SCADA system vulnerabilities

By Jake Edge
June 11, 2008

Core Security released a security advisory on 11 June that details a fairly pedestrian stack-based buffer overflow vulnerability. It is similar to the hundreds or thousands of flaws of this kind reported over the years, except for one thing: it was found in large industrial control systems of the sort used by power and water utility companies. That there is a vulnerability is not surprising—there are certainly many more—but it does give one pause about the dangers of connecting these systems to the internet.

The bug was found in a Supervisory Control and Data Acquisition—better known as SCADA—system and could be exploited to execute arbitrary code. Given that SCADA systems run much of the world's infrastructure, an exploit of a vulnerable system could have severe repercussions. The customers of Citect, the company that makes the affected systems, include "organizations in the aerospace, food, manufacturing, oil and gas, and public utilities industries."

Makers of SCADA systems nearly uniformly tell their customers to keep those systems isolated from the internet. But as Core observes: "the reality is that many organizations do have their process control networks accessible from wireless and wired corporate data networks that are in turn exposed to public networks such as the Internet." So, the potential for a random internet bad guy to take control of these systems does exist.

None of that should be particularly surprising when you stop to think about it, but it is worrying. Many SCADA systems—along with various other control systems—were designed and developed long before the internet started reaching homes and offices everywhere. They were designed for "friendly" environments, with little or no adaptation for the hostile environment that characterizes today's internet. Also, as we have seen, security rarely gets the attention it deserves until some kind of ugly incident occurs.

Even for systems that were designed recently, there are undoubtedly vulnerabilities, so it is a bit hard to believe that they might be internet-connected. According to the advisory, though, SCADA makers do not necessarily require that the systems be physically isolated from the network; instead, customers can "utilize technologies including firewalls to keep them protected from improper external communications."

Firewalls—along with other security techniques—do provide a measure of protection, but with the stakes so high, it would seem that more caution is required. It is probably convenient for SCADA users to be able to connect to other machines on the LAN, as well as to the internet, but with that convenience comes quite a risk. Even systems that are only locally connected could fall prey to a disgruntled employee exploiting a vulnerability to gain access to systems they normally wouldn't have access to.

One can envision all manner of havoc that could be wreaked by a malicious person (or government) who can take over the systems that control nuclear power plants, enormous gas pipelines, or some chunk of the power grid. Unfortunately, it will probably take an incident like that to force these industries into paying as much attention to their computer security as they do to their physical security.


SCADA system vulnerabilities

Posted Jun 12, 2008 1:32 UTC (Thu) by pynm0001 (subscriber, #18379)

Good questions indeed.

I would expand the list of concern out farther than nuclear power plants though. Any power plant which had its control system compromised and was subsequently taken offline could have disastrous effects on the power grid, whether coal or uranium is the fuel.

This is assuming of course that the reactor protection and emergency core cooling systems do not depend on network functionality (i.e. disabling interlocks must happen manually, or at least electronically, but not remotely via network). If the NRC actually allowed nuke plants to control their reactor safeguards systems over a network then they are incompetent.

SCADA system vulnerabilities

Posted Jun 13, 2008 17:13 UTC (Fri) by pascal.martin (guest, #2995)

As far as I know, nuclear safety systems are fully independent from the plant's SCADA system and built using the same safety design guidelines as commercial aircraft are. This usually excludes networks. These safety systems have no real user interface anyway.

None of the nuclear plant engineers I have met thus far wanted their systems to be connected to the internet. Even when the network ventures out of the plant to a nearby office, I have seen the (dedicated) link being encrypted using military equipment.

There is a trend however within the SCADA community: VPN access for remote maintenance. The most cautious (i.e. most customers) keep the link disconnected. It is connected on request from an identified source, after some level of management approval (i.e. it is a bit of a pain to work with, except when it is the customer who calls you first...).

SCADA system vulnerabilities

Posted Jun 12, 2008 7:45 UTC (Thu) by johill (subscriber, #25196)

Do they pay that much attention to physical security? Nuclear power plants, yes, but those are just the highest profile items. Separating the network or firewalling it off also means that it must not be possible for someone to walk up to, say, a remote converter station, gain access and connect to the network.

SCADA system vulnerabilities

Posted Jun 12, 2008 8:59 UTC (Thu) by nim-nim (subscriber, #34454)

The question is not whether control systems can or cannot be totally isolated. We're way past the point where a completely isolated system would work given current economic requirements.

Industrial processes can be geographically distributed. That means MAN or WAN because no company is going to pay people to go on-site physically to push buttons or read analog dials anymore (and the MAN/WANs can be built using the same physical infrastructure as public networks). Likewise production orders are now issued by computerized processes on the business layer, not phoned to plant operators, so business network/control network bridging is mandatory too. Companies that manage a good business layer/control layer integration have a huge competitive advantage over competitors that fail to do it.

The question today is what is the right security interface between control networks and business networks. Many organisations have this interface designed by industrial people with little IT security culture.

SCADA system vulnerabilities

Posted Jun 13, 2008 17:32 UTC (Fri) by pascal.martin (guest, #2995)

This is generally true. The context varies somewhat from one system to another, and (even more) depending on the type of remote interaction:

- Data acquisition remote units (i.e. acquiring sensor data locally and transmitting it to the SCADA system): I have yet to see the internet used for that purpose. Not even the corporate network was deemed acceptable by the customers I dealt with. The two main reasons: availability (corporate IT people don't mind a quarter hour of downtime on portions of the corporate network) and real time performance. All customers pay us a lot of money to install a dedicated network (this is often the most expensive portion of a SCADA system).

- Remote user terminals in the field: also use a dedicated network, often with firewalls due to the access control issue (nobody in the terminal area).

- Interface with corporate systems: this is the growing trend, including customer information on the web. This usually involves multiple layers of firewalls and DMZs.

I sometimes wish our customers would contact specialized network security companies (which is a problem of its own: how to identify the really competent ones?).

Copyright © 2008, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds