Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Security The Internet

SCADA Systems a Target for Hackers? 189

superstick58 writes "As a system integrator, I am often providing control solutions that utilize sophisticated Ethernet networks and as they say in the biz 'link top floor to shop floor.' Forbes has an article about the security issues that exist in SCADA systems. When I look back at some of the systems I have put in which include direct I/O control over ethernet and distributed HMI monitoring, if I can get access from the internet, it would be easy to bring down power for a plant or at the very least make operators in the building very uncomfortable. How vulnerable are the manufacturing centers of the world?"
This discussion has been archived. No new comments can be posted.

SCADA Systems a Target for Hackers?

Comments Filter:
  • by EmbeddedJanitor ( 597831 ) on Thursday August 23, 2007 @08:38PM (#20338771)
    Being able to blow up physical devices is a lot more spectacular than playing with numbers in bank accounts which can be resotred from backups.
    • by Svartalf ( 2997 ) on Thursday August 23, 2007 @09:51PM (#20339379) Homepage
      Forget manufacturing plants...

      What if you could easily reproduce the East Coast Blackout of 2003 at will?

      Hacking SCADA systems can do that for you...

      Heh... What I could tell people...
      • Actually, to reproduce that failure all you'd have to do is to cut the right high voltage power lines. Our power grid needs some serious upgrades...
    • by Sj0 ( 472011 )
      If your SCADA systems can be easily made to blow up your plant, you need to redesign your systems to include interlocks below the SCADA level.

  • My view.. (Score:5, Insightful)

    by The Living Fractal ( 162153 ) <banantarrNO@SPAMhotmail.com> on Thursday August 23, 2007 @08:44PM (#20338813) Homepage
    I work in Big Oil. We have SCADA systems, we have an HMI to control the facilities, and it's all ethernet based. But the network is on a completley different wire than our internet-accessible network. You can't connect to the internet from our control network -- the wire simply doesn't exist.

    And it shouldn't. They should stay separate. Period.
    • Re:My view.. (Score:5, Interesting)

      by Doppler00 ( 534739 ) on Thursday August 23, 2007 @08:56PM (#20338903) Homepage Journal
      Are you absolutely sure? Doesn't the SCADA system connect to the internal corporate network somewhere? Don't managers want to see live plant operation data from their offices? At least the SCADA systems I've worked with have had a connection to the corporate network at some point. Usually through a dedicated SCADA system. I think in the end though, hackers don't want to actually have to buy the hardware they would need to test their methods out and if your corporate network has already been compromised, you're screwed anyway.
    • Re: (Score:3, Funny)

      by QuantumG ( 50515 )
      Cool. How do you get data from the SCADA system to the back office? Say, to import into Excel and do some performance analysis or something?

      Removable media and sneaker net?

      I bet I could make a virus that could hop that.

    • Re: (Score:2, Informative)

      by Anonymous Coward
      I worked in Big Oil & PetroChem for 20+ years and confirm.

      You'd have to have physical access to the control network and physical security is tighter than ever, at least here on the Gulf coast.
      • Re: (Score:3, Informative)

        by JonathanR ( 852748 )
        In addition to that, the means of getting access the corporate intranet (talking Big Oil here) usually require two factor authentication (a RSA token type setup).

        Unless there are unpatched vulnerabilities in the login system or vpn gateway, I'd reckon the chance of joe-cracker getting in that far are pretty slim.

        That said, a disenfranchised employee with login credentials would be a possible risk.
        • Re: (Score:3, Informative)

          by GIL_Dude ( 850471 )
          I'm also in Oil and accounts are disabled about when an employee leaves from their final day (or is escorted out if fired). Also, most of these people don't have remote access ability on their accounts. The systems run firewalls, the SCADA networks are either air-gap from the main corp nets or if they are not as critical they are firewalled so that only certain machines can get there from here. Not to say they can't be cracked, but there are a hell of a lot of softer targets to go after.
        • Re: (Score:3, Funny)

          by klenwell ( 960296 )
          That said, a disenfranchised employee with login credentials would be a possible risk.

