The Frightening State of SCADA Security

Carl Weinschenk

One of the scariest of the many dark corners in the world of Internet security is the back and forth over the integrity of the supervisory control and data acquisition (SCADA) systems that control much of our critical infrastructure.

Computerworld’s Lucian Constantin reports that Siemens has released updates for its SCADA systems. The vulnerabilities the patches are aimed at correcting include one in which unauthenticated attackers could execute arbitrary code on the SIMATIC WinCC SCADA server via specially crafted packets. This could lead to a full system compromise, which is a 10 on the Common Vulnerability Scoring System (CVSS). The other vulnerability enabled extraction of arbitrary files from the same server. It received a CVSS rating of 7.8.

Last month, the U.S. Department of Homeland Security issued an alert that a variant of the BlackEnergy malware had infiltrated SCADA systems that control oil and gas pipelines, the power grid and water distribution systems, according to Greentech Media. The report, which originated with ABC News, said that crackers sponsored by the Russian government were responsible. The hack was first made public by the Department of Homeland Security's Industrial Control System Cyber Emergency Response Team (ICS-CERT).


The team said that no interference with systems operations had occurred. The speculation is that the malware is a deterrent against an attack on Russian systems. The Siemens system was among those targeted:

The report goes on to say that the likely initial infection was through systems running GE’s Cimplicity. The malware has also targeted Advantech/BroadWin WebAccess and Siemens' WinCC. Other vendors may also be affected. The vendors that have been identified have provided patches or are in the process of providing updates, according to EETimes.

Last summer, the National Institute of Standards and Technology (NIST) said that it is building a test bed aimed, according to The Register, at “addressing the SCADA industry’s chronic insecurity.” The project, which was officially named The Reconfigurable Industrial Control Systems Cybersecurity Testbed, is in its earliest stages of development. The story says that its first use will be on a chemical process with the foreboding name of “the Tennessee-Eastman problem.”

Rebecca Abrahams, the chief communications officer at Ziklag Systems, offered a dire update on SCADA security in the Huffington Post. Essentially, SCADA is pretty much a train wreck and our enemies – private, governmental and the gray area in between – are pouring resources into exploiting the problems.

The answer, she writes, is twofold. Not only must SCADA be replaced, but the underlying platform must also be changed:

In parallel, we need new, secure operating systems for our sensitive computer networks to replace unsuitable commercial products which, unless changed out, will lead to our destruction. Commercial network operating systems cannot be repaired - they must be scrapped. This is a tall order: but we have the expertise to do the job. In fact, even the Chinese are already putting in place their own operating system development to keep Western intelligence agencies out. We can build even better ones. We need to urgently.

The unfortunate reality is that it is entirely possible that the warning will be ignored. It also is easy to see what the possible result of that neglect will be.

Carl Weinschenk covers telecom for IT Business Edge. He writes about wireless technology, disaster recovery/business continuity, cellular services, the Internet of Things, machine-to-machine communications and other emerging technologies and platforms. He also covers net neutrality and related regulatory issues. Weinschenk has written about the phone companies, cable operators and related companies for decades and is senior editor of Broadband Technology Report. He can be reached at cweinsch@optonline.net and via twitter at @DailyMusicBrk.



Dec 2, 2014 6:23 AM Jake Brodsky says:
This is a far deeper subject than I can discuss in 1200 characters. In fact I co-edited and co-authored a handbook from CRC Press on the subject and we still barely scratched the surface. Those of you who are in IT and think you're going to teach those ignorant SCADA savages how to be secure have much to learn. Conversely, those of you in Engineering who think IT is being hysterical, also have much to learn. The big evil are those data hounds who write articles for glossy magazines on how they share SCADA data and control with people on the other side of the planet and make magical synergies with data. I call this CIO porn. It contains a barely clothed, carefully airbrushed idea with no resemblance to any reality anywhere. These are the people who expose SCADA to the world and then wonder why they have no security. For further details please plug Project SHINE into your favorite search engine.
