Monday, January 13, 2014

Our energy infrastructure has Swiss cheese security

I've been posting for something like 4 years that the security of industrial control systems (SCADA) that run our energy and other infrastructure is lousy.  Here's the latest:
Researchers have found vulnerabilities in industrial control systems that they say grant full control of systems running energy, chemical and transportation systems.

The vulnerabilities were discovered by Russian researchers who over the last year probed popular and high-end ICS and supervisory control and data acquisition (SCADA) systems used to control everything from home solar panel installations to critical national infrastructure.

Positive Research chief technology officer Sergey Gordeychik and consultant Gleb Gritsai detailed vulnerabilities in Siemens WinCC software which was used in industrial control systems including Iran's Natanz nuclear plant that was targeted by the US Stuxnet program.

"We don’t have big experience in nuclear industry, but for energy, oil and gas, chemical and transportation sectors during our assessments project we demonstrated to owners how to get full control [of] industrial infrastructure with all the attendant risks," Gordeychik told SC Magazine.
The bad news?  You can make a big boom taking over a refinery.  The good news?  The industry may actually be paying attention now ("we demonstrated to owners ...").

It would actually be a good thing if the NSA monitored these systems.  Do the Country a favor, NSA - focus on an actual threat (i.e. not us).
Spike said...

So if the Russian civilians have penetrated our infrastructure, what have the foreign military boffins been up to?

Borepatch said...

Spike, precisely. The question is not what portion of the infrastructure is vulnerable. The question is what portion is already owned by the Bad Guys?

Paul, Dammit! said...

Do SCADA systems have any privacy? From the news, it sounds like my kid could get through their firewall with the IR transmitter on his Nintendo DS.

Arthur said...

"It would actually be a good thing if the NSA monitored these systems."

Yeah, that will work out great.

Spike said...

Paul, from what I understand, these systems want to be found and easy to use. They were never meant to be connected to the interweb.

R.K. Brumbelow said...

I have wondered for years why there is any outward facing node in transportation or energy.

There is enough dark fibre to dedicate lines: entire lines, router, switch, bridge, server everything; and have 0 energy or transportation systems on any public network.

If you need to monitor the system publicly, then turn off error checking and set up the internal system as write only, the external system as read only. Poll data however often you need to for effective results.

What about feedback loops to regulate output and demand? Again, specific systems with one way communication. Put a human in the feed, so they can stop any strangeness from occurring. Need finer control than a human can provide? Put in a buffer system. Too much power out and the excess gets dumped into some large storage system: Gravity fed water, flywheels, compressed air, big capacitors of a similar nature. Too little power? Draw from those same systems.

The point is, the security of energy and transportation control systems is of sufficient importance to justify the human node and complete separation from public networks.
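The write-only/read-only split sketched in the comment above, as an added example that is not from the post or any commenter: a simulated one-way telemetry feed in Python. The internal side only publishes frames; the external reader has no return channel, so instead of error correction (acks, retransmits) it checks a per-frame integrity tag and records sequence gaps for a human to look at. The frame layout, shared key and power readings are constructed for the example.

```python
import hashlib
import hmac
import json
import struct

# Constructed shared key for the per-frame integrity tag (assumption: provisioned out of band).
FEED_KEY = b"example-feed-key-not-for-production"

def build_frame(seq: int, reading: dict) -> bytes:
    """Internal, write-only side: [4-byte seq][JSON payload][32-byte HMAC-SHA256]."""
    header = struct.pack(">I", seq)
    payload = json.dumps(reading, sort_keys=True).encode()
    tag = hmac.new(FEED_KEY, header + payload, hashlib.sha256).digest()
    return header + payload + tag

class ReadOnlyConsumer:
    """External side: validates what arrives, never sends anything back."""
    def __init__(self):
        self.expected_seq = 0
        self.readings = []   # accepted readings, in arrival order
        self.gaps = []       # (expected, received) where frames went missing
        self.rejected = 0    # malformed frames or integrity-check failures

    def consume(self, frame: bytes) -> bool:
        if len(frame) < 4 + 32:
            self.rejected += 1
            return False
        header, payload, tag = frame[:4], frame[4:-32], frame[-32:]
        good = hmac.new(FEED_KEY, header + payload, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, good):
            self.rejected += 1
            return False
        seq = struct.unpack(">I", header)[0]
        if seq != self.expected_seq:
            # No back-channel to request a resend: log the gap for the operator (a replay shows up here too).
            self.gaps.append((self.expected_seq, seq))
        self.expected_seq = seq + 1
        self.readings.append(json.loads(payload))
        return True

def run_demo() -> ReadOnlyConsumer:
    """Constructed readings; frame 2 is lost on the link, frame 4 arrives corrupted."""
    frames = [build_frame(i, {"bus": "A", "mw": 100 + i}) for i in range(5)]
    link = [f for i, f in enumerate(frames) if i != 2]   # frame 2 never arrives
    link[3] = link[3][:5] + bytes([link[3][5] ^ 0x01]) + link[3][6:]  # flip a payload bit in frame 4
    consumer = ReadOnlyConsumer()
    for frame in link:
        consumer.consume(frame)
    return consumer
```

After `run_demo()` the reader holds readings 100, 101 and 103, one recorded gap (expected 2, got 3) and one rejected frame; nothing was ever transmitted back toward the internal side.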

Chris Byrne said...

As someone who was the security operations manager for a power company... it's FAR FAR worse than this...
