
Posts tagged - SCADA

Monday, August 1, 2011

Are we in denial? Protecting the country’s infrastructure

Jeff Schmidt, Global Portfolio Head of Business Continuity, Security & Governance Capability, BT

I’ve been joking lately that my home seems to be a Delta airplane.  But all the travel has given me the opportunity to catch up on my reading.  Just the other day, I was reading a blog post by Gartner’s John Pescatore, who was looking back at the series of blackouts that have occurred in the United States over the years. The most recent was in 2003, and he asks the question: Are we still in denial about attacks that could cripple our nation’s infrastructure?

In the United States, 85 percent of the country’s infrastructure, including utilities, the electrical grid and power plants, is managed by the private sector.  An attack, whether by a government or an individual, poses a risk to that infrastructure, as we saw recently with the Stuxnet attack on Iran.

While the industry does have standards, they are not deployed or approached in the same manner everywhere, and they leave a lot to interpretation in how they are implemented.  Add the inability to measure the effectiveness of controls, and you have a consistency problem.  Add the fact that when incidents happen, in both the public and private sectors, there is an inclination not to share information, which leaves each operator to come up with its own approach.  In fact, critical infrastructure information that is at times deemed confidential or top secret is itself a barrier to sharing at the right level of detail and in a timely fashion.  The situation becomes even more complex when you add an ever-changing technology and threat landscape and a growing number of access points in the enterprise.

Having a better baseline — and not processes for the sake of process, but for the sake of ensuring critical infrastructure is protected — is essential.  Another essential is the creation of a set of standards for reporting and sharing, along with the right controls in place for incident response and the proactive means to stop an attack prior to it becoming a media event.

Incorporating processes and controls quickly will allow for a better cyber security posture for real-time and situational awareness.  It also  would allow for the appropriate retrofitting of current, and the alignment of future,  processes to ensure the appropriate systems are in place to meet Smart Grid protection needs today, tomorrow and in the future.

Monday, May 2, 2011

Lurking in the Shadows: Why Utilities Need to Protect their IT Infrastructure

By Tara Savage, Senior Marketing Manager, BT Global Services


Kaspersky Lab’s Threat Post recently reported on a study from The Ponemon Institute which revealed that three quarters of global energy companies had suffered a data breach during the last 12 months.  

Until the Stuxnet worm wreaked havoc on critical infrastructure systems around the world, most had assumed that energy companies were largely immune from the problems of hackers and data breaches that impact banks, consumer-oriented businesses and individuals. 

But apparently energy infrastructure is a prime target because of a combination of factors: a lack of management attention to IT security, poorly understood compliance regulations such as NERC, and complex systems.

To read the entire report and learn more about the complexities introduced by SCADA systems, click here.

Monday, April 4, 2011

SCADA Software Holes Cause Concerns

By Jim Tiller, Vice President, Security Professional Services, North America, BT Global Services

SCADA – supervisory control and data acquisition – software has been taking a lot of hits lately. After last year’s Stuxnet threat, which targeted specific Siemens software, it was, according to some, inevitable that vulnerabilities would be revealed in SCADA software, which is used in refineries, gas pipelines, manufacturing and other critical operations.  In fact, we asked that very question last July, in our post on whether a hack into our infrastructure is possible.

We still believe that it is absolutely possible, particularly given that SCADA software has traditionally been isolated from the Internet but is in transition to an environment in which it could be accessed through the Internet. 

Recently, the Moscow-based security firm Gleg released its own software, dubbed “Agora_ SCADA Exploit Pack for CANVAS,” that targets 11 zero-day, or unpatched, SCADA holes.  And, on its heels, the U.S. DHS National Cyber Security Division’s Control Systems Security Program (CSSP) issued four warnings that SCADA systems are at risk from the exploitation of common bug classes, including stack, heap and integer overflows, arbitrary command execution and memory corruption, among other vulnerabilities.

According to the CSSP, the at-risk products are Siemens Tecnomatix FactoryLink, Iconics GENESIS32 and GENESIS64, 7-Technologies IGSS (Interactive Graphical SCADA System) and DATAC RealWin.  The vulnerabilities were disclosed to the BugTraq security mailing list by Italian researcher Luigi Auriemma, who said his motivation for hacking the systems was “to educate the research community and alert software makers to problems with their products.”

SCADA software is in transition from a legacy environment that was isolated from the Internet.  During the years it will take the plants that run our country’s critical infrastructure to upgrade to a more modern version, it will serve them well to heed the CSSP warnings and to find ways to keep their control systems secure.

Want to hear more from Jim Tiller?  Join BT at Infosec 2011 on April 19-21, where he will be presenting along with Bruce Schneier, Ray Stanton and several of our partners.  If you are planning on attending, come and find us at booth C92. 

Friday, October 29, 2010

Trick or Treat: DVR Zombies and Other Halloween Tales

By Erik Mogus, Manager – Device Management, BT Global Services

The once disparate realms of networks and physical devices move closer to convergence on a daily basis.  This is the reality — there is no reversing the trend.  It makes too much sense for convergence not to happen. 

There are a few drivers for this, including a move on the commercial side to subscription-based services, as well as enhanced feature sets for internet-enabled devices which add convenience and functionality for the consumer.

What were once standalone devices — anything from DVRs to complex control systems in industrial plants — are now part of a system of networked devices accessible via IP networks.  While the threat of an attacker accessing your stash of Jersey Shore repeats on your network-enabled DVR might not be of much concern to your average netizen, there are other scenarios that are more worthy of our attention.

At the home consumer level, incremental changes in technology can create greater security and privacy implications than the typical user initially perceives.  For example, five years ago, a webcam didn’t provide any real value without a computer to pair it with.  However, the current generation of webcams offers more advanced functionality, including native support for Wi-Fi networks and their own user interface.

If you understand the types of risks that these devices introduce, then you’re in good shape.  The question is — would you trust a less technical friend or relative to configure one of these cameras without your assistance?  More importantly, would you trust them to install one for you, in your living room?  The bottom line is that for information security professionals, security is a way of life.  For your average user, it is not.  Although, I’d like to point out that even tech savvy people sometimes use questionable judgment when it comes to this sort of thing.

Another example would be Stuxnet, which has garnered a high degree of notoriety in recent weeks due in large part to its complexity, intrigue around who authored the worm, what their motivations might be, and its possible impact in the “real world.”  While most people are not well versed in SCADA and may not fully comprehend the risk Stuxnet has introduced, they can readily grasp the potential consequences of a successful attack by the worm.  There are still differing accounts as to what role Stuxnet may have played in delaying Iran’s implementation of its nuclear program.  We may never know for sure what role it may have played, but it’s interesting to consider.

Boiling down the technical details mostly doesn’t matter to the population at large; most people will never appreciate the elegant logic and creativity that went into developing the worm.  What will matter to them is how real the threat is, and what the implications of a successful compromise are.  These concerns are magnified when the threat crosses over from the wire to a physical device that controls systems with an obvious impact on our “real” lives.  While the risk of such an attack on these systems is mostly regarded as unlikely in our community, the outcome of a successful attack is something we have difficulty quantifying.

As National Cyber Security Awareness Month comes to a close, it’s important to think about the implications that the continued convergence of networks and physical devices is going to have.  In some cases, the risks introduced by this crossover may become greater, if not more personal, than network only threats.  This is what we call a “good problem to have.”

Thursday, September 16, 2010

Fully Redundant Houses of Cards

By Robert Jamison, Manager, Network Intelligence, Managed Security Solutions Group, BT Global Services

A substantial chunk of security in the CIA triad is the “A” for Availability.  Distributed Denial of Service attacks, natural disasters and plain ordinary hardware failure can all diminish this most noticeable attribute.  When “it” is simply not there or not working, everybody notices, as long as “it” is one of the ingredients absolutely necessary to make the process work.

Electricity is one key ingredient in every modern automated process, and much has been written about SCADA systems vulnerable to Trojans such as Stuxnet, or to denial-of-service attacks on the electrical grid.

Storage is not on the same tier as electricity, but in information systems it ranks quite high.  During the past week in Virginia, several government agencies have suffered through information systems processing failures.  This comes one month after a similar failure in another Virginia information system, and little more than a year after disclosure of the complete breach of personal medical prescription information in a hack against the central database of the Virginia Prescription Monitoring Program.

Origins of the failure point to faulty hardware, specifically the write-ahead cache in Storage Area Network (SAN) interface cards.  These cards (originally RAID controller cards before SAN became a popular term) use dedicated on-card memory allocated fully by the card’s processing unit, allowing the system to buffer data that needs to be written to the storage arrays.  Data arrive at this point through any one of the myriad servers that need to “write” to storage as part of a transaction process.  Depending on the complexity and distribution of the application’s structure, the data may have places to be stored temporarily outside of the SAN area (a cache).

But this doesn’t seem to be the case for the State of Virginia’s Department of Motor Vehicles and Social Services.  These systems seem to be of the mainframe or star topology, effectively forcing each critical application to rely completely on timely access to the SAN.  This is necessary to operate at all. 

Typically, the more distributed a system’s applications are, the more people using them, the more storage space is going to be needed.  This makes SANs a particularly attractive option for businesses, and the sales rhetoric reflects that. 

However, in light of the failures of two identical controller cards on two redundant arrays, clearly mirroring SAN environments is not enough redundancy when the business model (a large state government) starts stacking application after application from various unrelated agencies, each needing SAN I/O to perform its task.  There was not sufficient redundancy to provide for business continuity within a given week.  These individual agencies had limited control of where their own data were accessed from – that is clear.  At least in Virginia, it is somehow either necessary or politically beneficial to surrender all your agencies’ critical application data to some common repository and pray the stated continuity and time to recovery is acceptable for your mission.

Our concern in writing this is not to shed light on Virginia’s folly in managing its IT infrastructure, as the model of sending and retrieving information from a SAN has some huge security benefits, such as centralized control over backups and not having personnel data lying around on random hard drives at local sites.  Using a third party to mirror the already redundant array may be a solution here.  It does increase the possibility of data theft, but that should draw more attention to the need to encrypt data, both at rest and in transit.  Additionally, it reduces the monoculture redundancy effect that this article’s title very subtly alludes to.  When an identical piece of hardware or software is present on each node of a redundant solution, the true redundancy count heads downwards towards 1, not “N” as touted.  To further clarify, the vulnerability is present in all nodes of the solution, and MTF is no longer a function of a normal failure distribution; instead, a domino-like chain reaction is possible.  When “N” is low to begin with (it was 2 in the case of Virginia’s storage solution), the risk profile is completely different than the way most organizations would view it.
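The bound behind that point, written out as an added illustration rather than the author’s own working; p is the per-node independent failure probability, c the probability that a shared defect takes down every identical node at once, and N the number of mirrors (all assumed symbols):

```latex
P_{\text{indep}}(\text{all } N \text{ nodes fail}) = p^{N},
\qquad
P_{\text{monoculture}}(\text{outage}) = c + (1-c)\,p^{N} \;\ge\; c
```

Because c does not depend on N, adding identical mirrors can only shrink the p^N term while the common-mode floor c stays, which is the sense in which the effective redundancy count tends towards 1 rather than N.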

Thursday, July 22, 2010

Is a hack into our nation’s domestic infrastructure possible?

By Toby Weir-Jones, Vice President of Product Development, Managed Security Solutions Group, BT Global Services

The National Security Agency recently unveiled a program to help secure the networks of crucial domestic infrastructure, including the networks of electrical companies and nuclear power plants. Called “Perfect Citizen,” the program is geared to bring attention to the possibility of grid hacking.

Interestingly, a recent Wired article (“Hacking the Electric Grid? You and What Army?”, July 13, 2010) asked, “…if it’s so easy to turn off the lights using your laptop, how come it doesn’t happen more often?”  According to the article:

Your average power grid or drinking water system isn’t analogous to a PC or even to a corporate network. The complexity of such systems, and the use of proprietary operating systems and applications that are not readily available for study by your average hacker, make the development of exploits for any uncovered vulnerabilities much more difficult than using Metasploit.

To start, these systems are rarely connected directly to the public Internet. And that makes gaining access to grid-controlling networks a challenge for all but the most dedicated, motivated and skilled — nation-states, in other words.

Let’s pretend for a moment that hackers were planning to attack the U.S.  What would they need to do to gather enough information necessary to take out the electrical power in key parts of the country?  They don’t want to fiddle at the edges, mind you.  They want to have enough data to build the technical capability necessary to shut out the lights in Washington or New York or California at precisely the time and for exactly the duration they want.

For starters, they would need to know things like:  Where are the power plants?  What kind of plants are they? What sort of fuel do they use?  Who built them and when?  What sort of materials and technology were used when they were built?  Who manufactured the generators, turbines and other key equipment?  Whose SCADA software are they running?  Who runs the plants?  How do fuel, people and supplies get into or out of the plant? What sort of security do they have?  And perhaps most importantly: which plants supply power to which parts of the country?

While the Wired article included a lot of questions that are interesting, we ask: Are foreign attacks on our nation’s crucial infrastructure possible?  Our answer is absolutely. This is a real security threat and one that shouldn’t be taken lightly.

In fact, The New York Times reported last week that a new virus targets the computers used to manage large-scale industrial control systems used by manufacturing and utility companies. While the SCADA systems that run the software are not typically connected to the Internet, this specific virus spreads when an infected USB stick is inserted in the computer.

To assist these organizations, BT Managed Security Solutions Group offers a multi-layered, holistic approach to secure critical network infrastructure (CNI) and organizational monitoring. This offering enables any organization to have a view of its security posture as it relates to its critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the organization.

With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas.  As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments.  

In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions.  This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.

Thursday, October 15, 2009

The Difficulties of Detecting Attacks on SCADA Systems

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

A company’s most important assets are its network, applications, customer data, and reputation.  These important assets are all, predictably, prime targets of attack from viruses, Trojans, and other intrusions sent by amateur hackers and, with increasing frequency, organized criminals. 

Firewalls, IDSs, IPSs, and anti-virus software can go a long way to protect against such attacks, but this type of protection alone can never be enough.  The only way to ensure effective defense is through vigilance: fast, accurate detection and response to stop the attacks that get past perimeters.  Vigilance is a company’s most important and first line of defense.  The only way to be truly vigilant against attacks is through real-time monitoring. 

Organizations that use Industrial Control Systems (ICS) like SCADA (Supervisory Control and Data Acquisition), EMS (Energy Management Systems), DMS (Distributed Management Systems), DCS (Distributed Control Systems) and other control systems face some particular challenges.  For this article, the term “SCADA” will be used to describe all industrial control systems used in a variety of industries.  For example, utility companies use industrial control, or SCADA, systems to help manage electrical grids and power generation, and manufacturers use them to manage factory floor equipment.

Traditionally, SCADA systems have run on radio and serial network connections.  Now, however, many organizations are running them over IP networks to boost performance and save money. SCADA systems running on IP networks have the following issues:

  • SCADA systems can be extremely sensitive to routine vulnerability scanning
  • Patches will often break the SCADA application and therefore cannot be applied
  • Vendors of the SCADA system often do not verify the latest security patches
  • Standard IDS does not look for SCADA specific attacks
  • SCADA engineers often do not have experience with IP security issues

In addition, because cybersecurity is not a core competency of control system vendors, the task of securing industrial control and SCADA networks is generally left up to the end-user. The gap between IT departments and the individuals in charge of the SCADA networks is both political and technical.  Organizations that are part of the critical infrastructure, such as energy, have been forced by regulations to take appropriate security measures.  The magnitude of the impact that an interruption can have on key services, such as flight control or regional power grid, is far greater than the potential impact to a downed office network.  Industrial control systems have unique requirements and therefore need Network and Host IDS with custom signatures created to detect exploits in these networks.

Industrial control networks have largely been protected by their inaccessibility and the fact that, until recently, most were not IP enabled.  The dynamics of industrial control systems are changing, especially in manufacturing, where government regulations have not required the installation of suitable security control mechanisms, and this has resulted in a noticeable increase in the presence of malware.  Most well-known IDS/IPS vendors have been responsive: they have used Digital Bond signatures and have made SCADA-aware signatures available for their platforms.

However, the lack of a central monitoring framework means attacks are not easily detected.   Even the fixes available to organizations with large-scale SCADA systems are less than ideal, with most solving their ICS monitoring requirement in isolation rather than as part of a system-wide perspective on security.  This results in a fragmented view of organizational risk.  The footprints of the attacker are undoubtedly scattered across both the corporate and industrial control systems and, without a holistic picture, it is easier for the attacker to escape undetected.

The solution lies in a holistic approach to monitoring, combining corporate monitoring data with industrial control system log data to enable a comprehensive picture of an attack to be painted.  To learn more about BT MSSG’s SCADA Solutions, powered by BT Counterpane, click here.

http://bt.counterpane.com/managed-security-solutions.html
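The kind of cross-zone correlation the post above argues for, as an added illustration that is not code from the original post or from BT’s products: constructed corporate and control-network log lines are linked by shared user or host inside a time window, so a controller change that looks routine on the ICS side is flagged because of the remote entry that preceded it on the corporate side. The log format, event names, hosts and users are all assumptions made for this example.

```python
"""Cross-zone correlation of corporate and control-system log lines.

Added example (not code from the original post or from BT's products):
neither zone's monitoring flags anything on its own, but linking the two
by shared user/host inside a time window exposes the attack path the
article describes (corporate foothold -> change on a controller).
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample lines, not real logs. Format is assumed:
# ISO timestamp, zone ("corp" = enterprise, "ics" = control network), k=v fields.
SAMPLE_LOGS = """\
2010-10-15T02:10:44Z corp event=vpn_login user=jdoe src=203.0.113.7 host=vpn-gw
2010-10-15T02:14:02Z corp event=smb_read user=jdoe host=eng-ws-07 object=fs01:/eng/plc_project.zip
2010-10-15T02:19:30Z corp event=rdp_login user=jdoe host=eng-ws-07 src=10.20.1.15
2010-10-15T02:21:17Z ics event=plc_program_download user=jdoe host=eng-ws-07 target=PLC-3
2010-10-15T09:05:10Z ics event=plc_program_download user=mlee host=eng-ws-02 target=PLC-1
2010-10-15T11:40:00Z corp event=vpn_login user=asmith src=198.51.100.9 host=vpn-gw
"""

# Event names are assumptions for this example.
ICS_CHANGE_EVENTS = {"plc_program_download", "hmi_config_change"}
CORP_ENTRY_EVENTS = {"vpn_login", "rdp_login"}


@dataclass
class Event:
    ts: datetime
    zone: str
    fields: dict


def parse_line(line: str) -> Event:
    """Parse one 'timestamp zone k=v k=v ...' line."""
    ts_str, zone, *kv = line.split()
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ")
    fields = dict(item.split("=", 1) for item in kv)
    return Event(ts, zone, fields)


def parse_logs(text: str) -> list[Event]:
    return [parse_line(ln) for ln in text.splitlines() if ln.strip()]


def correlate(events: list[Event], window_minutes: int = 30) -> list[dict]:
    """Flag ICS change events preceded, within the window, by corporate
    activity of the same user or from the same host. Severity is raised
    when that corporate activity includes a remote entry point."""
    window = timedelta(minutes=window_minutes)
    corp = [e for e in events if e.zone == "corp"]
    alerts = []
    for ics in (e for e in events if e.zone == "ics"):
        if ics.fields.get("event") not in ICS_CHANGE_EVENTS:
            continue
        user, host = ics.fields.get("user"), ics.fields.get("host")
        related = [
            c for c in corp
            if ics.ts - window <= c.ts <= ics.ts
            and ((user and c.fields.get("user") == user)
                 or (host and c.fields.get("host") == host))
        ]
        if not related:  # no corporate footprint: treat as routine maintenance
            continue
        remote_entry = any(c.fields.get("event") in CORP_ENTRY_EVENTS for c in related)
        alerts.append({
            "target": ics.fields.get("target"),
            "user": user,
            "host": host,
            "severity": "high" if remote_entry else "medium",
            "chain": [c.fields["event"] for c in related] + [ics.fields["event"]],
        })
    return alerts


if __name__ == "__main__":
    for alert in correlate(parse_logs(SAMPLE_LOGS)):
        print(alert["severity"].upper(), alert["target"], " -> ".join(alert["chain"]))
```

On the sample, the 09:05 download by mlee has no corporate footprint and stays silent, while the 02:21 download to PLC-3 is raised to high severity because a VPN and RDP login by the same user preceded it.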

Thursday, September 17, 2009

Protecting Our Nation’s Most Critical Infrastructure and Assets

Sushila Nair, Product Manager, Managed Security Solutions Group, BT Global Services

If you lived in Cleveland, New York or Baltimore in August 2003, you probably remember the large scale power outage. While the major blackout was not caused by cyber terrorism, this event, along with the terrorist attacks on September 11, 2001, brought the possibility of attacks against critical infrastructure into sharp focus and accelerated the implementation of standards to provide a cyber security framework that would identify and protect critical cyber assets. By defining critical assets, these standards are intended to support the reliable operation of bulk electric systems in North America.

The North American Electric Reliability Corporation (NERC) Critical Infrastructure Protection (CIP) Reliability Standards provide guidelines covering a variety of areas related to cyber security for bulk power system owners, operators and users. However, due to the rapidly changing security landscape of Industrial Control Systems (ICS), companies are failing to adequately secure their systems.

Industrial Control Systems (ICS), which include Supervisory Control and Data Acquisition (SCADA) and Distributed Control Systems (DCS), give operators automated direct and indirect control over functions throughout the power grid. These systems, used within CNI, present unique security challenges to organizations. As business requirements change and the demand for real-time information increases, securing CNI networks and their process control systems is paramount for organizations.

Organizations have typically addressed compliance and security in silos, which results in an incomplete picture of the cyber threat. Addressing security in isolation only provides an organization the perception of security, but does not provide an organization with an organizational view of its risk due to gaps in information.

To assist these organizations, BT Managed Security Solutions Group and Industrial Defender have partnered to offer a holistic solution in critical network infrastructure (CNI) and organizational monitoring. This offering enables organizations to have a view of their security posture as it relates to their critical infrastructure (substations, control centers, energy management systems) and its interconnectivity with the organization.

With a holistic approach, the footprints of an attack may be discovered across multiple systems or even across multiple operating areas. As organizations merge to achieve economies of scale, disparate geographic operating regions become interconnected via common enterprise environments. In today’s regulatory-driven environment, an organization must consider its entire critical infrastructure – from the substation to the control center and out to the enterprise network – when making security monitoring decisions.

The fast and accurate detection of security-related events is an organization’s first line of defense against security intrusions. This can only be achieved through a holistic solution that provides enterprise-wide security by aggregating and correlating information from both critical network infrastructure and enterprise networks, providing organizations transparency into their security posture.