[LINK] FP: The SCADA Paradox

Roger Clarke Roger.Clarke at xamax.com.au
Fri Aug 16 14:39:46 AEST 2013


[The article below, reproduced in the AFD today, includes this:  " 
... attackers have never been able to engage in cyber-sabotage 
against America's critical infrastructure -- not once. ICS-CERT has 
never witnessed a successful sabotage attack in the United States, 
they told me. Sure, there have been network infiltrations. But those 
were instances of espionage, not destructive sabotage".

[(The first sentence should logically read "have never engaged in"; 
but nonetheless it's an interesting claim).

[One possible inference is that the rattling of virtual sabres by US 
and other governments, claiming that cyber-warfare is rampant and 
that therefore they have to engage in it too, is simply 
self-interested posturing.

[On the other hand, the rational position of any cyber-warrior right 
now is to penetrate SCADA / ICS systems, perform small-scale tests, 
discover vulnerabilities that are likely to be persistent, create 
more vulnerabilities that can be exploited when the time is right, 
and avoid discovery of the above.

[The more interesting question is:  why aren't 'the 14-year-old 
whizz-kids in their bedrooms' testing their capabilities on real 
systems;  or, formulated differently, why aren't their attempts 
coming to light?

[A few possible answers exist.  One is the conspiracy theory that 
anything that US natsec interests say is untrustworthy.  Another is 
that crackers aren't as clever as popular mythology believes.  Yet 
another is that maybe not as much SCADA / ICS traffic has migrated 
from private networks to the Internet as people imagine.]


Cyber-Sabotage Is Easy
So why aren't hackers crashing the grid?
THOMAS RID (a UK academic)
Foreign Policy
JULY 23, 2013
http://www.foreignpolicy.com/articles/2013/07/23/cyber_sabotage_is_easy_i_know_i_did_it

Hacking power plants and chemical factories is easy. I learned just 
how easy during a 5-day workshop at Idaho National Labs last month. 
Every month the Department of Homeland Security is training the 
nation's asset owners -- the people who run so-called Industrial 
Control Systems at your local wastewater plant, at the electrical 
power station down the road, or at the refinery in the state next 
door -- to hack and attack their own systems. The systems, called ICS 
in the trade, control stuff that moves around, from sewage to trains 
to oil. They're also alarmingly simple to break into. Now the 
Department of Homeland Security reportedly wants to cut funding for 
ICS-CERT, the Cyber Emergency Response Team for the nation's most 
critical systems.

ICS-CERT's monthly training sessions in Idaho Falls put 42 operators 
at a time into an offensive mindset. For the first three days in last 
June's workshop, we learned basic hacking techniques, first in 
theory, then in practice: how to spot vulnerabilities, how to use 
exploits to breach a network, scan it, sniff traffic, analyse it, 
penetrate deeper into the bowels of the control network, and 
ultimately to bring down a mock chemical plant's operations. There 
was something ironic about Department of Homeland Security staff 
teaching us how to use Wireshark, an open-source packet analyzer; 
Metasploit, a tool for executing exploit code; man-in-the-middle 
attacks; buffer overflow; and SQL-injection -- all common hacking 
techniques -- and then adding, only half-jokingly: "Don't try this on 
your hotel's Wi-Fi!"

So it may come as a surprise to learn that attackers have never been 
able to engage in cyber-sabotage against America's critical 
infrastructure -- not once. ICS-CERT has never witnessed a successful 
sabotage attack in the United States, they told me. Sure, there have 
been network infiltrations. But those were instances of espionage, 
not destructive sabotage. Which raises two questions: one obvious, 
and one uncomfortable. If it's so easy, why has nobody crashed 
America's critical infrastructure yet? And why isn't the Defense 
Department doing more to protect the grid?

