They’re vulnerable, they’re unpatchable, and they’re connected to the Internet.
After he was turned down for a job with the Maroochy Shire Council in Queensland, Australia, the 48-year-old disgruntled techie unleashed his anger in early 2000 by hacking into the town’s wastewater system at least 46 times. On two separate occasions, his electronic attacks (apparently he used a stolen laptop and a radio transmitter) led to pumping station failures that caused as much as 1 million liters of foul-smelling raw sewage to spill into parks, waterways and the grounds of a tourist resort.
But there have been other control system breaches, including, for example, a 1997 control tower shutdown at the Worcester (Mass.) Regional Airport and a Slammer-related disruption of the safety monitoring system at FirstEnergy’s Davis-Besse nuclear plant in Ohio.
Electric utilities, oil and gas refineries, chemical factories and even food processing plants use control systems to digitize and automate tasks once handled by people: opening and closing valves in pipes and circuit breakers on the power grid, monitoring temperatures and pressures in reactors, and managing assembly line machinery. And because these systems are now connected to corporate networks, their vulnerabilities serve as an entrĂ©e into the guts of the nation’s critical infrastructure. A malicious hacker or terrorist group could conceivably take down parts of the power grid, throwing the country into darkness; they could take out emergency telephone systems or disable the floodgates to a dam.
Even scarier to terrorism experts is a digital intrusion combined with a physical attack—think 9/11, but magnify the chaos by adding an electronic knockout of regional or national communication and power systems. The intent is clearly present: Raids in Afghanistan in early 2002 discovered that al-Qaida operatives had scoured websites containing information on SCADA (supervisory control and data acquisition) networks in U.S. water systems and the electricity grid. Unfortunately, the people with detailed knowledge of control systems security say no. Control systems are designed for efficiency and reliability—not security. In fact, “It requires very little knowledge” to hack into a control system, says Juan Torres, program manager of the SCADA program at Sandia National Laboratories.
Experts worry that this issue is not getting enough attention from both government and the private sector, for a variety of reasons: technical ignorance, lack of funding and perhaps the absence of a major incident to date in the United States.
Older, legacy controllers can’t handle newer security technologies such as encryption; in fact, many don’t even have enough horsepower to accept operating system updates or software patches. “How a control system works is different from an IT system, technologically,” says Joe Weiss, the former technical manager of the Electric Power Research Institute’s Enterprise Infrastructure Security program, now an executive consultant with Kema. Compounding these technical challenges are a number of entrenched cultural and management obstacles.
The people generally responsible for managing control systems are engineers who often have had little cybersecurity training—or interest.
For years, distributed control systems and SCADA systems were designed with proprietary technology, and were physically and technologically isolated from the corporate networks that run standard IT applications. Fatefully, the drive for efficiencies of cost and time led many companies to knock down the wall that traditionally separated those two types of networks. Manufacturing executives wanted to pull up real-time information from, say, their assembly lines, to monitor how efficiently their factories were running. “As the networking evolution came through and local and wide area networks were installed, they were generally installed by IT. Operations, so as not to spend double the money, started using the corporate LANs and WANs for the control networks,” Weiss says. Ultimately, this meant many control systems were connected to the Internet. Now control systems are exposed—via the Internet, intranets, remote dial-up and wireless capabilities—to hacks, worms, viruses and other dangerous payloads.
That exposure scares Jonathan Pollet, president of PlantData Technologies, who advises companies on control system security. “With each release of worms and viruses, there are more and more customers with downtime,” he says. Pollet says the Sasser worm in spring 2004 took out several oil platforms in the Gulf of Mexico for two days. “They had firewalls, but worms crawled through commonly used ports like ports 80 and 139.
Accentuating the connectivity problem is the growing move away from proprietary software toward standardized and off-the-shelf software and hardware. In a typical corporate IT network, hundreds (or thousands) of PCs, servers and other devices are packed to the gills with processing power and memory. Because SCADA systems were designed for efficiency and ease of use, vendors enable their products to be accessed remotely—through dial-up modems, wireless handhelds and the like—so that customers will have an easier time making fixes to systems, often with no authentication required. Companies often fail to install the same security measures on control systems—such as firewalls and intrusion detection systems—that they use to protect IT systems.
Instead of waiting for market pressures to force them into building more secure systems, they could take a more proactive stance and begin making a concerted effort to beef up the security of their products, and work more closely with customers to identify and mitigate the vulnerabilities of existing systems. Various private industry and government groups are taking steps to make critical infrastructure companies more aware of the flaws in their control systems.
The National Institute of Standards and Technology and the National Security Agency established the Process Controls Security Requirements Forum (members include reps from the electric, water, chemical and oil industries, as well as government labs and control system vendors) to develop security specs for control systems. Other government agencies and major critical infrastructure industries have established working groups to address the issue. Notably, last December, the Department of Homeland Security created a new Control Systems Section inside the Protective Security Division of the Information Analysis and Infrastructure Protection Directorate.
But most managers, engineers and workers with day-in and day-out responsibilities for maintaining control systems may be a long way from putting cybersecurity on the front burner. Earlier this year, Weiss held a conference session attended by 30 to 40 people, some 15 of whom were plant managers. Weiss says that in his informal discussions afterward, every one of those managers thought cybersecurity had to do solely with the vulnerability of their e-mail systems. “They had no idea whatsoever about security around control systems,” he says.
What this article brings to light is not new and not easily going away. These control venues are actively being expanded, ever so quietly, into the MAN/WAN/LAN environments. As SAN and NAS technology increase and new tape systems abound, to name a couple, all of these devices implement new WEB/JAVA interfaces with imbedded technology. These remote sites of equipment whether they are valves or tape systems all need to be monitored, controlled, and reconfigured on a regular basis. Some of these devices, like SAN switches, may even be forgotten after the original installation while the tape drives are manipulated daily, on the open network.
Every day, more of these devices, whether HVAC, Public Utilities, IT infrastructure are all designed with ease of use capabilities. They can all be put to a closed or controlled network but that again, raises the cost.
Security has to be a conscience effort and alas, costs a little more. Some say that the cost is not worth the investment, until someone makes an example out of them.
While the article is right on in many respects, the terrorism aspect is pretty irrelevant. People don’t become terrorists because they’re smart, and you would need to be at least fairly bright and patient to exploit control system commands (or already be on the inside, like the Aussie case).
Low-tech attacks are much easier, cheaper and more efficient. For example, a single person with a rifle loaded with steel-jacketed slugs can take out an entire substation in seconds and is almost gauranteed to escape safely.
You should be aware that this lack of a uniform security standard for HMI/SCADA software has already been dealt with by the OPC Foundation – an International, non-profit standards setting organization.
Also a quick point about the actual threat risk analysis to control systems as the 2000 Australian sewage plant attack is almost always quoted as an example of the types of threats to protect yourself from but there are very few, thankfully, other stories of this type in the public domain. So these threats are either a very low risk or we have been very lucky or the incidents are happening and are not being reported.
http://www.csoonline.com/read/080104/control.html