Cybercrime and internet security
SecureTest's managing director, Ken Munro, argues that cybercrime is likely to become even more of an issue in the future as critical infrastructure networks converge.
Production control systems, SCADA and other networks are now being integrated with the existing LAN, bringing them onto the IP network. This makes them susceptible to the same cyber attacks as any other organisation but with far more wide-reaching implications, such as the disruption of a production line or collapse of a provisioning system.
But how much evidence is there that critical infrastructure is under threat? The Industrial Security Incident Database (ISID) tracks and classifies potential cyber threats to SCADA. From 2001 there has been a marked increase in the number of incidents with far more deriving from external sources (although there remains a high proportion of accidental errors). That's not to say there aren't cases of sabotage; just that these are still fairly rare… for the moment. There is already extensive evidence of state-sponsored cyber attack by foreign powers which appear to have been primarily directed at web sites to date.
One of the weaknesses a hacker could exploit is mobile connectivity: any wireless connection to the network is a prime target. For resilience in the case of lost communications with remote outstations, GPRS modems with serial-IP converters are often installed at control points. However, it's not uncommon for these to be left on their default credentials, and the modem's phone number is often in the same range as the company's mobile phones, so a GPRS-enabled serial-IP converter could theoretically be hijacked from a company mobile.
An incident was reported in October 2006 suggesting that an employee laptop was used to hack into the Harrisburg water system SCADA network. The remote access point was used as the conduit by the hacker, who went on to install malware and spyware on the SCADA HMI (Human-Machine Interface) computer, proving that mobile access to SCADA can and will be hacked. It's also worth noting that anti-virus doesn't check serial connections, so a field engineer's laptop, used to programme a Programmable Logic Controller (PLC) typically over a serial connection, could be vulnerable.
Then there is the problem of malicious software. Internet worms pose a real threat to SCADA and may infiltrate the system entirely by mistake. They have the ability to affect the IT network, but can also stop production or cause it to malfunction. If a worm were introduced to a SCADA system, the network 'noise' it created could cause a failure. A payload wouldn't be necessary; just tying up the network could be enough. A worm infection on such a network could easily be enough to 'tip' a critical system over the edge.
Email provides the ideal vehicle for this type of malware and addresses are far easier to come by than you might think. Company spokespersons can be identified and email addresses guessed at by tracking down marketing materials such as press releases or client testimonials online. It's very easy to deliver an exploit over email. It's not hard to find the email addresses of the engineers that support SCADA systems. Their laptops generally use Windows operating systems, so it's really not hard to send an Office document, containing an exploit, that installs a process in the background that simply waits for a serial connection, such as when the engineer connects to a PLC for programming purposes.
We believe the SCADA community should also help itself. We found numerous details using a simple string of searches, from key SCADA personnel to system updates, system suppliers, network settings, firewall rulesets and web server patch levels. Surely this information should be dispensed on a need-to-know basis? Do your vendors really need to give out a senior staff member's name? Why does the job spec for a new role in critical infrastructure, put out by HR, specify the systems you are working with? Why do you allow your IT support staff to disclose useful information when they put out a help request on a public forum?
The best means of assessing these threats is to carry out a penetration test. But beware: sometimes the very test can cause systems to fail if carried out by an inexperienced team. Recent 'headliners' on the Process Control Systems Forum include 'Penetration Test locks-up Gas SCADA System', 'Audit causes water SCADA crash' and the worrying 'Anti-virus software prevents boiler safety shutdown', all thanks to faulty pen tests. What you should do is ask any pen tester worth their salt what experience they have of programming and working with PLCs and RTUs (Remote Telemetry Units), or other 'in the know' questions specific to critical infrastructure testing.
Ken Munro
ken.munro@securetest.com