Evaluating Or Testing Utility SCADA Security?
EncryptedBit writes "I am a local elected official involved in bringing new water and waste water treatment plants online in a small town. The new plants will incorporate SCADA, which can be used to change operational aspects at the plants, up to forcing a shutdown or changing operational parameters. Can any Slashdotters recommend ways to make sure it is secure? Any testing recommendations? The operational engineers are oblivious to security and SCADA is a new factor, so this concerns me. Any pointers would be appreciated."
From what I understand (Score:5, Interesting)
There isn't much to do with SCADA regarding security - The systems themselves are inherently insecure, the extent of it reaching only so far as default passwords that are scarcely ever changed and the requirement to have a compatible console. If you're connecting these devices to the internet in any way, then you're opening yourself up for a world of hurt. The best security is physical security, with no link to the outside world except in closed, site-to-site communications. I'm by no means an expert, but having heard experts speak about the subject and with some limited experience of my own, there really doesn't seem to be any better way the way things are.
Re:Don't put it on the Internet! (Score:2, Interesting)
Re:Do NOT connect to the Internet! (Score:3, Interesting)
Do NOT, under any circumstances, connect the SCADA systems, including workstations which can control or monitor them, to anything which touches or has access to the Internet.
When that's not possible due to management pressure, there are options that are better than just giving in and connecting systems up to the internet.
The simplest of such options is a "data diode" -- it's a device that physically only permits data to flow in one direction. For example, optical network connections have a transmit fibre and a receive fibre. A data diode would physically connect just one fibre.
Implementing a data diode - say to run your monitoring software on an internet connected PC so as to send status updates via SMS to engineers' phones - can take some effort in order to get all the necessary software to work in the one-way environment. But it is a way to get data out of your SCADA system without having to worry about malicious attacks coming in on the same connection. At worst your monitoring system gets fuxxored, but the SCADA stuff continues to run unmolested.
Here's one data diode product with an emphasis on SCADA, it was just the first one that came up in Google, there are many such products out there:
http://www.datadiode.eu/products/scada [datadiode.eu]
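Added example, not part of the thread or any poster's code: a sketch of the "effort" the comment above mentions, showing how a status feed can be framed for a link with no return path. The frame layout, the repeat count of 3, the sample readings and the in-memory loss pattern are all assumptions made for illustration; a real deployment would carry the frames over the diode's own transport.

```python
import struct, zlib

HEADER = struct.Struct("!IH")  # sequence number, payload length

def frame(seq, payload):
    body = HEADER.pack(seq, len(payload)) + payload
    return body + struct.pack("!I", zlib.crc32(body))  # CRC catches line noise only

def parse(datagram):
    """Return (seq, payload), or None for a truncated or corrupt frame."""
    if len(datagram) < HEADER.size + 4:
        return None
    body, (crc,) = datagram[:-4], struct.unpack("!I", datagram[-4:])
    if zlib.crc32(body) != crc:
        return None
    seq, length = HEADER.unpack(body[:HEADER.size])
    payload = body[HEADER.size:]
    return (seq, payload) if len(payload) == length else None

def send_side(readings, repeats=3):
    """Plant side: no ACK can come back, so each frame goes out `repeats` times."""
    for seq, reading in enumerate(readings):
        for _ in range(repeats):
            yield frame(seq, reading)

class Receiver:
    """Monitoring side: drops bad frames and duplicates, records gaps."""
    def __init__(self):
        self.next_seq, self.delivered, self.missing = 0, [], []

    def receive(self, datagram):
        parsed = parse(datagram)
        if parsed is None or parsed[0] < self.next_seq:
            return  # corrupt frame, or a repeat of one already delivered
        seq, payload = parsed
        self.missing.extend(range(self.next_seq, seq))  # cannot ask for a resend
        self.delivered.append((seq, payload))
        self.next_seq = seq + 1

def run_demo():
    # Constructed sample readings and a constructed loss pattern.
    readings = [b"chlorine_ppm=1.2", b"pump2=RUN", b"tank_level_pct=71", b"pump2=TRIP"]
    frames = list(send_side(readings))  # 12 frames: 3 copies of each reading
    frames[0] = bytes([frames[0][0] ^ 0xFF]) + frames[0][1:]  # simulated line noise
    lost = {3, 4, 6, 7, 8}  # one copy of seq 1 survives, every copy of seq 2 is lost
    rx = Receiver()
    for i, f in enumerate(frames):
        if i not in lost:
            rx.receive(f)
    return rx.delivered, rx.missing
```

The receiver can only record that sequence 2 never arrived; the monitoring side has to alarm on such gaps, since it cannot request a retransmission.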
Re:Scared yet? (Score:3, Interesting)
Now, the fact that said official appears to have strong reason to distrust his engineers, and no ready internal supply of expertise, suggests that any script-kiddie with a copy of Telnet and 10 minutes will be able to quite literally put some poor town up shit creek without a paddle once the project goes live; but the fact that an elected official has foreseen that possibility and is asking questions down at the geek club to see if there is a way to head it off seems like a good thing...
Re:Don't put it on the Internet! (Score:3, Interesting)
> Except we all want cheaper stuff. And that means using the lowest bidder.
It means using the lowest qualified bidder. Do you think you'd get better quality from the highest bidder?
Re:Don't put it on the Internet! (Score:5, Interesting)
I've also done SCADA system security on the water plants of nuclear reactors, and can confirm that all the ones I've seen have been connected to the Internet. One time I saw a Junxion box and an AP just plugged into the core switch for the control network. It wasn't that crazy given that the Junxion box had its power supply in the manager's office and you can't get within miles of the place without having rifles shoved in your face, but it was still pretty surprising to see it.
Another site uses default passwords for everything and they have a dial-up modem which drops you right into a login prompt on one of the control hosts. You have to call them to get them to plug it in first, though, so they haven't had any problems. Unlike in Hackers, they don't plug it in for any schmuck who asks; you have to give a CAC ID and it has to match the schedule maintenance roster, otherwise the FBI gets called.
The really important stuff isn't really under control of a computer though, it's all in some PLC somewhere and there's only one guy who understands the control logic anyway. I'm not too worried about someone breaking into those networks. If anyone tried to do anything bad, it's much more likely that they're just going to break something unintentionally while learning how the system works and trigger an investigation, not create a meltdown.
Re:Do NOT connect to the Internet! (Score:3, Interesting)
Oblig XKCD [xkcd.com]
If you're putting AV on it, you're doing it wrong.
Re:Don't put it on the Internet! (Score:1, Interesting)
You are obviously NOT a systems integrator, or you would NEVER have made that bone-headed statement, "every SCADA system in the Americas is Internet connected". That is not, I repeat, NOT, true.
How would I know? I work for an outfit that has installed MANY SCADA systems.
As always, the answer is not cut-and-dried. In the case of, for example, wastewater treatment SCADA systems, the absolute worst thing that can happen is the flow of water is stopped, and you might flood somebody's basement. The only other thing is, if somebody got physical access to the site, the only thing they would be interested in is the large canisters of chlorine, which would be good to have for terrorist purposes. That's the reason the government has been making the plants put up fences & access gates.
Some systems integrators (like us) like to have remote access to the system, especially during start-up, so we can take care of minor problems & tweaks. Security varies by customer. We warn everyone to not use the SCADA computer for web browsing. If they're really concerned about having the system accessible and yet secure, we help them set up a VPN.
Many water treatment plants are cheap: they have remote access to the system, but it's via POTS, not the Internet.
We advise all customers on security, and many of them take our advice. We have had very few customers come down with an actual virus, worm, or zombie program.
The absolute worst I can imagine somebody doing to a plant is taking control of the SCADA system, then trying to ransom it. In that case, we would just shut it down, wipe the hard drive, reload the original image and data (we back up all of our customers' software). Other than that, there is no money in messing with SCADA systems. That is what all the cyber punks are after these days.
Re:Don't put it on the Internet! (Score:3, Interesting)
http://www.blackandveatch.com/Markets/Telecommunications/Utility_Automation/Default.aspx I stopped reading there.
Re:Don't put it on the Internet! (Score:2, Interesting)
Back in the bad old days - when SCADA was driven by OPC - you had to turn off security just to get things like DCOM to work properly. It was scary and wrong, but you had very little choice. Talking to friends in the industry it doesn't seem to have gotten any better.
The real problem stems from engineering departments losing political clout within businesses that are primarily engineering concerns. The rise of the IT department, with its alignment closer to the management end of things (as opposed to the end that does the work) meant that engineers had to compromise their networks to fit in with corporate policy.. hence we end up with SCADA systems on the corporate network and other such craziness.
Once I was working in a factory as a consultant and I noticed a set of blue cables running behind I beams. I made a mention about them and next thing the head engineer whisked me around the corner, told me to be quiet.. and then explained that that was the engineers' "own" network.. one they had to run to keep the factory going and that they would appreciate it if I kept my mouth shut in future.
That kind of madness is why we're where we are now, with far too much critical infrastructure available over the internet. And I would heartily recommend the model that was presented to me.. keep it on its own network.. and don't tell anyone from IT.
Re:Don't put it on the Internet! (Score:3, Interesting)
People resist taking away their ability to remote view a control system because at times it can be damn bloody useful. Alternatively we could just move back to 5-15psi pneumatic loops. Can't hack that.