          Just be sure to confiscate their eyeballs before they leave the company.
    • Re:My view.. (Score:4, Insightful)

      by Anonymous Coward on Thursday August 23, 2007 @09:29PM (#20339215)
      Wow. Must be nice to have all your equipment on one site, or spread out along a pipeline that you own.

      Some SCADA systems control diverse infrastructure scattered across areas bigger than any US state. As far as comms go, it's PSTN or nothing for places like that. Hard to keep your network scrupulously separated when you have to dial in to the remote sites!
    • by bl8n8r ( 649187 )
      If your HMI wire is connected to a layer 1 device that is connected to a wire connected to the internet, you are at risk.
    • Re:My view.. (Score:4, Interesting)

      by gsogeek ( 1146905 ) <matt@NOspAm.gsogeek.com> on Friday August 24, 2007 @12:13AM (#20340257) Homepage
      I worked as an intern for a municipal government IT department a while back, and had to do a site visit to a water filtration/pumping station. While I was there, I wandered down to one of the areas where the machines were that ran the pumps, valves, and other sundry devices. I found the workstation where two computers had been installed, one on the network to allow employees access to email, the intranet, and the internet. Beside it was another computer, which controlled the SCADA system for the plant and had root access to the entire city's water and sewer SCADA system. The plant manager assured me that they were totally seperate, and never the two should mix. Well, imagine my shock and surprise when I walked past the desk and tripped over a bright yellow patch cable that ran from the second (standby) network card into a small hub, that also fed the public terminal and then went to the internet port on the wall. I made a few notes, checked a few log files, then went and told the manager that the hub had to go and went back to the main IT office and reported. The answer I got? "So what? What could someone do with that?" As a demonstration, I took my noted, typed a few commands, and put a few nice words on top of the Wunderware logo on the terminal, then told the plant manager, who was still saying this was impossible, to check the screen. Turns out, an employee in the plant decided it was too much trouble to go between the computers, took the hub from a conference room upstairs, and made the connection. I wonder what might have happened if I opened that Cl2 valve or maybe closed a high pressure sewage line at the treatment facility? The weakest link in these systems is not the SCADA systems themselves, so to speak, but the people that use them daily, and managers that don't bother to look at the equipment on a regular basis, just to make sure it still looks like that nice drawing in the office.
    • Re: (Score:3, Interesting)

      by gnalre ( 323830 )
      Nice idea in theory, but there's always a push to allow such systems to be accessed remotely for example performance monitoring. By saying never you are ignoring commercial imperatives. It is better by acknowledging it will happen and put in the infrastructure and practices which will make it as safe as possible.

      For example we deal with ship control systems, which you may think are about as isolated as you can get. But there is a big push to allow remote access for such things as predictive maintenance, per
      • "For example we deal with ship control systems, which you may think are about as isolated as you can get"

        Hopfully not this one ... please pause the war while we coldboot the warship [slothmud.org] and a lot of boxes running mutually interlocking RPC calls can't be that isolated.

        was: Re:My view..
        • by dknj ( 441802 )
          Hopfully not this one ... please pause the war while we coldboot the warship and a lot of boxes running mutually interlocking RPC calls can't be that isolated.

          From your article:
          The Yorktown lost control of its propulsion system because its computers were unable to divide by the number zero, the memo said. The Yorktown's Standard Monitoring Control System administrator entered zero into the data field for the Remote Data Base Manager program. That caused the database to overflow and crash all LAN consoles an
          • by rs232 ( 849320 )
            "The Yorktown's .. administrator entered zero .. That caused the database to overflow and crash all LAN consoles and miniature remote terminal units "

            "If you understand computers, you know that a computer normally is immune to the character of the data it processes,"

            "Your $2.95 calculator, for example, gives you a zero when you try to divide a number by zero, and does not stop executing the next set of instructions. It seems that the computers on the Yorktown were not designed to tolerate such a simpl
    • by Xiaran ( 836924 )
      I worked in security and access control systems. Oh and fire control systems. The same for us. We often had idiot middle managment types of our clients wanting to be able to access their hotmail from the main security console... we told them no.
    • Your own employees! You're right of course, that the networks should be separate. However, a real danger of connecting your process control sytems to the 'office' intra/internet is that you:

