Interesting People mailing list archives
a rather complete report on SCADA djf -- "Hackers target U.S. power grid" (wash post)
From: David Farber <dave () farber net>
Date: Sun, 13 Mar 2005 00:11:39 -0500
------ Forwarded Message
From: Bob Alberti <alberti () sanction net>
Date: Sat, 12 Mar 2005 18:33:56 -0600
To: <dave () farber net>
Subject: RE: [IP] "Hackers target U.S. power grid" (wash post)

I have conducted data security audits of the Supervisory Control and Data Acquisition (SCADA) systems that control (among much else) the nation's electrical grid.

The North American Electric Reliability Council (NERC) has done a creditable job of requiring security with its Urgent Action Standards 1200 and 1300, but the utilities themselves are very slow to meet the requirements of the Federal Energy Regulatory Commission as is illustrated by this article: http://tinyurl.com/5wrrw

Among my clients, data security was terribly poor, with most of the IT staff in complete denial about vulnerabilities.

At the beginning of one audit my company was assured that the SCADA system was "completely separate" from the corporate network and therefore less vulnerable to hackers and viruses. Upon examination, however, I discovered that the primary IT administrator had a Windows NT 4.0 desktop system with two network cards, one connected to the SCADA system, and the other to the corporate Intranet. His "complete separation" of the two networks was accomplished by his network routing table alone, which he insisted was sufficient separation.

Examination of the actual SCADA computers revealed that they were running out-of-date versions of a common operating system software, entirely unpatched and unsecured. Obtaining all passwords to these systems was accomplished by connecting to a particular port and typing "GET //etc/password". These out of date systems are delivered by the manufacturers, who make no attempt to secure their software or keep the systems up to date, and discourage tampering with their proprietary software.

Finally, these utilities are not prepared to make changes. In one case our audit report was rejected by the company, which refused to pay us. Their reasoning was that the report was useless because it could not be presented to the board, so damning was it of the company's security measures. We worked for six months to submit a version of the report that the client would pay for, and had so thoroughly watered down the results that they were next to meaningless.

Here's what others involved in the field have to say about SCADA security...

"I designed, built, implemented and managed a completely integrated manufacturing system. the Process Control network could be the ideal assault base [for hackers]"
Rogan Dawes, Johannesburg, South Africa.

"Many of these "obscure" [SCADA] protocols are even less secure than the *least* secure Internet protocols,"
Matthew Franz, IEEE Computer Society Technical Committee on Security and Privacy, United States.

"SCADA networks have been implemented to be functional not secure and the SCADA management staff maintain the operational aspects of the systems, rarely implementing good business practices and/or proactive monitoring,"
Derek Grocke, EDS International Data Centre, Australia.

"The [SCADA] vendors have little motivation to [secure their products] unless some big hand forces them to do so. Heck, we can't even get the vendors to bring Operating Systems up to the current patch level before deploying them. current trends indicate this [behavior] is a thing of the past."
Mark Wolfgang, Computer Security Consultant/Engineer, US Navy (hon. dis.), Co-author "21 Steps to Improve Cyber Security of SCADA Networks," President's Critical Infrastructure Protection Board, the Office of Independent Oversight and Performance Assurance.

".most of the vulnerabilities are blindingly obvious."
David S. Brown (CIAC, US), author of "The CIAC Binary Inspector Tool (BIT): A Non-Intrusive Vulnerability Detection Mechanism."

As with much else in the post-911 world, many electrical utilities are paying lip service to security while failing to enact any changes that actually improve security.

Dr. Bill Hancock of Savvis Communications asserts that it takes three security incidents before a culture will change to become more secure - the first being an anomaly, the second a coincidence, and the third an actual problem. I think he's got that right.

Nationally, 9/11 was our first security incident, and the August 2003 East Coast blackout might constitute the first incident for the electrical industry. If Dr. Hancock's theory is correct, it's going to take a couple more August-2003-magnitude blackouts before the utility industry makes any substantive improvements in the security of our electrical infrastructure.

Bob Alberti, CISSP, ISSMP, President
Sanction, Inc. Phone: (612) 486-5000 ext 211
PO Box 583453 http://www.sanction.net
Mpls, MN 55458-3453
"Security is more than firewalls, it's efficient business processes."

-----Original Message-----
From: owner-ip () v2 listbox com [mailto:owner-ip () v2 listbox com]On Behalf Of David Farber
Sent: Saturday, March 12, 2005 10:00 AM
To: Ip
Subject: [IP] "Hackers target U.S. power grid" (wash post)

BTW Pat Wood is a very good person who actually wanted to be at the FCC

Dave

------ Forwarded Message
From: Fred Langa <fred () langa com>
Date: Sat, 12 Mar 2005 10:33:57 -0500
To: <dave () farber net>
Subject: "Hackers target U.S. power grid" (wash post)

Describing his reaction to the demonstration [of how easily hackers might break into electrical grid computers] Patrick H. Wood III, the chairman of the Federal Energy Regulatory Commission, said: 'I wished I'd had a diaper on.'"

http://www.msnbc.msn.com/id/7152899

============
Fred Langa
Current Projects/Affiliations Info: http://www.langa.com/about_fred.htm
General email: fred () langa com
Free Newsletter ("The LangaList"): subscribe () langa com
Free LangaList Link Exchange: http://www.langa.com/code.htm
PR & Product Professionals: For priority handling, please send product-related email to: PR () Langa Com

------ End of Forwarded Message

-------------------------------------
You are subscribed as ip () sanction net
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/

------ End of Forwarded Message

-------------------------------------
You are subscribed as lists-ip () insecure org
To manage your subscription, go to http://v2.listbox.com/member/?listname=ip
Archives at: http://www.interesting-people.org/archives/interesting-people/