<<< Date Index >>>     <<< Thread Index >>>

[IP] a rather complete report on SCADA djf -- "Hackers target U.S. power grid" (wash post)



------ Forwarded Message
From: Bob Alberti <alberti@xxxxxxxxxxxx>
Date: Sat, 12 Mar 2005 18:33:56 -0600
To: <dave@xxxxxxxxxx>
Subject: RE: [IP] "Hackers target U.S. power grid" (wash post)

I have conducted data security audits of the Supervisory Control and Data
Acquisition (SCADA) systems that control (among much else) the nation's
electrical grid.  The North American Electric Reliability Council (NERC) has
done a creditable job of requiring security with its Urgent Action Standards
1200 and 1300, but the utilies themselves are very slow to meet the
requirements of the Federal Energy Regulatory Commission as is illustrated
by this article: http://tinyurl.com/5wrrw

Among my clients data security was terribly poor, with most of the IT staff
in complete denial about vulnerabilities. At the beginning of one audit my
company was assured that the SCADA system was "completely separate" from the
corporate network and therefore less vulnerable to hackers and viruses.
Upon examination, however, I discovered that the primary IT administrator
had a Windows NT 4.0 desktop system with two network cards, one connected to
the SCADA system, and the other to the corporate Intranet.  His "complete
separation" of the two networks was accomplished by his network routing
table alone, which he insisted was sufficient separation.

Examination of the actual SCADA computers revealed that they were running
out-of-date versons of a common operating system software, entirely
unpatched and unsecured.  Obtaining all passwords to these systems was
accomplished by connecting to a particular port and typing "GET
//etc/password".  These out of date systems are delivered by the
manufacturers, who make no attempt to secure their software or keep the
systems up to date, and discourage tampering with their proprietary
software.

Finally, these utilities are not prepared to make changes.  In one case our
audit report was rejected by the company, which refused to pay us.  Their
reasoning was that the the report was useless because it could not be
presented to the board, so damning was it of the company's security
measures. We worked for six months to submit a version of the report that
the client would pay for, and had so thoroughly watered down the results
that they were next to meaningless.

Here's what others involved in the field have to say about SCADA security...

"I designed, built, implemented and managed a completely integrated
manufacturing system. the Process Control network could be the ideal assault
base [for hackers]" Rogan Dawes, Johannesburg, South Africa.

"Many of these "obscure" [SCADA] protocols are even less secure than the
*least* secure Internet protocols," Matthew Franz, IEEE Computer Society
Technical Committee on Security and Privacy, United States.

"SCADA networks have been implemented to be functional not secure and the
SCADA management staff maintain the operational aspects of the systems,
rerely implementing good business practices and/or proactive monitoring,"
Derek Grocke, EDS International Data Centre, Australia.

"The [SCADA] vendors have little motivation to [secure their products]
unless some big hand forces them to do so.  Heck, we can't even get the
vendors to bring Operating Systems up to the current patch level before
deploying them. current trends indicate this [behavior] is a thing of the
past." Mark Wolfgang, Computer Security Consultant/Engineer, US Navy (hon.
dis.), Co-author "21 Steps to Improve Cyber Security of SCADA Networks,"
President's Critical Infrastructure Protection Board, the Office of
Independent Oversight and Performance Assurance.

".most of the vulnerabilities are blindingly obvious." David S. Brown (CIAC,
US), author of "The CIAC Binary Inspector Tool (BIT): A Non-Intrusive
Vulnerability Detection Mechanism."

As with much else in the post-911 world, many electrical utilities are
paying lip service to security while failing to enact any changes that
actually improve security.  Dr. Bill Hancock of Savvis Communications
asserts that it takes three security incidents before a culture will change
to become more secure - the first being an anomaly, the second a
coincidence, and the third an actual problem.  I think he's got that right.
Nationally, 9/11 was our first security incident, and the August 2003 East
Coast blackout might constitute the first incident for the electrical
industry.

If Dr. Hancock's theory is correct, it's going to take a couple more
August-2003-magnitude blackouts before the utility industry makes any
substantive improvements in the security of our electrical infrastructure.

Bob Alberti, CISSP, ISSMP, President                   Sanction, Inc.
Phone: (612) 486-5000 ext 211                           PO Box 583453
http://www.sanction.net                           Mpls, MN 55458-3453

"Security is more than firewalls, it's efficient business processes."


-----Original Message-----
From: owner-ip@xxxxxxxxxxxxxx [mailto:owner-ip@xxxxxxxxxxxxxx]On Behalf
Of David Farber
Sent: Saturday, March 12, 2005 10:00 AM
To: Ip
Subject: [IP] "Hackers target U.S. power grid" (wash post)


BTW Pat Wood is a very good person who actually wanted to be at the FCC

Dave

------ Forwarded Message
From: Fred Langa <fred@xxxxxxxxx>
Date: Sat, 12 Mar 2005 10:33:57 -0500
To: <dave@xxxxxxxxxx>
Subject: "Hackers target U.S. power grid" (wash post)



Describing his reaction to the demonstration [of how easily hackers might
break into electrical grid computers] Patrick H. Wood III, the chairman of
the Federal Energy Regulatory Commission, said: 'I wished I'd had a diaper
on.'"

http://www.msnbc.msn.com/id/7152899



============

Fred Langa

Current Projects/Affiliations Info:
http://www.langa.com/about_fred.htm

General email: fred@xxxxxxxxx

Free Newsletter ("The LangaList"): subscribe@xxxxxxxxx

Free LangaList Link Exchange: http://www.langa.com/code.htm

PR & Product Professionals:
For priority handling, please send product-related
email to: PR@xxxxxxxxx



------ End of Forwarded Message


-------------------------------------
You are subscribed as ip@xxxxxxxxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/




------ End of Forwarded Message


-------------------------------------
You are subscribed as roessler@xxxxxxxxxxxxxxxxxx
To manage your subscription, go to
  http://v2.listbox.com/member/?listname=ip

Archives at: http://www.interesting-people.org/archives/interesting-people/