An eye-opening SCADA security demo

by spettit 14. October 2009 03:17
I recently attended the Forrester Security Forum and had the opportunity to watch a demo of the Tofino product by Byres Security (you can see it online here: http://www.youtube.com/user/tofinosecurity#p/a/f/1/G4E0bxZGZL0).  I’d seen the demo up on the monitor of something that looks like a tub of water at other TCG sponsored events but hadn’t had the chance to listen to it, and what I heard was fascinating and a little bit scary.  In our deployments of Great Bay’s Beacon for endpoint discovery, we’ve frequently located and identified SCADA/Process Controls systems in our customers’ networks, but I never fully appreciated the importance of those discoveries prior to seeing this demo.  The discovery and identification of SCADA systems is a good thing in the context of maintaining CIP-002 compliance, but this demo clearly demonstrated that discovery and monitoring are only scratching the surface relative to what’s required to secure these systems.  Without going into too many details, I was struck by the protocols used (ancient), the level of technical expertise required to take full control of these systems (rudimentary), and the profound impact one of these compromises could wreak (loss of life).  For those who have been working on/with SCADA systems, I'm stating what they've known for years, but I can't help but think that as IT security teams become more involved in securing these systems, they will be more than a little unnerved by what they find.

Recently, Network World posted an article about someone who pleaded guilty to tampering with SCADA systems after being denied full-time employment (http://www.networkworld.com/news/2009/092309-contractor-pleads-guilty-to-scada.html), and there’s no shortage of press regarding the power grid and its susceptibility to terrorist attacks.  The challenge, of course, is to figure out how much of this is vendor-driven hype to sell more stuff (Y2K) vs. a real threat that requires immediate attention.

Based on what I saw in this demo, combined with comments I’ve heard from companies in a number of industries like “we can finally be compliant with CIP-002” and “now we’ll know how many SCADA systems we actually have”, I’ve come to the conclusion that it’s the latter.

The troubling new threat in IT Security - the....ummm....Air Conditioners? (Part 1)

by spettit 24. July 2009 05:41

For the past five years Great Bay Software has been carefully stating our belief that there are real IT Security threats associated with the non-Windows computing devices in the enterprise network.  We’ve been mentioning this carefully because this information has been largely met with eye rolling and snickers; the most common feedback being “our concern is with the Windows-based user devices; our printers, SCADA, UPSes, HVAC, IP Phones, IP Cameras, etc. do not pose a threat”.

As evidenced by two recent items in the press, the light is beginning to shine on these devices and their role in the IT security threat landscape.  The first one is about an enterprising young man who hacked into the HVAC systems (among other things) in a hospital:

The article is here:

http://www.darkreading.com/insiderthreat/security/attacks/showArticle.jhtml?articleID=218300006

and there’s loads more information here:

http://www.mcgrewsecurity.com/2009/06/30/ghostexodus-the-eta-and-a-control-systems-incident-at-carrell-clinic-part-1/ 

Note - be sure to check out the videos of our brave little superhero installing a botnet on an XP machine and later showing off his myriad of toys; you’ll laugh, you’ll cry, you’ll run home and make your kids work harder in school.  My favorites are 1) when he logs into the PC he’s about to attack bare handed and then puts on latex gloves so he doesn’t leave any fingerprints and 2) when he conceals his face during the “tools” video only to show an up-close of his fake FBI ID with his real picture on it. 

Although some folks have been quick to point out that changing the temperature in a room isn’t immediately life threatening, it certainly isn’t funny either, especially for folks who are in surgery or seriously ill.  Further, health care facilities have a myriad of patient care systems on the network, and if this person had targeted those there could have been a real threat to the health of patients.  I’ve seen a number of posts that defend his actions by stating that he technically never changed anything, but really, simply messing around with these systems should be considered highly illegal.  Patient care systems in particular are frequently older Windows OS devices that cannot be patched or updated due to federal regulations about who can change what and when on them.  In the wide range of systems attaching to the enterprise network today, I would think securing unpatched, outdated patient care systems would be a much higher priority than securing the managed, patched, updated back office machines.  Yes, I know they have PHI on them, but preserving lives should take priority over preserving data.  Many IT professionals in health care are aware of this and continue to fight the good fight in trying to get this prioritized, but their pleas continue to be met with that same eye rolling and snickers.


Tags: , ,

Powered by BlogEngine.NET 1.4.5.0
Theme by Mads Kristensen

About the author

Steve Pettit is the President of Great Bay Software and can be reached at spettit@greatbaysoftware.com