. They were able to address the issue with their respective customers and I got the byline.

Again from their time line,

Core has learned over the course of 13 years working in this particular field that it is fundamental to provide precise and accurate technical information about problems.

But, releasing the actual binary analysis? Let go of my leg.

Not cool. So much for responsible disclosure.
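For readers who want to see the pattern Core's advisory describes without the Wonderware binary itself, here is an added illustration. It is not code from Core's advisory or from Wonderware; the packet layout, the protocol maximum, the simulated memory budget and every name in it are assumptions made for the example. It puts a length-prefixed registration reader that trusts the advertised length next to one that bounds it before allocating, and shows why the first turns one malformed packet from one unauthenticated client into a service-wide outage.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed registration packet layout, an assumption for this example and
 * not the real SuiteLink wire format:
 *   bytes 0..3  big-endian uint32 length of the payload that follows
 *   bytes 4..   payload (length bytes)
 */
#define REG_MAX_PAYLOAD 512u            /* assumed protocol maximum for one registration */
#define SIM_HEAP_BUDGET (16u << 20)     /* constructed stand-in for the process's real memory limit */

enum reg_status {
    REG_OK = 0,
    REG_SHORT = 1,        /* header or payload incomplete; wait for more bytes */
    REG_TOO_LARGE = 2,    /* length rejected; drop this client only */
    REG_FATAL_ALLOC = 3   /* allocation failed and the service gives up entirely */
};

struct registration {
    uint32_t length;
    uint8_t *payload;
};

static uint32_t read_be32(const uint8_t *p)
{
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Allocator with a fixed ceiling so the example fails the same way on every
 * host whatever its overcommit policy; the ceiling is the constructed part. */
static void *svc_alloc(size_t n)
{
    if (n > SIM_HEAP_BUDGET)
        return NULL;
    return malloc(n == 0 ? 1 : n);
}

void registration_free(struct registration *r)
{
    free(r->payload);
    r->payload = NULL;
    r->length = 0;
}

/* Vulnerable pattern: the advertised length is trusted and handed straight to
 * the allocator, and an allocation failure is treated as fatal for the whole
 * service. One client choosing an absurd length takes it down for everyone. */
enum reg_status parse_registration_vulnerable(const uint8_t *pkt, size_t pktlen,
                                              struct registration *out)
{
    if (pktlen < 4)
        return REG_SHORT;
    uint32_t len = read_be32(pkt);          /* attacker-controlled */
    uint8_t *buf = svc_alloc(len);
    if (buf == NULL)
        return REG_FATAL_ALLOC;             /* modelled abnormal shutdown */
    size_t avail = pktlen - 4;              /* a socket reader would keep recv()ing up to len */
    memcpy(buf, pkt + 4, avail < len ? avail : (size_t)len);
    out->length = len;
    out->payload = buf;
    return REG_OK;
}

/* Hardened pattern: bound the length by what the protocol can legitimately
 * need before any allocation happens, require the payload to actually be
 * present, and make a bad length a per-connection error, not a service-wide one. */
enum reg_status parse_registration_hardened(const uint8_t *pkt, size_t pktlen,
                                            struct registration *out)
{
    if (pktlen < 4)
        return REG_SHORT;
    uint32_t len = read_be32(pkt);
    if (len > REG_MAX_PAYLOAD)
        return REG_TOO_LARGE;               /* reject this client, keep serving the others */
    if (pktlen - 4 < len)
        return REG_SHORT;                   /* len is bounded, so waiting for the rest is safe */
    uint8_t *buf = svc_alloc(len);
    if (buf == NULL)
        return REG_TOO_LARGE;               /* even a transient failure affects only this client */
    memcpy(buf, pkt + 4, len);
    out->length = len;
    out->payload = buf;
    return REG_OK;
}

int main(void)
{
    /* Constructed sample packets. */
    const uint8_t good[] = { 0x00, 0x00, 0x00, 0x03, 'a', 'b', 'c' };
    const uint8_t huge[] = { 0x7F, 0xFF, 0xFF, 0xFF, 'a' };   /* claims ~2 GiB of payload */
    struct registration r = { 0, NULL };

    printf("vulnerable/good: %d\n", parse_registration_vulnerable(good, sizeof good, &r));
    registration_free(&r);
    printf("vulnerable/huge: %d (service would exit)\n",
           parse_registration_vulnerable(huge, sizeof huge, &r));
    printf("hardened/huge:   %d (client dropped, service continues)\n",
           parse_registration_hardened(huge, sizeof huge, &r));
    return 0;
}
```

The line that matters is the comparison against REG_MAX_PAYLOAD before svc_alloc is ever called; the second half of the fix is refusing to let any allocation failure on a client's behalf become fatal for the process. Both are the kind of change a vendor can ship without anyone needing the binary excerpt.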

Article Link

Thx to CJ, M, Darko, Melanie and Bob for sending this one in!

(ed note: I do enjoy stirring it up. Looks like this one did the trick.)

Reaching Acceptance… Extending Apologies…

In the past… once or twice… I’ve scrapped with Joe Weiss over issues.

Yesterday, Joe got up on a stage at RSA in SF and told people some truth.

Wednesday, computer-security experts who recently re-examined the Bellingham incident called its victims the first verified human casualties of a control-system computer incident. They argue that government cybersecurity standards currently under debate might have prevented the tragedy.

“I’ve logged over 90 incidents in all industries worldwide,” said Joe Weiss, managing partner at Applied Control Solutions, speaking at the RSA Conference in San Francisco. “The damage ranges from significant equipment failure to deaths.”

…and even more impressively…

“Until eight years ago, my whole life was making control systems usable and efficient, and, by the way, very vulnerable,” Weiss said. “It is exactly what you will find today in many, many industrial applications. This isn’t just 1999. No, this is June 2008.”

Damn Joe.

Well said on the first, and truly a class act on the second.

Thanks.

Muchly.


First SCADA Vulnerability Database Launched

Well, looky here. The folks at Wurldtech have launched a cyber security vulnerability database dedicated to SCADA.

From The Standard:

It is designed to provide vendors, operators, system integrators, and service providers unparalleled visibility into the reliability, safety and security of the systems and networks essential to the operation of the world’s critical infrastructure.

Wurldtech CEO, Tyler Williams, said the company understands the unique security challenges facing the industrial automation industry today, particularly when attempting to address the issue of securing legacy industrial control systems.

“Our mission is to provide meaningful cyber-security solutions to safeguard the integrity of critical industrial automation and we are proud to announce Delphi, yet another tool to help our customers accurately identify real risks and make better-informed decisions to protect their industrial operations,” he said. As cyber-security risks increase in frequency, severity and sophistication, Williams said the process of managing the security of SCADA and process control systems is becoming extremely difficult.

Delphi…sigh. Even money says it’s running on Oracle. Gotta love geek humour.

Article Link


Lofty Perch to License DHS Control Systems Self Assessment Tool

From the press release:

Toronto, Canada — February 20, 2008

Lofty Perch, Inc. (www.loftyperch.com), a global leader in cyber-security solutions for process control, SCADA, and critical infrastructure announced today that it has been selected by the Department of Homeland Security to be a licensed distributor of the DHS Control Systems Cyber Security Self-Assessment Tool (CS2SAT). This application, created at the Idaho National Laboratory for the DHS National Cyber Security Division, was developed specifically to assist SCADA and Process Control System users in improving the cyber security posture of their control systems. The CS2SAT application is a security assessment support tool based on industry standards, best practices, and regulatory guidance, and assists asset owners and operators in identifying actionable mitigations for their control system architectures.

“We are very proud in becoming a licensee for this vital technology. Lofty Perch will be able to provide unparalleled service to the SCADA and control system communities based on our history with the tool,” said President and CEO Mark Fabro. “Our industrial cyber security subject matter expertise and market exposure have us perfectly positioned to get this technology to the entire community of interest in the most effective way.”

Lofty Perch has been working with the CS2SAT technology since its inception. Recently their Senior Engineer, Ed Gorski received an award from the Idaho National Laboratory in recognition of his wide-ranging contributions to the CS2SAT project.

Mark Zanotti, Lofty Perch’s VP and Chief Technology Officer, will lead the effort for the CS2SAT support. “In addition to making the tool widely available, we will also be providing direct support to our customers,” said Zanotti. “Lofty Perch is the first CS2SAT licensee that will not outsource their support function as we can provide direct value based on our work with INL. We are excited about being able to provide our clients with a robust set of services and training designed specifically for the CS2SAT technology.”

Lofty Perch intends to initially license the tool for $399.00 USD. For information on CS2SAT availability, pricing, and services please contact cs2sat@loftyperch.com.

No, Mark didn’t put me up to this.
:)
Article Link (.pdf)


Uncle Sam Is Looking For A Few Good Hackers


Uncle Sam, namely the Air Force, is looking for a few good hackers to flesh out the ranks of their “Cyber Command”. Just as a side note, I would like nothing better than to slap the crap out of whoever decided that “cyber” was the buzzword to denote anything computer/internet based.

Anywhoo…

From Wired:

“We have to change the way we think about warriors of the future,” Lord enthuses, raising his jaw while a B-52 traces the sky outside his windows. “So if they can’t run three miles with a pack on their backs but they can shut down a SCADA system, we need to have a culture where they fit in.”

But before Lord and his geek warriors can settle in for the wars of the future, the general has to survive a battle of a decidedly different nature: a political and cultural tug of war over where the Cyber Command will set up its permanent headquarters. And that, for Lord and the Air Force, is where things get trickier than a Chinese Trojan horse.

With billions of dollars in contracts and millions in local spending on the line, 15 military towns from Hampton, Virginia, to Yuba City, California, are vying to win the Cyber Command, throwing in offers of land, academic and research tie-ins, and, in one case, an $11 million building with a moat. At a time when Cold War-era commands laden with aging aircraft are shriveling, the nascent Cyber Command is universally seen as a future-proof bet for expansion, in an era etched with portents of cyberwar.

Interesting. I wonder how many hackers would actually answer the call. Bearing in mind the vast majority (of ones I know at least) are not overly well disposed towards authority.

Article Link


Explosion-Resistant Access Points For SCADA


Aruba Networks has rolled out an access point product that is designed for SCADA environments. As an added bonus (?) it is, er, explosion resistant. That sounds like a redneck challenge if I ever heard one.

Aruba Networks has announced a new series of high performance, explosion-resistant access points targeted at industrial and outdoor applications.

Aruba designed the new AP-85 Dual-Radio Outdoor Access Point family with radio, packaging, and operational features designed specifically for petrochemical, material handling, shop-floor, logistics, and SCADA applications. Robustly constructed yet simple to install, the access points include features targeted specifically at reducing both operating and capital expenditures.

The new AP-85 access points feature dual, high-power radios that deliver up to 200mW (23dBm) for wide area coverage. The weatherproof enclosure and ATEX Zone 2 safety rating enable the access points to operate in explosion hazardous environments and across temperatures from -30 to +55 degrees Centigrade without extra-cost housings.

Read on.

Article Link


Don’t Talk About SCADA Holes Or They’ll Get You


The title is a little bit tongue-in-cheek. That being said, on the SCADA mailing list this past Saturday the following was posted with regard to a new SCADA security list.

(5) Due to heightened security and awareness levels worldwide, ALL MESSAGES ARE WATCHED CAREFULLY. Violators who report methods that are going to disable, damage, dismember, destroy, or disarm any control system, SCADA device, or infrastructure will be reported to DHS (and/or their respective national or federal authority).


I was floored that they would endeavour to launch a public mailing list dealing with SCADA security but threaten you if you disclose security issues. Especially since information that would “qualify” is routinely posted to the SCADA list. Odd. While I understand their motivations, I think they missed the boat. Others are far more vocal on this point.

Kevin Poulsen from Wired:

Only the SCADA community could conceive of a mailing list that tries to get you arrested for discussing security issues. And we wonder why SCADA is still insecure.

What he said.

Article Link


Myrcurial goes to S4 - the finale!

I must say that I’ve enjoyed my 2 days at the S4 conference.

This is the first time I’ve experienced the WebEx “Virtual Attendee” capability for a conference. The reality of the program is that you don’t have to put up with the increasingly hostile air travel system but you miss out on the side-bar conversations and mixing with your co-attendees.

In a comment posted by Dale Peterson, he asked some specific questions which I’m more than happy to answer (I like Dale - he’s a good egg.)

I’ve enjoyed reading your comments, good and bad, about the S4 event. I guess it is payback for me when I do it at events.

I would be curious to get your final opinion, for all to see good or bad, on the Virtual Attendee experience. Obviously the problems at the first keynote started it off poorly, but now that you have done it for two days, should we offer it next year? Should others that can’t travel consider it or save their money? Would you like to see it for other, non-Digital Bond events?

My final opinion is this: For some kinds of conference - the Virtual Attendee program is “almost as good as being there.” I wouldn’t suggest it as sufficient for a conference or symposium with more than ~100 attendees as you’d miss too much of the “action”, but for a smaller, focused, intense discussion such as S4 — it’s a great fit that let me attend and contribute without actually having to leave the comfort of my desk. Blackhat wouldn’t work this way - S4 does quite well.

I would ask that it be offered again next year with a couple of minor changes:

  1. allow on-site participants to log into the chat area
  2. provide a feed of the non-conference proceedings - breaks and lunch - etc.
  3. allow virtual attendees to see the full list of other attendees (virtual and non)
  4. provision slides before hand - being able to flip back a few slides and ahead a few slides during the talk to help with context is important and is available to the onsite participants.

If you can make the case for needing access to the information but can’t clear the hurdles associated with international travel, or have some other reason not to go (hesitant to fly into the USA given current TSA policy and practice, say), seriously consider spending the money on the virtual attendee program for next year’s S4.

Would I put in the effort for another conference or symposium - depends on the subject matter, the topical content, the speakers, and whether or not I get coffee service during the breaks and lunch sent in at the appropriate time!

Thanks for putting the program together Dale, and maybe next year, we can arrange for control-systems-engineers vs. IT security paintball/dunk tank/mud wrestling…

Maybe not the mud wrestling.


Myrcurial goes to S4 - part the fourth

Still attending S4 - and the quality of the speakers continues its lumpy, lurching way towards the goal.

Currently watching Langner discuss Threat Modeling in SCADA — except he’s gone right off the bleepin rails.

I mean WAY OFF THE RAILS. Offensively off the rails.

How do you create a presentation which goes all Giuliani off the top and invokes 9/11, continues with the Islamist threat, launches into a discussion of fatwa and heads right off into fantasy land?

I feel bad for Dale - this is double-plus-ungood.

Langner should not be listened to - he should not be given a stage - he’s propagating the same kinds of myths that pervade the “control systems engineers” world - that SCADA is too hard, that hackers aren’t interested, that the bad guys are on religious missions of hatred, that the war on moisture is ok.

He closed with a eulogy for Richard C. Rescorla of Dean Witter / Morgan Stanley, who predicted the plane attacks on 9/11.

Sigh. I don’t want to forget what happened on that day in New York, but I refuse to live a life of fear. More people need to jump off the fear bandwagon.

The previous piece - on the plans for the mandatory PCTs for California by Grant Gilchrist of EnerNex - was quite good. I think that he may be in a position to do good things - especially by having some people look at implementation level issues.


Myrcurial goes to S4 - part the third

Back at S4 again for the day.

This morning started with a serious smackdown laid on the control systems folks by Dave Aitel from Immunity Inc.

It was interesting watching the faces in the crowd as they heard statements which were uncomfortable.

Currently watching Julian Rrushi from the University of Illinois talking through some of the intricacies of IEC 61850. While I appreciate (yet) another protocol - especially one which is deterministic - I can see too many opportunities for implementation level screwups in this new protocol.

I’m going to have to miss the next session due to a meeting, but I’m looking forward to three sessions this afternoon - Key Management for Advanced Metering, SCADA Threat Modelling and OPC Unified Architecture Exposed.

