[LINK] AUSCERT: SCADA connectivity could grow into risky business
Bernard Robertson-Dunn
brd at iimetro.com.au
Tue May 22 15:08:13 AEST 2007
<brd>
We talked about this on Link many years ago before SCADA systems were
ever connected to the internet. IIRC the consensus then was that nobody
would be so stupid.
</brd>
AUSCERT: SCADA connectivity could grow into risky business
U.S. government employee identifies the risks and challenges facing
SCADA systems
Sandra Rossi 22/05/2007 11:24:50
http://www.computerworld.com.au/index.php/id;1732714836
Former White House staffer Marcus Sachs believes that there are
thousands of critical infrastructure attacks that go unreported,
demonstrating the need to educate critical asset owners.
As deputy director of SRI International's computer science laboratory,
Sachs said access to critical infrastructure control systems is easier
than originally thought.
Sachs is responsible for the U.S. Department of Homeland Security's
cybersecurity R&D centre, which is operated by SRI International under
contract. In addition to 20 years in the military, Sachs has also worked
at the National Security Council.
Speaking at AusCERT 2007 about the risks and challenges facing SCADA
systems, he said control systems in decades past have traditionally been
private, and not connected to the Internet.
This has certainly changed today as connectivity has grown, he said.
"Weak security protocols that characterize the Internet have now
transferred to industrial control system," Sachs said.
"In the old days protocols were proprietary, but there is a new trend to
move over to TCP/IP."
Demonstrating vendor advertisements found on the Internet, Sachs showed
how these systems were connected to the Internet so plant managers could
log on from home. The increased connectivity was said to have created
serious security issues.
"One advertisement demonstrated how to run Modbus on the Internet so you
can log onto the plant's control system from home - how dangerous is
that?" he said.
"Most industries don't report breaches so there is a lot of cover up,
and it is hard to quantify. I believe it happens a lot more than we
realize."
Sachs cited examples of insiders modifying systems, and pointed out that
plant managers generally are more concerned about safety than IT security.
Sachs said there are plenty of threat multipliers in this environment.
For example, he said there is no authentication in most SCADA protocols.
"Machines trust each other. Then there is legacy architectures," Sachs
said. "If vulnerable, they are too costly to upgrade."
Finally, Sachs said there is a serious lack of awareness and education.
"Most of the reported attacks are in the US, Australia and Canada; this
is just the tip of the iceberg," he said.
One major problem is the serious divide between those who manage control
systems and those on the IT side.
He said these are two very different worlds, with totally different
mindsets.
"There is big animosity between the two groups because plant managers
focus on making the plant work and don't see IT as a friend, but an
enemy," Sachs said.
"The big challenge is to bring the two together and bridge the gap."
--
Regards
brd
Bernard Robertson-Dunn
Sydney Australia
brd at iimetro.com.au