Supervisory Control and Data Acquisition systems are the technology connection between control systems and the switches, pumps, and motors that run our automated physical world. SCADA is the basis of everything from power plants to train systems. It’s also one heck of a security risk.
I’ve talked about SCADA before in a few posts, including this, this, and this. In general, it seems obvious that running these things on standard IT technology, then connecting them to the Internet (no matter how many firewalls you have) isn’t the smartest idea in the world. This is highly contested by SCADA traditionalists who constantly assure us that the odds of a successful attack resulting in physical impacts are extremely low. Methinks those traditionalists might need to pull their heads out of either the sand or a rather unattractive orifice, since there are more than enough examples these days to prove them wrong.
The latest, courtesy of Hoff and Stiennon, is that the CIA released a report that hackers have caused unspecified power outages on multiple occasions (overseas is my guess):
CIA: Hackers to Blame for Power Outages
By TED BRIDIS — 3 hours ago
WASHINGTON (AP) – Hackers literally turned out the lights in multiple cities after breaking into electrical utilities and demanding extortion payments before disrupting the power, a senior CIA analyst told utility engineers at a trade conference. All the break-ins occurred outside the United States, said senior CIA analyst Tom Donahue. The U.S. government believes some of the hackers had inside knowledge to cause the outages. Donahue did not specify what countries were affected, when the outages occurred or how long the outages lasted. He said they happened in “several regions outside the United States.” “In at least one case, the disruption caused a power outage affecting multiple cities,” Donahue said in a statement. “We do not know who executed these attacks or why, but all involved intrusions through the Internet.”
Both Hoff and Stiennon predicted SCADA attacks this year (and I made fun of them for it, but that’s another story).
Now before you SCADA defenders get your panties in a bunch, over my career as an analyst and consultant I was privy to more than one successful and physically dangerous SCADA attack communicated to me by clients. I’ll never talk details, but they really happened, putting lives at stake.
I’ll still talk SCADA, but there’s enough evidence now of real problems that I don’t see the need to waste time trying to prove how important it is. If you don’t get it by now, you never will, and I hope you don’t have anything to do with my corner of the power grid.
Okay, just a quick primer on the major risks of connecting a process control network with the business network:
- Loss of communications when a failure or attack that has nothing to do with SCADA disrupts the shared network, leaving operators unable to monitor and control remotely.
- Exploitable vulnerabilities on SCADA systems running on standard platforms, e.g. Windows. You often can’t patch a running SCADA system or install antivirus, HIPS, or other defenses. Vulnerable to mass exploits that have nothing to do with SCADA.
- Direct attack on SCADA software/systems.
- Exploitation of a control workstation which is then used to access/control the SCADA system. Has the added advantage that the attacker can remotely monitor normal activity to determine how to commit malicious actions on a proprietary system they don’t have prior knowledge of.
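To make the primer concrete from the defender's side, here is an added example (my own illustration, not code from the original post) that runs over a handful of constructed flow-log lines and flags the conditions the list above describes: a business-zone host talking straight into the control network (risk four), a control-network host initiating connections to the Internet (the commodity-malware path in risk two), and a gap in the HMI-to-PLC polling that would mean loss of monitoring (risk one). The zone address ranges, the log format, the host addresses and the ten-second polling threshold are all assumptions chosen for the example; the protocol port numbers are the standard IANA assignments.

```python
"""Constructed example: check NetFlow-style connection records against a
simple zone model for a process control network.  Zones, addresses, the log
format and the polling threshold are hypothetical; adapt them to a real plan."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Hypothetical zone plan (assumption): the business LAN may reach the DMZ,
# and only the DMZ may reach the control network.
ZONES = {
    "business": ip_network("10.10.0.0/16"),
    "dmz":      ip_network("10.20.0.0/24"),
    "control":  ip_network("192.168.100.0/24"),
}

# Standard port assignments for common industrial protocols.
ICS_PORTS = {502: "Modbus/TCP", 20000: "DNP3", 44818: "EtherNet/IP", 102: "S7comm"}

# Constructed flow log: "<ISO timestamp> <src> <dst> <dport>", one flow per line.
SAMPLE_FLOWS = """\
2024-01-19T10:00:00 192.168.100.10 192.168.100.50 502
2024-01-19T10:00:05 192.168.100.10 192.168.100.50 502
2024-01-19T10:00:10 192.168.100.10 192.168.100.50 502
2024-01-19T10:00:12 10.10.4.25 192.168.100.50 502
2024-01-19T10:00:14 10.10.4.25 10.20.0.5 443
2024-01-19T10:00:20 192.168.100.22 203.0.113.9 80
2024-01-19T10:01:10 192.168.100.10 192.168.100.50 502
2024-01-19T10:01:15 192.168.100.10 192.168.100.50 502
"""


@dataclass
class Flow:
    ts: datetime
    src: str
    dst: str
    dport: int


def zone_of(addr: str) -> str:
    """Map an address to its zone name, or 'external' if it is in none."""
    ip = ip_address(addr)
    for name, net in ZONES.items():
        if ip in net:
            return name
    return "external"


def parse_flow(line: str) -> Flow:
    ts, src, dst, dport = line.split()
    return Flow(datetime.fromisoformat(ts), src, dst, int(dport))


def find_violations(flows):
    """Return (timestamp, reason) for each flow that breaks the zone model."""
    findings = []
    for f in flows:
        s, d = zone_of(f.src), zone_of(f.dst)
        proto = ICS_PORTS.get(f.dport)
        if s == "business" and d == "control":
            # A business workstation reaching the control network directly,
            # bypassing the DMZ: the pivot path described in the primer.
            findings.append((f.ts, f"business->control {f.src}->{f.dst}:{f.dport} ({proto or 'non-ICS'})"))
        elif s == "control" and d == "external":
            # A control host calling out to the Internet is what commodity
            # malware on an unpatched platform looks like on the wire.
            findings.append((f.ts, f"control->external {f.src}->{f.dst}:{f.dport}"))
        elif proto and s == "external":
            findings.append((f.ts, f"{proto} from the Internet {f.src}->{f.dst}"))
    return findings


def poll_gaps(flows, hmi: str, plc: str, max_gap: timedelta):
    """Return (start, end) pairs where the HMI stopped polling the PLC for
    longer than max_gap: loss of monitoring, whatever its cause."""
    polls = sorted(f.ts for f in flows
                   if f.src == hmi and f.dst == plc and f.dport in ICS_PORTS)
    return [(prev, cur) for prev, cur in zip(polls, polls[1:]) if cur - prev > max_gap]


def analyze(log_text: str = SAMPLE_FLOWS):
    flows = [parse_flow(line) for line in log_text.splitlines() if line.strip()]
    return {
        "violations": find_violations(flows),
        # Hypothetical HMI and PLC addresses; a 5 s poll is expected, so a
        # 10 s silence is treated as a gap.
        "poll_gaps": poll_gaps(flows, "192.168.100.10", "192.168.100.50",
                               timedelta(seconds=10)),
    }


if __name__ == "__main__":
    for kind, items in analyze().items():
        print(kind)
        for item in items:
            print("  ", *item)
```

On the sample log this reports two zone violations (the business workstation's Modbus connection into the control network and the control host's outbound web connection) and one sixty-second polling gap. The point of the zone model is that segmentation only helps if you can see when it is being crossed; the same checks translate directly to firewall rules that deny those flows rather than merely logging them.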
9 Replies to “The Last I’ll Ever Need To Write Proving SCADA Risks”
[…] attack on several city power systems was released by the CIA, and has been covered by several thoughtful articles. Please see their reportings on the findings of this […]
Rich.. I’ve noticed you, Hoff, and Dave Lewis picking up a bit on “SCADA” as you call it over the past year or two. It’s great coverage that I seem to think follows the same echoes of the media and SANS. And this is what it’s designed to do.
Does it maybe occur that politics play a large role into press releases from large organizations and videos from other tax/government sponsored areas? The more impact, the more tax dollars funneled into the labs and government sponsored organizations and projects. With about five years of critical infrastructure experience I’ve seen this happen over and over and all it really does to those in the industry is annoy them and provide them firepower whenever they need some additional funding in the IT security budget.
So now I’m just hoping that since the CIA has put out a press release with no details at all that you really won’t stop writing about “SCADA” risks. =P
I agree there’s a huge problem, but the issues won’t be resolved over night. FERC approving the NERC CIP standard will be a huge improvement however.
It’s sad to say it, but regulation and associated fines are just about the only motivation to improve security for companies involved with critical infrastructure or not.
Oh, the politics are HUGE here. A total mess, especially in some agencies. The FBI is particularly bad about this.
But I’ve seen enough real data to believe the risks are material, and we need to keep on the issue.
And since none of them hire me, I have no vested interest 🙂
[…] has been talking about the CIA’s warning on SCADA attacks, including me, and I am a horrible (too infrequent) blogger. The skinny is […]
The press release really gets me … “Hackers literally turned out the lights in multiple cities …”. Really? Where? When? How? If it was hackers extorting money, why not say where and when? Did they get a ‘Dr. Evil’ video in the mail? Is the CIA really ‘releasing information to the public’ as stated in the SANS press release?
Rich, not arguing that it could not happen, and if it did, that there would not be considerable damage. But this does not look like communicating with the public to me. Generating fear in the public seems to be the common method for providing an impetus to fund various government efforts, and marketing fear is SOP because there are no penalties for doing so. I would consider this a more likely motivation, until proven otherwise, for the announcement.
Looking at it the other way, hackers for profit efforts are usually kept quiet, both by the hackers and law enforcement. There have been banking thefts for years that go unannounced to the public, and the reasoning is to keep public confidence in the banking system and to not tip off hackers as to the status of the investigation. Meaningful threats, be it airlines, utilities or financial institutions are usually communicated through different channels, to the people who can make some meaningful decisions with the information. Not through a CIA press release via SANS … wow, did I just really type the phrase ‘CIA press release’?
What is the motivation for releasing this information to the public and how does this assist? Am I supposed to go buy candles for the big power outage? Call Pacific Gas & Electric and threaten to buy power from someone else? At least BART is safe … they do not seem to be able to keep their computers up long enough for someone to hack into them.
[…] The Last I’ll Ever Need To Write Proving SCADA Risks […]
someone from sourcefire once joked to me that all you had to do was write the most ‘bad ass scada worm’ and let god sort it out.