|
The expense of protection is a fraction of 1% of the IT budget.
Friday, April 17, 2009
By
The Issue
It was a Trojan program inserted into SCADA system software that caused a massive natural gas explosion along the Trans-Siberian pipeline. The Washington Post reported the resulting fireball yielded "the most monumental non-nuclear explosion and fire ever seen from space."
Malicious hackers have discovered SCADA (Supervisory Control and Data Acquisition) and DCS (Distributed Control Systems) since reports of successful attacks began to emerge after 2001. A former hacker interviewed by PBS Frontline advised that "Penetrating a SCADA system that is running a Microsoft operating system takes less than two minutes."
 DCS, SCADA, PLCs (Programmable Logic Controllers) and other legacy control systems have been used for decades in power plants and grids, oil and gas refineries, air traffic and railroad management, pipeline pumping stations, pharmaceutical plants, chemical plants, automated food and beverage lines, industrial processes, automotive assembly lines, and water treatment plants.
The History
 There are a wide range of security technologies that can be used to protect the corporate network, but these are less successful within a production network. Software-based solutions (personal firewalls, anti-virus software) cannot run on some proprietary operating systems, due to lack of compatibility, and often can't be integrated into systems which use older processor technology -- because these lack the necessary performance.
The following table illustrates chronological history of publicly reported hacking incidents that provide a chilling insight into the problems and their potential for disruption and disaster. Some of these damaging exploits were kept secret for years.
"Some of these damaging exploits were kept secret for years."
| A Short Chronological List of Widely Reported Incidents of Hacking and Disruption |
| Feb 2009 |
Highly evasive Conficker/Downadup worm infects 12 million computers, stealing information. - BBC |
| Jun 2008 |
"Security Hole Exposes Utilities to Internet Attack" - Associated Press |
| May 2008 |
SCADA vulnerability...control software used by one-third of industrial plants. - SC Magazine |
| Mar 2008 |
Emergency 2-day shutdown of Hatch nuclear plant from software update on one business computer. |
| Feb 2008 |
Retail Chinese digital picture frame virus steals passwords and financial info. - SF Chronicle |
| Jan 2008 |
Hackers turn out the lights in multiple cities and demand extortion payments." - Associated Press |
| Sep 2007 |
DOE Idaho National Lab video shows the remote destruction of a large SCADA controlled generator. |
| Sep 2007 |
Hackers compromise Homeland Security computers, moving information to Chinese websites. - CNN |
| Jul 2007 |
3Com's security division demonstrates how SCADA system flaws can be exploited. |
| Nov 2007 |
"Insider Charged with Hacking California Canal System" - ComputerWorld |
| Nov 2007 |
"Solar Sunrise" - Three teenagers penetrate USAF logistic systems at Middle East support bases. |
| Aug 2007 |
"Hackers Take Down the Most Wired Country in Europe" for two weeks. - Wired Magazine |
| Jun 2006 |
"Information on SCADA systems can be found by a determined attacker." - US-CERT |
| Jan 2006 |
Homeland Security Conference - SCADA systems are vulnerable to intrusion. - UrgentComm |
| Jan 2006 |
"SCADA Security & Terrorism: We're Not Crying Wolf" conference presentation. - Xforce Security |
| Aug 2005 |
175 companies including Caterpillar, General Electric, UPS and DaimlerChrysler attacked by Zotob worm. |
| 2003-2005 |
Undetected for 2 years, Chinese Army downloads 10-20 terabytes data from Pentagon, DOE, others. |
| Aug 2003 |
CSX loses signaling & dispatch control over 23 state railroad due to a worm virus. - InformationWeek |
| 2003 |
"Cyber War" - PBS Frontline documents penetration of US utilities using commonly known methods. |
| Jan 2003 |
Davis-Besse nuclear plant safety monitoring system knocked offline 5-hours by the Slammer worm. |
| Jan 2003 |
"Slammer" worm infects 300,000 computers in the first 15 minutes, interrupting 911 and airlines. |
| Sep 2001 |
"Nimda" worm infects millions of computers causing billions of dollars in damage. Originator unknown. |
| Jul 2001 |
"Code Red" worm infects 300,000 computers in a month and then launches attack on White House web. |
| Apr 2000 |
Hackers succeeded in gaining control of the world's largest natural gas pipeline network (GAZPROM). |
| Apr 2000 |
Hacker uses a SCADA system to dump millions of gallons of sewage onto hotel grounds for 3 months. |
| 1998-2000 |
"Moonlight Maze" - For two years, hackers penetrated the Pentagon, NASA, DOE, university labs. |
| 1998 |
A 12-year-old hacks into Roosevelt Dam, with complete SCADA system control of massive floodgates. |
| 1997 |
"Eligible Receiver" - DOD & Joint Chief Command hacked in 48 hours with publicly available methods. |
| 1997 |
A teenager hacks into NYNEX and cuts off air/ground communication to Worchester Airport for 6 hours. |
| Many more incidents go unreported for reasons of national security or corporate embarrassment. Even more go undetected. Properly executed, successful hacks are undetectable and untraceable. |
The threat comes in many forms. It does not need to be an intelligently directed attack. The non-intelligent Slammer worm covered the globe in 30 minutes, infected business and Pentagon computers in the first 8 minutes, and caused $3 billion damage to Wall Street.
