Saturday, June 6, 2009

Industrial Hacks, Controlling and Securing SCADA Systems


SCADA (Supervisory Control and Data Acquisition) is the software layer that controls an industrial process and monitors and gathers real-time data from remote devices (PLCs and RTUs in the field) so that operators can respond to hazardous conditions. It is widely used in telecommunications, transportation, the oil and gas industry, defense systems, water and waste-water control systems and power plants. Process control and monitoring are commonly categorized as industrial, infrastructure or facility-based.

From a security perspective, these systems carry major vulnerabilities and threats that a malicious adversary can exploit with little effort. For about a decade, a number of legacy IT tools have been developed for scanning and assessing the security of SCADA systems. Several incidents reported in the past have shown how unreliable these systems can be: on 10 June 1999 the "Olympic Pipe Line" company suffered a pipeline rupture and gasoline release that caused at least $45m in damage and cost several lives.

For more information:
http://www.cob.org/services/environment/restoration/olympic-pipeline-incident.aspx

The security problems discovered while investigating such incidents include application response delays, faults in the shutdown and isolation process, and plain vulnerabilities such as a blank password granting access at a compressor station. SCADA systems carry out operations that depend on real-time communication. Many are deployed without anti-virus software to preserve performance and scalability, which leaves them exposed to viruses and worms. One such incident was reported in 2003 at the Davis-Besse nuclear power plant in Ohio, where the Slammer worm infected the whole network and disabled the safety monitoring system. Security policies and procedures can close such gaps in a SCADA-based network, but changing them frequently is a nightmare.

Penetration Testing for the SCADA Systems
To assess the security of these systems, the traditional penetration-testing approach can be used to verify the security of the SCADA network. From my past experience assessing SCADA applications and networks, it is vital to defend such a network at the perimeter (DMZ, IDS/IPS, firewalls). Researchers from different security groups have revealed serious security issues in default SCADA deployments, such as:

-No data encryption
-No authentication or blank passwords
-No integrity checks on data or commands
-Network traffic in clear text
-Default system/network configurations
-No backup strategy
-RAS/VPN access without proper security policies
-Weak physical security

Although IT and SCADA environments are deployed in similar ways, the differences can be measured and a reliable security assessment approach derived from them. Major security standards that can help in reaching this goal include BS7799, ISO15408, NIST-SPPICS, ISA S.99.1 and CIDX-VAM. Following a security approach similar to the one used for IT systems helps integrate and preserve the CIA (confidentiality, integrity and availability) of SCADA systems, with the caveat that in a control network availability normally takes priority over confidentiality.

Generally speaking, the SCADA penetration testing process involves:
-Identification
-Fingerprinting
-Vulnerability Mapping
-Exploitation
-Control

The major assessment tools remain the same; what changes is the methodology, which must be adapted to a SCADA environment rather than an ordinary IT network. Tools like nmap, nessus, wireshark and metasploit play a key role in assessing the security posture of the organization's infrastructure. Custom scripts and fuzzers (SPIKE, LZfuzz) can also help in assessing SCADA applications. Active scanning and fuzzing should be tried against a test or standby device first and scheduled with the operators: field devices with small embedded TCP/IP stacks can hang or reboot under an ordinary port scan, and an outage in a control network is a safety event, not just a finding.
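The identification and fingerprinting steps above, as an added example that is not part of the original post and is not code from ModScan or any other tool listed here: a small Modbus/TCP helper in Python. Modbus/TCP on port 502 is assumed as the target protocol because ModScan targets it; the vendor strings, device names and all frames below are constructed by hand, not captured from a real device. The block builds the Read Device Identification request a tester sends during fingerprinting, parses the response, handles the exception case, and classifies a captured client request so that unauthenticated writes stand out, which illustrates the no-authentication and clear-text findings listed earlier.

```python
"""Modbus/TCP identification helpers for the fingerprinting step.

Added example for this post; it is not taken from ModScan, nmap or any
other tool listed here. Modbus/TCP is used because ModScan targets it
and it illustrates two findings above: there is no authentication, and
traffic is clear text, so a request can be built and a response parsed
with a few lines of struct code. All frames below are constructed by
hand (no real device was captured); ExampleCo/PLC1 are made-up names.
"""
import struct

MODBUS_TCP_PORT = 502  # IANA-registered Modbus/TCP port (assumed target)

# Function codes a tester cares about. Reads support fingerprinting;
# writes change process state and must not be sent without operator sign-off.
FUNCTION_NAMES = {
    1: "Read Coils", 2: "Read Discrete Inputs",
    3: "Read Holding Registers", 4: "Read Input Registers",
    5: "Write Single Coil", 6: "Write Single Register",
    15: "Write Multiple Coils", 16: "Write Multiple Registers",
    43: "Encapsulated Interface Transport",
}
WRITE_FUNCTIONS = {5, 6, 15, 16}

# Object ids in the "basic" category of Read Device Identification (FC 43 / MEI 14)
DEVICE_ID_OBJECTS = {0: "VendorName", 1: "ProductCode", 2: "MajorMinorRevision"}


def build_device_id_request(transaction_id=1, unit_id=1):
    """Build a Read Device Identification request.

    MBAP header: transaction id, protocol id (0 = Modbus), length of the
    bytes that follow it (unit id + PDU), unit id.  PDU: function 0x2B,
    MEI type 0x0E, read device id code 1 (basic), starting object id 0.
    """
    pdu = bytes([0x2B, 0x0E, 0x01, 0x00])
    mbap = struct.pack(">HHHB", transaction_id, 0, len(pdu) + 1, unit_id)
    return mbap + pdu


def parse_mbap(frame):
    """Split a Modbus/TCP frame into MBAP header fields and the PDU."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != 0:
        raise ValueError("protocol id %d is not Modbus" % pid)
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"transaction_id": tid, "unit_id": uid, "pdu": frame[7:]}


def is_exception_response(frame):
    """True when the server answered with an exception (function code | 0x80)."""
    return bool(parse_mbap(frame)["pdu"][0] & 0x80)


def parse_device_id_response(frame):
    """Extract vendor, product and revision strings from a FC 43/14 response."""
    pdu = parse_mbap(frame)["pdu"]
    if pdu[0] & 0x80:
        raise ValueError("exception response, exception code 0x%02x" % pdu[1])
    if pdu[0] != 0x2B or pdu[1] != 0x0E:
        raise ValueError("not a Read Device Identification response")
    # pdu[2] read code, pdu[3] conformity level, pdu[4] more follows,
    # pdu[5] next object id, pdu[6] number of objects in this response
    count, pos, objects = pdu[6], 7, {}
    for _ in range(count):
        obj_id, obj_len = pdu[pos], pdu[pos + 1]
        value = pdu[pos + 2:pos + 2 + obj_len].decode("ascii", "replace")
        objects[DEVICE_ID_OBJECTS.get(obj_id, "Object%d" % obj_id)] = value
        pos += 2 + obj_len
    return objects


def classify_request(frame):
    """Name the function in a client request and flag writes.

    Modbus has no authentication, so any host that reaches port 502 can
    issue these; a write from an unexpected source is a finding on its own.
    """
    fc = parse_mbap(frame)["pdu"][0]
    return {"function_code": fc,
            "name": FUNCTION_NAMES.get(fc, "Unknown"),
            "is_write": fc in WRITE_FUNCTIONS}


# Constructed sample frames (not captures): a device-id response carrying
# three basic objects, an exception response, and a Write Single Register
# request for register 0x0010 with value 0x00FF.
SAMPLE_DEVICE_ID_RESPONSE = (
    struct.pack(">HHHB", 1, 0, 31, 1)
    + bytes([0x2B, 0x0E, 0x01, 0x01, 0x00, 0x00, 0x03])
    + bytes([0x00, 9]) + b"ExampleCo"
    + bytes([0x01, 4]) + b"PLC1"
    + bytes([0x02, 4]) + b"v1.2"
)
SAMPLE_EXCEPTION_RESPONSE = struct.pack(">HHHB", 1, 0, 3, 1) + bytes([0xAB, 0x01])
SAMPLE_WRITE_REQUEST = struct.pack(">HHHB", 2, 0, 6, 1) + bytes([0x06, 0x00, 0x10, 0x00, 0xFF])

if __name__ == "__main__":
    print("request to send:", build_device_id_request().hex())
    print("identified:", parse_device_id_response(SAMPLE_DEVICE_ID_RESPONSE))
    print("exception?", is_exception_response(SAMPLE_EXCEPTION_RESPONSE))
    print("write request:", classify_request(SAMPLE_WRITE_REQUEST))
```

To use this against a live target, open a TCP socket to port 502, send build_device_id_request(), read the 7-byte MBAP header to learn how many bytes follow, then read the rest and pass the whole frame to parse_device_id_response(); a device that does not implement function 43 answers with an exception frame, which is why the exception check comes before the object parsing. Send one request at a time, with operator sign-off, rather than at a scanner's rate: the same absence of authentication that makes fingerprinting this easy also means a stray write reaches the process directly.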

Additional Resources:
CrISTAL Project: http://cristal.recursiva.org
ModScan: http://code.google.com/p/modscan
ScadaSafe: http://scadasafe.sourceforge.net
SMART: http://safemap.sourceforge.net