Wednesday, January 5, 2011

The Next SCADA Target?

As if Stuxnet, with its ability to reprogram PLCs and to hide the electronic signature of that reprogramming, is not scary enough for most ICS security managers, a new blog post at Tofinosecurity.com/blog [Corrected typo in web site name - 01-06-10 3:44 pm] warns that there is an even more insidious potential target of a Stuxnet-type attack: the actual field devices that PLCs control. Rob Hulsebos, writing in a guest posting, warns that the increasing use of industrial Ethernet connections may allow sophisticated attackers to reprogram the firmware on fieldbus devices. (Fieldbus devices are the electronic brains of a wide variety of automated tools used in industry; they are operated remotely via PLCs.)

According to Hulsebos there are two things that currently protect these devices from attack: reprogramming requires physical access via a plug-in cable, and it requires access to the vendor’s source code for the device. As an industrial network expert, he overlooks the fact that the first defense only protects these devices against remote attack. They are still vulnerable to attack via physical access, and it is unlikely that the locations of all of these devices are protected as restricted areas, since they will be scattered throughout the manufacturing facility.

Physical Security Note: I know, someone is going to mention seeing the odd unauthorized person sitting next to the frequency drive on a high-speed centrifuge with a laptop computer. But remember, most of the modern versions of these devices have USB ports to provide for this designed physical access. It just takes a couple of seconds to plug a wireless device into such a port, and you then have remote physical access. Ask yourself: will your current security measures detect someone surreptitiously plugging a small USB device into one of your many fieldbus devices? Really?

So, these devices are really only protected against cyber attack by the fact that the attacker must have access to the source code for the device. That ought to be good enough; after all, industrial control systems are just too complicated for an attacker to make the code modifications necessary to change the operation of these devices. Unfortunately, that argument is no longer acceptable post-Stuxnet; Stuxnet showed that it was patently incorrect. It just takes the right amount of resources to acquire the necessary knowledge and information.

Like Stuxnet, the first Busnet (oh, someone will come up with a better name, I’m sure) attack will take a sophisticated organization with money and a variety of technical and industrial-espionage skills. But once Busnet is released into the wild, a wide variety of security researchers will be taking a long, hard look at the innovative new attack system. It will be broken down, replicated and modified. Soon Busnet-lites will abound, and cyber security will become just that much more complicated.

So, what is a security manager to do about this next-next-generation ICS security threat? Not much yet. Look at your physical security measures; educate your employees about reporting unusual activities around any equipment. That’s about it right now.

For now, the ball is in the court of the security researchers. They need to start thinking about how you would defend against this type of attack. I mean, it’s not like they’re busy with any other ICS cyber security issues (Sarcasm Warning).

1 comment:

Joel Langill said...

I think that I am going to hold off on launching any attacks using these low-level networks. With only 31.25kbps of bandwidth (much of which is consumed with the baseload communications required for the devices that they contain), and the fact that there are such a small number of devices on these networks (less than 16, but more like 4-8), my attack vector of choice will be HSE. This gives me 100Mbps of bandwidth, and direct access to not only field subsystems, but also critical system control components. Of course, my entry point will be all those insecure wireless networks that exist and provide a path into a network which is for the most part not monitored and not secured. Stay tuned!
