RE: SCADA Auditing Tools

From: Dawes, Rogan (ZA - Johannesburg) (rdawes@deloitte.co.za)
Date: Tue Jul 15 2003 - 04:06:38 EDT


I worked for an electricity utility in a previous life, and one thing I can
tell you is that the mode of operation is usually:

If it is working, don't touch it!

The amount of effort that goes into commissioning or recommissioning a
system is large, involving many people, over an extended length of time, and
is something that the bosses would rather avoid, if at all possible.

This particular utility still has servers running AIX 3.2.5 which were
installed in 1995, and have barely been touched since.

Newer machines commissioned since then are running AIX 4.x, which proves
that there are no technical reasons why the OS has not been upgraded. The
real reason is inertia, and fear of what might happen if they do upgrade.

There is also very little support from the vendor, to say that "Hi, we know
that there is this new version, here are the *supported* steps you need to
follow to successfully migrate your installation"

What concerns me is the number of process control devices that are now
offering embedded HTTP servers, connectivity over IP, etc. Given the
reported vulnerabilities on Bugtraq, etc, w.r.t embedded IP stacks in
devices like JetDirect cards and the like, I would like to know how reliable
the IP stacks are in those devices.

Also the increasing number of links between IT LANs and Process Control
networks, for "management info", often provided via an HTTP interface!

Rogan
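The thread quoted below keeps returning to two points: protocols such as Modbus have been moved onto TCP/IP with no authentication or authorization at all, and actively scanning operational systems is risky. As an added illustration (not code from this list, nor from any vendor or tool it mentions), the Python below parses captured Modbus/TCP frames passively, without sending anything to the devices, and flags write requests from hosts not on an allowlist; the frames, addresses and allowlist are constructed for the example.

```python
import struct

# Public Modbus function codes that change process state. The frame carries no
# authentication field at all, so source address is all a monitor can key on.
WRITE_FUNCTIONS = {5: "Write Single Coil", 6: "Write Single Register",
                   15: "Write Multiple Coils", 16: "Write Multiple Registers",
                   23: "Read/Write Multiple Registers"}

def parse_modbus_tcp(frame: bytes) -> dict:
    """MBAP header: transaction id (2), protocol id (2, always 0), length (2,
    bytes after the length field), unit id (1); then function code (1)."""
    if len(frame) < 8:
        raise ValueError("frame shorter than MBAP header plus function code")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0:
        raise ValueError(f"protocol id {proto} is not Modbus")
    if length != len(frame) - 6:
        raise ValueError("MBAP length field does not match frame size")
    return {"tid": tid, "unit": unit, "function": frame[7], "data": frame[8:]}

def audit(frames, allowed_writers):
    """(source, message) alerts for writes from hosts outside the allowlist
    and for frames that do not parse as Modbus/TCP."""
    alerts = []
    for src, frame in frames:
        try:
            pdu = parse_modbus_tcp(frame)
        except ValueError as err:
            alerts.append((src, f"malformed: {err}"))
            continue
        fc = pdu["function"]
        if fc not in WRITE_FUNCTIONS or src in allowed_writers:
            continue
        if fc == 5:  # decode the coil write so the alert says what changed
            addr, value = struct.unpack(">HH", pdu["data"][:4])
            what = f"coil {addr} -> {'ON' if value == 0xFF00 else 'OFF'}"
        else:
            what = WRITE_FUNCTIONS[fc]
        alerts.append((src, f"unit {pdu['unit']}: unauthorised {what}"))
    return alerts

# Constructed sample traffic (not a real capture): the HMI at 10.0.0.5 reads two
# holding registers and switches coil 1 off; an unexpected host then switches
# the same coil on, and nothing in the protocol itself stops it.
SAMPLE_FRAMES = [
    ("10.0.0.5", bytes.fromhex("0001000000060103000a0002")),
    ("10.0.0.5", bytes.fromhex("000200000006010500010000")),
    ("192.168.1.77", bytes.fromhex("00030000000601050001ff00")),
]
```

Feeding real traffic to `audit()` means reading frames off a span port or pcap rather than probing the PLCs, which is the only safe way to get this data from systems that, as the thread notes, may not survive a port scan.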

> -----Original Message-----
> From: Mark Wolfgang [mailto:moonpie@moonpie.org]
> Sent: 14 July 2003 05:49 PM
> To: Matthew Franz
> Cc: pen-test@securityfocus.org
> Subject: Re: SCADA Auditing Tools
>
>
> I agree that it shouldn't be too difficult for the right person to
> write some tools based around the control network protocols, but this
> of course takes time and more importantly, money. The vendors have
> little motivation to do this unless some big hand forces them to do
> so. Heck, we can't even get the vendors to bring Operating Systems up
> to the current patch level before deploying them.
> Many control systems I've seen are things like stock Solaris 2.6 boxes
> running critical apps. This may have been OK when SCADA systems were
> completely closed systems, but current trends indicate this is a thing
> of the past.
>
> While conducting an assessment at an ISO last year they were talking
> about implementing a new EMS and we spoke at length about how they
> should require the vendor to implement security into the new
> SCADA system or the deal is off.
> Requirements to the vendor such as:
> - there shall be no extraneous services running on systems
> - systems shall be brought up to the current patch level
> - the vendor shall supply patches to the client in regards to security
> and bug fixes
>
> This may answer the question for new systems, but demanding this from
> vendors for older systems might not go over well.
>
> The original question remains unanswered...
>
> -Mark
>
> On Thu, Jul 10, 2003 at 09:38:40PM -0500 or thereabouts,
> Matthew Franz wrote:
> > Back to the original question...
> >
> > If one were to bracket off on the "normal IT security stuff"--which
> > existing tools would cover (assuming they didn't bring down the control
> > system network and life as we know it) it wouldn't be terribly difficult
> > to write some tools that scanned industrial devices, at least the
> > Ethernet-enabled ones.
> >
> > Many of these "obscure" protocols are even less secure than the *least*
> > secure Internet protocols we know and love. Stuff that formerly ran on
> > [closed] RS-232/485 or field-bus (or whatever) networks has been plopped on
> > top of TCP/IP with no way to do even weak authentication or authorization.
> > Never mind the oh-so-popular embedded web servers that give out loads of
> > information about the devices in question (also without
> > authentication)....
> >
> > Among security-minded folks in the control system community there is
> > simultaneous frustration that these vulnerabilities aren't being taken
> > seriously by users and vendors, yet great fear of releasing any detailed
> > information about vulnerabilities in applications, protocols, or devices.
> >
> > And what independent/academic/corporate researcher would release even the
> > most benign auditing tools due to the fear of being branded a threat to
> > national security?
> >
> > - mdf
> >
> > ---------
> > Hi,
> >
> > I agree with Mark.
> > I have had the same experiences with SCADA reviews in that many of
> > the risks associated in IT/business reviews are the same.
> >
> > One thing that you need to be aware of is that generally SCADA networks
> > have been implemented to be functional not secure and the SCADA
> > management staff maintain the operational aspects of the systems, rarely
> > implementing good business practices and/or proactive monitoring, i.e.
> > BCP/DRP/BIA/TRA, Intrusion Detection, patching/hotfixes.
> > This is normally because these systems are built and managed by
> > engineering staff and because of the operational integrity needs, don't
> > want the corporate playing around with them...
> >
> > There are some basic things that should be done within SCADA networks,
> > but in addition to the things we generally look at, all SCADA environments
> > are different, so you need to keep open minded, i.e. Radio (private,
> > 802.11, etc.), IP tunneling, isolation of business from SCADA networks,
> > restriction of commands/devices available to the general network,
> > restrict unauthenticated PBX modems, etc.
> >
> > Also the hardware manufacturers have not been helpful in providing
> > devices (RTU, PLC, etc.) which are supportive of these critical systems.
> >
> > Anyway have fun.
> > Derek
> >
> > ------------ Original Message --------------
> > From: Mark Wolfgang <moonpie@moonpie.org>
> > to: Alfred Huger <ah@securityfocus.com>
> > cc: pen-test@securityfocus.com
> > Subject: Re: SCADA Auditing Tools
> >
> >
> > Most of the SCADA/EMS/DCS audits I've done have been more risk-based
> > (policy driven) than technical approaches due to the chance of
> > crashing some old system that can't handle a bunch of SYN packets.
> >
> > The technical auditing I've done use many of the same tools as a
> > normal pen test, but I'll be a LOT more gentle and specific in what
> > I'm doing. I won't even portscan operational systems...no
> > thanks...don't want the liability. Of course there are systems in a
> > SCADA network that aren't absolutely critical for plant operations
> > (such as PI servers) that can be hammered pretty hard using
> > traditional methods.
> >
> > I try to think of SCADA as "system", much like any other information
> > system. It has traditionally spoken more obscure protocols, such as
> > modbus, ICCP, and DNP, but is moving to more common protocol stacks such as
> > IP. This is sort of dangerous, in that now all of the IP based
> > vulnerabilities accompany this migration. Of course, security by
> > obscurity was never a good approach anyway.
> >
> > -Mark
> >
> > On Wed, Jul 09, 2003 at 11:19:42AM -0600 or thereabouts, Alfred Huger
> > wrote:
> > >
> > >
> > > Hey all,
> > >
> > > Does anyone out there know of any commercial or free SCADA auditing
> > > tools?
> > > I've looked around and found very little and while I know there are
> > > private tools out there I am interested in hearing about those which the
> > > public can get their hands on.
> > >
> > > Some resources I have found which are pretty decent are:
> > >
> > > http://scada.trinux.org/
> > > http://grouper.ieee.org/groups/1525/SCADA%20Security/Rtcrypto=SCADA-code.ppt
> > > http://www.plantdata.com/SCADA%20Security%20Strategy.pdf
> > > http://www.io.com/~mdfranz/papers/franz-API-future-of-scada-security.ppt
> > > http://grouper.ieee.org/groups/sub/wgc3/c37sections/clause5/clause5_3_security/Substations%20communications%20system%20security%20D1r2.pdf
> >
> >
> > -al
> >
> > Alfred Huger
> > Symantec Corp.
>

-- 
Risk accepted by one is imposed on all
http://moonpie.org


This archive was generated by hypermail 2.1.7 : Sat Apr 12 2008 - 10:53:36 EDT