      1. Immediately introduce an extra dimesion of complexity in support and debug. A NIC goes nuts in accounts? Someone connects some unauthorised hardware? Someone decides to repatch in the cable cabinet? Bang goes your process, (sometimes literally 'bang')

      2. Open the door to the exec. who - in trying to show-off the
    • I used to work in the HVAC field down in SW Florida. I worked for a well known consulting firm and we were designing HVAC systems for various new construction or renovations - colleges, mansions (20k+ sq. ft.) and of course your typical 5k to 10k sq. ft. condo. This was a couple years ago before the crash where now they can't "give away" the thousands of condos they built.

      Any way, one day we needed a computer control system for this real complicated HVAC system we were putting in. Needed to be the kind
    • is there a data historian in your SCADA system? Does it use some type of master-slave setup to replicate data into the corporate environment so that the bean counters can verify efficiency, production, or whatever metric they want to look at? Do you have RTUs or PLCs with unsecured dial in access? Is there wifi on the plant floor? Does your HMI use a web based help system?
  • by nuxx ( 10153 ) on Thursday August 23, 2007 @08:50PM (#20338861) Homepage
    I know of many, many plant floor locations at some very large manufacturing facilities that still run NT4 on various devices. MS will release patches for these too, but only under quite special contracts.

    It's kinda scary, really.
    • I've worked on a system like that before. The thing is, after you build a $2 million dollar facility and it's been running smooth for 10 years, you are reluctant to spend any more money to upgrade the control system just because Microsoft says it won't support you anymore. Most industrial I/O hardware can function for 10 to 20 years before it ever needs to be replaced. Heck, I would say indefinitely for the most part since most industrial systems have passive cooling mechanisms. I have rarely seen I/O logic
      • I believe you just made a strong case for using FLOSS.
        • by Doppler00 ( 534739 ) on Thursday August 23, 2007 @10:08PM (#20339497) Homepage Journal
          Naw, it would be the same problem. Just imagine being stuck on a Linux distribution 10 years old. Who's going to support you there? You'll be immediately told to upgrade to the latest and greatest fix your problems, but then your software may not function anymore. What's worse, is that I am not aware of any popular open source programs for industrial control systems.
          • Re: (Score:3, Insightful)

            by Nimey ( 114278 )
            The source is open, so you can hire a programmer to maintain the software. Not necessarily so with commercial s/w, especially if the vendor doesn't want to support your version any longer.
      • A lot of SCADA is still controlled by VMS systems. You can still buy them from HP. You can put off patches or upgrades until they scrap the refinery, and there's not a lot of activity among the script kiddies for DCL hacks. KESU rules.
    • by Cassini2 ( 956052 ) on Thursday August 23, 2007 @09:13PM (#20339077)
      NT4 was a nice operating system for SCADA applications. It was built in a time where Microsoft cared about security. One of NT4's design goals was Military security ratings. I liked the feature where you could tell the system to only run 9 different preset executables. It made it really tough to crack (until ActiveX and Internet Explorer came out.)
      • by wfberg ( 24378 )

        One of NT4's design goals was Military security ratings. I liked the feature where you could tell the system to only run 9 different preset executables.

        Hmm, the policy I've seen to restrict the use of executables only looked at the filename. Rename some file netscape.exe and you were in. Windows server 2003 has the much nicer policy (if XP clients are used) to check executables SHA-1 digest (which breaks when an update is applied), or certificate (but then, you might not want updated binaries to automatical

      • Re: (Score:3, Informative)

        Who modded this insightful? NT achieved C2 certification (discretionary access control). The military - I very much hope - are using at least B1-rated (mandatory access control) systems where it matters. See http://en.wikipedia.org/wiki/Trusted_Computer_Syst em_Evaluation_Criteria [wikipedia.org] (TCSEC, used to be orange book).
      • "NT4 was a nice operating system for SCADA applications. It was built in a time where Microsoft cared about security"

        NT security rating only applied to a stand-alone version [windowsitpro.com] on specific hardware and no network support.