Common Objections
"Our production systems are completely isolated from outside access"
In his book "The Art of Intrusion," hacker Kevin Mittnick clearly explains how even a neophyte can easily gain root (administrator) access to the entire network through the corporation's protected public website, from anywhere in the world. The majority of PLCs are currently ordered with Web services enabled, but 87% of users leave the Web servers active, unused (and not configured), with factory default passwords.
"Our system is secure because it would be impossible for an outsider to understand it."
This is nicknamed "security by obscurity" and has repeatedly been shown to be a false assumption. There are only 5-6 leading DCS and SCADA systems used throughout the world, and there are millions of U.S. and foreign engineers who have been trained in their use.
"We're not a likely target. We're not important or interesting enough to attract hackers."
Malware (Trojans, viruses and worms) can be inadvertently downloaded from the Internet, and these can replicate themselves on portable memory devices of all types. In 2008, digital picture frames sold by major retailers were found infected with a program that disabled antivirus software and sent passwords to servers in China.
"We've never had a problem. There has been no intrusion or disruption in our production network."
When new Intrusion Detection Systems (IDS) were installed on US Department of Defense networks, they showed that thousands of attempted illegal penetrations were going on daily. One general was incensed. "Before we had these IDS, we were never attacked. Now that we got them on the network, people are attacking our nets every day thousands of times trying to get in! And some of them are getting in!"
"We can't justify the expense and manpower."
The expense of protection is a fraction of 1% of the IT budget. With the latest generation of equipment, a network of protection can be installed, plug and play, by a handful of technicians rather than IT managers. Production need not be interrupted. Beyond ROI, the simplest justification is "What will we suffer if a disaster shuts us down?"
The consequences of production interruption in the Industrial sector are much more serious than failures within the office network. In 2005, the Zotob worm simultaneously attacked 175 major corporations including Caterpillar, General Electric, DaimlerChrysler and United Parcel Service. Thirteen U.S. DaimlerChrysler plants had to be shut down, idling their assembly lines and 50,000 workers. What do you think that cost per hour?
"Thirteen U.S. DaimlerChrysler plants had to be shut down, idling their assembly lines and 50,000 workers. What do you think that cost per hour?"
Harmful programs, capable of paralyzing automation systems, are often introduced internally. External service technicians, contractors, employees and visiting consultants with laptops can inadvertently (or deliberately) introduce malicious software behind the external firewall. Surveys reveal that roughly 40% of security incidents involved insiders.
Establishing production network security bears a close relationship to the logic of adhering to fire codes.
Industry Recommendations
The ideal solution would require several unique features. It should provide distributed "Defense in Depth" as a second or third layer of protection. These offer greater security, flexibility and lower cost. It should be capable of providing various levels of security. It should be easy to implement, by technicians rather than network administrators, without modification to the network's configuration.
Various Applications and Formats Available: Rackmount, DIN Mount and PCI cards
Templates for devices should be configurable for single units or very large groups from a central location. It should be available in various formats, provide hardware and software based security, and be applicable to various network configurations.
It should monitor incoming and outgoing data packets offering secure communication via Virtual Private Network (VPN) tunnels. Ideally, the solution and firewall should be invisible to intruders attempting to map the network. Network Address Translation (NAT) should be used to provide protection by IP address masquerading.
For remote maintenance and diagnostics, the ideal solution would be one that denies access, even by the original manufacturer of the production equipment, except when the equipment operations people request it, and when the connection is strictly authenticated via digital certificates of authority.
Specific industrial-based solutions are already available. They may be lesser known in the IT world because they exist in the industrial space, and they may be lesser known in the security world, where there is a tendency to concentrate on physical security and physical access.
Products include Phoenix Contact mGuard™, Byers Tofino, Siemens Scalance, Weidmuller IE, Hirschmann Eagle mGuard™, and Innominate mGuard™. It was Innominate Security Technologies AG, the developer of mGuard, that won the Frost & Sullivan "2008 Global Ethernet Security Product Value Leadership of the Year Award," for their mGuard product family. Some of the products listed above are derived from the Innominate product set or licensed and rebranded OEM products based on earlier Innominate software releases.
Now that inexpensive solutions are available, the security of industrial networks can no longer be ignored. With threats to industrial networks increasing in complexity and scope, decision makers need to take action before it is too late.
Note: A comprehensive copy of the White Paper from which this article is available at www.innominate.com.
Frank Dickman, BSMAE, RCDD, is a widely experienced engineering consultant and former delegate to NEMA, TIA/EIA, ISO, CENELEC and the BICSI Codes & Standards Committees. He is a technical consultant to a number of leading data communications firms and is a recognized expert on U.S. and International physical infrastructure network standards. Beyond telecommunications, his experience includes consulting engineering work for petroleum refineries, chemical plants, conventional and nuclear power plants, auto manufacturers and the aerospace industry.
Interested in information related to this topic? Subscribe to our Information Technology eNewsletter.
©2009 IndustryWeek. All Rights Reserved.
|
Special Training Webcast Offer