
Posts tagged SCADA

Thursday, July 22, 2010

Is a hack into our nation’s domestic infrastructure possible?

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The National Security Agency recently unveiled a program to help secure the networks of crucial domestic infrastructure, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of grid hacking.

Interestingly, a recent Wired article ("Hacking the Electric Grid? You and What Army?", July 13, 2010) asked, "…if it's so easy to turn off the lights using your laptop, how come it doesn't happen more often?" According to the article:

Your average power grid or drinking water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.

To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.

Let's pretend for a moment that hackers were planning to attack the U.S. What would they need to do to gather enough information to take out electrical power in key parts of the country? They don't want to fiddle at the edges, mind you. They want enough data to build the technical capability to shut off the lights in Washington or New York or California at precisely the time, and for exactly the duration, they choose.

For starters, they would need to know things like: Where are the power plants? What kind of plants are they? What sort of fuel do they use? Who built them and when? What sort of materials and technology were used when they were built? Who manufactured the generators, turbines and other key equipment? Whose SCADA software are they running? Who runs the plants? How do fuel, people and supplies get into or out of the plant? What sort of security do they have? And perhaps most importantly: which plants supply power to which parts of the country?

The Wired article raises a lot of interesting questions, but we ask a simpler one: are foreign attacks on our nation's critical infrastructure possible? Our answer is absolutely. This is a real security threat and one that shouldn't be taken lightly.

In fact, The New York Times reported last week on a new virus that targets the computers used to manage the large-scale industrial control systems run by manufacturing and utility companies. Although those SCADA systems are not typically connected to the Internet, this virus spreads when an infected USB stick is inserted into the computer, so the lack of an Internet connection is no protection against it.

To assist these organizations, BT Managed Security Solutions Group offers a multi-layered, holistic approach to securing critical network infrastructure (CNI) and monitoring the wider organization. It gives an organization a view of its security posture as it relates to its critical infrastructure (substations, control centers, energy management systems) and to that infrastructure's interconnection with the rest of the organization.

As organizations merge to achieve economies of scale, formerly separate geographic operating regions become interconnected through common enterprise environments. With a holistic approach, the footprints of an attack can be discovered across multiple systems, or even across multiple operating areas.

In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

Fast and accurate detection of security-related events is an organization's first line of defense against intrusions. That requires a solution that aggregates and correlates information from both the critical network infrastructure and the enterprise network, giving the organization visibility into its security posture across both.

Thursday, October 15, 2009

The Difficulties of Detecting Attacks on SCADA Systems

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

A company's most important assets are its network, applications, customer data and reputation. These assets are, predictably, prime targets of viruses, Trojans and other intrusions launched by amateur hackers and, with increasing frequency, by organized criminals.

Firewalls, IDSs, IPSs and anti-virus software go a long way toward protecting against such attacks, but protection alone can never be enough. Effective defense also requires vigilance: fast, accurate detection of, and response to, the attacks that get past the perimeter. Vigilance is a company's most important and first line of defense, and the only way to be truly vigilant against attacks is through real-time monitoring.

Organizations that use Industrial Control Systems (ICS) such as SCADA (Supervisory Control and Data Acquisition), EMS (Energy Management Systems), DMS (Distribution Management Systems), DCS (Distributed Control Systems) and other control systems face some particular challenges. For this article, the term "SCADA" will be used for all industrial control systems, across the many industries that use them. For example, utility companies use SCADA systems to help manage electrical grids and power generation, and manufacturers use them to manage factory-floor equipment.

Traditionally, SCADA systems have run over radio and serial connections. Now, however, many organizations run them over IP networks to boost performance and save money. SCADA systems running on IP networks have the following issues:

  • SCADA systems can be extremely sensitive to routine vulnerability scanning; an active probe can crash a controller
  • Patches will often break the SCADA application and therefore cannot be applied
  • Vendors of the SCADA system often have not validated the latest security patches for use with their product
  • Standard IDS does not look for SCADA-specific attacks
  • SCADA engineers often do not have experience with IP security issues
In addition, because cybersecurity is not a core competency of control-system vendors, the task of securing industrial control and SCADA networks is generally left to the end user. The gap between IT departments and the people in charge of the SCADA networks is both political and technical. Organizations that are part of the critical infrastructure, such as energy, have been forced by regulation to take appropriate security measures. The impact of an interruption to a key service, such as flight control or a regional power grid, is far greater than the impact of a downed office network. Industrial control systems have unique requirements and therefore need network and host IDS with custom signatures written to detect exploits against these networks.

Industrial control networks have largely been protected by their inaccessibility and by the fact that, until recently, most were not IP-enabled. The dynamics of industrial control systems are changing, especially in manufacturing, where government regulation has not required the installation of suitable security controls and there has been a noticeable increase in malware. Most well-known IDS/IPS vendors have been responsive: they have adopted Digital Bond's signatures and made SCADA-aware signatures available for their platforms.
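What a "SCADA-aware" signature actually does is decode the control protocol instead of matching on a port number. The following is an added example, not code from BT, BT Counterpane or Digital Bond: a small Modbus/TCP decoder with three checks that a generic IDS rule on TCP port 502 cannot express. Modbus/TCP is chosen here as a representative protocol; the hosts, unit ids and the allow-list of engineering workstations are made up for the sample.

```python
"""Protocol-aware inspection of Modbus/TCP requests (added example, not BT's or Digital Bond's code)."""
import struct
from typing import List, NamedTuple, Set

# Function codes that change process state; a generic port-502 rule cannot tell these from reads.
WRITE_FUNCTIONS = {0x05: "Write Single Coil", 0x06: "Write Single Register",
                   0x0F: "Write Multiple Coils", 0x10: "Write Multiple Registers"}
READ_FUNCTIONS = {0x01: "Read Coils", 0x02: "Read Discrete Inputs",
                  0x03: "Read Holding Registers", 0x04: "Read Input Registers"}
DIAGNOSTICS = 0x08
FORCE_LISTEN_ONLY = 0x0004  # diagnostics sub-function: the device stops answering until reset


class ModbusRequest(NamedTuple):
    transaction_id: int
    unit_id: int
    function: int
    data: bytes


def parse_modbus_tcp(payload: bytes) -> ModbusRequest:
    """Parse the 7-byte MBAP header (transaction id, protocol id, length, unit id) and the PDU."""
    if len(payload) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", payload[:7])
    if proto != 0:
        raise ValueError("protocol id %d is not Modbus" % proto)
    if length != len(payload) - 6:  # the length field counts unit id + PDU
        raise ValueError("MBAP length %d disagrees with frame size" % length)
    return ModbusRequest(tid, unit, payload[7], payload[8:])


def inspect(src: str, payload: bytes, writers: Set[str]) -> List[str]:
    """Return alerts for one client-to-server frame; `writers` are hosts allowed to change state."""
    try:
        req = parse_modbus_tcp(payload)
    except ValueError as err:
        return ["%s: malformed Modbus/TCP frame (%s)" % (src, err)]
    alerts = []
    fc = req.function
    if fc in WRITE_FUNCTIONS and src not in writers:
        alerts.append("%s: %s to unit %d from a host not approved for writes"
                      % (src, WRITE_FUNCTIONS[fc], req.unit_id))
    elif fc == DIAGNOSTICS:
        sub = struct.unpack(">H", req.data[:2])[0] if len(req.data) >= 2 else None
        if sub == FORCE_LISTEN_ONLY:
            alerts.append("%s: Force Listen Only Mode sent to unit %d (denial of service)"
                          % (src, req.unit_id))
    elif fc not in WRITE_FUNCTIONS and fc not in READ_FUNCTIONS:
        alerts.append("%s: uncommon function code 0x%02x to unit %d (possible fingerprinting)"
                      % (src, fc, req.unit_id))
    return alerts


# Constructed sample traffic: (source host, raw TCP payload). Addresses and unit ids are made up.
APPROVED_WRITERS = {"10.20.0.5"}  # the engineering workstation (assumed allow-list)
SAMPLE_FRAMES = [
    # HMI polls 10 holding registers from unit 1: routine
    ("10.20.0.10", b"\x00\x01\x00\x00\x00\x06\x01\x03\x00\x00\x00\x0a"),
    # engineering workstation writes register 0x0010 := 1: permitted
    ("10.20.0.5",  b"\x00\x02\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # the same write, but from a corporate desktop
    ("10.1.5.77",  b"\x00\x03\x00\x00\x00\x06\x01\x06\x00\x10\x00\x01"),
    # Diagnostics sub-function 0x0004: force the PLC into listen-only mode
    ("10.1.5.77",  b"\x00\x04\x00\x00\x00\x06\x01\x08\x00\x04\x00\x00"),
    # Read Device Identification (fc 0x2B, MEI type 0x0E), typical of an inventory scan
    ("10.1.5.77",  b"\x00\x05\x00\x00\x00\x05\x01\x2b\x0e\x01\x00"),
    # MBAP length field disagrees with the actual frame size
    ("10.1.5.77",  b"\x00\x06\x00\x00\x00\x20\x01\x03\x00\x00\x00\x0a"),
]


def run_sample() -> List[str]:
    """Inspect every constructed frame and return the alerts raised, in order."""
    alerts = []
    for src, payload in SAMPLE_FRAMES:
        alerts.extend(inspect(src, payload, APPROVED_WRITERS))
    return alerts


if __name__ == "__main__":
    for line in run_sample():
        print(line)
```

The first two frames raise nothing; the remaining four each raise one alert. Everything here is passive inspection of captured traffic, which matters given the point above about controllers that fall over under routine vulnerability scanning: the detector never sends a packet to the PLC. In practice the allow-list of writers and the set of "normal" function codes come from a baseline of the plant's own traffic, not from the protocol specification.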

However, the lack of a central monitoring framework means attacks are not easily detected. Even the fixes available to organizations with large-scale SCADA systems are less than ideal: most solve their ICS monitoring requirement in isolation rather than as part of a system-wide view of security, which leaves a fragmented view of organizational risk. The attacker's footprints are almost certainly scattered across both the corporate and the industrial control systems, and without a holistic picture it is easier for the attacker to escape undetected.

The solution lies in a holistic approach to monitoring, combining corporate monitoring data with industrial control system log data so that a comprehensive picture of an attack can be painted. To learn more about BT MSSG's SCADA Solutions, powered by BT Counterpane, see http://bt.counterpane.com/managed-security-solutions.html
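The point about scattered footprints is easiest to see with events side by side. The following is an added example, not BT Counterpane's correlation engine: it takes normalized events from the enterprise side (VPN, anti-virus, removable media) and from the control side (writes to controllers, HMI logins) and ties a control-network write back to the enterprise precursors on the same host or user within a look-back window. The log format, hostnames, user names and timestamps are all constructed for the example, and the same sketch applies to the USB-borne virus and the cross-region monitoring described in the other two posts on this page.

```python
"""Correlating enterprise and control-network events (added example, not BT Counterpane's code)."""
from datetime import datetime, timedelta
from typing import Dict, List, NamedTuple


class Event(NamedTuple):
    ts: datetime
    domain: str      # "enterprise" or "ics"
    kind: str        # e.g. "av.detection", "write"
    host: str
    user: str
    detail: str


def parse_line(line: str) -> Event:
    """Lines are 'ISO-time|domain|kind|host|user|detail' (a constructed, already-normalized format)."""
    ts, domain, kind, host, user, detail = line.strip().split("|", 5)
    return Event(datetime.fromisoformat(ts), domain, kind, host, user, detail)


# Constructed sample events. Each one looks routine to the team that owns it:
# the AV alert is one of many, the Modbus write comes from an approved engineering workstation.
SAMPLE_LOG = """\
2010-07-19T08:02:11|enterprise|vpn.login|vpn-gw|jsmith|from 203.0.113.9
2010-07-19T08:15:40|enterprise|removable_media|ENG-WS-04|jsmith|USB mass storage attached
2010-07-19T08:16:05|enterprise|av.detection|ENG-WS-04|jsmith|quarantine failed: unknown dropper
2010-07-19T09:41:00|enterprise|av.detection|HR-PC-22|mlee|adware cleaned
2010-07-19T11:30:27|ics|write|ENG-WS-04|jsmith|Modbus fc16 to PLC-7 (setpoint block)
2010-07-19T11:32:10|ics|hmi.login|HMI-01|operator|shift change
2010-07-20T14:05:00|ics|write|ENG-WS-02|rkhan|Modbus fc06 to PLC-3
"""

PRECURSORS = {"av.detection", "removable_media", "vpn.login"}   # enterprise-side signals
ICS_ACTIONS = {"write", "config_change"}                         # control-side actions worth explaining


def correlate(events: List[Event], window: timedelta) -> List[dict]:
    """For each control-network action, collect enterprise precursors on the same host or user
    that occurred within `window` before it. Only actions with at least one precursor are returned."""
    by_host: Dict[str, List[Event]] = {}
    by_user: Dict[str, List[Event]] = {}
    for e in events:
        if e.domain == "enterprise" and e.kind in PRECURSORS:
            by_host.setdefault(e.host, []).append(e)
            by_user.setdefault(e.user, []).append(e)
    incidents = []
    for e in events:
        if e.domain != "ics" or e.kind not in ICS_ACTIONS:
            continue
        candidates = by_host.get(e.host, []) + by_user.get(e.user, [])
        # a set removes the precursor matched both by host and by user
        related = sorted({p for p in candidates if timedelta(0) <= e.ts - p.ts <= window},
                         key=lambda p: p.ts)
        if related:
            incidents.append({"action": e, "precursors": related})
    return incidents


def load_sample() -> List[Event]:
    return sorted((parse_line(l) for l in SAMPLE_LOG.splitlines() if l.strip()),
                  key=lambda e: e.ts)


def run_sample() -> List[dict]:
    """Correlate the constructed log with a 24-hour look-back window."""
    return correlate(load_sample(), timedelta(hours=24))


if __name__ == "__main__":
    for inc in run_sample():
        a = inc["action"]
        print("%s %s by %s on %s <- %s" % (a.ts, a.kind, a.user, a.host, a.detail))
        for p in inc["precursors"]:
            print("    %s %-16s %s %s" % (p.ts, p.kind, p.host, p.detail))
```

On the sample the write from ENG-WS-02 stays unreported because nothing on the enterprise side precedes it, while the write from ENG-WS-04 is reported together with the VPN login, the USB insertion and the failed quarantine that led up to it. Neither data source shows that chain on its own, which is the case for feeding both into one correlation point. The window, the precursor kinds and the join keys (host, user) are the tuning knobs; in a real deployment the join also has to cross IP-to-hostname and account-name mappings that differ between the corporate and control domains.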

Thursday, September 17, 2009

Protecting Our Nation’s Most Critical Infrastructure and Assets

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

If you lived in Cleveland, New York or Baltimore in August 2003, you probably remember the large-scale power outage. Although that blackout was not caused by cyber terrorism, it, together with the terrorist attacks of September 11, 2001, brought the possibility of attacks against critical infrastructure into sharp focus and accelerated the adoption of standards that provide a cyber security framework for identifying and protecting critical cyber assets. By defining critical assets, these standards are intended to support the reliable operation of the bulk electric system in North America.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards provide requirements covering a variety of areas of cyber security for bulk power system owners, operators and users. However, because the security landscape of Industrial Control Systems (ICS) is changing so rapidly, companies are still failing to secure their systems adequately.

Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), are the systems that give operators automated direct and indirect control over functions throughout the power grid. Used within CNI, they present unique security challenges. As business requirements change and the demand for real-time information grows, securing CNI networks and their process control systems becomes paramount.

Organizations have typically addressed compliance and security in silos, which results in an incomplete picture of the cyber threat. Addressing security in isolation gives an organization only the perception of security; because of the gaps in information, it does not give an organization-wide view of risk.

To assist these organizations, BT Managed Security Solutions Group and Industrial Defender have partnered to offer a holistic solution for critical network infrastructure (CNI) and organizational monitoring. This offering enables organizations to see their security posture as it relates to their critical infrastructure (substations, control centers, energy management systems) and its interconnection with the rest of the organization.

As organizations merge to achieve economies of scale, formerly separate geographic operating regions become interconnected through common enterprise environments, and with a holistic approach the footprints of an attack can be discovered across multiple systems, or even across multiple operating areas. In today's regulatory-driven environment, an organization must consider its entire critical infrastructure, from the substation to the control center and out to the enterprise network, when making security monitoring decisions.

Fast and accurate detection of security-related events is an organization's first line of defense against intrusions. That requires a solution that aggregates and correlates information from both the critical network infrastructure and the enterprise network, giving the organization visibility into its security posture across both.
