[ISN] SCADA State of Denial

From: InfoSec News (alerts@private)
Date: Mon Apr 16 2007 - 22:20:09 PDT


http://www.darkreading.com/document.asp?doc_id=121887

By Kelly Jackson Higgins
Senior Editor
Dark Reading
April 16, 2007 

Utilities and other process-oriented companies that run supervisory 
control and data acquisition (SCADA) systems are starting to feel the 
heat of security vulnerabilities -- and hackers.

Some of these risks -- and bugs -- are unique to their environments, 
which historically weren't secured because they were built to be 
isolated, closed systems, but they also share the same Microsoft 
vulnerabilities as a typical enterprise does. These once-cloistered 
systems and networks are increasingly using off-the-shelf products such 
as Microsoft-based operating systems and IP-based networking equipment, 
and require interconnection via the Internet as well, which also opens 
the door to attackers from the outside in addition to the inside.

Researchers recently disclosed new vulnerabilities in the OLE for 
Process Control (OPC) protocols, open source interfaces for 
process-control apps. And meanwhile, some security vendors are forging 
partnerships to beef up their security offerings for the SCADA market.

With critical infrastructures at risk when it comes to power (nuclear 
and otherwise), water, and transportation companies running these 
systems, the stakes are obviously much higher. Trouble is, these 
companies aren't necessarily approaching security properly, security 
experts say.

"It's an industry in denial," says Robert Graham, CEO of Errata 
Security. "They don't believe they have the security problems they have. 
It's not a technical issue, but a political issue."

One of the biggest missing links is authentication: Many don't even 
bother using authentication because they consider their systems closed 
and therefore safe, he says. "They put in Windows with no intention of 
ever patching it, and then they are surprised when they get hit by a 
worm," Graham says. Or they avoid patching and vulnerability testing 
because these processes pose risks of their own for SCADA systems -- 
introducing other bugs to their highly sensitive and uptime-demanding 
systems, for instance. And rebooting isn't an attractive option for 
these systems that absolutely must be available, either.

Many of these companies assess risk based on past experience with major 
security events. "They are managed by a Pearl Harbor-type mentality," 
Graham says. "Until there's a Pearl Harbor, there is no risk as far as 
they are concerned."

But that doesn't mean attacks aren't actually hitting SCADA-based 
systems today. "Hacks are happening, they are just not being 
publicized," he says.

OPC-based systems, for instance, typically run without usernames and 
passwords, which leaves them ripe for attack, according to Graham. 
Attacks exploiting the latest OPC bugs could be avoided if logins were 
required in the app because the attacker needs login privileges to do 
his dirty work.

Ron Gula, CEO and CTO for Tenable Network Security, says he does see 
some progress in locking down SCADA-based operations. "SCADA needs work, 
but it's not as bad as people think."

One problem he points to is the SCADA security auditing process, 
however. Because these systems are so sensitive to change, audits 
typically aren't as detailed as with Sarbox or other regulations, he 
notes. "Auditing is not as in-depth in my opinion or as transparent for 
SCADA" as it is for other industries.

And some security experts say commercial IDS/IPS, antivirus, and SIM 
products don't really fit for SCADA. Mark Fabro, CEO of Lofty Perch, 
which makes SIM solutions for the water utility industry as well as 
other critical infrastructure companies, says commercial IDS/IPS and SIM 
systems don't map well to industrial control systems, where there are 
thousands of different protocols, many of them proprietary.

"These older protocols, DNP and ICCP, for instance, were designed for 
communicating with entities that were separate from the rest of the 
world, so there's no authentication, and it's an insecure stack," he 
says. "But if an attacker gets in, you need security to monitor and trap 
him... The trigger becomes very important."

His company this month partnered with Endeavor Security, which developed 
and is supplying IPS signatures specifically for SCADA systems to Lofty 
Perch. "No one has ever really taken SCADA-oriented logs and generated 
signatures for them," says Chris Jordan, Endeavor's CEO.
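The monitoring gap Fabro and Jordan describe comes down to a simple fact: DNP3 and classic OPC carry no authentication, so the control that remains is knowing which hosts are supposed to be talking to the field devices and alerting on any other peer. The script below is an added illustration of that kind of "trigger", not code from Lofty Perch, Endeavor, or the article. The log format, the host allowlist and the 10.1.9.0/24 field network are constructed; the port mapping (DNP3 on TCP 20000, OPC classic via the DCOM endpoint mapper on TCP 135) is the conventional one and is treated here as an assumption.

```python
"""Allowlist monitor for unauthenticated control-protocol sessions.

Added example, not part of the article or any vendor product. Because the
protocols themselves cannot reject an unexpected peer, the detector flags any
connection to a field-network outstation whose source is not a known master
or HMI for that protocol.
"""
import ipaddress
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed conventional ports: DNP3 over TCP 20000, OPC classic via DCOM on 135.
PROTO_BY_PORT = {20000: "dnp3", 135: "opc-dcom"}

# Constructed allowlist: which master/HMI hosts may initiate each protocol.
ALLOWED_MASTERS = {
    "dnp3": {ipaddress.ip_address("10.1.5.7")},
    "opc-dcom": {ipaddress.ip_address("10.1.5.7"),
                 ipaddress.ip_address("10.1.5.8")},
}

# Constructed field network where the outstations and OPC servers live.
OUTSTATION_NET = ipaddress.ip_network("10.1.9.0/24")

# Constructed firewall/flow log format: "<ts> src=<ip> dst=<ip> proto=tcp dport=<n>"
LINE_RE = re.compile(
    r"(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=tcp dport=(?P<dport>\d+)"
)


@dataclass
class Alert:
    ts: str
    src: str
    dst: str
    protocol: str
    reason: str


def parse_line(line: str):
    """Return (ts, src, dst, dport) or None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return (m.group("ts"),
            ipaddress.ip_address(m.group("src")),
            ipaddress.ip_address(m.group("dst")),
            int(m.group("dport")))


def check_line(line: str) -> Optional[Alert]:
    """Alert when a control-protocol session to the field network comes from
    a host that is not an allowlisted master for that protocol."""
    parsed = parse_line(line)
    if parsed is None:
        return None
    ts, src, dst, dport = parsed
    proto = PROTO_BY_PORT.get(dport)
    # Only sessions toward outstations on a control-protocol port matter here.
    if proto is None or dst not in OUTSTATION_NET:
        return None
    if src not in ALLOWED_MASTERS[proto]:
        return Alert(ts, str(src), str(dst), proto,
                     "source is not an allowlisted master for this protocol")
    return None


def scan(lines: List[str]) -> List[Alert]:
    """Run the check over a batch of log lines and keep only the alerts."""
    return [a for a in (check_line(l) for l in lines) if a is not None]


# Constructed sample log: two legitimate sessions, two unexpected peers, one
# session outside the field network, and one unrelated line.
SAMPLE_LOG = [
    "2007-04-16T10:00:01 src=10.1.5.7 dst=10.1.9.20 proto=tcp dport=20000",
    "2007-04-16T10:00:05 src=192.168.77.4 dst=10.1.9.20 proto=tcp dport=20000",
    "2007-04-16T10:00:09 src=10.1.5.8 dst=10.1.9.21 proto=tcp dport=135",
    "2007-04-16T10:00:12 src=10.1.5.8 dst=10.1.9.21 proto=tcp dport=20000",
    "2007-04-16T10:00:15 src=10.1.5.7 dst=10.1.20.5 proto=tcp dport=20000",
    "2007-04-16T10:00:18 kernel: link up on eth1",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(f"{alert.ts} {alert.protocol} {alert.src} -> {alert.dst}: {alert.reason}")
```

Note that 10.1.5.8 is a legitimate OPC client but not a DNP3 master, so its DNP3 session to an outstation is flagged while its OPC session is not: the allowlist is per protocol, which is what makes an alert meaningful on a network where the protocol itself accepts anyone.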

Meanwhile, SCADA security supplier Verano this month purchased the 
Managed Security Services Division of e-DMZ Security LLC, and is now 
offering a co-managed security service for the real-time SCADA and 
control environment.

There are some SCADA security initiatives underway, too. The North 
American Electric Reliability Council, for instance, has come up with 
the Critical Infrastructure Protection (CIP) standards, which cover 
everything from attack and abuse to availability. It also tries to 
balance securing SCADA without inviting trouble when installing new 
security tools or fixes on SCADA systems.
