More SCADA weakness? 2

Bad system design is bad system design. I can't tell you how many times I've heard variations of the comment "We aren't going to waste a bunch of money on cyber security on this system, who would want to hack this?" Hackers do things because it's easy and they can. If you don't make it easy, most of them just move on to targets that are.


"You measure the size of the accomplishment by the obstacles you had to overcome to reach your goals" -- Booker T. Washington
 
Correct me if I am wrong, but it appears that no SCADA software was involved.
 
I don't believe I wrote that it was "internet" or even "wired" in the original post.

I've set up wireless SCADA in the past, and wireless I/O, and wireless data point transducers for single inputs. Some have been cellular, some have been satellite, and some have been line-of-sight. I'm confident that anyone who has worked on municipal, refinery, agricultural, or any other larger scale (geographically) project has done the same.

The article you linked seems to echo what my intent was - Don't blow this off as "it can't happen here" or "this is a one-off incident" because I know better. If you've ever been involved in DOE projects, you will already know the rules, protocols, and limits to communication. I believe it is once again time to remind some of the more passive engineers to be more prudent.
 
This is an overview:


The National SCADA Test Bed Standards Report outlines the common industry standards and guidelines. From what I know, the requirements from DOE do not dictate the on-site systems to component or protocol levels, but the general communication schemes - Nothing in, nothing out. I imagine that "regulations" vary widely from site to site since each company must certify its compliance, but within how that company manages its security. Among those I've done work for are pipeline, refining, and ethanol-producing companies, in addition to the "normal" work for food, beverage, chemical, paper, metal finishing, and other types of businesses along with the typical municipalities.

I've had to submit a "secure" internal network plan to the company for approval so that they can certify it "secure" to their agencies. AFAIK the DOE doesn't dictate below that level. I've been on DOE regulated sites which do not allow anything but text email in and out (no html, no attachments, etc.), restrict cellular phones, have no wifi, and similar restrictions on communications. I have provided control systems on these sites with no external true duplex communications. Anything on the site can be wide open, but with no external ethernet, RF or other externally accessible network connections. The SCADA PCs look like a "normal" one, HMIs have all the same features and animations and functions, but it's all internal to the site. The SCADA PC is on the site with no outside network connected. Any external monitoring and alarms are done via isolated digital signals the simple, old fashioned way - Relays for alarms, status, and remote safeties, and MAYBE a phone dialer. Any reprogramming is not via ethernet or even MODEM, but on site or by shipping a new PLC ROM module or HMI flash card or USB stick. Get it right and mail it, or plan a trip.

I've heard that DOD sites are tougher, but I'm totally ignorant about that.
 
I get it. No external.

I'm working on a product that would have a cellular connection that might possibly feed into a SCADA network. The actual info would 'visit', say, Verizon's LTE network between the sensor and the control network. This might link the control network to the internet but I would think one could still prevent any diddling with the control network operation/programming.

Is there provision for that kind of data path or does everything have to reside within the SCADA network's radio and cabled realm?

Thanks much Watthour.

Keith Cress
kcress -
 
"This might link the control network to the internet but I would think one could still prevent any diddling with the control network operation/programming."

Today, it's relatively straightforward to spoof a cell tower, so anything that's being transmitted on a cellular network is vulnerable to eavesdropping, which means that any protocol that sends data can be data mined for security procedures.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
A lot of the reasoning behind 'no external' is that most industrial protocols are inherently insecure.

A lot of SCADA used to be set up to either communicate directly with lower-level equipment, or communicate using insecure protocols (Modbus is a good example); thus, if there are external communications, then it's vulnerable. I believe OPC has developed to allow for encrypted communications between local OPC servers and remote (SCADA) clients, but that ends up with a whole lot more hardware at one end, which isn't always desirable.

The second aspect of vulnerability is how secure the communications link and end equipment are. There is a lot of stuff around that ends up sitting on the internet with little security but enough capability to be compromised, including the modem itself. Leaving things like Telnet enabled for remote administration, as an example, is asking for trouble.

As a result, leaving an air gap between the equipment and external communications is one of the better options. If external communications are needed, then at the very least some sort of security at both ends (e.g. VPN) should be employed.

EDMS Australia
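The point about Modbus above, as an added example that is not part of the post and not any vendor's code: a minimal Modbus/TCP frame builder, parser and simulated slave. The "PLC" here is a constructed in-memory register table (not a real device), and the frames are built inline. What it shows is that the Modbus application data unit has a transaction id, unit id, function code and data and nothing else: no credential, integrity tag or signature, so any host that can reach TCP/502 can issue a Write Single Register (0x06) and the slave honours it. That is what makes the VPN-at-both-ends (or air gap) the only place the access control can live.

```python
"""Minimal Modbus/TCP builder, parser and simulated slave (constructed example).

Assumed/constructed: the SimulatedPlc class stands in for a real device; the
register addresses and values are invented for illustration.
"""
import struct

PROTOCOL_ID = 0          # Modbus/TCP protocol identifier is always 0
FC_READ_HOLDING = 0x03   # Read Holding Registers
FC_WRITE_SINGLE = 0x06   # Write Single Register
EXC_ILLEGAL_FUNCTION = 0x01


def build_adu(transaction_id, unit_id, function_code, payload):
    """MBAP header (7 bytes) followed by the PDU (function code + data)."""
    pdu = bytes([function_code]) + payload
    # The MBAP length field counts the unit id byte plus the PDU.
    mbap = struct.pack(">HHHB", transaction_id, PROTOCOL_ID, len(pdu) + 1, unit_id)
    return mbap + pdu


def read_holding_registers(transaction_id, unit_id, address, quantity):
    return build_adu(transaction_id, unit_id, FC_READ_HOLDING,
                     struct.pack(">HH", address, quantity))


def write_single_register(transaction_id, unit_id, address, value):
    return build_adu(transaction_id, unit_id, FC_WRITE_SINGLE,
                     struct.pack(">HH", address, value))


def parse_adu(frame):
    """Split a frame into its fields. Note what is absent: no credential or MAC."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, pid, length, uid = struct.unpack(">HHHB", frame[:7])
    if pid != PROTOCOL_ID:
        raise ValueError("not Modbus/TCP")
    if length != len(frame) - 6:
        raise ValueError("MBAP length mismatch")
    return {
        "transaction_id": tid,
        "unit_id": uid,
        "function_code": frame[7],
        "data": frame[8:],
    }


class SimulatedPlc:
    """Holding-register table that honours any well-formed request, as a real slave does."""

    def __init__(self):
        self.registers = {}

    def handle(self, frame):
        req = parse_adu(frame)
        fc, data = req["function_code"], req["data"]
        if fc == FC_WRITE_SINGLE:
            address, value = struct.unpack(">HH", data)
            self.registers[address] = value     # no check of who asked
            return frame                        # spec: response echoes the request
        if fc == FC_READ_HOLDING:
            address, quantity = struct.unpack(">HH", data)
            values = [self.registers.get(address + i, 0) for i in range(quantity)]
            payload = bytes([2 * quantity]) + struct.pack(">%dH" % quantity, *values)
            return build_adu(req["transaction_id"], req["unit_id"], fc, payload)
        # Exception response: function code with the high bit set, one exception byte.
        return build_adu(req["transaction_id"], req["unit_id"], fc | 0x80,
                         bytes([EXC_ILLEGAL_FUNCTION]))


def parse_read_response(frame):
    """Return the register values from a Read Holding Registers response."""
    resp = parse_adu(frame)
    if resp["function_code"] & 0x80:
        raise RuntimeError("Modbus exception code %d" % resp["data"][0])
    count = resp["data"][0]
    return list(struct.unpack(">%dH" % (count // 2), resp["data"][1:1 + count]))


if __name__ == "__main__":
    plc = SimulatedPlc()
    # An unauthenticated writer sets register 16 (an invented setpoint) to 0x1234.
    plc.handle(write_single_register(1, 1, 16, 0x1234))
    print(parse_read_response(plc.handle(read_holding_registers(2, 1, 16, 1))))
```

Feed `plc.handle` a frame from anywhere and the write lands; the parsed dictionary is every field the protocol offers a device for making a decision, which is why protection has to come from the transport (VPN, isolation) rather than from the protocol.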
 
Remember Stuxnet? An air gap might be part of the defense, but it's not the entire answer.
 
Air gapping is not all that secure. Look no further than Stuxnet. Someone, sometime will insert a USB flash drive into a USB port. Right now the current philosophy is defense in depth. Multiple layers of firewalls, malware checks, software versioning checks etc. For a secure network, you cannot assume that malware will not infect at least some of the hardware.
 
"Someone, sometime will insert a USB flash drive into a USB port."

Classified computers have all their USB ports disabled for flash drives. We've not had any breaches of our own classified network. It's not impossible to breach, but it's much harder. Our non-classified computers likewise have had their USB ports disabled for flash drives. Likewise, Auto-open and Auto-play are disabled. We're connected to email and internet, so those are still vulnerable.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
 
Having dealt with VPN and networks to get online with SCADA or PLCs, these are all driven by customers. DOD has always been the strictest, so I can see this happening over Ethernet considering what the Gov agency NSA has set up. You would think that NSA would bless the other agencies with the same security that they have, but it looks like that is not the case.

But not all businesses are going that route of no external since time is money. To me this is all customer driven on how long they can afford to be down until either you dial in (whatever way that is) or to a trip to site.
 
Again, like I said, there are always ways malware can get into a system. You can't make a system foolproof because fools are so ingenious. In any case, as I posted above, the system in the OP more than likely was not a SCADA system.
 
IRstuff,

Please help me understand. Modern PCs use USB ports for the mouse and keyboard. Is it possible to disable these ports for use as drives while maintaining mouse and keyboard functions? Thanks.
 
stevenal, that's correct.

The management isn't in the physical USB interface, it's in what kind of device and what access is granted to it. Since HID (Human Interface Device) is different to any sort of mass storage connection, it's entirely possible to block the mass storage access on a per user or per group basis. I don't know the exact details of how to achieve it though.

In terms of modern Operating Systems, there's a lot that can be done to manage users and access levels, but a lot of it isn't actually implemented. I've worked in a few places where they do such things, as well as block access to change wallpaper, access to network device configuration and so on.

EDMS Australia
 
Wasn't there some hack where a trojan was delivered via a USB mass storage drive configured to make it appear as a HID?

-AK2DM

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
"It's the questions that drive us"
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

 
Yes, our company blocks devices that self-identify as mass storage, but other devices can still get in. Haven't tried to spoof yet. USB would still be vulnerable from other devices. Certainly, a keyboard or mouse HID can potentially do lots of damage, particularly from a keyboard.

There's a different level of protection for internal vs. external attacks. Our computers only allow 5 login errors before the account is locked out.

TTFN (ta ta for now)
I can do absolutely anything. I'm an expert! faq731-376 forum1529 Entire Forum list
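The class-based blocking described two posts up, and the keyboard-that-is-really-something-else question just above it, as one added example that is not from either post and not any operating system's actual enforcement code. It parses USB configuration descriptors (the real wire format: 9-byte configuration and interface descriptors, 7-byte endpoint descriptors, 9-byte HID descriptor) and applies the policy "deny any device exposing a mass-storage interface, let HID through". The three descriptor blobs are constructed here for illustration. The last vector is the point of the second post: a keystroke injector that enumerates as a plain boot keyboard is byte-for-byte the same descriptor set as a real keyboard, so a class filter passes it.

```python
"""USB configuration-descriptor parser and a mass-storage deny policy (constructed example).

Assumed/constructed: the builder helpers and the sample descriptor blobs are
invented for this demonstration; field layouts follow the USB 2.0 spec.
"""
import struct

DESC_CONFIG, DESC_INTERFACE, DESC_ENDPOINT, DESC_HID = 0x02, 0x04, 0x05, 0x21
CLASS_HID, CLASS_MASS_STORAGE = 0x03, 0x08


def walk_descriptors(blob):
    """Yield (bDescriptorType, raw_bytes) for each length-prefixed descriptor."""
    off = 0
    while off < len(blob):
        if off + 2 > len(blob):
            raise ValueError("truncated descriptor header at offset %d" % off)
        length, dtype = blob[off], blob[off + 1]
        if length < 2 or off + length > len(blob):
            raise ValueError("malformed descriptor at offset %d" % off)
        yield dtype, blob[off:off + length]
        off += length


def is_well_formed(blob):
    """True if the blob starts with a configuration descriptor whose wTotalLength matches."""
    try:
        descriptors = list(walk_descriptors(blob))
    except ValueError:
        return False
    if not descriptors or descriptors[0][0] != DESC_CONFIG or len(descriptors[0][1]) != 9:
        return False
    total_length = struct.unpack_from("<H", descriptors[0][1], 2)[0]
    return total_length == len(blob)


def interface_classes(blob):
    """(bInterfaceClass, bInterfaceSubClass, bInterfaceProtocol) for every interface."""
    classes = []
    for dtype, d in walk_descriptors(blob):
        if dtype == DESC_INTERFACE and len(d) == 9:
            classes.append((d[5], d[6], d[7]))
    return classes


def deny_storage(blob):
    """Policy from the thread: block mass storage, keep keyboards and mice."""
    if not is_well_formed(blob):
        return "deny"  # fail closed on anything that does not parse
    if any(cls == CLASS_MASS_STORAGE for cls, _, _ in interface_classes(blob)):
        return "deny"
    return "allow"


# --- constructed test vectors -------------------------------------------------
def config_descriptor(interfaces_blob, num_interfaces):
    total = 9 + len(interfaces_blob)
    return struct.pack("<BBHBBBBB", 9, DESC_CONFIG, total, num_interfaces,
                       1, 0, 0x80, 50) + interfaces_blob


def interface_descriptor(number, cls, subclass, protocol, num_endpoints):
    return struct.pack("<BBBBBBBBB", 9, DESC_INTERFACE, number, 0, num_endpoints,
                       cls, subclass, protocol, 0)


def endpoint_descriptor(address, attributes, max_packet, interval):
    return struct.pack("<BBBBHB", 7, DESC_ENDPOINT, address, attributes, max_packet, interval)


HID_DESC = struct.pack("<BBHBBBH", 9, DESC_HID, 0x0111, 0, 1, 0x22, 63)

KEYBOARD_IFACE = (interface_descriptor(0, CLASS_HID, 1, 1, 1) + HID_DESC
                  + endpoint_descriptor(0x81, 0x03, 8, 10))
STORAGE_IFACE = (interface_descriptor(1, CLASS_MASS_STORAGE, 0x06, 0x50, 2)
                 + endpoint_descriptor(0x82, 0x02, 512, 0)
                 + endpoint_descriptor(0x02, 0x02, 512, 0))

KEYBOARD = config_descriptor(KEYBOARD_IFACE, 1)
STORAGE = config_descriptor(STORAGE_IFACE, 1)
COMPOSITE = config_descriptor(KEYBOARD_IFACE + STORAGE_IFACE, 2)   # keyboard + drive in one plug
KEYSTROKE_INJECTOR = KEYBOARD   # indistinguishable from a keyboard at the descriptor level

if __name__ == "__main__":
    for name, blob in [("keyboard", KEYBOARD), ("storage", STORAGE),
                       ("composite", COMPOSITE), ("injector", KEYSTROKE_INJECTOR)]:
        print(name, interface_classes(blob), deny_storage(blob))
```

The composite device is caught because the policy looks at every interface, not just the first; the injector is not, which is why an HID allowlist is necessary but has to be paired with the other controls the thread mentions (disabled autorun, account lockout, monitoring).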
 