Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'

From: Dragos Ruiu (drat_private)
Date: Fri Aug 15 2003 - 15:48:09 PDT


    On August 15, 2003 11:21 am, Geoff Shively wrote:
    > This email was originally posted to bugtraq early on in the 'crisis' but
    > due to obvious congestion and instability issues it wasn't posted for a
    > while.
    >
    > Since this post I have done much research on SCADA, DCS, and HMI
    > (Human Machine Interface) systems. These systems run primarily
    > on Windows and rely on RPC for remote monitoring. If this doesn't
    > sound like an overwhelming coincidence then I don't know what does.
    >
    > [ http://216.239.37.104/search?q=cache:w7lnOBBrPxUJ:st-div.web.cern
    > .ch/st-div/ST2001WS/Proceedings/Session42/Sollander.pdf+SCADA+
    > Windows+RPC&hl=en&ie=UTF-8
    >
    > "The data transmission layer is used to transport data from the equipment
    > to at least one control or monitoring application. This is usually done by
    > remote procedure calls (RPC) or a middleware over a TCP/IP network."
    > - CERN ]
    >
    > There has been much talk about this on DShield and Full Disclosure if
    > anyone is interested in reading more.
    
    While I have bid on a power system network audit, I haven't specifically 
    done one, so this is conjecture.... but somewhat informed conjecture.
    
    Re: SCADA vulnerabilities
    
    Yes, you might have SCADA vulnerabilities... but in the power system 
    SCADA is used for data collection and measurement only, not control. 
    This is at least the case in western Canada; YMMV, but I believe this is typical of 
    other systems. The power routing is still done by humans flipping 
    (really freaking big) switches - or starting turbines or turning hydro 
    valves. There are lots of physical procedures and safeguards in the 
    system too. And people think carefully about those decisions, because 
    the fines and regulatory penalties for being out of spec are measured 
    in tens of thousands of dollars per minute.
    
    You might be able to interfere with the data going into the power
    NOC and fool the operators into making the wrong phone calls.
    But arguably you would need to know a lot about the design of the 
    system and specific procedures and policy to create an outage 
    this way.
    
    As far as I know there are no (or few) network-based feedback loops in
    a typical power system. Breakers pop at predetermined points, the system
    parameters are fairly static. In the western Canadian system, operators
    review power demand and capacity on an hourly basis, and make the
    appropriate routing decisions (and output levels of variable output
    plants) and adjust capacity by bringing plants on line or adjusting
    network topology to keep system stability.
    
    As an interesting factoid, in the directives list for power NOC engineers,
    the prime directive is network stability (crucial for interconnected systems
    outside theirs), and delivering power to customers comes lower in the list.
    
    Unlike the internet, the power system is a network that delivers a very stable 
    commodity: 60Hz, 110 volts.  There are no router-like components that 
    dynamically adjust paths and capacity based on any measured
    data.  All the collection and info feeds back to a control center where a
    human operator adjusts simulations first, and then when that's checked
    by another engineer on other simulations the configuration is "downloaded"
    into the system via telephone to regional operators.  The dynamic components
    are like breakers, primarily binary on/off devices with fixed trigger 
    parameters not things adjusted constantly by a processor based on 
    network input. Power system switches are big physical things typically 
    moved by burly technicians, rather than a packet sent remotely by a 
    distant button or software.
    
    If the control network goes away the systems will default to preset stable
    (but not necessarily optimal) presets in the equipment I'm aware of.
    Similarly, if communications outages occur, the regional operators
    have fallback stances in "safe" configurations.  Unlike the internet,
    reliability engineers and audits are a big concern in power system
    engineering.  The engineers there do their best to make sure that
    the result of any or all of the components failing does not equal 
    "no power for anyone". Also, unlike the internet, power engineers _do_
    consider "what if" scenarios for any individual component failing.
    
    From my knowledge there could be areas of vulnerability 
    in power distribution that might concern me (none of which I will 
    discuss) if I were building an attack tree. However, network-based 
    disruption does not rank very high on my concern list.
    
    If I really wanted to create a power outage, my tool of choice would 
    be a chainsaw, not network packets :-). 
    (News at 11: Chainsaws Banned because of potential terrorist threat :-)
    
    cheers,
    --dr
    
    (Caveats, and Disclaimers:
    I used to be a VMS admin and developer at a power company R&D lab in uni.
    Interestingly, one of the things I worked on was outage crash dump loggers. 
    I have visited multiple power NOCs and have some knowledge of their 
    procedures. My now-retired father used to manage the power distribution
    system in western Canada, and my conclusions are based on information 
    thusly gleaned over time. :-) )
    
    -- 
    Top security experts.  Cutting edge tools, techniques and information.
    Tokyo, Japan   November, 2003   http://www.pacsec.jp
    pgpkey http://dragos.com/ kyxpgp
    



    This archive was generated by hypermail 2b30 : Mon Aug 18 2003 - 10:29:35 PDT