        'Because of Davis-Besse's widespread use of vulnerable Microsoft software [neohapsis.com], the worm jumped to the plant network and crashed the Safety Parameter Display System, keeping it offline for eight hours," Paller testified'

        was: Re:NT4 On The Plant Floor
      • by Lumpy ( 12016 )
        You can do that right now with XP.

        http://www.beyondlogic.org/solutions/trust-no-exe/ trust-no-exe.htm [beyondlogic.org]

        works great, I can limit someone to a very specific set of items. I even tried running a machine with it without Virus scan and let the user try to get it infected.

        works great. perfect for el-cheapo kiosks and SCADA systems.
  • Yes, SCADA systems are vulnerable to attack. Yes, they use old technology and rely on obscurity to keep them safe. Yes, theyre - to a large extent - hooked up in various fashions to the internet. Yes, you can cause big machines to do bad things this way that cause them to screw themselves up physically or hurt people nearby. The more interesting question here is why no one has seen (or at least admitted to have seen) an actual attack.
    • Re:Pretty old news (Score:5, Insightful)

      by Doppler00 ( 534739 ) on Thursday August 23, 2007 @09:04PM (#20338989) Homepage Journal
      Well, lets say you are able to hack in. Would a bad guy know what to do with all those buttons and knobs without actually seeing the outcome from behind his computer screen? They would also need to retrieve a copy of the plant process diagram somehow, study it, and come up with a devious scheme to make the robots do something catastrophic. And a good safety system would have so many redundant independent interlocks, both physical and electronic, that it would be difficult to do any irreparable harm.
      • by jofny ( 540291 )
        Thats not particularly more challenging than any other network attack. Yes, you have to have some basic idea of how the system works to break in...whatever the system is. But doing damage can consist of something as simple as causing rotors to repeatedly and rapidly change directions till the system overheats and catches fire (yes, Ive seen video of this being done intentionally)
      • Let's say someone is able to hack in. Sending random data will only cause a redundant system to take over because it assumes a failure has happened.

        In order to cause any damage, a cracker would need expertise in fields from IRIG-B time codes [irigb.com] to Buchholz relays [indubras.com.br]. If you know that much, you'll get so many million$$$ working legally that you won't bother to do any cracking.

      • Re:Pretty old news (Score:5, Insightful)

        by putaro ( 235078 ) on Thursday August 23, 2007 @10:15PM (#20339569) Journal
        I don't know about that. Yes, taking control of the network and making things do what you want would require a lot of knowledge. Lots of hackers just like to "mess around" though and doing something that they think is l33t, like running a Quake server on a nuclear power plant network, could cause a lot of problems. These kinds of systems are not usually designed with a lot of redundancy at the software level. The people who build those kind of things just don't understand how to manage those kinds of things in software.

        Case in point. Long ago I worked for a supercomputer manufacturer. Our system had a nifty temperature sensing and power control system that was all controlled from a small front end system, a 286 running Microport Unix. We could also do things like boot the system from that console and dial in to do remote diagnostics. I was working with a customer and he needed a patch so I started uploading it to main system via the modem link and a pass-through from the console into the main system (must have been Kermit). Things are moving along and then the main system crashes. For some reason it's overheating. OK, that's weird, we reboot and I start the upload again. System crashes again. About the third time we start putting two and two together and I go off and do some sleuthing around to figure out why that might cause a problem.

        Well, it turns out that the hardware guys have the whole temperature and power control system running over an RS-232 line. Using a protocol that they designed that has no checksums, no framing, no resynchronization. And, a 286 running Microport is just not fast enough to handle two 9600 baud streams of data simultaneously and it starts dropping characters. Drop a few characters out of this unframed, unchecksummed data stream and it starts getting fan speed values (or whatever) mixed up with its temperature values and the control software thinks that the machines is melting down and turns it off - fast.

