SCADA - A Glimpse Beyond the 'Power Outage'
For at least the past ten years, we have heard or read about our country's vital SCADA (Supervisory Control And Data Acquisition) systems being vulnerable to, and overwhelmingly targeted by, malicious hackers.
In general, SCADA refers to an industrial control system: a computer system that monitors and controls a process. The process can be industrial, infrastructure or facility-based. Many of these systems run on very old PCs with very old versions of Microsoft Windows, speaking an insecure network protocol (Modbus, discussed below) over TCP/IP. Some have been mildly upgraded and connected to the Internet for workers who want to connect from home.
Because these systems are proprietary and owner-operated, the reports and propaganda passed around in the news, and even within the industry itself, have focused on only one aspect of SCADA's area of control: the power grid. I would like to list the other industrial processes that SCADA systems control:
:: Refining;
:: Fabrication;
:: Power generation;
:: Manufacturing;
:: Production;
:: Water treatment and distribution;
:: Waste water collection and treatment;
:: Oil and gas pipelines;
:: Electrical power transmission and distribution;
:: The pharmaceutical industry;
:: Wind farms;
:: Civil defense siren systems and
:: Large range communication systems
Facility processes occur in both public and private facilities, including buildings, airports, ships, and space stations, where the systems monitor and control HVAC, physical access, and energy consumption.
So, as you can see, disrupting our SCADA systems could mean a whole lot more than simply shutting down our power for a week. If all of these, or even three of them, were taken down at once, say water treatment, waste water collection and, oh... large range communication systems (and they would be down for more than one week), whatever areas were affected would feel and smell like a third world country pretty quickly. Is that the master plan, or am I hyping a conspiracy theory? It's plausible.
Think about the probability of one of the leading pharmaceutical companies' control systems being taken over without anyone's knowledge, and the grim thought of widespread distribution of an altered drug. Impossible? No!
It is interesting to note that several months ago I had decided to research this SCADA topic from several different angles for a book, including the "elite" hacker point of view (HD Moore and his pride and joy, the "Metasploit" architecture), imodscan (a network scanner built with Metasploit to scan and exploit the SCADA network protocol), and the Modbus protocol (the very insecure protocol running over the TCP/IP network that sustains these SCADA networks), in an attempt to (in my book) solve the issues from the inside out by getting in using various cloak and dagger techniques.
By doing further research on the Modbus protocol, I found the website of the company that designed the protocol, and amazingly enough, they had a huge list of their customers, hundreds of them. It took at least an hour or two, but I was able to compile a list of hardware, components, and ultimately hardware vendors and COTS vendors who pushed out full solutions to their customers, and who actually LISTED their customers. (It turns out China bought three systems from one of our U.S. manufacturers. Quid pro quo?) But I digress.
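To make concrete what "very insecure protocol" means for Modbus/TCP, here is an added example (not code from the original column, from HD Moore, or from any scanner mentioned above) that builds and parses Modbus/TCP frames and then runs a simple source-allowlist check over a constructed capture. Every byte of a request is visible: a 7-byte MBAP header, then a function code and its data. There is no field anywhere for a credential, signature or integrity check, so a write from an unknown host parses exactly like a write from the operator's HMI; a network monitor can only judge by who sent it. The IP addresses, unit id and register address below are invented for illustration.

```python
import struct
from dataclasses import dataclass

# Function codes that change process state. In Modbus/TCP these carry no
# authentication; any host that can reach port 502 may send them.
WRITE_FUNCTION_CODES = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}


@dataclass
class ModbusFrame:
    transaction_id: int
    unit_id: int
    function_code: int
    data: bytes


def build_request(transaction_id, unit_id, function_code, data):
    """Build a Modbus/TCP ADU: MBAP header followed by the PDU.

    MBAP = transaction id (2 bytes), protocol id (2 bytes, always 0),
    length (2 bytes, counts unit id + PDU), unit id (1 byte).
    PDU  = function code (1 byte) + function-specific data.
    Note what is absent: no credential, no MAC, no sequence protection.
    """
    pdu = struct.pack(">B", function_code) + data
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def write_single_register(transaction_id, unit_id, address, value):
    # FC 0x06: 16-bit register address followed by the 16-bit value to write.
    return build_request(transaction_id, unit_id, 0x06, struct.pack(">HH", address, value))


def read_holding_registers(transaction_id, unit_id, address, count):
    # FC 0x03: starting address followed by the number of registers to read.
    return build_request(transaction_id, unit_id, 0x03, struct.pack(">HH", address, count))


def parse_frame(raw):
    """Split a raw Modbus/TCP frame into its fields, validating the MBAP header."""
    if len(raw) < 8:
        raise ValueError("too short for MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", raw[:7])
    if pid != 0:
        raise ValueError(f"protocol id {pid} is not Modbus")
    if length != len(raw) - 6:
        raise ValueError("length field does not match frame size")
    return ModbusFrame(tid, uid, raw[7], raw[8:])


def audit_frames(captured, allowed_writers):
    """Passive check over (source_ip, frame) pairs: flag any write function
    code from a source not in the allowlist. Since the protocol itself offers
    nothing to authenticate the sender, this is about all a monitor can do."""
    findings = []
    for src_ip, raw in captured:
        frame = parse_frame(raw)
        name = WRITE_FUNCTION_CODES.get(frame.function_code)
        if name and src_ip not in allowed_writers:
            address = struct.unpack(">H", frame.data[:2])[0]
            findings.append(f"{src_ip} -> unit {frame.unit_id}: {name} at address {address}")
    return findings


# Constructed sample capture; these are not real hosts or real traffic.
HMI = "10.0.0.5"         # assumed legitimate operator workstation
ROGUE = "192.168.1.77"   # assumed unknown host on the same network
CAPTURE = [
    (HMI, read_holding_registers(1, 1, 0, 10)),      # routine polling
    (HMI, write_single_register(2, 1, 40, 1200)),    # operator setpoint change
    (ROGUE, write_single_register(3, 1, 40, 9999)),  # same setpoint, unknown sender
]
ALLOWED_WRITERS = {HMI}

if __name__ == "__main__":
    # The legitimate and rogue writes differ only in source address and value;
    # the frames themselves give the PLC no way to tell them apart.
    for finding in audit_frames(CAPTURE, ALLOWED_WRITERS):
        print("ALERT:", finding)
```

The allowlist is deliberately the weakest useful control: it catches a rogue workstation but not a compromised HMI, because the protocol gives nothing stronger to check. That limitation is the reason the column treats Modbus as a root cause rather than a configuration problem.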
The real reason I am writing this column is that I came across an article that said "Even with minimal Internet access, malware and breaches are increasingly occurring in utility, process, and control systems." Still.
The article attributes 30% of the malware to USB keys carried in internally. That part is easy to solve.
I can't help but wonder how many attacks have been based on the code that HD Moore publicly spread around, proving exactly how easy it is to exploit the SCADA systems, the same code that was published in plain text in one of TechRepublic's online magazines... If they still have it up there, the comments are truly hilarious and worth a read, but I won't post the exact location nor will I post any of it here.
But what about the widely publicized problems: the privately owned facilities with no regulatory authority over them? The mismatched network interface cards, the patchwork of data transmission cables and the insecure protocols themselves? Antiquated machines, and users who demand to connect to the intranet from home? Multiple versions of an unstable operating system full of security holes? These systems monitor processes that in turn control the actual functionality of a facility. Yes, the facilities themselves (in most cases; water treatment, for example) keep physical, manually operated controls to support the "old fashioned way", but it is not completely impossible to affect these as well, through intelligent effort. And I haven't even scratched the surface. All in all, these systems are riddled with issues that should concern even the most extreme anti-'paranoirist'.
These systems' priorities begin with availability, which is paramount, but Top Secret level security solutions need to be in the loop somewhere, including a DoD physical presence in light of electromagnetic and in-range bombing threats.
My head spins when I read such material, knowing what I now know about how critical these systems truly are, and knowing they are privately owned and operated.
While there has been much progress in several areas of study on the matter, as well as the development of the "SCADA and Control Systems Survival Kit" (a document of best practices for SCADA systems), there has been a severe lack of concentrated effort, solutions and real-time contribution among the most "key" whitehat security "experts".


Excellent article!
I sincerely appreciate the compliment. Thank you.
Where can I find more information on the topic of this article?
Write more often
You may have not intended to do so, but I think you have managed to express the state of mind that a lot of people are in. The sense of wanting to help, but not knowing how or where, is something a lot of us are going through.
It's nice to hear that more and more folks are greatly concerned with the efforts that need to take place to move forward.
The biggest problem is that the systems were deregulated and are owned by private owners all over the States, making it a more difficult problem to solve.
There are now a few companies working on fixing the underlying networking protocol, which will curb the transmission of unwanted/hostile data throughout the SCADA networks. That is a fantastic way to approach the problem... basically stabbing it at the root and defending all the top layers (the old systems, software, Internet access) that are causing major security risks. However, it will not solve the problems of wireless, outdated or insecure applications, or the internal use of USB keys. But it's definitely a fantastic start and a very clever way to approach the problem.
HD Moore developed the open source Metasploit framework as a way to program "unique" security applications for the Internet and networks. When the networking protocol furnished by all SCADA providers was found to be insecure in a number of ways, Metasploit was able to detect this, and was used by a handful of clever individuals to rewrite the protocol entirely.
The fine folks running DefCon were kind enough to display the insecure protocol step by step and offer a way to resolve the issue to a very large crowd of technical conference attendees, including government officials and folks from the Department of Defense, which inspired a number of them to take this information back to their companies, some of which specifically deal in security products.
With this information in hand, my hope is that the companies creating the secure protocol are able to reach the SCADA providers and convince them of their need to make the transition, and to reach them all in good time.
A solution/opportunity to offer to you: strike deals with the companies working on or already providing the new protocol, and offer to promote and install it for privately owned operators in your area, or as far as you can reach. I'm sure you can find funding through a government grant.
Thanks for reading my blog.