SCADA Security

Flame Malware and SCADA Security: What are the Impacts?

Over the weekend a new super worm exploded onto the cyber security landscape. Known as Flame or sKyWIper, it appears to be targeting sites in the Middle East, just like the Stuxnet and Duqu worms did. But what does it have to do with SCADA or ICS security? At this stage the answer appears to be nothing and…everything.

SCADA Security and Fault Tolerance - A Beautiful Pairing!

Note from Eric Byres:  Oliver Kleineberg makes his debut today as a blogger for Practical SCADA Security and we welcome his expertise in the areas of fault tolerance and redundant networking.  He has recently joined Tofino Security from Hirschmann, our sister company, based in Germany (and both of our groups are part of Belden).

Why SCADA Firewalls Need to be Stateful – Part 2 of 3

In Part 1 of this series, I explained what a stateless firewall is and the hazards of stateless security.  In this article I will show you just how dangerously insecure these devices are.

Why SCADA Firewalls Need to be Stateful – Part 1 of 3

Following on from Eric Byres’ discussion of Deep Packet Inspection (DPI), this article discusses a second and equally important aspect of effective firewall security referred to as “stateful inspection”.

SCADA Security and Deep Packet Inspection – Part 2 of 2

Deep Packet Inspection (DPI) is important for the future of SCADA / ICS security - and in this article I explain why.  

DPI SCADA Security: Reviewing the Basics

In Part 1 of this series I explained DPI technology in detail. To review, the traditional IT firewall examines the TCP/IP and Ethernet headers in the network messages it sees. It then makes decisions whether to allow or block a message based on this limited information.

SCADA Security & Deep Packet Inspection – Part 1 of 2

I have talked repeatedly about something called Deep Packet Inspection (DPI) and why it is so important for SCADA / ICS security (for example, see Air Gaps Won’t Stop Stuxnet’s Children). The trouble is, I have never described what DPI actually is. So in today’s blog I will back up and explain what DPI firewall technology is all about.

Defense in Depth: Layering Multiple Defenses - Part 2 of 2

In my earlier column on the philosophy of Defense in Depth, I discussed how relying on a single defensive solution exposes a system to a single point of failure. No matter how well designed or strong that single defense is, either resourceful adversaries or Murphy’s Law eventually results in the defense malfunctioning or being bypassed. When that happens, the entire system is wide open to attack.

S4 SCADA Security Symposium Takeaway: Time for a Revolution

I am flying home from Digital Bond’s S4 SCADA Security Symposium as I write this (BTW this was a stellar event where, even as a security expert, I learnt an amazing amount). After listening to two days of excellent, but scary talks, the first thing that comes to mind is “SCADA/ICS security is in worse shape than I thought”. Much worse shape…

SCADA Security and the Broken Business Model for Software Testing

Recently Rob Hulsebos wrote an article for this blog where he raised the perennial problem of programming errors contributing to security vulnerability. I have a newsflash for you - this isn’t new. It may be a new concept to some in the world of Industrial Control Systems, but it’s been a problem for software engineers since about 5 seconds after the first ever program successfully compiled.

A Truly Portable SCADA Security Simulator

It has been almost 25 years since I first started working in the industrial network field and 15 years since I first focused on SCADA and ICS security.  From the start, I have been amazed at how difficult it is to get people to see the whole picture.

For example, control engineers know what a PLC or control loop is, but constantly underestimate the impacts that cyber threats have on their industrial processes.  IT professionals understand the risks, but often don’t understand the processes and components.

Getting Started on ICS and SCADA Security (Part 2 of 2)

Last week I discussed the first steps to take to get started to improve ICS and SCADA Security in your facility.  Those steps included:

  • Step 1 - Conducting a Security Risk Assessment,
  • Step 2 - Learning Industrial Cyber Security Fundamentals, and
  • Step 3 - Understanding the Unique Requirements of ICS and SCADA Cyber Security.

This week I discuss the remainder of the process.

Getting Started on ICS and SCADA Security (Part 1 of 2)

The furor over the Siemens vulnerabilities and the fear that Son-of-Stuxnet could be around the corner has raised awareness of the need for cyber security to be taken seriously by the process and critical infrastructure industries.

New SCADA Security Reality: Assume a Security Breach

Earlier this month I came across a great article called “The new paradigm for utility information security: assume your security system has already been breached” by Ernie Hayden of Verizon’s Global Energy & Utility Practice. I highly recommend you read it, for the reasons I explain in this blog post.

Simpler SCADA Security Beats More User Training

One of the mantras about good SCADA security is that it is primarily dependent on people and processes, not technology.

Thus if you have an ICS security problem, first look for solutions such as user training or better processes rather than  technology solutions.  This sounds good on the surface, but I’m not sure it’s true.

Performing tasks securely just isn’t part of human nature. Doing them the easiest way possible is. Unless the secure way is also the easy way, security will lose 9 times out of 10.

The Secret to Easy and Effective SCADA Security (plus White Paper)

How can I reliably and easily secure my control system?

A lot of people are re-examining this question and giving it higher priority after learning about Stuxnet and the recent publishing of SCADA system vulnerabilities on the Internet.  It is no longer possible to believe that ‘air gaps’ between your systems and the rest of the world, or that ‘security by obscurity’ are effective security strategies.

SCADA Security Hack at FPL Wind Turbine - Hoax or Real?

At approximately 11:00 a.m. EDT last Saturday morning (April 16, 2011), The Repository for Industrial Security Incidents (RISI) received the following email:

Subject: Florida Power & Light Company (FPL) Fort Sumner Wind turbine Control SCADA was HACKED

OPC Security: More than the Sum of the Parts (plus White Paper)

When you hear the words “defense-in-depth” do you immediately think of layers of firewalls?

If so, you are not alone – most of us immediately think of security concepts in traditional physical security terms.  For example, we imagine “more defense” as being more moats and castle walls around the crown jewels.  But that is not the only way (or even the best way) to create secure ICS or SCADA systems.

SCADA Security Requires Software Security Assurance

The publication of numerous SCADA vulnerabilities by L. Auriemma last month, on top of the game-changing Stuxnet malware revealed last year, has exposed many security weaknesses in Industrial Control Systems (ICS). The weaknesses occur on two fronts: technology and human factors.

Protecting your ICONICS GENESIS SCADA HMI System from Security Vulnerabilities (plus White Paper)

As mentioned in a blog article we wrote earlier this week, an Italian “Security Researcher” named Luigi Auriemma published thirty-four SCADA product vulnerabilities against four SCADA products (the complete list of vulnerabilities and companies is provided in the earlier article).

More SCADA Security Threats: Where There’s Smoke, There’s Fire

One of the unfortunate facts about security is that if you can find one vulnerability, you can usually find lots more. Vulnerabilities are not just bad luck – they are caused by a poor Software Security Assurance (SSA) process (or a complete lack of one). Next in line for blame are experienced professionals who do little in terms of security assessments prior to commissioning systems in actual production facilities.