        Our hardware guys were not stupid. They just weren't familiar with communications protocols, didn't bother to consult with the folks on the software side who were, and it had always worked in the lab and the field. I'm quite certain there are any number of pieces of software and hardware running around out there that would be very vulnerable to an unexpected change in the environment and the cascading effects would be incalculable.

        Even if you do have safety protocols and interlocks in place, just shutting things down has costs. If you shut down a nuclear power plant, how much does it cost to bring it back on line? If you shut down a factory floor, how much does it cost you to not be producing, how much product will be spoiled and how much clean up will you have to do?

        The risks are non-trivial and people believe that there networks are secure when in reality, someone probably installed a wireless access point somewhere or has a router bridging things (so that managers can look at "view only" data as one poster mentioned above) that just opens everything up.
        • by PDAllen ( 709106 )
          It doesn't cost all that much to shut down and bring back on line a nuclear plant: it's fairly automated, not quite you press the big START button and wait, but close.

          The expensive bit is that when you start shutting down you must complete the shutdown then restart it: if you try to jump in half way and restart then you create all sorts of heat stresses the plant wasn't designed for, heat stresses lead to cracks and cracks in a nuclear plant are a big no-no. So how long does it take to shut down and restart
      • by Lumpy ( 12016 )
        Yes. SCADA are simple. You want to cause havoc? start turning things on. Ohh look at those big pump icons, let's turn on all 5 of them. Wow the PSI meter is off the scale! that is SO COOL!

        while the plant explodes, pipes break everywhere, chlorine cloud covers the city.
  • Amazing (Score:4, Funny)

    by dbcad7 ( 771464 ) on Thursday August 23, 2007 @09:05PM (#20339005)
    A "system integrator" working on his "sophisticated systems".. I was truly impressed until the lame a$$ question.

    I'll answer though ... Just hide away until after Armageddon is over, I'll find you.. don't worry... really, just wait til I say it's safe to come out.

  • by Cassini2 ( 956052 ) on Thursday August 23, 2007 @09:05PM (#20339007)

    Generally, SCADA systems are not trusted. All systems have failsafe hardwired I/O that is designed to shutdown on failure. Unfortunately, the shutdowns can cost money.

    I just got through getting a cell working after an extensive blast of repetitive downtime. I never did work out what exactly caused the failure, however high on my list of suspects is a router that may have been dropping packets due to excessive network load. When the router shutdown, the PLCs shutdown too. I'm just not clear on what caused all the excessive error packets on the network ... I have lots of theories, but no evidence.

    These SCADA networks are designed to be operated in a fairly secure environment. They can't withstand errors or high network load. Botnet attacks, virus outbreaks, or someone hacking in can cause trouble. However, mostly I worry about much more mundane causes of downtime.

    Microsoft Windows updates, particularly XP SP2, are notorious causes of SCADA system problems. Automatic installation of anti-virus software that triggers system reboots causes system to shutdown unexpectedly. Employees installing CPU-intensive screen-savers also cause headaches. Unexpected system changes result in unexpected system shutdowns. These unexpected shutdowns are what cause the economic disruptions.

    Personally, I wonder how much longer we can deploy Microsoft Windows as a SCADA platform. Fast, simple and straightforward are key system goals for SCADA applications. Vista, which effectively requires networking, is a step in the wrong direction. Linux is much more secure, and can easily be set up with read-only partitions. Read-only memory seems to make the systems much more stable, as every reboot always reloads a secure, known-correct program image.

    • by g-san ( 93038 )
      Love those patch reboots. While proving some updates to a customer and running a large data set overnight, our server picked that night to contact windows update, install patches and reboot. We came in the next morning to a logon screen, a moment of panic, and a wasted day. It's ironic that you can't have automatic updates active on a critical production system.
    • by dave562 ( 969951 )
      What about this take on things? ...

      Your SCADA system shouldn't be accessible via the internet. It should be on its own locked down network, seperate from the other networks. Most of the patches that Microsoft releases are either security related, or product enhancements. If the SCADA system will run just fine on out of the box, unpatched Windows, then why are patches being installed? If the system is so mission critical that it can't be rebooted, then why are automatic updates enabled?