The questions only loomed large on the fourth day of the training -- 
a 10-hour exercise. We split into two groups, a large blue team and a 
small red team. The blue team's task was to defend a fake chemical 
company, with a life-sized control network complete with large tanks 
and pumps that would run production batches, a real human-machine 
interface, a so-called "demilitarized zone," even simulated paperwork 
and a mock management with executives that didn't understand what's 
really happening on the factory floor -- just like in real life. The 
red team's task was to breach the network and wreak havoc on the 
production process. By 5 pm they got us: toxic chemicals spilled on 
the floor, panic spread in the control room. Good thing for us this 
was only an exercise, and the gushing liquid was just water.

That exercise in Idaho was not unrealistic -- control system-related 
incidents can have serious consequences. In March 1997, a teenager in 
Worcester, Massachusetts, used a dial-up modem to disable control 
systems at the airport control tower. In June 1999, 237,000 gallons 
of gasoline spilled out of a 16-inch pipeline in Bellingham, 
Washington, killing three people when it ignited. An ICS performance 
failure limited the controller's ability to understand what was 
happening and react swiftly.

In August 2006, two disgruntled transit engineers sabotaged the 
traffic light controls at four busy L.A. corners for four days, 
causing major traffic jams. One of the most serious accidents 
happened in 2009 at the Sayano-Shushenskaya hydroelectric dam and 
power station in Russia, when a remote load increase caused a 940-ton 
turbine to be ripped out of its seat. The accident killed 75 people, 
pushed up energy prices, and caused damage in excess of $1.3 billion. 
In Idaho I heard two more stories from participants: one maintenance 
issue paralysed 600 ATM machines for 6 hours, and one innocent 
network scan in a manufacturing plant caused a large and powerful 
robotic arm to swirl around as if in rage, potentially injuring 
anybody near it.

Attacking such systems just got easier, for a number of reasons. One 
is that vulnerabilities are easier to spot. The search engine Shodan, 
dubbed the "Google for hackers," has made it easy to find turbines 
and breweries and large AC-systems that shouldn't be connected to the 
Internet but actually are. One project at the Freie Universität 
Berlin has enriched the Shodan data and put them on a map. The 
rationale of this "war map," as project leader Volker Roth called it 
tongue-in-cheek, is visualizing the threat landscape with colored 
dots, yellow for building management systems, orange for monitoring 
systems, and so on. The U.S. eastern seaboard looks like a butt on a 
paintball range after a busy shooting session.

But so far, attackers have lacked either the necessary skill, 
intelligence, or malicious intention to use that map as a shooting 
range. That may be changing. While the more sophisticated ICS attacks 
are actually harder than meets the eye, many nation states as well as 
hackers are honing their skills. Some are also busy gathering 
intelligence; earlier this year, for example, the U.S. Army Corps of 
Engineers' National Inventory of Dams was breached, possibly from 
China. And any political crisis may change an attacker's intention 
and rationale to strike by cyber attack.

All of which keeps the federal government's main organization in 
charge of critical infrastructure protection busy. ICS-CERT employs 
between 80 and 100 staff, depending on contractors. Three of its 
activities stand out.

The first is incident response. At the request of asset owners, 
ICS-CERT can deploy so-called fly-away teams to meet with the 
affected organization. They'll review network topology, identify 
infected systems, image drives for analysis, and collect other 
forensic data. Last year, the government's control system experts 
responded to 177 incidents. That included 89 site visits and, in the 
most extreme cases, 15 deployments of on-site teams to respond to 
advanced persistent threat incidents in the private sector, the DHS 
told me. The fly-aways are controversial, with some critics pointing 
to a lack of focus and a waste of scarce government resources. One 
prominent critic is Dale Peterson of Digital Bond, a leading 
consultancy on critical infrastructure protection. "It doesn't 
scale," he says about the fly-away teams, "It's a band-aid." Still, a 
band-aid is better than no treatment at all.

The second main activity is keeping the operators vigilant and 
informed. ICS-CERT is doing this through vulnerability alerts and 
advisories: one recent alert, for instance, warned about a range of 
300 medical devices that had hard-coded passwords, which could enable 
an attacker to gain remote access to surgical and anaesthesia devices 
or drug infusion pumps.

