SCADA Insecurity: the most worrying cyber attack

Date post: 21-Jan-2023

SCADA Insecurity: the most worrying cyber attack. Marco Capriz (AMU 3102460)  

Page  1  of  22  

SCADA insecurity:

The most worrying cyber attack.

Marco Capriz

AMU 3102460


“As a young boy, I was taught in high school that hacking was cool.”
Kevin Mitnick, one of the most famous hackers of all time.

“Further, the next generation of terrorists will grow up in a digital world, with ever more powerful and easy-to-use hacking tools at their disposal.”
Dorothy Denning, Distinguished Professor, Department of Defense Analysis, Naval Postgraduate School.

“If you spend more on coffee than on IT security, then you will be hacked. What’s more, you deserve to be hacked.”
Richard A. Clarke, former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism.

Abstract.

Kevin Mitnick carried out his first recorded computer crime at the age of 16, when in 1979 he hacked into Digital Equipment Corporation’s network to steal software. He went on to make the FBI’s “Most Wanted” list between 1989 and 1995. Although Mitnick’s main motivation for cyber crime was monetary gain, he delighted in being ahead of the authorities that were chasing him. For him cybercrime was a game.

The situation has changed dramatically in the 15 years since Mitnick was eventually apprehended. As software and networking tools become more sophisticated, they also become more complex and more vulnerable to attacks that are themselves becoming more complex.

Cybercrime has become a very lucrative enterprise. Because of this, the focus of interdiction agencies and software developers around the world has been to prevent, manage and prosecute attacks directed against enterprises that monetize their digital capabilities. Usually these enterprises have reasonably high levels of security that are bypassed by very sophisticated attackers.


However, there are greater dangers lurking in the virtual world of the Internet. Dorothy Denning identifies cyber-terrorism as the next major strategic threat. The United States has taken this strategic threat seriously enough to create Cyber Command, a new division of the Department of Defense, set up to safeguard the nation’s military critical information systems.

However, with most of the counterattack efforts being directed at protecting people and enterprises against commercial losses, and at protecting military infrastructure, less attention has been paid to a very critical area that is even today extremely vulnerable to cyber attacks which, if successful, could be far more damaging, not only in terms of economic losses but also in terms of physical losses to lives and property. This is the area of Critical National Infrastructure and specifically a country’s utility infrastructure.

This paper will address the problems stemming from an industry that is completely reliant upon a very outdated and extremely vulnerable IT infrastructure. It will look at the way this infrastructure can be penetrated for malicious purposes and present a possible terrorist attack scenario that exploits poor, or indeed non-existent, security measures. It will also examine possible strategies (technical and legislative) that have been proposed to mitigate this threat.

Distributed and targeted attacks.

The most common cyber crimes are Distributed Denial of Service (DDoS) attacks. These are initiated when a large number of pre-infected computers (BOTs) send a synchronized set of requests to a specific target IP address or group of addresses in such a way as to overwhelm the servers at the receiving end of the requests and put them out of service for the duration of the attack. A DDoS attack can cause significant loss of earnings for an e-Commerce enterprise. It can also significantly impair systems beyond those directly attacked, as the massive amount of traffic generated by the BOTNet (the collective name of all the infected BOTs) slows down or indeed halts traffic on major Internet nodes throughout the world.


The economic damage done by a DDoS attack also extends beyond the attacked enterprise’s loss of revenue during the attack period. According to a 2004 CRS report to Congress (Brian Cashell, April 2004), the stock value loss following a known digital attack against a listed company can be as high as 15% of its market value.

As disruptive as these attacks are, they seldom last long or have long-lasting consequences. Software companies respond quickly to the problem by identifying the signatures of the attack and releasing the appropriate countermeasures.

More insidious than DDoS attacks are targeted attacks based around social engineering, phishing and identity theft. Whereas DDoS attacks are sometimes initiated by criminals to blackmail e-Commerce site operators, most are still initiated for the purpose of generic electronic vandalism. Electronic fraud, however, is targeted.

According to the Department of Justice, in 2009 the economic losses owing to computer crimes in the US alone were close to $600M (Internet Crime Complaint Center, 2009). These losses primarily resulted from identity theft and credit card fraud. The CRS report mentioned earlier refers to a study carried out by the British company Mi2g that expected a worldwide loss of $250B through cyber crime. The figure is based on a 2004 study and was considered to be on the low side at the time. Given the distributed nature of the attacks, it is difficult to estimate the current economic damage caused by cyber attacks, but estimates that exceed $1,000B may not be an overstatement.

As high as that figure may be, its impact is not significant on a national level: again because of the distributed nature of the losses, the overall economic health of a country has not yet been affected. This is why an attack directed against a utility could have very different consequences. The economic damage that might ensue could have a cascading effect that might lead to an exponential increase in damage, in economic and physical terms. It is becoming alarmingly clear that one of the biggest and so far underreported threats to the economic and strategic security of a nation is an attack conducted against a power grid.

Unlike DDoS attacks, which are carried out against data, attacks against utility providers are directed specifically towards the control systems that govern the operation of the utility. Control system attacks are different from distributed attacks. Whereas BOTs can still be used to disguise the original source of the attack, the attacker does not need to infect a large number of machines to achieve his desired effect. All a cyber terrorist needs to do is to understand how a utility system control network works and modify, to destructive intent, the legitimate instructions that are sent to the control systems that manage critical aspects of a power plant, potentially causing the plant to shut down. This is not an unrealistic scenario. Richard Clarke, the former National Coordinator for Security, Infrastructure Protection, and Counter-terrorism, writes:

Digital control systems monitor activity and send commands to engines, valves, switches, robotic arms, lights, cameras, doors, elevators, trains and aircraft (…) often without a human in the loop. (Clarke, 2010)

This level of automation requires that processes that previously would be monitored and controlled on site are now managed over a telecommunications network. The systems that monitor and control processes remotely are known as Supervisory Control And Data Acquisition (SCADA) systems.

SCADA overview.

A SCADA system comprises Programmable Logic Controllers (PLCs), which convert digital signals into electromechanical actions, connected over a network to a SCADA control center. The diagram below is a simple schematic of a small SCADA system.


Figure 1: SCADA system.

In the diagram above, PLC1 controls the flow by acting on the pump and PLC2 controls the level of the tank by acting on the valve. Both PLCs are remotely connected to a SCADA control center over a network.

SCADA PLCs, or Remote Terminal Units (RTUs) as they are also known, respond to a number of industry-specific interface protocols that are generally manufacturer-specific, such as Modbus RTU, RP-570, Profibus and Conitel. The communications protocols used between the PLCs and the SCADA center are standards such as IEC 60870-5-101 or 104, IEC 61850 and DNP3.

The Modbus interface was published in 1979. Profibus is more recent, having been first released in 1989; Conitel and RP-570 are early 90s interfaces.

None of these interfaces include security protocols. Indeed the instruction sets are very limited. Below is the complete list of instructions that can be sent to an RP-570 PLC (ABB, 1997):


Figure 2: RP-570 Instruction Set.

As can be seen, not a single command has anything to do with security or user verification. Just as worryingly, none of the communications protocols include security provisions. In the IEC 60870 standard description there is a note that states:

Security mechanisms are outside of the scope of this standard (IEC, 2006).
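The absence of any security provision is visible in the wire format itself. The following Python parser for a Modbus/TCP request is an added example, not code from the paper or from any PLC vendor: it decodes the MBAP header and the start of the protocol data unit, classifies the request as a read or a write, and rejects malformed frames. The sample frames are constructed for the example. What the layout shows is that a frame carries a transaction counter, a unit address and a function code, and nothing that identifies or authenticates whoever sent it.

```python
import struct
from dataclasses import dataclass

# Modbus function codes, split by whether they change field-device state.
READ_FUNCTIONS = {1: "Read Coils", 2: "Read Discrete Inputs",
                  3: "Read Holding Registers", 4: "Read Input Registers"}
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers"}


@dataclass
class ModbusRequest:
    transaction_id: int   # correlates request and response; not a security field
    unit_id: int          # the PLC/RTU addressed
    function_code: int
    address: int          # first coil/register touched
    value_or_count: int   # written value (FC 5/6) or quantity (FC 1-4, 15, 16)
    is_write: bool


def parse_modbus_tcp(frame: bytes) -> ModbusRequest:
    """Decode a Modbus/TCP request ADU: a 7-byte MBAP header followed by the PDU.

    MBAP = transaction id (2) | protocol id (2, always 0) | length (2) | unit id (1)
    PDU  = function code (1) | address (2) | value or quantity (2) | ...
    No field in either part names or authenticates the sender: whoever can deliver
    a well-formed frame to the PLC can issue the command.
    """
    if len(frame) < 12:
        raise ValueError("frame too short for MBAP header plus a minimal PDU")
    transaction_id, protocol_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if protocol_id != 0:
        raise ValueError(f"unexpected protocol identifier {protocol_id}")
    if length != len(frame) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length field does not match frame size")
    function_code = frame[7]
    if function_code not in READ_FUNCTIONS and function_code not in WRITE_FUNCTIONS:
        raise ValueError(f"unsupported or exception function code {function_code}")
    address, value_or_count = struct.unpack(">HH", frame[8:12])
    return ModbusRequest(transaction_id, unit_id, function_code, address,
                         value_or_count, function_code in WRITE_FUNCTIONS)


def is_well_formed(frame: bytes) -> bool:
    """True when the frame parses; malformed frames are reported, not guessed at."""
    try:
        parse_modbus_tcp(frame)
        return True
    except ValueError:
        return False


def describe(frame: bytes) -> str:
    """One-line summary of a request, as a network monitor would log it."""
    r = parse_modbus_tcp(frame)
    name = {**READ_FUNCTIONS, **WRITE_FUNCTIONS}[r.function_code]
    kind = "WRITE" if r.is_write else "READ"
    return (f"{kind} unit={r.unit_id} fc={r.function_code} ({name}) "
            f"addr={r.address} value/count={r.value_or_count}")


# Constructed sample frames (not captured from any real system).
READ_HOLDING = bytes.fromhex("0001 0000 0006 01 03 0000 000a".replace(" ", ""))
WRITE_COIL   = bytes.fromhex("0002 0000 0006 02 05 0011 ff00".replace(" ", ""))
BAD_LENGTH   = bytes.fromhex("0003 0000 0009 02 05 0011 ff00".replace(" ", ""))

if __name__ == "__main__":
    for frame in (READ_HOLDING, WRITE_COIL):
        print(describe(frame))
    print("BAD_LENGTH well-formed:", is_well_formed(BAD_LENGTH))
```

A passive monitor built on this parser can at least tell operators which hosts are issuing write commands to which units; it cannot tell a legitimate write from a forged one, because the protocol gives it nothing to check.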

The lack of security protocols is not surprising. Most SCADA systems in operation are very old. Most have hard-wired code that is not remotely upgradeable. Unfortunately the distributed nature of process control systems, particularly in a distributed environment such as a power grid, makes it very expensive to consider upgrading or modernizing SCADA systems. In a paper written for The Eighth Workshop on the Economics of Information Security, held in London in June 2009, Ross Anderson and Shailendra Fuloria observe (Ross Anderson, 2009):

Industrial control systems have both lock-in and complex supply chains. A utility that builds a plant such as a power station or oil refinery is typically locked into the control system vendor for at least 25 years; the vendor for its part typically supplies the software for the central control function, plus the systems integration, while purchasing a wide range of equipment (cabling, sensors, actuators and indeed whole subsystems) from other vendors.

First, the lock-in here has nothing to do with network effects; it is physical. The real assets of the North American energy sector are worth over a trillion dollars; control systems at major sites amount for $3–4 billion, while remote field devices add a further $1.5–2.5bn.

Absent a catastrophic attack, this investment will be replaced only when it is fully depreciated.

In the same paper the authors comment on the vulnerability of SCADA systems thus (Ross Anderson, 2009):

In the late 1990s, some writers started to point out the vulnerability of industrial control systems to online sabotage. Utility control systems have traditionally been designed for dependability and ease of safe use. They used completely private networks and thus their designers gave no thought to authentication or encryption. These networks were typically organized with a star topology, with many sensors and actuators connected to a control centre. Common protocols such as DNP and Modbus enable anyone who can communicate with a sensor to read it, while anyone who can send data to an actuator can give it instructions. But private networks are expensive, and the prospect of orders-of-magnitude cost reductions led engineers to connect control systems to the Internet. The result was that many industrial control systems became insecure without their owners realizing this.

One of the more baffling responses to the criticism that SCADA systems lack security is the observation made by some in the industry that SCADA systems provide “security through obscurity” by leveraging the very proprietary nature of the protocols used. This is a fallacious argument. A determined attacker, such as a cyber terrorist, may well have the resources to invest in lifting the veil of obscurity. Indeed this is a worry discussed in a paper published by Riptech on the Information Warfare website. On the issue the authors remark (Riptech, 2001):


The above misconception assumes that all attackers of a SCADA system lack the ability to access information about their design and implementation. These assumptions are inappropriate given the changing nature of utility system vulnerabilities in an interconnected environment. [Because] utility companies represent a key component of one of the nation’s critical infrastructures, these companies are likely targets of coordinated attacks by “cyber-terrorists”, as opposed to disorganized “hackers.” Such attackers are highly motivated, well funded, and may very well have “insider” knowledge. Further, a well-equipped group of adversaries focused on the goal of utility operations disruption is certain to use all available means to gain a detailed understanding of SCADA systems and their potential vulnerabilities.

Given the vulnerability of SCADA systems, it is worth looking in more detail at how they introduce vulnerabilities into the processes that they control and at what the consequences of these vulnerabilities may be.

SCADA vulnerabilities.

The Israeli company C4 is a security consulting company specializing in penetration tests to discover system vulnerabilities. C4 has proposed an interesting scenario to show that supposedly secure utility providers hiding under the illusion of “security through obscurity” are anything but secure.

In a presentation to be found on their website, C4 shows that a determined group of attackers, with either inside knowledge of a power grid’s layout or the time and engineering skills to learn how it is controlled by hacking into the SCADA center, can hijack the SCADA network and feed PLCs with instructions that would potentially cause a shutdown of the power grid. C4’s hypothesis is that a knowledgeable group of attackers will be able to gain access to the Human Machine Interface (HMI) and monitor packets transmitted between it and the PLCs.

The standard operator objection is that “security through obscurity” works because, even if an attacker monitored the network traffic on which the HMI server is located, he would not be able to understand which instructions are being sent to which physical location, armed only with a hexadecimal or IP address of that location. However, this again is a specious argument. The greatest weakness in a typical SCADA system is that this sort of information is, unfortunately, easily obtainable. The Riptech paper quoted earlier observes (Riptech, 2001):

Often, too much information about a utility company corporate network is easily available through routine public queries. This information can be used to initiate a more focused attack against the network. Examples of this vulnerability are […] [w]ebsites [that] often provide data useful to network intruders about company structure, employee names, e-mail addresses, and even corporate network system names [and] Domain Name Service (DNS) servers permit “zone transfers” providing IP addresses, server names, and e-mail information.

Eyal Udassin of C4 further observes that (Udassin, 2008)

Although without a mapping of the addresses & datapoints to physical locations and controlled devices, it is very difficult to generate malicious packets, such a map can usually be found on the operators’ workstations and the SCADA server as a tag database. Each tag is a user-friendly name given to an address/datapoint.

The weaknesses exposed by C4 and Riptech indicate that a SCADA system can be attacked through poor security practices that do not isolate the corporate network from the production network. By hacking into the corporate network in this case, it is possible to gather the required information on the production network in order to mount an attack on the SCADA system.

IBM’s X-Force is the security consulting arm of IBM. They have also studied vulnerabilities in SCADA networks. X-Force carries out penetration tests on client networks and, according to them, the simplest tests usually yield the most results. In a presentation on SCADA Security and Terrorism, X-Force personnel state that in many penetration test cases they were able to (IBM X-Force, 2006):

• Guess simple passwords
• Access systems through SQL injections
• Port scan for available open ports
• Access SNMP MIBs
• Carry out anonymous FTP, SMB and Telnet sessions with no password query
• Exploit known vulnerabilities in unpatched systems
• Deploy backdoors and Trojans

Confirming the weaknesses outlined by C4 and Riptech above, X-Force personnel claim to have demonstrated to a client, while doing a presentation (!), their capability to access the production network by leveraging poor security that allowed them to enter the company’s corporate network through an open WiFi access point (IBM X-Force, 2006).

Figure 3: IBM X-Force’s customer demonstration results.

Given that it is potentially quite easy to hack into a SCADA system, what might be the potential damage that could be inflicted on an operator dependent on such systems? Given the critical nature of the service they provide, it is worth looking at the consequences of a targeted attack against a power grid operator.

Attacking the grid.

The technology of electric power distribution has not changed much in decades. As Anderson and Fuloria observe above, systems will not be replaced until they are depreciated. SCADA systems can have depreciation periods that range from 5 to 25 years. It is likely that at any one time a SCADA system at a power plant might be 10-15 years old, use Modbus communications over a dial-up line and have an HMI based on an unpatched old version of Windows. As Riptech, X-Force and C4 have observed, it is likely that the operators have maps hanging in various rooms at the power plant openly displaying the physical locations of PLCs with their digital identifiers (phone numbers, MAC addresses, IP addresses). Social engineering might lead to a much more detailed understanding of the plant’s operation. An attacker would then have a reasonable understanding of how to initiate an attack.

A power plant distributes electricity through a tree-like structure of power lines that branch at substations along the way.

Figure 4: power plant distribution.


At each substation there are switches, controlled by PLCs or RTUs, which regulate the flow of electricity at that point.

Figure 5: Switching diagram on HMI client.

An attacker who could gain control of the switches could cause a lot of damage by opening all of them suddenly, causing a power station lock-up. Sudden unexpected load drops cause big problems in power stations. A 600MW power station needs to generate 10 tons of steam at 700°C per second. Whereas interlocking and power management ensure that the production load is balanced with the distribution, this is entirely dependent on the SCADA system working the substation switches correctly. The gap between production capacity and consumption in a power station is small: about 1%. Anything in excess of that will cause the power station to initiate a shutdown. A huge imbalance will be problematic. Explosive steam shut-off valves will take off some of the load, but the furnace needs to be stopped, as does the conveyor belt carrying the coal to the furnace (in the case of a nuclear power station the shutdown process is faster, as control rods can be quickly lowered, terminating the nuclear reaction – but few of these are online these days following the no-nuclear policies of the last decades).


Arguing the lack of IT security in power stations, Eyal Udassin hypothesizes the following scenario: a skilled group of attackers penetrates the production network (in ways similar to those exposed by the X-Force team described above) and over a period of time monitors SCADA commands to become familiar with the geographical location of the PLCs and RTUs, their logical addresses, and the command sequences that are sent to them to manage the flux of power distribution between day and night usage. In most countries there is a significant variation between daytime and nighttime use of power.

Figure 6: Variations between daytime and nighttime residential power use in Florida (Florida Solar Energy Center, 2002).

Udassin suggests (Udassin, 2008) that a possible attack strategy would be to understand the sequence of PLC commands that regulates the power release flux, then reverse them. In detail, an attacker might do the following:

Stage 1: Preparation mode:
• Install malware on the SCADA communications server (this might be accessible and poorly protected, as X-Force have shown)

Stage 2: Learning mode:
• Sniff traffic to and from the field (easy to distinguish if protocols are known; addresses and locations are acquired)
• Create request/response PLC instruction pairs with a timestamp for day & night classification.

Stage 3: Active mode:
• When enough packet data is collected, wait for the next critical time-of-day transition (dawn, nightfall)
• Drop all messages being sent from the SCADA server to the PLCs
• Replace them with the commands of the opposite timeframe to the field.

If this attack sequence is carried out in the morning, when demand for power increases, the opposite commands will be sent to the PLCs that regulate the increase or decrease of production. According to Udassin’s attack plan, as electricity demand constantly rises the field devices will receive night-time commands – e.g. “disconnect aux. power plant from the grid”, “lower power output from main power plant”, etc. Operators will then try to connect more power plants, without success, as the commands are ignored. This will generate network instability, as supply will not meet demand, potentially causing blackouts.

If the attack is also timed to coincide with a backup power station being taken offline for maintenance, the consequences could be more severe.

The weakness exploited in Udassin’s scenario depends on the fact that the communication between the SCADA controller and the PLCs does not allow for message authentication. This is partly because the protocols themselves do not include this capability.
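Udassin’s scenario is detectable precisely because the injected commands are legitimate ones delivered at the wrong time of day. The following Python detector is an added example, not from the paper or from C4: from a constructed history of write commands it learns which (unit, register, value) writes belong to the day window and which to the night window, then flags live writes that come from a host other than the assumed SCADA server (10.0.1.10) or that match only the opposite window’s baseline. The addresses, register numbers, values and the 07:00-18:59 day window are all assumptions.

```python
from collections import defaultdict
from datetime import datetime

# Assumed: the SCADA server is the only host allowed to write to field devices.
AUTHORISED_WRITERS = {"10.0.1.10"}

# Assumed day window (07:00-18:59); everything else counts as night.
DAY_HOURS = range(7, 19)


def window_of(timestamp: str) -> str:
    """Classify a 'YYYY-MM-DD HH:MM' timestamp as a day or night command window."""
    hour = datetime.strptime(timestamp, "%Y-%m-%d %H:%M").hour
    return "day" if hour in DAY_HOURS else "night"


def build_baseline(history):
    """Map each (unit, register, value) write to the set of windows it was seen in."""
    baseline = defaultdict(set)
    for timestamp, _source, unit, register, value in history:
        baseline[(unit, register, value)].add(window_of(timestamp))
    return baseline


def detect(events, baseline, authorised=AUTHORISED_WRITERS):
    """Return (timestamp, unit, register, value, reason) for every suspicious write."""
    alerts = []
    for timestamp, source, unit, register, value in events:
        reasons = []
        if source not in authorised:
            reasons.append(f"write from unauthorised source {source}")
        window = window_of(timestamp)
        seen_in = baseline.get((unit, register, value))
        if seen_in is None:
            reasons.append("value never written to this register in the baseline")
        elif window not in seen_in:
            reasons.append(f"{window} command matches only the "
                           f"{'/'.join(sorted(seen_in))} baseline")
        if reasons:
            alerts.append((timestamp, unit, register, value, "; ".join(reasons)))
    return alerts


# Constructed history of legitimate writes: (timestamp, source, unit, register, value).
# Register 40001 on unit 7 connects (1) or disconnects (0) the auxiliary plant;
# register 40010 on unit 3 is the main plant output setpoint. Both are invented.
HISTORY = [
    ("2010-03-01 07:05", "10.0.1.10", 7, 40001, 1),
    ("2010-03-01 07:06", "10.0.1.10", 3, 40010, 850),
    ("2010-03-01 19:02", "10.0.1.10", 7, 40001, 0),
    ("2010-03-01 19:03", "10.0.1.10", 3, 40010, 400),
    ("2010-03-02 07:04", "10.0.1.10", 7, 40001, 1),
    ("2010-03-02 07:05", "10.0.1.10", 3, 40010, 850),
    ("2010-03-02 19:01", "10.0.1.10", 7, 40001, 0),
    ("2010-03-02 19:02", "10.0.1.10", 3, 40010, 400),
]

# Constructed live traffic at dawn on the third day.
LIVE = [
    ("2010-03-03 07:03", "10.0.1.10", 7, 40001, 1),    # normal dawn connect: no alert
    ("2010-03-03 07:04", "10.0.1.10", 3, 40010, 400),  # night setpoint sent at dawn
    ("2010-03-03 07:04", "10.0.1.10", 7, 40001, 0),    # night disconnect sent at dawn
    ("2010-03-03 07:05", "10.0.5.77", 3, 40010, 850),  # correct value, wrong sender
]


def run() -> list:
    """Evaluate the constructed live traffic against the learned baseline."""
    return detect(LIVE, build_baseline(HISTORY))


if __name__ == "__main__":
    for alert in run():
        print(alert)
```

A monitor like this sits on a passive tap of the control network: it raises the alarm the scenario otherwise lacks, but it does not stop the commands, and legitimate off-schedule operator actions have to be accounted for to keep it from crying wolf. The preventive control is message authentication on the controller-to-PLC link.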

However, investment in technology that has not yet reached its accounting write-off period is not the only excuse for being lackadaisical about security. As Mariana Hentea observes:

SCADA systems are now adopting Web technology (ActiveX, Java, etc.) and OPC (as a means for communicating internally between the client and server modules). However, Web applications are an interesting target for cyber attacks that are increasingly automated. Web is the dominant development platform for software, but Web-based secure software is immature (Hentea, 2008).

Hentea further notes that SCADA systems now run on common software such as Windows and UNIX and use standard communications protocols such as TCP/IP. So the “security through obscurity” protection argument is getting increasingly weak.

New technology does allow plant managers to take advantage of better software security tools. But although operators can modernize a plant’s network to include security capabilities (by installing remotely upgradeable PLCs with better processing capabilities, for instance, and implementing strong security protocols), there is little financial incentive for them to do so.

Indeed it is this lack of financial incentive to increase security (or possibly the lack of penalties for non-compliance) that is exposing the power generation industry to an even greater threat.

Poor regulation and disaster scenarios.

The North American Electric Reliability Corporation (NERC) is a self-regulatory organization, subject to oversight by the U.S. Federal Energy Regulatory Commission and governmental authorities in Canada. NERC reliability standards define the reliability requirements for planning and operating the North American bulk power system. According to the NERC website,

all bulk power system owners, operators, and users must comply with approved NERC reliability standards. These entities are required to register with NERC through the appropriate regional entity (NERC).

NERC standards CIP 002 to 009 “provide a cyber security framework for the identification and protection of Critical Cyber Assets to support reliable operation of the Bulk Electric System” (NERC, 2006). Specifically, NERC standard 002/R1.2.4 identifies “blackstart” power stations as Critical National Infrastructure assets subject to conformance with the NERC cyber security standards. Blackstart power stations are those equipped with a diesel generator that allows them to restart the main generator in case of total grid power loss. Not all power stations are equipped with blackstart capabilities, but those that are have to comply with the more stringent cyber safety regulations defined by NERC, as they are assets that can restore power to the grid without requiring external power sources.

Incredibly, NERC’s regulation is making the North American grid less secure! The problem appears to be that NERC did not think through the obvious consequences of imposing regulation with poor oversight. According to Joseph Weiss, who testified in front of the House Committee on Homeland Security on October 17, 2007, “NERC’s attitude toward cybersecurity [is] alarming at best and negligent at worst” (Controlglobal.com, 2007). Blogging for Controlglobal.com he states that

Some generation managers considered NERC CIP compliance a “game” to remove assets from CIP-002 without realizing they were shooting themselves in the foot by not addressing the reliability threat. Specifically, at a meeting of plant managers, one manager of a very large coal-fired power plant was charged to ensure his plant was not considered a critical cyber asset. Another plant manager whose plant had black start capability and therefore deemed a critical cyber asset by CIP-002 considered it cost-effective to remove its black start capability. In both cases, the plant managers didn’t consider the potential cyber threat to reliability (Weiss, 2008).

Removing blackstart capabilities makes the grid more vulnerable to accidents or deliberate attacks. One extreme scenario is what might lead to a diesel crisis. If the attack described above were carried out in sequence against many power grid operators, and these did not have blackstart capabilities, and if the ensuing blackouts lasted long enough, the backup diesel generators providing for emergency services would start running out of diesel. This would have to be trucked in from diesel depots. But the diesel depots would be unable to pump diesel because of the blackout. It is possible to conceive of an extreme scenario where trucks would stop running, diesel would not reach generators and the grid would not be able to restart. All of this because power plant operators chose not to invest in cybersecurity!

What can be done to secure critical infrastructure.

Ironically, the deficiencies in IT security that plague the critical infrastructure industry have mostly been addressed in other industries. The lessons learned by e-Commerce retailers, for example, can be applied in all IT environments.

In 2006 NERC’s Control Systems Security Working Group highlighted 10 critical infrastructure IT and communications vulnerabilities and suggested easily implementable solutions to mitigate them (NERC, 2006). Highly criticized as NERC’s policing capabilities may be, the recommendations are certainly worth implementing. They include, among others:

• Implementing strong IT security policies. This requires significant investment in personnel hiring and retraining, but perhaps more importantly requires plant management to become aware of the cost effectiveness of this expenditure.
• Carrying out security audits to check for default password settings, manufacturer service backdoors, etc.
• Ensuring that all software has the most recent security patches.
• Revisiting the control network infrastructure with access security in mind (physical and virtual) to look for vulnerabilities.
• Redesigning the network using modern safeguarding technologies where possible, such as authentication and encryption.
• Replacing any RTUs or PLCs that have hardwired, non-upgradeable software with equivalent systems where access security can be implemented and changed remotely.
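The “authentication” item in this list, and the earlier observation that the controller-to-PLC link allows no message authentication, can be made concrete. The following Python sketch is an added example, not from the paper, NERC or any vendor: the sending side wraps a raw protocol command in an envelope carrying a sequence number and a truncated HMAC-SHA256 tag under a shared key, and the receiving side rejects both a modified copy and a replay of an earlier command. The key, the 16-byte tag length, the register numbers and the values are assumptions; the raw command bytes follow the Modbus write-single-register layout only as illustration.

```python
import hashlib
import hmac
import struct

# Assumed: a 256-bit key shared between the SCADA server and the PLC (or a
# gateway in front of it). The value here is constructed for the example.
SHARED_KEY = bytes.fromhex(
    "6f1c3a9e5b2d4c8f7a0e1d2c3b4a5968778695a4b3c2d1e0f1e2d3c4b5a69788")
TAG_LEN = 16  # bytes of HMAC-SHA256 kept as the authentication tag


def seal(key: bytes, seq: int, unit_id: int, command: bytes) -> bytes:
    """Sender side: wrap a raw command as seq (4) | unit id (1) | command | tag."""
    header = struct.pack(">IB", seq, unit_id)
    tag = hmac.new(key, header + command, hashlib.sha256).digest()[:TAG_LEN]
    return header + command + tag


class CommandVerifier:
    """Receiver side: accept only authentic commands with a strictly increasing seq."""

    def __init__(self, key: bytes):
        self.key = key
        self.last_seq = -1  # highest sequence number accepted so far

    def verify(self, envelope: bytes):
        if len(envelope) < 5 + TAG_LEN:
            raise ValueError("envelope too short")
        body, tag = envelope[:-TAG_LEN], envelope[-TAG_LEN:]
        expected = hmac.new(self.key, body, hashlib.sha256).digest()[:TAG_LEN]
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("authentication failed: command forged or modified")
        seq, unit_id = struct.unpack(">IB", body[:5])
        if seq <= self.last_seq:
            raise ValueError(f"replay rejected: sequence {seq} <= {self.last_seq}")
        self.last_seq = seq
        return unit_id, body[5:]


def outcome(verifier: CommandVerifier, envelope: bytes) -> str:
    """Render the verifier's decision as a log line."""
    try:
        unit_id, command = verifier.verify(envelope)
        return f"accepted unit={unit_id} command={command.hex()}"
    except ValueError as exc:
        return f"rejected: {exc}"


def run() -> list:
    """A legitimate command, a bit-flipped copy, and a replay of an older command."""
    plc = CommandVerifier(SHARED_KEY)
    # Constructed raw commands: function 6, register 0x0010, value 850 and 400
    raise_output = bytes.fromhex("06 0010 0352".replace(" ", ""))
    lower_output = bytes.fromhex("06 0010 0190".replace(" ", ""))
    dawn = seal(SHARED_KEY, 41, 3, raise_output)
    dusk = seal(SHARED_KEY, 42, 3, lower_output)
    tampered = bytearray(dusk)
    tampered[9] ^= 0x01  # flip one bit in the written value
    return [
        outcome(plc, dawn),             # accepted
        outcome(plc, bytes(tampered)),  # rejected: tag does not match
        outcome(plc, dusk),             # accepted
        outcome(plc, dawn),             # rejected: replay of sequence 41
    ]


if __name__ == "__main__":
    for line in run():
        print(line)
```

The tag gives integrity and origin authentication, the sequence number gives replay protection; neither gives confidentiality, and the receiver’s counter has to survive a PLC restart or an attacker can replay everything recorded since the last power cycle. Key distribution to hundreds of field devices is the hard operational part, which is one reason the NERC list pairs this item with replacing non-upgradeable RTUs.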

The US Department of Energy is not leaving all the work of policy suggestion to NERC. On its own website, one can find a series of recommendations that suggest how to secure SCADA networks (US Department of Energy, 2004). These are also compiled by the United States Computer Emergency Readiness Team (US-CERT). Of particular interest is a document titled “21 Steps to Improve Cyber Security of SCADA Networks”.

In addition to the NERC recommendations, US-CERT and the DoE also seem to hammer the final nail in the coffin of “security through obscurity” by advising operators to avoid reliance on proprietary protocols and to take advantage of standard software security tools that can be periodically updated and upgraded. US-CERT also recommends the use of Red Teams and penetration tests to look for weaknesses such as missed backdoors and unauthorized links between production networks and corporate/sales networks, as well as the accessibility (virtual and physical) of remote sites.

Outside of the US, SCADA security is also a hotly debated issue.

In the UK the Centre for the Protection of National Infrastructure (CPNI) has also released a long series of recommendations and standards to be adopted by any operator of SCADA networks. CPNI issues guidance documents on the following under the heading Process Control and SCADA Security Guides:

• Understanding the business risk

• Implementing secure architectures

• Firewall deployment

• Establishment of response capabilities

• Improving skills

• Managing third party risk

• Establishment of ongoing governance (UK CPNI).

The section on business risk goes into some detail explaining the relationship between specific IT threats (worms, Trojans, backdoors, etc.) and specific business threats (to the supply chain, the sales network and ultimately to the plant operations).

One of the problems that is not being clearly addressed by operators of plants that use vulnerable SCADA systems is the business impact that extends beyond that of the failure of the plant itself. This is a problem touched on once again by Anderson and Fuloria, who write about the impact of correlated failures (Ross Anderson, 2009). An example of a correlated failure business cost is that of a vulnerability discovered in a PLC. The cost of failure is defined as that incurred by the manufacturer of the PLC that has to recall or field service all the PLCs that it has sold and that are deployed. It does not, however, include the costs associated with that failure that are incurred by the user of the PLC. If a power plant is attacked through an exploit that is based on the PLC failure, the correlated costs of that failure are much higher, as they would include the costs of potentially having to shut down the plant. They grow exponentially if the consequences of a plant shutdown are then taken into consideration: consider the business costs of a regional or national blackout. It is important to note that these costs occur independently of responsibility. Agreements to terms of use limit liability against the original source of the failure as they are passed along the supply chain, but costs are incurred anyway. And the correlated failure costs of an attack on a SCADA network are potentially far greater than those incurred by an attack against an e-Commerce site, for instance.

This is where the biggest area of weakness still exists. To date no country has successfully enacted legislation that forces owners of critical infrastructure to abide by comprehensive cybersecurity standards. Where this legislation has been partially enacted, too many loopholes exist that allow owners of the infrastructure to avoid implementing the required standards.

Conclusions.

So far we have been relatively lucky. Terrorists have not been particularly smart. Even the 9/11 attacks were low tech. But two worrying thoughts emerge from this analysis: there is no reason a terrorist group could not have the knowledge necessary to carry out some of the attacks described in this paper. And, far more worryingly, it is absolutely certain that nation states have this capability. In the current conflicts in Central Asia and terrorist attacks around the world we have been caught unprepared by the evolution towards what we now know as Fourth Generation Warfare, where there is no clear division between forces in a battlespace (indeed we have had to coin the new term “battlespace” for the 4GW context) and war is conducted “asymmetrically”. It is time we should prepare for the next generation of warfighting (Fifth Generation Warfare?) that will move away from physical landscapes altogether and will be fought within the very unsecured and unbounded “confines” of the digital world.

In World War Two allied bombers attacked German power plants with very expensive raids that had very variable effects. Today it is far more cost effective to attack the same targets using a keyboard.

---ooo---

Works Cited

ABB. (1997). REC 501 RP 570 Protocol Description. Retrieved June 20, 2010, from ABB: http://library.abb.com/GLOBAL/SCOT/scot229.NSF/VerityDisplay/9A5C1896695487E6C2256A7200361578/$File/REC501RP570_EN_A.pdf

Brian Cashell, W. D. (2004, April). The Economic Impact of Cyber-Attacks. CRS. Congressional Research Service, The Library of Congress.

Clarke, R. A. (2010). Cyber War. The next threat to National Security and what you can do about it. New York: Harper Collins.

Controlglobal.com. (2007, November 6). Control’s Joe Weiss Testifies before Congress. Retrieved June 20, 2010, from Controlglobal.com: http://www.controlglobal.com/articles/2007/375.html

Florida Solar Energy Center. (2002, January). Research Highlights From A Large Scale Residential Monitoring Study In A Hot Climate. Retrieved June 20, 2010, from http://www.fsec.ucf.edu/en/publications/html/FSEC-PF-369-02/index.htm

Hentea, M. (2008). Improving Security for SCADA Control Systems. Interdisciplinary Journal of Information, Knowledge, and Management, 3, 77.

IBM X-Force. (2006). IBM X-Force. Retrieved June 20, 2010, from http://www.blackhat.com/presentations/bh-federal-06/BH-Fed-06-Maynor-Graham-up.pdf

IEC. (2006, June). INTERNATIONAL IEC STANDARD 60870-5-104. Retrieved June 20, 2010, from IEC Webstore: http://webstore.iec.ch/preview/info_iec60870-5-104%7Bed2.0%7Den_d.pdf

Internet Crime Complaint Center. (2009). 2009 Internet Crime Report. Department of Justice.

NERC. (2006, May 2). Standard CIP-002-1: Cyber Security, Critical Cyber Asset Identification. Retrieved June 20, 2010, from http://www.nerc.com/files/CIP-002-1.pdf

NERC. (n.d.). About NERC Standards. Retrieved June 20, 2010, from The North American Electric Reliability Corporation: http://www.nerc.com/

NERC. (2006). Top 10 vulnerabilities of control systems and their associated mitigations. Department of Energy. Princeton, NJ: NERC.

Riptech. (2001). Understanding SCADA System Security Vulnerabilities. Retrieved June 20, 2010, from IWS - The Information Warfare Site: http://www.iwar.org.uk/cip/resources/utilities/SCADAWhitepaperfinal1.pdf

Ross Anderson, S. F. (2009). Security Economics and Critical National Infrastructure. The Eighth Workshop on the Economics of Information Security (WEIS 2009).

Udassin, E. (2008). Generic Electric Grid Malware Design. Retrieved June 20, 2010, from C4: http://www.c4-security.com/index-5.html

UK CPNI. (n.d.). SCADA. Retrieved June 20, 2010, from UK CPNI: http://www.cpni.gov.uk/ProtectingYourAssets/scada.aspx

US Department of Energy. (2004). 21 steps to improve cybersecurity of SCADA networks. Retrieved June 20, 2010, from US DoE Office of Electricity Delivery and Energy Reliability: http://www.oe.energy.gov/DocumentsandMedia/21_Steps_-_SCADA.pdf

US-CERT. (n.d.). Control Systems Security Program (CSSP) Standards & References. Retrieved June 20, 2010, from US-CERT: http://www.us-cert.gov/control_systems/csstandards.html

Weiss, J. (2008, May 9). Electric Power 2008: is NERC CIP compliance a game? Retrieved June 20, 2010, from Controlglobal.com: http://community.controlglobal.com/content/electric-power-2008–-nerc-cip-compliance-game