      To offer a car ana

  • by mangu ( 126918 ) on Thursday August 23, 2007 @09:09PM (#20339031)
    I have worked with SCADA systems for the last 28 years, since I left college with an EE degree.


    I have worked in two industries: electric power (both hydro and nuclear) and communication satellites.


    Technologies are similar to those used in consumer systems for a purely practical reason, there's cheap hardware available. But the safeguards built into any industrial system are totally unbelievable for anyone used to consumer systems, and possibly also for people in banking or other businesses.


    I once counted the redundancy levels in a transformer protection system. There were 63 (yes, sixty three) different levels of protection for a humble transformer costing a mere $5 million. Imagine the protection around a $5 billion power plant.


    Possible in theory, but in real life it's more likely that you would be able to drop a helicopter by ramping a car up a toll booth.

    • by QuantumG ( 50515 )
      Says you. The great thing about these kinds of arguments is that *no-one* is qualified to say whether or not it is possible, because no-one tests this stuff. And, if anything, that was the message of the film.

      • no-one tests this stuff


        Funny, I've been testing this stuff for the last 28 years. Well, perhaps I'm a no-one. Anyhow, since no one has been able to get into any of my systems yet, the score is still 1x0

        • by QuantumG ( 50515 )
          Riiight. You secure national infrastructure do you?

          • by mangu ( 126918 )
            You secure national infrastructure do you?


            Yes, I do. Just this week I signed a revision of an NDA (Non Disclosure Agreement) requested by the US Department of State to conform with a new interpretation of the ITAR (International Trade in Arms Regulation). Any other questions?

            • by QuantumG ( 50515 )
              Seeing as you've opted to make yourself pseudo-anonymous, I can't confirm anything you're saying.
              • by mangu ( 126918 )
                I can't confirm anything you're saying.


                You could start by looking at some professional systems. Search for "testing" at their site [abb.com].

                • by dbIII ( 701233 )
                  Don't worry about it - this guy has just decided he can have some fun with you. If you look at his posting history you will see he does a lot of "playing the man and not the ball" offtopic comments until the other poster gives up in disgust or boredom.
                • by dave562 ( 969951 )
                  ABB are the guys who installed the system at the plant that I used in my example.
              • by dbIII ( 701233 )

                Seeing as you've opted to make yourself pseudo-anonymous, I can't confirm anything you're saying.

                Trolls engage in social engineering now? These are dark times.

                As for me - from my name I'm really an obsolete piece of database software.

                • by QuantumG ( 50515 )
                  I'm confused, who are you calling the troll, him or me?

                  See, this kinda pisses me off. Someone says "no no, you should listen to me, I do this for a living" and someone else replies "well who the fuck are you? Where do you work? How do I know you're not just speaking shit?" and the original person insists that you should listen to them even though they are not willing to even volunteer their email address let alone their name or where they work.

                  It's pretty simple, unless you're willing to say who you are,
        • Funny, I've been testing this stuff for the last 28 years.

          You can't test in information security. It has to be done by design and analysis, at all levels of abstraction, from metastable digital latches to number theory.

          Anyhow, since no one has been able to get into any of my systems yet, the score is still 1x0

          In a way that you recognized.

      • I work for a government lab that tests this very type of thing, performing in house assessments on SCADA systems, in plant assessments and we play with what if scenarios, and all I can add knowing what I know and having seen what I have seen is that it is a miracle that there has not been a major SCADA cyber event.
    • by jsse ( 254124 ) on Thursday August 23, 2007 @09:46PM (#20339327) Homepage Journal

      I once counted the redundancy levels in a transformer protection system. There were 63 (yes, sixty three) different levels of protection for a humble transformer costing a mere $5 million. Imagine the protection around a $5 billion power plant.
      I saw Tiffany drove a bike into the security station, blew up everything in her path then bought down the entire power-grid by with a single ssh nuke. She did it all in less than 5 minutes.

      63 levels of protection doesn't give me more assurance sorry.