But for some, the warnings don't come fast enough, or don't produce a 
strong enough response. So more and more independent security 
researchers publish information on faulty design without notifying 
vendors and their clients first. Many at the Department of Homeland 
Security think some of these revelations are irresponsible or 
premature -- Digital Bond disagrees. The consultancy organizes a 
leading industry event, the S4 conference, where devices get hacked 
for good effect. A lot of people in the ICS community, Peterson tells 
me, "are getting gradually more aggressive because there has been so 
little progress."

Then there are those five-day training sessions for those who are 
really at the front line of potential cyber attacks: the plant and 
factory owners and operators. That program is the least 
controversial. After three days of lectures and hands-on practice, 
and after one day of spilling chemicals by cyber attack, the 
participants in my class had a chance to discuss lessons learned on 
the fifth day. One or two may have expected a slightly different 
technical focus, yes, but the rest loved it. The Department of 
Homeland Security understood a crucial thing: if the asset owners 
understand the offense, they are able to improve -- and better invest 
in -- their network defense.

The reverse does not apply. The National Security Agency and its 
military twin, U.S. Cyber Command, are investing in all kinds of 
offensive measures that do nothing to make the nation's critical 
infrastructure more secure: They're discovering and buying previously 
unknown zero-day vulnerabilities -- holes in software that hackers 
can use to wiggle their way into a system. They're gathering target 
intelligence on foreign infrastructure, and clandestinely developing 
bespoke cyber weapons for high-profile attacks from Fort Meade. All 
of this may have theoretical benefits at some point. But such 
offensive investments do not translate into more efficient 
information-sharing at home, into safer logic controllers, or into 
better-trained asset owners. To the contrary: the offense can suck up 
skills needed on the defense. And while it would make all of us more 
secure to close up those software holes, the NSA and CYBERCOM would 
rather they stay open as avenues of espionage and attack.

One reason why, perhaps, is that, so far, there's only been one 
publicly-acknowledged destructive ICS attack anywhere, ever. The only 
successful cyber-sabotage strike that targeted control systems (and 
that was not an insider attack) was an American intelligence 
operation: the famous Stuxnet worm that targeted Iran's nuclear 
enrichment program in Natanz -- without achieving its goal. The White 
House, it seems, has learned some lessons from this episode. In a 
recently leaked secret document, the administration highlighted the 
"unintended or collateral consequences" of offensive cyber operations 
that may affect U.S. national interests. Apparently the White House 
sensed that Stuxnet had a counterproductive effect on "values, 
principles, and norms for state behavior." Cyber sabotage, they fear, 
could come back to haunt them.

In cyber security, it seems, a good offense is bad defense -- 
certainly made worse by sequestering the critical training of those 
who really keep the nation's infrastructure safe: the asset owners, 
engineers, and operators who make the monthly trek to Idaho Falls 
from all fifty states. Idaho National Labs has its own "war map" with 
red and blue and green and white pins: it's a large chart of the 
entire United States (and a smaller with allied nations), up in the 
first floor lunch area of the training facility. Every participant of 
the ICS training places a pin into their home town by sector: white 
if they come from the government, red for energy, blue for water, and 
so on. This is the map that really counts. The more dots and the more 
color, the better. But unless there's a radical change in how the 
U.S. secures its power plants and factories, there's never going to 
be enough push pins to stave off calamity.


-- 
Roger Clarke                                 http://www.rogerclarke.com/
Xamax Consultancy Pty Ltd      78 Sidaway St, Chapman ACT 2611 AUSTRALIA
Tel: +61 2 6288 6916                        http://about.me/roger.clarke
mailto:Roger.Clarke at xamax.com.au                http://www.xamax.com.au/

Visiting Professor in the Faculty of Law            University of N.S.W.
Visiting Professor in Computer Science    Australian National University
