Wednesday, December 05, 2007

SCADA Compromise in 08? Bring it On!


So as yet another sign that SCADA is out of the closet, it made Hoff's 2008 [In]Security Predictions.

Be-Afraid-A of a SCADA compromise...the lunatics are running the asylum! Remember that leaked DHS "turn your generator into a roman candle" video that circulated a couple of months ago? Get ready to see the real thing on prime time news at 11. We've got decades of legacy controls just waiting for the wrong guy to flip the right switch. We just saw an "insider" of a major water utility do naughty things, imagine if someone really motivated popped some goofy pills and started playing Tetris with the power grid...imagine what all those little SCADA doodads are hooked to...


Call me cynical, but was has changed to make things worse in the last five years that would increase the liklihood of a "SCADA Compromise" (WTF that means). While things are probably different (meaning better, more rational) inside in large asset owners, in public forums the IT vs. Control System debate is as unealthy as it was back in 2003. Many control systems folks are still intent on making broad generalizations based their own bad experience with "IT".

What we're seeing here is a clash of technological focus and philosophies. IT departments don't do risk analysis the way Control Engineers do. Often things are replaced only because they're going to be out of date real soon now. Many throw software and servers at the wall until something useful sticks. I've heard estimates that up to 1/3 of all IT projects are regarded as failures. Few seem to see anything wrong with this. They take the risk anyway, knowing that the payoff can be very lucrative. Conversely, the control engineer tends to run a risk analysis on everything before making a move. They're very conservative and often don't change anything unless there are no parts for it any more and they've run out of spares. Their bosses are penny pinchers. They won't spend money to invest in anything that isn't broken.


and
And the fundamental difference between the IT department and the industrial control system engineer is that the engineers usually work at the application level. There is very little knowledge of the OS under the hood.

It pretty easy to come of with counterexamples for these. For every Areva admin that has no clue about Windows 2000 and TPKT/COTP, I'll bet there is an Oracle DBA that is equally clueless about Solaris 2.8 and TCP/IP.

But the more interesting question of about high visibility critical infrastructure compromise scenarios is why they aren't happening vs. how they could happen.

3 comments:

Anonymous said...

My point of writing that exaggerated comment on the SCADA list was to show where most of those attitudes come from, and to encourage exactly what you're suggesting.

There is no use in denying that both sides have some major cultural baggage to overcome. One of the earlier comments from a contributor that inflamed Walt was that Control systems are a subset of typical IT applications.

That is exactly the attitude we must steer away from, if we are to have any success at SCADA security.

As for how the IT security tools can be implemented on a control system, we must first wipe the table clean of any notions that either side knows better than the other. Then, we must open our ears and our minds to what the others are saying.

We didn't get in to this morass overnight. The reason many utilities chased their IT departments away from control systems is because the usual office IT philosophy, policies, and practices are fundamentally different from a control system.

Both sides have an awful lot of "we do it that way because we always do it that way" going on. And in most applications it may work just fine for them. But now it's time to upset some apple carts on both sides and try to get some key leaders on both sides to push this forward.

You won't find many of them. They're rare birds. That's why this is taking so long.

Matt Franz said...

Jake,

For the most part, I agree.

Although I still find totalizing comments like "usual office IT philosophy, policies, and practices" problematic not only because there is a signficant amount of diversity within large IT organizations, but because these sort of generalizations work to the rhetorical advantage of the SCADA side of the argument when you equate all of IT with "desktop apps" UNIX with Windows or server apps with network infrastructure. Each have different levels of risk tolerance, security expertise, and availability requirements...

But thanks for the response, although I'm not terribly optimistic about a successful or timely resolution to the morass.

- mdf

Anonymous said...

Hey Matt:

To address the point you raised:

"Call me cynical, but was has changed to make things worse in the last five years that would increase the liklihood of a "SCADA Compromise" (WTF that means). While things are probably different (meaning better, more rational) inside in large asset owners, in public forums the IT vs. Control System debate is as unealthy as it was back in 2003."

What's changed is the increase in attention, focus and opportunity associated with this vector.

That DHS video wasn't "accidentally" leaked. I know where it came from and from whom...and why. Without the need to summon images of the black helicopter crowd, while things have improved substantially, you'll note that I didn't say this would be an attack from the outside...

Having performed security assessments starting in about (strangely) 2003 and correlating those with the technology being pushed today to provide complete utility automation and control out to the curb via (of all things) wireless, I'm less than comfortable with the theory that we're all good...

I made that "prediction" mostly to agitate but as one of my good buddies says, it'll never happen until it does ;)

/Hoff