      But since your mentioned the plant hires Transformers for protection or something, I do believe these alien robots could stand some chance.
      • The exploit she used was a real one. Check it out:
        http://www.securityfocus.com/news/4831
      • Yeah, but you're talking about a sendmail priv. escalation! Surely no power plant has a distro with sendmail running! That'd be like treating LDAP as a security layer!
  • They're safe as long as they are isolated from public networks. The problem is that there is a huge temptation to use the Internet to enable remote monitoring and control, as it is much cheaper and simpler than extending a private network and installing dedicated workstations at remote locations. Many managers will ignore security concerns when they see an opportunity for large cost savings.
  • Well I build them... (Score:3, Informative)

    by Anonymous Coward on Thursday August 23, 2007 @09:33PM (#20339257)
    and at some point they're all connected to an outside connection.
    Every customer my company has has a main site and a backup site. With redundancy in the main site as well (hot and standby servers, sans, etc). But most have remote clients that can connect to view data (corporate users) however maybe only 1 in 50 are actually tied in to the corporate domain. they're usually separate systems.

    As far as the industry I've seen this in, oil & gas, as well as the water and waste water systems for a lot of medium size cities in north america. They also have a slew of international customers as well and the designs are pretty universal. How easy is it to break in and damage stuff? The software and protocols are all proprietary, and in fact most of the packets show up as "malformed" in wireshark. My guess is to really do damage they'd have to either be intimately familiar with the product (i.e. an ex-employee) or they'd have to find a way to take down the main site and backup site completely at once. These are always in geographically different locations.
  • But of course! (Score:4, Insightful)

    by WheelDweller ( 108946 ) <WheelDweller@gmai l . c om> on Thursday August 23, 2007 @09:46PM (#20339335)
    SCADA systems, until recently, weren't build with security in mind; kinda like running everyting 'root' because you have a decent firewall. I used to program them; imagine blowing open a 3', 500psi natural gas pipeline?

    SO MUCH MORE fun than hanging up an airport for hours, now isn't it?

    Though, I'm not sure how far they'd really get...all these devices are different...kinda like Linux boxes. What works on a Vax with a communications network to controllers will be different from site to site...and they'd need to get the nomenclature from the inside. It would still be non-trivial, and the 'testing' to learn the system might tip off the Feds.

    It's like the first time someone mentioned blowing up buses/trains; if there are people involved and a spectacular media coverage, it's a target. (Shouldn't be a big surprise, actually)
  • My experience (Score:2, Insightful)

    by pionzypher ( 886253 )
    Our SCADA systems were located on an isolated network. Recently though the company has been moving in the same direction (top floor -> shop floor). The key for us has been that those components that are accessible from the corporate side are view only. Control of critical systems should ALWAYS be on an isolated network, whatever the plant super or whoever else thinks. If a suit feels like changing some part of the process, they should have to walk their happy asses down and change it on the floor sys
    • by crossmr ( 957846 )
      view only still means a connection of some sort... unless you go with some kind of streaming 1 way technology.
  • by CompMD ( 522020 ) on Friday August 24, 2007 @12:21AM (#20340287)
    im in ur power plant retractin ur control rods
  • The long story short is that most of these installations are physically protected from intrusion. First rate firewalling, and in most cases, complete seperation of internet and operations systems are in place. Physical alarms and access controls, id badges, and real security guards do the rest.

    I am not naive enough to suggest that any such situation is 100% perfect, but at the very least, we are not talking about script kiddies. If someone has a real reason or agenda to break into these systems, and enou
    • Sorry to disappoint you, but it's not FUD, just after the facts. I have been providing the security knowledge behind securing one of the biggest companies that was exposed, and they then started to drive SCADA security globally (the person talking the most about it is an engineer himself, just wasn't that clued up on security then :-).

      First, it is 100% true that the backup mechanisms typically don't use IP yet for connectivity, but look at the trend. I would personally advise anyone to avoid IP in failsaf
  • by billsf ( 34378 ) <billsf@cuba.calyx . n l> on Friday August 24, 2007 @01:16AM (#20340533) Homepage Journal
    The right way: As simple as will get the job done. Its been used on the space shuttle since the beginning. When you hear the three computers agree, this is three 1802, a 1MHz 8-banger that was approved for this 30 years ago. The other "certified perfect" piece of hardware is the i486. Sure a few more may have been added, but nothing 'hi-tech'.

