An eye-opening SCADA security demo

by spettit 14. October 2009 03:17
I recently attended the Forrester Security Forum and had the opportunity to watch a demo of the Tofino product by Byres Security (you can see it online here: http://www.youtube.com/user/tofinosecurity#p/a/f/1/G4E0bxZGZL0). I’d seen the demo up on the monitor of something that looks like a tub of water at other TCG-sponsored events but hadn’t had the chance to listen to it, and what I heard was fascinating and a little bit scary. In our deployments of Great Bay’s Beacon for endpoint discovery, we’ve frequently located and identified SCADA/Process Control systems in our customers’ networks, but I never fully appreciated the importance of those discoveries prior to seeing this demo. The discovery and identification of SCADA systems is a good thing in the context of maintaining CIP-002 compliance, but this demo clearly demonstrated that discovery and monitoring are only scratching the surface relative to what’s required to secure these systems. Without going into too many details, I was struck by the protocols used (ancient), the level of technical expertise required to take full control of these systems (rudimentary), and the profound impact one of these compromises could wreak (loss of life). For those who have been working on/with SCADA systems, I'm stating what they've known for years, but I can't help but think that as IT security teams become more involved in the securing of these systems, they will be more than a little unnerved by what they find.

Recently, Network World posted an article about someone who pleaded guilty to tampering with SCADA systems after being denied full-time employment (http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.html), and there’s no shortage of press regarding the power grid and its susceptibility to terrorist attacks. The challenge, of course, is to figure out how much of this is vendor-driven hype to sell more stuff (Y2K) vs. a real threat that requires immediate attention.

Based on what I saw in this demo, combined with comments I’ve heard from companies in a number of industries like “we can finally be compliant with CIP-002” and “now we’ll know how many SCADA systems we actually have”, I’ve come to the conclusion that it’s the latter.

About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com