Monday, November 21, 2011

SCADA Attacks, are very similar to the Stuxnet attack, basic yet effective

SCADA Attacks, are very similar to the Stuxnet attack, basic yet effective

This attack like the Stuxnet attack, went after some very simple code, that is used to control valves, security gates, and other peripheral devices. Normally a SCADA control program is a fairly sophisticated deal, but when it hands off simple routines like controlling valves, the use of a PLC or programmable logic controller is used. The code for PLC operations is fairly simple, it only handles very small tasks. To insert a bogus code into a PLC is not all that hard, PLC's are designed to be programmed in the field, as such no compiler or at least a sophisticated compiler is needed. This makes them great targets, as one recent article pointed out correctly that most Prison's use SCADA systems, which use PLC's to control doors and gates at the Prison, meaning that it would be possible to program them to open if attacked. Now this would be a more sophisticated attack than a normal Stuxnet would attempt. In fact most of the sophistication of the Stuxnet was in getting the code to the PLC.

Remember PLC's have simple short codes, so getting it to do simple actions like keep opening and closing a valve or door, is pretty easy, to open a door at a predetermined time is really going to have to attack the main SCADA program, a much harder task, not impossible, but harder that attacking the PLC's.

Most SCADA systems should be off line from the internet, and as such it would take an attack like the one used against the Iran nuclear facility. In that case it was introduced via a USB flash device. That takes physical access to the system, or spoofing someone else to have access. If the attack was on part of a SCADA system that was hooked up to the internet,  a big no no usually. Then it is a matter of loose or no passwords to protect the system, which would have at least make it harder for the bad guys to attack the system.

Maintenance contracts for SCADA systems, often require internet access, but these contracts should be reviewed for security purposes. If possible internet hookups should be only physically connected during a time when the maintenance vendor needs access. Often security guards are trained to manually make the connection, and then physically disconnect it when the vendor is done. IT departments make a very big issue of the fact that they can put security controls in place that can stop anything. The bad news is that it is harder and harder to stop everything.

Rich

1 comment:

  1. So? Anyone can throw a spanner in the works. If systems are correctly monitored, then any SCADA attack will be instantly identified. They have no more significance than a motor running a bearing, or a rat cutting a cable. It's just something more for the maintenance guys to deal with.
    T.

    ReplyDelete