FACT CHECK: SCADA Systems Are Online Now

Friday, September 23, 2011

Craig S Wright

Follow-Up Article:  SCADA: Air Gaps Do Not Exist

*   *   *

A recent "Fact Check" by Scot Terban requires some fact checking.

In his post, he basically shows that he has no idea how many SCADA systems are online. Scot stated, "How about the fact that said systems are connected to the internet on a regular basis and SCADA aren’t". Well, this is a flaw and an error of epic magnitude.

The fact is, nearly everything is connected now.

In 2000 I contracted to the Sydney Olympic authority. To make the Olympics run smoothly, the NSW government officials decided to connect control systems into a central headquarters. We linked:

  • Traffic systems
  • Rail systems
  • Water systems
  • Power systems
  • Emergency response systems / Police
  • Sewerage systems

That was only the tip of the iceberg. The rail systems had been connected to report on rail movements. They used a Java class file that was set to read the signals devices. The class was not protected, but the read-only status was considered sufficient (despite protests to the contrary).

The control class file was easy to reverse engineer and it was simple to toggle the controls in order to make it into a system that could send signals as well as report them. When I noted that I could reverse engineer the class file, the comment was "not everyone has your skills Craig, we do not think others can do this". Yet it is simple to reverse engineer a Java class file.

Once the Olympics ended, so did any funds to maintain the system. Nothing was done to remove the interconnectivity; it was considered valuable, but like all systems that are not maintained, it has slowly become less and less secure.

These networks remain connected even now, though many of the people involved in setting them up have left. In fact, many of these networks are not even documented or known to the current people in the various departments.

Two years ago, I was involved in a project to secure SCADA systems that run and maintain a series of power plants. This was canned. Not for funds, but as the SCADA engineers did not trust that firewalling their network would not have a negative impact. Right now, the only controls are routing based.

Unfortunately, they also allow ICMP route updates, access from the file servers and source routing. Some of the systems are running on Windows 98, not XP, 98. The need for a zero-day does not exist, just some knowledge of the internal routes in the system.

Unfortunately, the routes and network design of this organization (running a large percentage of power stations in NSW) were leaked in a vendor presentation, so they are also not difficult to obtain. It does take some effort to become knowledgeable about the systems and how they are run (and to not simply crash them), but the ISO 20000 processes are stored on the same network.

Let us see some other systems.

A while back now, but many of the same systems are in place in the same way, I was contracted to test the systems on a Boeing 747. They had added a new video system that ran over IP. They segregated this from the control systems using layer 2 VLANs. We managed to break the VLANs and access other systems, and with source routing could access the engine management systems.

The response, "the engine management system is out of scope."

For those who do not know, 747s are big flying Unix hosts. At the time, the engine management system on this particular airline was Solaris based. The patching was well behind and they used telnet, as SSH broke the menus and the budget did not extend to fixing this. The engineers could actually access the engine management system of a 747 en route. If issues are noted, they can re-tune the engine in air.

The issue here is that all that separated the engine control systems and the open network was NAT-based filters. There were (and as far as I know this is true today) no extrusion controls. They filter incoming traffic, but all outgoing traffic is allowed. For those who engage in Pen Testing and know what a shoveled shell is... I need not say more.
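The gap described above (inbound filtered, outbound open) can be checked for in a ruleset. The following is an added example, not code from the original article: it audits `iptables-save` output for egress chains that let unmatched traffic leave. The two rulesets, interface name and addresses are constructed, and Linux netfilter is an assumption, since the article names no firewall product.

```python
import shlex

# Constructed iptables-save samples; addresses are documentation ranges.
WEAK = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -j ACCEPT
COMMIT
"""
HARDENED = """*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -i eth1 -d 192.0.2.10/32 -p tcp --dport 443 -j ACCEPT
-A OUTPUT -d 192.0.2.20/32 -p udp --dport 123 -j ACCEPT
COMMIT
"""
NARROWING = {"-d", "-p", "-m", "--dport", "--dports"}  # heuristic: not a catch-all

def parse_filter(text):
    """Return ({chain: policy}, {chain: [rule tokens]}) for the filter table."""
    policies, rules, active = {}, {}, False
    for line in map(str.strip, text.splitlines()):
        if line.startswith("*"):
            active = line == "*filter"
        elif active and line.startswith(":"):
            policies[line[1:].split()[0]] = line.split()[1]
        elif active and line.startswith("-A "):
            _, chain, *rule = shlex.split(line)
            rules.setdefault(chain, []).append(rule)
    return policies, rules

def egress_findings(text):
    """Flag FORWARD/OUTPUT chains that let unmatched outbound traffic leave."""
    policies, rules = parse_filter(text)
    findings = []
    for chain in ("FORWARD", "OUTPUT"):
        verdict = "default policy ACCEPT" if policies.get(chain) == "ACCEPT" else None
        for toks in rules.get(chain, []):
            target = toks[toks.index("-j") + 1] if "-j" in toks else ""
            if target in ("ACCEPT", "DROP", "REJECT") and not NARROWING & set(toks):
                verdict = "allow-all ACCEPT rule" if target == "ACCEPT" else None
                break
        if verdict:
            findings.append((chain, verdict))
    return findings
```

The weak ruleset drops unsolicited inbound traffic yet is flagged on both egress chains; the hardened one allows outbound traffic only to named destinations and ports and produces no findings.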

So, Scot... FACT CHECK, SCADA systems ARE ONLINE!

Nearly all SCADA systems are online. The addition of a simple NAT device is NOT a control. Most of these systems are horribly patched and some run DOS, Win 95, Win 98 and even old Unixes. Some are on outdated versions of VMS. One I know of is on a Cray and another is on a PDP-11.

The last of these has an issue, as they do not believe it will ever restart if it goes down. So that PDP-11 is not touched. We scanned a system at that network a couple of years back and it crashed; the answer was that we could not ever ping the PDP-11, as it was thought it could also crash.

Yes Scot, Windows XP and unpatched networks are a concern, but they are less of a concern than those systems that are connected to the world and which control physical systems.

Right now, the Commonwealth government here in Australia has a project to connect to IPv6 by next year. It is mandated. I have been travelling and presenting to many departments in the last few months for this reason. Even with all the good standards from DSD, few of the people who are tasked with implementing these systems knew that IPSec supports a NULL cipher.

The DSD standards do say that you cannot use NULL as a cipher, but the awareness is only starting to grow (hence a very busy schedule actually talking to people in a number of government departments and letting them know these things).
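A configuration review can catch NULL encryption before deployment. The following is an added example, not code from the original article or from DSD: it scans a connection file for ESP proposals whose cipher is NULL. The strongSwan `ipsec.conf` syntax is an assumption (the article names no IPsec implementation), and the sample file and connection names are constructed.

```python
import re

# Constructed strongSwan-style ipsec.conf; connection names are hypothetical.
SAMPLE = """\
conn plant-to-hq
    keyexchange=ikev2
    esp=aes256gcm16-ecp384!

conn historian-link
    keyexchange=ikev2
    esp=aes128-sha256,null-sha256

conn test-bench
    esp=null-sha1!   # left over from debugging
"""

def parse_conns(text):
    """Return {conn name: {option: value}} from ipsec.conf-style text."""
    conns, current = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()      # drop trailing comments
        header = re.match(r"conn\s+(\S+)$", line)
        if header:
            current = conns.setdefault(header.group(1), {})
        elif current is not None and line[:1].isspace() and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return conns

def null_esp_proposals(text):
    """List (conn, proposal) pairs whose ESP encryption algorithm is NULL."""
    hits = []
    for name, opts in parse_conns(text).items():
        # Every proposal in the list counts: a NULL fallback offered next to
        # a strong cipher can still be the one the peer selects.
        for proposal in opts.get("esp", "").split(","):
            proposal = proposal.strip().rstrip("!")   # "!" marks strict mode
            # The first dash-separated token of a proposal is the cipher.
            if proposal.split("-")[0].lower() == "null":
                hits.append((name, proposal))
    return hits
```

On the sample, `historian-link` is flagged even though its first proposal uses AES, because the list also offers `null-sha256`.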

Next year, we will have IPv6 starting to become the norm in the Australian Commonwealth Government and in time, it will be all there is. This starts with an IPv4-IPv6 gateway and transition project, but that is only the start and soon others will have to switch as well. Soon (and this is within 5 years), SCADA systems will be connected on IPv6 networks here in Australia.

IPv6 is distributed. There are no crunchy firewalls on the outside and even NAT offers little. Scot (and others who run some of these systems), I suggest that you have a look at how things are really configured.

About the Author:

Craig Wright is the VP of GICSR in Australia. He holds both the GSE, GSE-Malware and GSE-Compliance certifications from GIAC. He is a perpetual student with numerous postgraduate degrees, including an LLM specializing in international commercial law and ecommerce law and a Master's degree in mathematical statistics from Newcastle, as well as working on his fourth IT-focused Master's degree (Masters in System Development) from Charles Sturt University, where he lectures subjects in a Master's degree in digital forensics. He is writing his second doctorate, a PhD on the quantification of information system risk at CSU.

Cross-posted from GSE-Compliance

Krypt3ia BTW, you fail to mention that that Boeing system was deliberately built so that it could not interfere with an engine in flight. Of course this isn't to say that something couldn't be potentially engineered, but you did not even attempt to caveat it. Once again, FUD.
K.
Craig S Wright @K What do you think malware is?

What do you think we are talking of with Stuxnet. Yes, a sophisticated piece of software would be required.

Have you forgotten that has already occurred more than once now?
Jean-Marc Liotier What version of the Boeing 747 are you writing about? As far as I know, only 747-8 has Ethernet... The two first ones were cargo versions refused last week by Cargolux, so none is even in operation yet. Anyway, since you mention it was "a while back now" it is probably not a 747-8... When was it and what model? I have a few aviation people here questioning your claim.
Craig S Wright "As far as I know, only 747-8 has Ethernet.."

Then you know very little about Boeing aircraft, not that I said Ethernet, but it is there. A 747-400 is comprised of:

10BaseT
100BaseT
1000Base-SX, a 1-gigabit
FDDI
1000Base-SX (digital Video and cockpit display)
802.11B (only active when on ground)
Boeing wideband
Jean-Marc Liotier Indeed my knowledge of the Boeing family is second hand and limited - it is Airbus country here... Thanks for the contextual information!
Jean-Marc Liotier I'm amazed there is FDDI there - what is it used for? When you mentioned VLAN, I thought Ethernet since I considered unlikely that other VLAN bearers were present aboard a 747 - again I was wrong...
Craig S Wright FDDI was being removed for the most part.

My understanding of the reasoning at the time was that the fibre optic LAN was expensive and difficult to maintain so was replaced using 100BaseT. The systems and equipment manager was having troubles in the older 747-400s as parts had become expensive and the order times were increasing, making inventory retention more costly as well. Also systems started requiring more data throughput.

Never touched an Airbus other than to fly in one.
Krypt3ia Pay no nevermind that this has nothing to do with the engine system at the core of your argument, nor the actual specs to said system.
Craig S Wright @K Crashing critical systems more than 30-45 mins from an airport (such as over the Pacific) is a problem. Without the flight-critical systems, a flight is at extreme risk.

If you think I am going to publicly say how these systems are interacting and what they are, then you are mad.
Jean-Marc Liotier Related, yeah - I'm sure the virus hit the drone fleet from the in-flight entertainment system !
Craig S Wright I was thinking the CoD and WoW systems ...
Jean-Marc Liotier Are there really instances of such programs being installed on workstations used for drone operations ?
Craig S Wright No, at least I hope not. There are instances of people connecting USB drives etc.

We need to start thinking of design that will account for human behavior and not trying to redesign how humans behave.
Craig S Wright The big issue with the Drone system is one I have fought with for many years. Malware can infect a system and not cause damage (at first) so it is left.

This does not mean that it will not do damage in the future.

Right now, I am seeing a lot of malware infected SCADA and other control systems that people will not fix as they are working. Even with the drones, it took far too long for them to finally wipe and rebuild the system.

We really need to start rethinking how we react to these systems.
Jean-Marc Liotier The standard reaction to rootkits is rebuilding from the ground up. The problem here is people not wanting to make that effort...
Chris Blask "We need to start thinking of design that will account for human behavior and not trying to redesign how humans behave."

@Craig - Indeed.

There is no good reason to ever trust a device or application in the first place. Even if you have patches up to date and current antimalware on a host, all you have done is eliminated some of the risk. The known complexities of human and technical fallibility

Where we build systems in which we only trust devices as long as they behave we don't find ourselves scrambling so often.

The redundancy of the system has been questioned in SCADASEC list comments. If they had simply planned for hosts to die at the least opportune time (like we all know hosts always will), then just nuking a suspect server and reimaging the damn thing wouldn't be an issue whatever the cause.
Craig S Wright @Chris, yes, it is surprising. Poor design really. When you think just how easy it is to create a system that you can wipe and redeploy, it seems foolish that this was not done on a system worth as much as this one is.
jnmx mueller When you mentioned VLAN, I thought Ethernet since I considered unlikely that other VLAN bearers were present aboard a 747 - again I was wrong... " What do you mean with "VLAN" ? Greez Mark, http://www.starbike.com