    What kind of line speed does it take to say, control the dijkes. This is not the place to say _exactly_ how its done, but I'm not afraid of a break. Trains are the other extreme, you need a real computer. The embedded boxes that take the measurements are simple in design, a PIC or 1802, a world favourite in payphones.

    Going on the net can't be all that bad, but as one writer noted, thoughtlessly designed systems lock out the rightful user. Of course, never run ssh on port 22 and if life is on the line, a telephone backup must be used. "Fuzzing" is over rated, sure it crashes poorly designed systems, but well designed systems would have to be flooded quite fast to prevent a 'distress signal'. (Upstream the networks are well monitored.) I will always remember the first security lesson from a German professor: Rule No.1 NO Microsoft products!

    My biggest fear is the possibility (actually quite easy) of spoofing an IP of a rightful owner. These addresses must either be secrets or rotated often, preferably both. Still a dedicated network, where management can only look and then pick up the phone is almost mandatory if human life is at stake. True fast hopping radio can be most secure, stealth and 'unjamable'. Fibre is secure too.

    It is rather remarkable with this publicly known for years and even popular music (figure out that yourself) telling how to do it, it hasn't been a problem. Broadcast and cable is totally vulnerable, though breaches rarely occur. It is rather commonplace to control a TV sender through a DTMF telephone: Would you know what to do if you got in? In a real war, things could go from bad to worse. Social engineering would be a primary tool. (Could anything be easier to social engineer than the military?) Loose lips do bad things. Its all about logic to do it right. Its scary to see sysadmins use Windows for stupid reasons like: "It works best on my laptop". Then don't use it for anything else!

    It is so often when doing a security audit, you hear: "I let my kids play games and surf the web". On company computers that do important things. Damn. Don't use Windows and keep your computer to yourself.

    BillSF

  • I to read the Forbes article, but I can approach it from a unique view point.

    For the past 5 years I have been doing research work on SCADA or control system security.
    Some of the research findings are astounding. No one can die if a hacker port scans a printer and ruins your print job, but people can die if a hacker port scans some SCADA devices and knocks them offline.

    Here's why;

    Back in the good-old-days most of the SCADA/Control system networks were isolated, proprietary, and in general a real pain in th
    • What I found particularly impressive is that some SCADA devices can be killed with one single packet. Just one (1, uno). And it gets killed in such a way that it:

      (a) end up in an indeterminate position (i.e. you don't know HOW it's going to fail, only that it will)
      (b) is non-recoverable, i.e. it's not just a matter resetting the thing, you have to rebuild it from the ground up.

      Shocking stuff. And this kit controls our plants, sewage facilities, oil platforms, power stations ..
  • There MUST be NO network connectivity between the production systems and the Internet. If you really NEED a gateway, put a wetware firewall, reading off one screen, typing on a keyboard attached to the other. Then apply physical protection of the internal network. Employees inside might have a network access, say, on laptops with wireless, but the production network should be totally isolated.
  • "In January of 2003, SCADA system computers infected with the Slammer worm caused a blackout at the Davis-Besse power plant in Ohio", Forbes

    'The Slammer worm penetrated a private computer network at Ohio's Davis-Besse nuclear power plant in January and disabled a safety monitoring system for nearly five hours [theregister.co.uk] '

    "Seven months later, another computer virus was widely suspected of preventing the detection of power loss at a plant providing electricity to parts of New York State", Forbes

    'TRANSCRIPTS of
  • A client of mine is in the waste management industry and over the last fourty years has grown in size from his humble beginnings of picking up recyclables in the back of his pickup truck, to running a multi-million dollar a year operation that includes the ownership of two power plants to burn green waste. He is an insanely smart individual but he has so many plates spinning at the same time that he rarely has time to completely grasp the subtle nuiances involved in implementing everything that he asks for

Genius is ten percent inspiration and fifty percent capital gains.

Working...