SCADA Insecurity: the most worrying cyber attack. Marco Capriz (AMU 3102460)
Page 1 of 22
SCADA insecurity:
The most worrying cyber attack.
Marco Capriz
AMU 3102460
“As a young boy, I was taught in high school that hacking was cool.”
Kevin Mitnick, one of the most famous hackers of all time.
“Further, the next generation of terrorists will grow up in a digital world, with ever more powerful
and easy-to-use hacking tools at their disposal.”
Dorothy Denning, Distinguished Professor, Department of Defense Analysis, Naval Postgraduate
School.
“If you spend more on coffee than on IT security, then you will be hacked. What’s more you deserve
to be hacked.”
Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-
terrorism.
Abstract.
Kevin Mitnick carried out his first recorded computer crime at the age of 16,
when in 1979 he hacked into Digital Equipment Corporation’s network to steal
software. He went on to make the FBI’s “Most Wanted” list between 1989 and
1995. Although Mitnick’s main motivation for cyber crime was monetary gain, he
delighted in being ahead of the authorities that were chasing him. For him
cybercrime was a game.
The situation has changed dramatically in the 15 years since Mitnick was
eventually apprehended. As software and networking tools become more
sophisticated, they also become more complex and more vulnerable to attacks, and
the attacks themselves are becoming more complex.
Cybercrime has become a very lucrative enterprise. Because of this, the focus
of law enforcement agencies and software developers around the world has been to
prevent, manage and prosecute attacks directed against enterprises that monetize
their digital capabilities. Usually these enterprises have reasonably high levels of
security that are bypassed only by very sophisticated attackers.
However, there are greater dangers lurking in the virtual world of the Internet.
Dorothy Denning identifies cyber-terrorism as the next major strategic threat. The
United States has taken this strategic threat seriously enough to create Cyber
Command, a new command within the Department of Defense, set up to safeguard the
nation’s military critical information systems.
However, with most of the defensive effort being directed at protecting people
and enterprises against commercial losses, and at protecting military
infrastructure, less attention has been paid to a very critical area that is even today
extremely vulnerable to cyber attacks. A successful attack there could be far more
damaging, not only in terms of economic losses but also in terms of physical losses
of lives and property. This is the area of Critical National Infrastructure and
specifically a country’s utility infrastructure.
This paper will address the problems stemming from an industry that is
completely reliant upon a very outdated and extremely vulnerable IT infrastructure.
It will look at the way this infrastructure can be penetrated for malicious purposes
and present a possible terrorist attack scenario that exploits poor, or indeed non-
existent security measures. And it will examine possible strategies (technical and
legislative) that have been proposed to mitigate this threat.
Distributed and targeted attacks.
The most common cyber crimes are caused by a Distributed Denial of Service
(DDoS) attack. These are initiated when a large number of pre-infected computers
(BOTs) send a synchronized set of requests to a specific target IP address or group
of addresses in such a way as to overwhelm the servers at the receiving end of the
requests and put them out of service for the duration of the attack. A DDoS attack
can cause significant loss of earnings for an e-Commerce enterprise. It can also
significantly impair overwhelm systems beyond those directly attacked, as the
massive mount of traffic generated by the BOTNet (the collective name of all the
infected BOTs) slows down or indeed halts traffic on major Internet nodes
throughout the world.
The economic damage done by a DDoS attack also extends beyond the
attacked enterprise’s loss of revenue during the attack period. According to a 2004
CRS report to Congress (Brian Cashell, April 2004) the stock value loss following a
known digital attack against a listed company can be as high as 15% of its market
value.
As disruptive as these attacks are, they seldom last long or have long lasting
consequences. Software companies respond quickly to the problem by identifying
the signatures of the attack and releasing the appropriate countermeasures.
More insidious than DDoS attacks are targeted attacks based around social
engineering, phishing and identity theft. Whereas DDoS attacks are sometimes
initiated by criminals to blackmail e-Commerce site operators, most are still
launched as generic electronic vandalism. Electronic fraud, however, is
targeted.
According to the Department of Justice, in 2009 the economic losses owing to
computer crimes in the US alone were close to $600M (Internet Crime Complaint
Center, 2009). These losses primarily resulted from identity theft and credit card
fraud. The CRS report mentioned earlier refers to a study carried out by the British
company Mi2g that expected a worldwide loss of $250B through cyber crime. The
figure is based on a 2004 study and was considered to be on the low side at the time.
Given the distributed nature of the attacks, it is difficult to estimate the current
economic damage caused by cyber attacks but estimates that exceed $1,000B may
not be an overstatement.
As high as that figure may be, its impact is not significant on a national level:
again because of the distributed nature of the losses, the overall economic health of a
country has not yet been affected. This is why an attack directed against a utility
could have very different consequences. The economic damage that might ensue
could have a cascading effect that might lead to an exponential increase in damage,
in economic and physical terms. It is becoming alarmingly clear that one of the
biggest and so far underreported threats to the economic and strategic security of a
nation is an attack conducted against its power grid.
Unlike DDoS attacks, which simply overwhelm servers, attacks against utility
providers are directed specifically towards the control systems that govern the
operation of the utility. Control system attacks are different from distributed attacks.
Whereas bots can still be used to disguise the original source of the attack, the
attacker does not need to infect a large number of machines to achieve the desired
effect. All a cyber terrorist needs to do is to understand how a utility’s control
network works and alter, to destructive ends, the legitimate instructions that are sent to
the control systems managing critical aspects of a power plant, potentially causing
the plant to shut down. This is not an unrealistic scenario. Richard Clarke, the
former National Coordinator for Security, Infrastructure Protection, and Counter-
terrorism, writes
Digital control systems monitor activity and send commands to engines,
valves, switches, robotic arms, lights, cameras, doors, elevators, trains and
aircraft (…) often without a human in the loop. (Clarke, 2010)
This level of automation requires that processes that previously would be
monitored and controlled on site are now managed over a telecommunications
network. The systems that monitor and control processes remotely are known as
Supervisory Control And Data Acquisition (SCADA) systems.
SCADA overview.
A SCADA system comprises Programmable Logic Controllers (PLCs), which
convert digital commands into electromechanical actions, connected over a network to a
SCADA control center. The diagram below is a simple schematic of a small
SCADA system.
Figure 1: SCADA system.
In the diagram above the PLC1 controls the flow by acting on the pump and
PLC2 controls the level of the tank by acting on the valve. Both PLCs are remotely
connected to a SCADA control center over a network.
SCADA field devices, PLCs and the closely related Remote Terminal Units (RTUs),
speak a number of industry-specific field protocols. Some are open standards
(Modbus RTU, Profibus) and others are manufacturer-specific (ABB’s RP-570, Conitel). The
communications protocols used between the field devices and the SCADA center are
standards such as IEC 60870-5-101 or 104, IEC 61850 and DNP3.
The Modbus protocol was published in 1979. Profibus is more recent, having
been first released in 1989; Conitel and RP-570 are early-90s protocols.
None of these protocols includes any security mechanism. Indeed the
instruction sets are very limited. Below is the complete list of instructions that can
be sent to an RP-570 PLC (ABB, 1997):
Figure 2: RP-570 Instruction Set.
As can be seen, not a single command has anything to do with security or user
verification. Just as worryingly, none of the communications protocols include
security provisions. In the IEC 60870 standard description there is a note that states:
Security mechanisms are outside of the scope of this standard (IEC, 2006).
The lack of security mechanisms is not surprising. Most SCADA systems in
operation are very old. Most run hard-wired firmware that is not remotely upgradeable.
Unfortunately the distributed nature of process control systems, particularly in a
distributed environment such as a power grid, makes it very expensive to consider
upgrading or modernizing SCADA systems. In a paper written for The Eighth
Workshop on the Economics of Information Security held in London in June 2009,
Ross Anderson and Shailendra Fuloria observe (Ross Anderson, 2009):
Industrial control systems have both lock-in and complex supply chains. A
utility that builds a plant such as a power station or oil refinery is typically
locked into the control system vendor for at least 25 years; the vendor for its
part typically supplies the software for the central control function, plus the
systems integration, while purchasing a wide range of equipment (cabling,
sensors, actuators and indeed whole subsystems) from other vendors.
First, the lock-in here has nothing to do with network effects; it is physical.
The real assets of the North American energy sector are worth over a trillion
dollars; control systems at major sites amount for $3–4 billion, while remote
field devices add a further $1.5–2.5bn.
Absent a catastrophic attack, this investment will be replaced only when it is
fully depreciated.
In the same paper the authors comment on the vulnerability of SCADA
systems thus (Ross Anderson, 2009):
In the late 1990s, some writers started to point out the vulnerability of
industrial control systems to online sabotage. Utility control systems have
traditionally been designed for dependability and ease of safe use. They used
completely private networks and thus their designers gave no thought to
authentication or encryption. These networks were typically organized with a
star topology, with many sensors and actuators connected to a control centre.
Common protocols such as DNP and Modbus enable anyone who can
communicate with a sensor to read it, while anyone who can send data to an
actuator can give it instructions. But private networks are expensive, and the
prospect of orders-of-magnitude cost reductions led engineers to connect
control systems to the Internet. The result was that many industrial control
systems became insecure without their owners realizing this.
One of the more baffling responses to the criticism that SCADA systems lack
security is the observation made by some in the industry that SCADA systems
provide “security through obscurity” by leveraging the very proprietary nature of the
protocols used. This is a fallacious argument. A determined attacker, such as a
cyber terrorist, may well have the resources to invest in lifting the obscurity veil.
Indeed this is a worry that is discussed by a paper published by Riptech on the
Information Warfare website. On the issue the authors remark (Riptech, 2001):
The above misconception assumes that all attackers of a SCADA system lack
the ability to access information about their design and implementation. These
assumptions are inappropriate given the changing nature of utility system
vulnerabilities in an interconnected environment. [Because] utility companies
represent a key component of one of the nation’s critical infrastructures, these
companies are likely targets of coordinated attacks by “cyber-terrorists”, as
opposed to disorganized “hackers.” Such attackers are highly motivated, well
funded, and may very well have “insider” knowledge. Further, a well-
equipped group of adversaries focused on the goal of utility operations
disruption is certain to use all available means to gain a detailed understanding
of SCADA systems and their potential vulnerabilities.
Given the vulnerability of SCADA systems, it may be worth looking in more
detail at how these introduce vulnerabilities in the processes that they control and at
what the consequences of these vulnerabilities may be.
SCADA vulnerabilities.
The Israeli company C4 is a security consulting company specializing in
penetration tests to discover system vulnerabilities. C4 has proposed an interesting
scenario to show that supposedly secure utility providers hiding under the illusion of
“security through obscurity” are anything but secure.
In a presentation to be found on their website C4 shows that a determined
group of attackers, with either inside knowledge of a power grid’s layout or the time
and engineering skills to learn how it is controlled by hacking into the SCADA
center, can hijack the SCADA network and feed PLCs with instructions that would
potentially cause a shutdown of the power grid. C4’s hypothesis is that a
knowledgeable group of attackers will be able to gain access to the Human Machine
Interface (HMI) and monitor packets transmitted between it and the PLCs.
The standard operator objection is that “security through obscurity” works
because even if an attacker monitored network traffic on the segment where the HMI
server is located, he would not be able to understand which instructions are being sent
to which physical location, armed only with a hexadecimal or IP address of that
location. However, this again is a specious argument. One of the greatest weaknesses of
a typical SCADA system is that this sort of information is, unfortunately, easily
obtainable. The Riptech paper quoted earlier observes (Riptech, 2001):
Often, too much information about a utility company corporate network is
easily available through routine public queries. This information can be used
to initiate a more focused attack against the network. Examples of this
vulnerability are […] [w]ebsites [that] often provide data useful to network
intruders about company structure, employee names, e-mail addresses, and
even corporate network system names [and] Domain Name Service (DNS)
servers permit “zone transfers” providing IP addresses, server names, and e-
mail information.
Eyal Udassin of C4 further observes that (Udassin, 2008)
Although without a mapping of the addresses & datapoints to physical
locations and controlled devices, it is very difficult to generate malicious
packets, such a map can usually be found on the operators’ workstations and
the SCADA server as a tag database. Each tag is a user-friendly name given to
an address/datapoint.
The weaknesses exposed by C4 and Riptech indicate that a SCADA system
can be attacked through poor security practices that fail to isolate the corporate
network from the production network. By hacking into the corporate network in this
case it is possible to gather the required information on the production network in
order to mount an attack on the SCADA system.
IBM’s X-Force is the security consulting arm of IBM. They have also studied
vulnerabilities in SCADA networks. X-Force carries out penetration tests on client
networks and according to them the simplest tests usually yield the most results. In
a presentation on SCADA Security and Terrorism X-Force personnel state that in
many penetration test cases they were able to (IBM X-Force, 2006):
• Guess simple passwords
• Access systems through SQL injections
• Port scan for available open ports
• Access SNMP MIBs
• Carry out anonymous FTP, SMB and Telnet sessions with no password
prompt
• Exploit known vulnerabilities in unpatched systems
• Deploy backdoors and Trojans
Confirming the weaknesses outlined by C4 and Riptech above, X-Force
personnel claim to have demonstrated to a client, while giving a presentation (!), their
capability to access the production network by leveraging poor security that allowed
them to enter the company’s corporate network through an open Wi-Fi access point (IBM
X-Force, 2006).
Figure 3: IBM X-Force’s customer demonstration results.
Given that it is potentially quite easy to hack in to a SCADA system, what
might be the potential damage that could be inflicted on an operator dependent on
such systems? Given the critical nature of the service they provide it is worth
looking at the consequences of a targeted attack against a power grid operator.
Attacking the grid.
The technology of electric power distribution has not changed much in
decades. As Anderson and Fuloria observe above, systems will not be replaced until
they are depreciated. SCADA systems can have depreciation periods that range from
5 to 25 years. It is likely that at any one time a SCADA system at a power plant
might be 10-15 years old, use Modbus communications over a dial-up line and have
an HMI based on an unpatched old version of Windows. Given what Riptech, X-Force and
C4 have observed, it is also likely that the operators have maps hanging in various rooms
at the power plant openly displaying the physical locations of PLCs with their digital
identifiers (phone numbers, MAC addresses, IP addresses). Social engineering might
lead to a much more detailed understanding of the plant’s operation. An attacker
would then have a reasonable understanding of how to initiate an attack.
A power plant distributes electricity through a tree-like structure of power
lines that branch at substations along the way.
Figure 4: power plant distribution.
At each substation there are switches that are controlled by PLCs or RTUs,
which regulate the flow of electricity at that point.
Figure 5: Switching diagram on HMI client.
An attacker who could gain control of the switches could cause a lot of damage
by opening all of them suddenly, causing the power station to trip. Sudden,
unexpected load drops cause big problems in power stations. A 600MW power
station needs to generate 10 tons of steam at 700 °C per second. Whereas interlocking
and power management ensure that the production load is balanced with the
distribution, this is entirely dependent on the SCADA system working the substation
switches correctly. The tolerated gap between production and consumption in a
power station is small: about 1%. Anything in excess of that will cause the power
station to initiate a shutdown. A huge imbalance is far more problematic. Steam
relief and shut-off valves will shed some of the load, but the furnace needs to be
stopped, as does the conveyor belt carrying the coal to the furnace (in the case of a
nuclear power station the shutdown process is faster, as control rods can be quickly
lowered to terminate the nuclear reaction, but in many countries few new reactors have
been built following the anti-nuclear policies of recent decades).
Illustrating the lack of IT security in power stations, Eyal Udassin hypothesizes
the following scenario: a skilled group of attackers penetrates the production network
(in ways similar to those exposed by the X-Force team described above) and over a
period of time monitors SCADA commands to become familiar with the geographical
location of the PLCs and RTUs, their logical addresses, and the command sequences
that are sent to them to manage the flow of power distribution between day and night
usage. In most countries there is a significant variation between daytime and
nighttime use of power.
Figure 6: Variations between daytime and nighttime residential power use in Florida. (Florida Solar Energy Center, 2002).
Udassin suggests (Udassin, 2008) that a possible attack strategy would be to
learn the sequence of PLC commands that regulates the flow of power release and
then reverse it. In detail an attacker might do the following:
Stage 1: Preparation mode:
• Install malware on the SCADA communications Server (this might be
accessible and poorly protected as X-Force have shown)
Stage 2: Learning Mode:
• Sniff traffic to and from the field (easy to distinguish if protocols are
known; addresses and locations are acquired)
• Create request/response PLC instruction pairs with a timestamp for day
& night classification.
Stage 3: Active Mode:
• When enough packet data is collected, wait for the next critical time of
day transition (dawn, nightfall)
• Drop all messages being sent from the SCADA server to the PLCs
• Replace them with the commands of the opposite timeframe to the
field.
If this attack sequence is carried out in the morning, when demand for power
increases, the opposite commands will be sent to the PLCs that regulate the increase
or decrease of production. According to Udassin’s attack plan, as electricity demand
steadily rises the field devices will receive night-time commands, e.g. “disconnect
aux. power plant from the grid”, “lower power output from main power plant” etc.
Operators will then try to connect more power plants, without success, as their
commands are dropped. This will generate network instability, as supply will not
meet the demand, potentially causing blackouts.
If the attack is also timed to coincide with a backup power station being taken
offline for maintenance the consequences could be more severe.
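Udassin’s scenario (stages 1 to 3 above) puts the malware on the SCADA communications server itself, so the replayed frames leave from the legitimate master address and an allow-list of masters alone will not catch them. What does catch them is the contradiction between the command and the time of day. The following Python is an added example, not from the paper or from C4: it runs two checks over a small constructed flow log in the style of a network monitor’s Modbus log (timestamp, source, destination, function, address, value), an allow-list check on the source and a schedule check per PLC address. The hosts, addresses, tag names and the 06:00-22:00 daytime window are assumptions made for the example.

```python
"""Schedule-aware detection of Modbus writes over a flow log.

Added example, not from the paper or any vendor. It assumes a monitor log
reduced to: ISO timestamp, source IP, destination IP, function name, address,
value (tab separated). Hosts, addresses and the schedule are constructed.
"""
from datetime import datetime

# Constructed log. 10.10.1.10 is the assumed SCADA server; 10.0.5.23 is an
# assumed corporate-network host that should never speak Modbus to a PLC.
SAMPLE_LOG = """\
2010-11-16T06:40:00\t10.10.1.10\t10.10.20.5\tWRITE_SINGLE_COIL\t1\t1
2010-11-16T06:41:00\t10.10.1.10\t10.10.20.6\tWRITE_SINGLE_REGISTER\t40\t520
2010-11-16T06:50:00\t10.10.1.10\t10.10.20.5\tWRITE_SINGLE_COIL\t1\t0
2010-11-16T06:51:00\t10.10.1.10\t10.10.20.6\tWRITE_SINGLE_REGISTER\t40\t300
2010-11-16T06:52:00\t10.0.5.23\t10.10.20.5\tWRITE_SINGLE_COIL\t1\t0
2010-11-16T07:00:00\t10.10.1.10\t10.10.20.5\tREAD_COILS\t1\t-
2010-11-16T23:10:00\t10.10.1.10\t10.10.20.5\tWRITE_SINGLE_COIL\t1\t0
"""

ALLOWED_MASTERS = {"10.10.1.10"}          # hosts permitted to issue writes
WRITE_FUNCTIONS = {"WRITE_SINGLE_COIL", "WRITE_MULTIPLE_COILS",
                   "WRITE_SINGLE_REGISTER", "WRITE_MULTIPLE_REGISTERS"}
DAY_START, DAY_END = 6, 22                # 06:00-22:00 counts as daytime

# Expected value per (plc, address) for day and night. Coils use an exact
# value; registers use an inclusive (lo, hi) range. The tag names are the kind
# of mapping the paper says lives in the tag database; these are invented.
SCHEDULE = {
    ("10.10.20.5", 1):  {"tag": "AUX_PLANT_BREAKER", "day": 1, "night": 0},
    ("10.10.20.6", 40): {"tag": "MAIN_UNIT_MW_SP", "day": (450, 650), "night": (200, 350)},
}


def period(ts):
    """Classify an ISO timestamp as 'day' or 'night' by wall-clock hour."""
    hour = datetime.fromisoformat(ts).hour
    return "day" if DAY_START <= hour < DAY_END else "night"


def value_ok(expected, value):
    """Exact match for coils, inclusive range for registers."""
    if isinstance(expected, tuple):
        lo, hi = expected
        return lo <= value <= hi
    return value == expected


def analyse(log_text):
    """Return a list of (timestamp, rule, detail) alerts for suspicious writes."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, func, addr, value = line.split("\t")
        if func not in WRITE_FUNCTIONS:
            continue                      # reads are not actuation; ignored here
        addr, value = int(addr), int(value)
        if src not in ALLOWED_MASTERS:
            alerts.append((ts, "unauthorized_master",
                           f"{src} wrote {func} addr {addr} on {dst}"))
        entry = SCHEDULE.get((dst, addr))
        if entry is not None:
            p = period(ts)
            if not value_ok(entry[p], value):
                alerts.append((ts, "schedule_contradiction",
                               f"{entry['tag']}={value} during {p} (expected {entry[p]})"))
    return alerts


if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(*alert, sep=" | ")
```

On the constructed log the two dawn writes replayed from the legitimate server (breaker opened, setpoint lowered) are caught only by the schedule rule, while the corporate host trips both rules. The schedule table is the defender’s copy of exactly the tag-to-address mapping the attacker wants from the tag database; keeping it on the monitoring sensor rather than on the SCADA server means the malware in Stage 1 cannot edit the expectations to match its replayed commands. A real deployment would derive the expected day and night values from historian data rather than hand-written constants.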
The weakness that is exploited in Udassin’s scenario is dependent on the fact
that the communication between the SCADA controller and the PLCs does not allow
for message authentication. This is partly due to the fact that the protocols
themselves do not include this capability.
However, investment in technology that has not yet reached its accounting
write-off date is not the only excuse for being lackadaisical about security. As
Mariana Hentea observes,
SCADA systems are now adopting Web technology (ActiveX, Java, etc.) and
OPC (as a means for communicating internally between the client and server
modules). However, Web applications are an interesting target for cyber
attacks that are increasingly automated. Web is the dominant development
platform for software, but Web-based secure software is immature (Hentea,
2008).
Hentea further notes that SCADA systems now run on common
software such as Windows and UNIX and use standard communications protocols
such as TCP/IP, so the “security through obscurity” argument is getting
increasingly weak.
New technology does allow plant managers to take advantage of better
software security tools. But although operators could modernize a plant’s network to
include security capabilities (by installing remotely upgradeable PLCs, for instance,
with better processing capabilities, and implementing strong security protocols), there is
little financial incentive for them to do so.
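What “strong security protocols” on an upgradeable PLC would have to add is exactly what the field protocols lack (see the SCADA overview above: no authentication field anywhere) and what Udassin’s replay exploits: a way for the device to tell a genuine command from a captured or altered one. The following Python is an added example, not code from the paper, from ABB or from any standard. It encodes a standard Modbus/TCP Write Single Coil frame, shows that a plain slave obeys a replayed night-time frame at dawn, and then puts the same slave behind a sequence-number-plus-HMAC wrapper that rejects both the replay and a modified frame. The wrapper is an illustrative design in the spirit of DNP3 Secure Authentication and IEC 62351, not either standard; the key, unit id and the meaning of coil 1 are constructed.

```python
"""Modbus/TCP Write Single Coil: unauthenticated vs. HMAC-wrapped delivery.

Added example, not from the paper, ABB, or any standard. The frame layout is
standard Modbus/TCP; the sequence-number-plus-HMAC wrapper is an illustrative
design only (in the spirit of DNP3 Secure Authentication and IEC 62351, but
not either standard). Key, unit id and coil meaning are constructed.
"""
import hashlib
import hmac
import struct

WRITE_SINGLE_COIL = 0x05
MAC_LEN = 32   # HMAC-SHA256 output length


def build_write_coil(transaction_id, unit_id, coil_addr, on):
    """MBAP header (tid 2, protocol 2 = 0, length 2, unit 1) followed by the
    PDU (function 1, coil address 2, value 2: 0xFF00 = ON, 0x0000 = OFF).
    There is no field anywhere for a sender identity or a MAC."""
    pdu = struct.pack(">BHH", WRITE_SINGLE_COIL, coil_addr, 0xFF00 if on else 0x0000)
    return struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id) + pdu


def parse_write_coil(frame):
    """Decode a 12-byte Write Single Coil request; ValueError if malformed."""
    if len(frame) != 12:
        raise ValueError("unexpected frame length")
    tid, proto, length, unit, func, addr, value = struct.unpack(">HHHBBHH", frame)
    if proto != 0 or length != 6 or func != WRITE_SINGLE_COIL:
        raise ValueError("not a Write Single Coil request")
    return {"transaction_id": tid, "unit_id": unit, "coil": addr, "on": value == 0xFF00}


class PlainSlave:
    """A PLC as the protocol defines it: any well-formed frame is obeyed."""

    def __init__(self):
        self.coils = {}

    def receive(self, frame):
        req = parse_write_coil(frame)
        self.coils[req["coil"]] = req["on"]
        return True


def wrap_authenticated(key, seq, frame):
    """Master side: seq (4 bytes) || frame || HMAC-SHA256(key, seq || frame)."""
    header = struct.pack(">I", seq)
    return header + frame + hmac.new(key, header + frame, hashlib.sha256).digest()


class AuthenticatedSlave:
    """Same PLC behind the wrapper: rejects bad MACs and non-increasing seq."""

    def __init__(self, key):
        self.key, self.coils, self.last_seq = key, {}, 0

    def receive(self, message):
        if len(message) < 4 + MAC_LEN:
            return False
        body, tag = message[4:-MAC_LEN], message[-MAC_LEN:]
        expected = hmac.new(self.key, message[:-MAC_LEN], hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expected):
            return False                                  # modified in transit
        seq = struct.unpack(">I", message[:4])[0]
        if seq <= self.last_seq:
            return False                                  # replayed or reordered
        try:
            req = parse_write_coil(body)
        except ValueError:
            return False
        self.last_seq = seq
        self.coils[req["coil"]] = req["on"]
        return True


def demo():
    """Replay a captured night-time 'open aux breaker' frame at dawn."""
    key = b"shared-key-provisioned-out-of-band"            # constructed
    night_cmd = build_write_coil(7, 1, 1, on=False)       # coil 1: aux plant breaker (invented)
    day_cmd = build_write_coil(8, 1, 1, on=True)

    plain = PlainSlave()
    plain.receive(day_cmd)                                # dawn: connect aux plant
    plain_replay = plain.receive(night_cmd)               # attacker replays night frame

    auth = AuthenticatedSlave(key)
    night_msg = wrap_authenticated(key, 41, night_cmd)    # sniffed the night before
    auth.receive(night_msg)
    day_msg = wrap_authenticated(key, 42, day_cmd)
    auth.receive(day_msg)
    auth_replay = auth.receive(night_msg)                 # seq 41 <= 42: rejected
    # Flip ON->OFF inside the signed day message (value = message bytes 14..16).
    tampered = day_msg[:14] + b"\x00\x00" + day_msg[16:]
    auth_tamper = auth.receive(tampered)                  # MAC mismatch: rejected
    return {"plain_accepts_replay": plain_replay, "plain_breaker_on": plain.coils[1],
            "auth_accepts_replay": auth_replay, "auth_accepts_tampered": auth_tamper,
            "auth_breaker_on": auth.coils[1]}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

Two points a practitioner should take from this. First, the protocol itself is untouched: the Modbus frame rides inside the wrapper, which is why this kind of retrofit needs a device that can be given new firmware and a key, which is the upgradeable PLC the paragraph above describes. Second, the MAC alone is not enough; without the monotonically increasing sequence number the attacker’s captured night-time message would still verify, so a replay defence needs state on the slave that survives a reboot, a per-master counter, and a key that is provisioned and rotated out of band.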
Indeed it is this lack of financial incentive to increase security (or possibly the
lack of penalties for non-compliance) that is exposing the power generation industry
to an even greater threat.
Poor regulation and disaster scenarios.
The North American Electric Reliability Corporation (NERC) is a self-
regulatory organization, subject to oversight by the U.S. Federal Energy Regulatory
Commission and governmental authorities in Canada. NERC reliability standards
define the reliability requirements for planning and operating the North American
bulk power system. According to the NERC website
all bulk power system owners, operators, and users must comply with
approved NERC reliability standards. These entities are required to register
with NERC through the appropriate regional entity (NERC).
NERC standards CIP-002 to CIP-009 “provide a cyber security framework for the
identification and protection of Critical Cyber Assets to support reliable operation of
the Bulk Electric System” (NERC, 2006). Specifically, NERC standard CIP-002 R1.2.4
identifies “blackstart” power stations as Critical Assets subject to the NERC cyber
security standards. Blackstart power stations are those equipped with an independent
source, such as a diesel generator, that allows them to restart the main generator in
case of total grid power loss. Not all power stations are equipped with blackstart
capability, but those that are must comply with more stringent cyber security
regulations defined by NERC, as they are the assets that can restore power to the grid
without requiring external power sources.
Incredibly, NERC’s regulation is making the North American grid less secure!
The problem appears to be that NERC did not think through the obvious
consequences of imposing regulation with poor oversight. According to Joseph
Weiss, who testified in front of the House Committee on Homeland Security on
October 17, 2007, “NERC’s attitude toward cybersecurity [is] alarming at best and
negligent at worst” (Controlglobal.com, 2007). Blogging for Controlglobal.com he
states that
Some generation managers considered NERC CIP compliance a “game” to
remove assets from CIP-002 without realizing they were shooting themselves
in the foot by not addressing the reliability threat. Specifically, at a meeting of
plant managers, one manager of a very large coal-fired power plant was
charged to ensure his plant was not considered a critical cyber asset. Another
plant manager whose plant had black start capability and therefore deemed a
critical cyber asset by CIP-002 considered it cost-effective to remove its black
start capability. In both cases, the plant managers didn’t consider the potential
cyber threat to reliability (Weiss, 2008).
Removing blackstart capabilities makes the grid more vulnerable to accidents
or deliberate attacks. One extreme scenario is a diesel crisis. If the attack described
above were carried out in sequence against many power grid operators, and these did
not have blackstart capabilities, and the ensuing blackouts lasted long enough, the
backup diesel generators providing for emergency services would start running out
of diesel. This would have to be trucked in from diesel depots. But the diesel depots
would be unable to pump diesel because of the blackout. It is possible to conceive of
an extreme scenario where trucks would stop running, diesel would not reach
generators and the grid would not be able to restart.
All of this because power plant operators chose not to invest in cybersecurity!
What can be done to secure critical infrastructure.
Ironically, the deficiencies in IT security that plague the critical infrastructure
industry have mostly been addressed in other industries. The lessons learned by e-
Commerce retailers, for example, can be applied in all IT environments.
In 2006 NERC’s Control Systems Security Working Group highlighted 10
critical infrastructure IT and communications vulnerabilities and suggested easily
implementable solutions to mitigate them (NERC, 2006). Highly criticized as
NERC’s policing capabilities may be, the recommendations are certainly worth
implementing. They include among others:
• Implementing strong IT security policies. This requires significant
investment in personnel hiring and retraining, but perhaps more
importantly requires plant management to become aware of the cost
effectiveness of this expenditure.
• Carrying out security audits to check for default password settings,
manufacturer service backdoors, etc.
• Ensuring that all software has the most recent security patches.
• Revisiting the control network infrastructure with access security in
mind (physical and virtual) to look for vulnerabilities.
• Redesigning the network using modern safeguarding technologies
where possible, such as authentication and encryption.
• Replacing any RTUs or PLCs that have hardwired, non-upgradeable
software with equivalent systems where access security can be
implemented and changed remotely.
The US Department of Energy is not leaving all the work of policy suggestion
to NERC. On its own website, one can find a series of recommendations on
how to secure SCADA networks (US Department of Energy, 2004). These are
also compiled by the United States Computer Emergency Readiness Team (US-
CERT). Of particular interest is a document titled “21 Steps to Improve Cyber
Security of SCADA Networks”.
In addition to the NERC recommendations US-CERT and the DoE also seem
to hammer the final nail in the coffin of “security through obscurity” by advising
operators to avoid reliance on proprietary protocols and take advantage of standard
software security tools that can be periodically updated and upgraded. US-CERT
also recommends the use of Red Teams and penetration tests to look for weaknesses
such as missed backdoors and unauthorized links between production networks and
corporate/sales networks, as well as the accessibility (virtual and physical) of remote
sites.
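As an added illustration, not taken from NERC, US-CERT or the paper, of what isolating the production network from the corporate network looks like at the boundary firewall, the following nftables ruleset admits Modbus/TCP (port 502) into the PLC subnet only from the named SCADA servers, lets the control servers push data to a historian, and logs and drops everything else, including any connection from the corporate network towards the control or field subnets, which is exactly the “unauthorized link” a red team is sent to find. All addresses, the set membership and the historian port are assumptions made for the example.

```nftables
# Control-network boundary firewall (illustrative; every address is an assumption)
# 10.10.1.0/24  control servers (SCADA/HMI)    10.10.20.0/24  PLC/RTU subnet
# 10.0.0.0/16   corporate network              10.10.5.10     historian in a DMZ
table inet control_boundary {
    set scada_masters {
        type ipv4_addr
        elements = { 10.10.1.10, 10.10.1.11 }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # Only the SCADA servers may open Modbus/TCP sessions to field devices.
        ip saddr @scada_masters ip daddr 10.10.20.0/24 tcp dport 502 ct state new accept

        # Control servers may push to the historian (port assumed); nothing
        # initiates connections in the other direction.
        ip saddr 10.10.1.0/24 ip daddr 10.10.5.10 tcp dport 5432 ct state new accept

        # Corporate-to-control traffic is the unauthorized link: log it, then drop.
        ip saddr 10.0.0.0/16 ip daddr { 10.10.1.0/24, 10.10.20.0/24 } \
            log prefix "corp-to-control " drop

        # Everything else falls through to the chain's drop policy.
    }
}
```

The log prefix is the point a defender should keep: a corporate host attempting port 502 into the PLC subnet is not just blocked, it is evidence that the corporate side has been compromised or that someone has plugged in a link that should not exist, and it belongs in the same monitoring pipeline as the SCADA traffic itself.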
Outside the US, SCADA security is also a hotly debated issue.
In the UK the Centre for the Protection of National Infrastructure (CPNI) has
also released a long series of recommendations and standards to be adopted by any
operator of SCADA networks. CPNI issues guidance documents on the following
under the heading Process Control and SCADA Security Guides:
• Understanding the business risk
• Implementing secure architectures
• Firewall deployment
• Establishment of response capabilities
• Improving skills
• Managing third party risk
• Establishment of ongoing governance (UK CPNI).
The section on business risk goes into some detail in explaining the
relationship between specific IT threats (worms, Trojans, backdoors, etc.) and
specific business threats (to the supply chain, the sales network and ultimately to the
plant operations).
One of the problems that is not being clearly addressed by operators of plants
that use vulnerable SCADA systems is the business impact that extends beyond that
of the failure of the plant itself. This is a problem touched on once again by
Anderson and Fuloria who write about the impact of correlated failures (Ross
Anderson, 2009). An example of a correlated failure business cost is that of a
vulnerability discovered in a PLC. The cost of failure is defined as that incurred by
the manufacturer of the PLC that has to recall or field service all the PLCs that it has
sold and are deployed. It does not include however, the costs associated with that
failure that are incurred by the user of the PLC. If a power plant is attacked through
an exploit that is based on the PLC failure, the correlated costs of that failure are
much higher as they would include the costs of potentially having to shut down the
plant. They grow exponentially if the consequences of a plant shutdown are then
taken into consideration: consider the business costs of a regional or national
blackout. It is important to note that these costs occur independently of
responsibility. Agreements to terms of use limit liability against the original source
of the failure, as they are passed along the supply chain, but costs are incurred
anyway. And the correlated failure costs of an attack on a SCADA network are
potentially far greater than those incurred by an attack against an e-Commerce site
for instance.
This is where the biggest area of weakness still exists. To date no country has
successfully enacted legislation that forces owners of critical infrastructure to abide
by comprehensive cybersecurity standards. Where this legislation has been partially
enacted, too many loopholes exist that allow owners of the infrastructure to avoid
implementing the required standards.
Conclusions.
So far we have been relatively lucky. Terrorists have not been particularly
smart. Even the 9/11 attacks were low tech. But two worrying thoughts emerge
from this analysis: there is no reason a terrorist group could not have the knowledge
necessary to carry out some of the attacks described in this paper. And far more
worryingly it is absolutely certain that nation states have this capability. In the
current conflicts in Central Asia and terrorist attacks around the world we have been
caught unprepared by the evolution towards what we now know as Fourth
Generation Warfare, where there is no clear division between forces in a battlespace
(indeed we have had to coin the new term “battlespace” for the 4GW context) and
war is conducted “asymmetrically”. It is time we prepared for the next
generation of warfighting (Fifth Generation Warfare?) that will move away from
physical landscapes altogether and will be fought within the very unsecured and
unbounded “confines” of the digital world.
In World War Two allied bombers attacked German power plants with very
expensive raids that had very variable effects. Today it is far more cost effective to
attack the same targets using a keyboard.
---ooo---
Works Cited
ABB. (1997). REC 501 RP 570 Protocol Description. Retrieved 20 June 2010, from ABB: http://library.abb.com/GLOBAL/SCOT/scot229.NSF/VerityDisplay/9A5C1896695487E6C2256A7200361578/$File/REC501RP570_EN_A.pdf
Brian Cashell, W. D. (April 2004). The Economic Impact of Cyber-Attacks. CRS, Congressional Research Service, The Library of Congress.
Clarke, R. A. (2010). Cyber War: The next threat to National Security and what you can do about it. New York: Harper Collins.
Controlglobal.com. (2007, 6 November). Control’s Joe Weiss Testifies before Congress. Retrieved 20 June 2010, from Controlglobal.com: http://www.controlglobal.com/articles/2007/375.html
Florida Solar Energy Center. (2002, January). Research Highlights From A Large Scale Residential Monitoring Study In A Hot Climate. Retrieved 20 June 2010, from http://www.fsec.ucf.edu/en/publications/html/FSEC-PF-369-02/index.htm
Hentea, M. (2008). Improving Security for SCADA Control Systems. Interdisciplinary Journal of Information, Knowledge, and Management, 3, 77.
IBM X-Force. (2006). IBM X-Force. Retrieved 20 June 2010, from http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf
IEC. (2006, June). International Standard IEC 60870-5-104. Retrieved 20 June 2010, from IEC Webstore: http://webstore.iec.ch/preview/info_iec60870-5-104%7Bed2.0%7Den_d.pdf
Internet Crime Complaint Center. (2009). 2009 Internet Crime Report. Department of Justice.
NERC. (2006, 2 May). Standard CIP–002–1 — Cyber Security — Critical Cyber Asset Identification. Retrieved 20 June 2010, from http://www.nerc.com/files/CIP-002-1.pdf
NERC. (n.d.). About NERC Standards. Retrieved 20 June 2010, from The North American Electric Reliability Corporation: http://www.nerc.com/
NERC. (2006). Top 10 vulnerabilities of control systems and their associated mitigations. Department of Energy. Princeton, NJ: NERC.
Riptech. (2001). Understanding SCADA System Security Vulnerabilities. Retrieved 20 June 2010, from IWS - The Information Warfare Site: http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf
Ross Anderson, S. F. (2009). Security Economics and Critical National Infrastructure. The Eighth Workshop on the Economics of Information Security (WEIS 2009).
Udassin, E. (2008). Generic Electric Grid Malware Design. Retrieved 20 June 2010, from C4: http://www.c4-security.com/index-5.html
UK CPNI. (n.d.). SCADA. Retrieved 20 June 2010, from UK CPNI: http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx
US Department of Energy. (2004). 21 steps to improve cybersecurity of SCADA networks. Retrieved 20 June 2010, from US DoE Office of Electricity Delivery and Energy Reliability: http://www.oe.energy.gov/DocumentsandMedia/21_Steps_-_SCADA.pdf
US-CERT. (n.d.). Control Systems Security Program (CSSP) Standards & References. Retrieved 20 June 2010, from US-CERT: http://www.us-cert.gov/control_systems/csstandards.html
Weiss, J. (2008, 9 May). Electric Power 2008– is NERC CIP compliance a game? Retrieved 20 June 2010, from Controlglobal.com: http://community.controlglobal.com/content/electric-power-2008–-nerc-cip-compliance-game