More SCADA weakness?
(OP)
http://www.cnn.com/2017/04/08/us/dallas-alarm-hack...
This is one of the more publicized events. It's possibly only the proverbial tip of the iceberg.





RE: More SCADA weakness?
"You measure the size of the accomplishment by the obstacles you had to overcome to reach your goals" -- Booker T. Washington
RE: More SCADA weakness?
Not only, no internet was involved. The RF link was supposedly more secure...
TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! https://www.youtube.com/watch?v=BKorP55Aqvg
FAQ731-376: Eng-Tips.com Forum Policies forum1529: Translation Assistance for Engineers Entire Forum list http://www.eng-tips.com/forumlist.cfm
RE: More SCADA weakness?
I've set up wireless SCADA in the past, and wireless I/O, and wireless data point transducers for single inputs. Some have been cellular, some have been satellite, and some have been line-of-sight. I'm confident that anyone who has worked on municipal, refinery, agricultural, or any other larger scale (geographically) project has done the same.
The article you linked seems to echo what my intent was - Don't blow this off as "it can't happen here" or "this is a one-off incident" because I know better. If you've ever been involved in DOE projects, you will already know the rules, protocols, and limits to communication. I believe it is once again time to remind some of the more passive engineers to be more prudent.
RE: More SCADA weakness?
Keith Cress
kcress - http://www.flaminsystems.com
RE: More SCADA weakness?
https://energy.gov/sites/prod/files/oeprod/DocumentsandMedia/18-Security_Metrics_for_CS.pdf
The National SCADA Test Bed Standards Report outlines the common industry standards and guidelines. From what I know, the requirements from DOE do not dictate the on-site systems to component or protocol levels, but the general communication schemes - Nothing in, nothing out. I imagine that "regulations" vary widely from site to site since each company must certify its compliance, but within how that company manages its security. Among those, I've done work for pipeline, refining, and ethanol-producing companies, in addition to the "normal" work for food, beverage, chemical, paper, metal finishing, and other types of businesses along with the typical municipalities.
I've had to submit a "secure" internal network plan to the company for approval so that they can certify it "secure" to their agencies. AFAIK the DOE doesn't dictate below that level. I've been on DOE regulated sites which do not allow anything but text email in and out (no HTML, no attachments, etc.), restrict cellular phones, have no Wi-Fi, and similar restrictions on communications. I have provided control systems on these sites with no external true duplex communications. Anything on the site can be wide open, but with no external Ethernet, RF or other externally accessible network connections. The SCADA PC looks like a "normal" one, HMIs have all the same features and animations and functions, but it's all internal to the site. The SCADA PC is on the site with no outside network connected. Any external monitoring and alarms are done via isolated digital signals the simple, old-fashioned way - Relays for alarms, status, and remote safeties, and MAYBE a phone dialer. Any reprogramming is not via Ethernet or even MODEM, but on site or by shipping a new PLC ROM module or HMI flash card or USB stick. Get it right and mail it, or plan a trip.
I've heard that DOD sites are tougher, but I'm totally ignorant about that.
RE: More SCADA weakness?
I'm working on a product that would have a cellular connection that might possibly feed into a SCADA network. The actual info would 'visit', say, Verizon's LTE network between the sensor and the control network. This might link the control network to the internet but I would think one could still prevent any diddling with the control network operation/programming.
Is there provision for that kind of data path or does everything have to reside within the SCADA network's radio and cabled realm?
Thanks much Watthour.
Keith Cress
kcress - http://www.flaminsystems.com
RE: More SCADA weakness?
Today, it's relatively straightforward to spoof a cell tower, so anything that's being transmitted on a cellular network is vulnerable to eavesdropping, which means that any protocol that sends data can be data mined for security procedures.
TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! https://www.youtube.com/watch?v=BKorP55Aqvg
RE: More SCADA weakness?
A lot of SCADA used to be set up to either communicate directly with lower level equipment, or communicate using insecure protocols (Modbus is a good example); thus, if there are external communications, then it's vulnerable. I believe OPC has developed to allow for encrypted communications between local OPC servers and remote (SCADA) clients, but that ends up with a whole lot more hardware at one end, which isn't always desirable.
The second aspect of vulnerability is how secure the communications link and end equipment are. There is a lot of stuff around that ends up sitting on the internet with little security but enough capability to be compromised, including the modem itself. Leaving things like Telnet enabled for remote administration, as an example, is asking for trouble.
As a result, leaving an airgap between the equipment and external communications is one of the better options. If external communications are needed, then at the very least some sort of security at both ends (e.g. VPN) should be employed.
EDMS Australia
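An added example, not part of the post above: a Modbus/TCP request decoded field by field, with monitoring logic that flags write requests from hosts outside an allow-list. The frame has no credential or signature field, so the source address is the only thing a monitor can check; the sample traffic and the allow-list are constructed for illustration.

```python
import struct

# Modbus function codes that change state on the device (public Modbus spec).
WRITE_FUNCTIONS = {
    0x05: "Write Single Coil",
    0x06: "Write Single Register",
    0x0F: "Write Multiple Coils",
    0x10: "Write Multiple Registers",
}

def parse_modbus_tcp(frame: bytes) -> dict:
    """Decode one request: 7-byte MBAP header, function code, data. Nothing else exists."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    txn_id, proto_id, length, unit_id = struct.unpack(">HHHB", frame[:7])
    if proto_id != 0:
        raise ValueError("protocol id is not 0, not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"txn": txn_id, "unit": unit_id, "function": frame[7], "data": frame[8:]}

def audit(frames, allowed_writers):
    """Return (source, reason) for each write from a non-allowed host or malformed frame."""
    alerts = []
    for src, raw in frames:
        try:
            pdu = parse_modbus_tcp(raw)
        except ValueError:
            alerts.append((src, "malformed frame"))
            continue
        name = WRITE_FUNCTIONS.get(pdu["function"])
        if name and src not in allowed_writers:
            alerts.append((src, name))
    return alerts

# Constructed sample traffic: (source IP, raw request bytes).
SAMPLE = [
    ("10.0.0.5", bytes.fromhex("000100000006010300000002")),    # read holding registers
    ("10.0.0.5", bytes.fromhex("0002000000060106000100ff")),    # write register, allowed host
    ("192.0.2.44", bytes.fromhex("00030000000601050003ff00")),  # write coil, unknown host
    ("192.0.2.44", bytes.fromhex("0004000000")),                # truncated frame
]

if __name__ == "__main__":
    for alert in audit(SAMPLE, allowed_writers={"10.0.0.5"}):
        print(alert)
```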
RE: More SCADA weakness?
TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! https://www.youtube.com/watch?v=BKorP55Aqvg
RE: More SCADA weakness?
Classified computers have all their USB ports disabled for flash drives. We've not had any breaches of our own classified network. It's not impossible to breach, but it's much harder. Our non-classified computers likewise have had their USB ports disabled for flash drives. Likewise, Auto-open and Auto-play are disabled. We're connected to email and internet, so those are still vulnerable.
TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! https://www.youtube.com/watch?v=BKorP55Aqvg
RE: More SCADA weakness?
But not all businesses are going that route of no external since time is money. To me this is all customer driven on how long they can afford to be down until either you dial in (whatever way that is) or do a trip to site.
RE: More SCADA weakness?
Please help me understand. Modern PCs use USB ports for the mouse and keyboard. Is it possible to disable these ports for use as drives while maintaining mouse and keyboard functions? Thanks.
RE: More SCADA weakness?
The management isn't in the physical USB interface, it's in what kind of device and what access is granted to it. Since HID (Human Input Device) is different to any sort of mass storage connection, it's entirely possible to block the mass storage access on a per user or per group basis. I don't know the exact details of how to achieve it though.
In terms of modern Operating Systems, there's a lot that can be done to manage users and access levels, but a lot of it isn't actually implemented. I've worked in a few places where they do such things, as well as block access to change wallpaper, access to network device configuration and so on.
EDMS Australia
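An added example, not part of the post above: a per-interface USB audit keyed on the class code each interface reports (0x03 for HID, 0x08 for mass storage), which is what lets a policy keep keyboards and mice while refusing drives. It assumes the Linux sysfs layout where each interface directory holds a `bInterfaceClass` file; the `BLOCKED` policy set and the sample tree are constructed, and the script only reports a verdict rather than enforcing one.

```python
import os
import tempfile

# USB-IF class codes carried in each interface descriptor.
USB_CLASSES = {0x03: "HID", 0x08: "Mass Storage", 0x09: "Hub"}
BLOCKED = {0x08}  # assumed policy: refuse storage, keep keyboards and mice

def classify_interfaces(sysfs_root="/sys/bus/usb/devices"):
    """Return {interface name: (class name, 'block' | 'allow')} from sysfs-style entries."""
    result = {}
    for entry in sorted(os.listdir(sysfs_root)):
        path = os.path.join(sysfs_root, entry, "bInterfaceClass")
        if not os.path.isfile(path):
            continue  # device-level entries carry no interface class
        with open(path) as fh:
            code = int(fh.read().strip(), 16)
        name = USB_CLASSES.get(code, f"class 0x{code:02x}")
        result[entry] = (name, "block" if code in BLOCKED else "allow")
    return result

def build_sample_tree(root):
    """Constructed sample: a keyboard, a flash drive, and a composite device exposing both."""
    sample = {"1-1:1.0": "03", "1-2:1.0": "08", "1-3:1.0": "03", "1-3:1.1": "08"}
    for iface, cls in sample.items():
        os.makedirs(os.path.join(root, iface))
        with open(os.path.join(root, iface, "bInterfaceClass"), "w") as fh:
            fh.write(cls + "\n")
    os.makedirs(os.path.join(root, "1-1"))  # device node without bInterfaceClass
    return root

def demo():
    """Run the audit over the constructed tree and return the verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        return classify_interfaces(build_sample_tree(tmp))

if __name__ == "__main__":
    for iface, verdict in demo().items():
        print(iface, *verdict)
```

The composite device (`1-3`) is the case worth noticing: one physical plug presents both a HID and a storage interface, so the decision has to be made per interface, not per port.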
RE: More SCADA weakness?
-AK2DM
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It's the questions that drive us"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
RE: More SCADA weakness?
There's a different level of protection for internal vs. external attacks. Our computers only allow 5 login errors before the account is locked out.
TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! https://www.youtube.com/watch?v=BKorP55Aqvg