Chapter 6. Security

Cyber threat

Cyber vs physical attacks.

Mon, 21 Jul 1997 11:30:33 -0600

Barended (at last!) I have seen terrorism a lot of times. The guerrillas did fast and big damage during war, especially to power transmission lines and bridges, without taking the time to think about networks or decode anything. They were not thinking about 'sharing less risk with a cyber approach'. If someone is going to do big damage it will be physical. Remember McVeigh in OK. Hackers today are thinking more about renaming the CIA to Central Stupidity Agency or placing duck fossils instead of dinos on the Lost World Web Site (or aren't they?), and trying to get hold of a credit card number instead of learning how to send commands to an RTU. I definitely think physical damage would be much worse than a cyber attack, so physical security for utility facilities has more priority than cyber security.

 
                                       ____/|
     Jorge Rivera                    _|     |
     Informatica S. A.              _\      |
     Guatemala, Centro America     /        o\
     informa@guate.net             \    *   /
                                    \______/

Re: Cyber vs physical attacks.

Mon, 21 Jul 97 16:02:19 -0400

Jorge: Thank you very much for your insight and opinion. I am finding a wide range of arguments in every direction. Barry

Ref: 071997\msg00006.xml

Model of Scada for building a mathematical model

Wed, 23 Jul 97 15:26:13 -0400

Hello: Recognizing the various talents of readers on this list, I wanted to solicit input into a math model I am building that will help in assessing the impact of various cyber risks to Scada. What I have listed below is a partial list of attributes to describe a basic Scada system. Based on your experience, can you offer some additional attributes? At this point, I am creating a list with as many attributes as possible. Once assembled, I will then try to build a hierarchical holographic model (HHM). This is a technique developed by Dr. Y. Haimes. Here is a beginning.... I appreciate everyone's comments and candor.

Barry

_______

Hardware

software

information

communication

protocols

communication methods

modems

RTUs

MTUs

Water Supply

Water Distribution

Water Treatment

Local area

Regional

National

Temporal

Exogenous

Endogenous

attackers (developed by Dr Hood):

1. Hackers - for challenge and status.

2. Spies - to gain information for political exploitation.

3. Terrorist - fear and political gain.

4. Corporate raiders - gain a financial advantage.

5. Professional criminals - personal gain.

6. Vandals - to cause damage.

objectives. Hood's four distinct categories:

1. corruption of Information - any unauthorized alteration of files stored on a host computer

2. disclosure of information - dissemination of information to anyone not authorized access to the information.

3. theft of service - unauthorized use of computer or network without degrading services to other users.

4. denial of service - the intentional degradation or blocking of computer or network resources

Tools (developed by Hood):

1. user command - To guess the password or enter a long string and telnet into system.

2. script or program - At the User Command interface, attackers can make use of scripts or programs for the automation of commands. An example would be a "crack" program to determine passwords. Another example is a "Trojan Horse" program that is used to copy over an existing program. It performs like the program it replaced but also conducts other operations that the user is unaware about such as erasing files, logging passwords to a file, or corrupting data.

3. autonomous agent - This is the most widely publicized of means of attacks. It is similar to a Trojan Horse. The difference is that an Autonomous Agent contains program logic to make an independent choice of what host to attack (e.g. the computer virus).

4. toolkit - A grouping of scripts, programs and autonomous agents into a GUI program (e.g. rootkit).

5. distributed tool - A tool that attacks a host simultaneously from multiple hosts. Clock time can be used to synchronize the attack.

6. data Trap - The exploitation of the electromagnetic field surrounding a computer. This field contains information about the computer. Namely, to reveal data in transit or on the terminal.

7. HERF Attack - HERF: High Energy Radio Frequency Attack. The ability to emit a pulse from a device that could be hidden in a coke can in a garbage can that could destroy all electronic devices, but not damage the building or other structures. This form of attack was added by the author.

Re: Model of Scada for building a mathematical model

Wed, 23 Jul 1997 13:58:56 -0600

Barend device in a domestic distribution network is a device that costs very little, has very little intelligence, almost non-existent security mechanisms, etc. Contrast that with the RTU at a major pumping station. There would seem to be a correlation for some reason between the size of the facility and the amount of money invested in the associated systems.

2) In the list of tools you listed, only the HERF was listed as a tool for denial of service. Vandals and terrorists have a much larger repertoire of tools (wire cutters, explosives, etc). For spies and others interested in the data, or even denial of data availability, there are wonderful tools (all the maintenance tools we have can be abused!) such as network analyzers, sniffers, and so on. And these tools don't even have to be used anywhere near the target installation in many instances. E.g., just get hold of the telco's maintenance tools! I hope these thoughts are of some use to you. Good luck!

                              ////////////////////////////////////////
                             ///  R. Murray Reid   (403) 541-4787 ///
                            ///       murray.reid@pipe.nova.ca   ///
                           ////////////////////////////////////////

Ref: 071997\msg00016.xml

Model of Scada for building a mathematical model

Thu, 24 Jul 1997 08:17:10 -0400

You and many others on this group tend to overlook the fact that the use of SCADA is not limited to the water industry. All electric generation and transmission systems are under the "control" of a version of a SCADA system called "EMS" - Energy Management System. These have been in place for years and the only "attacks" that I am aware of were by disgruntled employees. Many distribution substations are coming under the control of SCADA as are many distribution lines (D.A. - Distribution Automation). As the vendors force these systems onto Intel platforms and even offer internet capability they will become increasingly vulnerable to "attack". We focus our energies on two things - keeping our employees happy (employed) and limiting dial-in ability. The rest of the system is secure. As for attacks on our stations; those are real problems that we always need to concern ourselves with and we have certain industry standard practices that give us some confidence that we can survive. It seems that internet discussion groups like this are the wrong place to discuss these issues in depth as you will never know who is "listening". Best of luck. S/ James M Gardner, Delaware Electric jmgardner@compuserve.com 302-349-3125 (V), 302-349-9455 (F)

Re: Model of Scada for building a mathematical model

I endorse James Gardner's view regarding the suitability of this forum for such discussions. There is nothing to stop a "bad guy" subscribing to this discussion group.

Steve Clifton, Landis and Staefa Switzerland
 stephan.clifton@sta.ch.landisstaefa.com 

Re: Model of Scada for building a mathematical model

Mon, 28 Jul 1997 08:45:56 -0400

Expert, probably. Insider? Nah. As a class, distributed control systems and scada systems have similarities which are clear to only the most cursory study.

You can defend against the odd Luddite. You can defend against the lone bomber. You can NOT defend against somebody who wants to take out a complete system without constructing the system considerably differently than they are now done.

It has been possible for years to, for example, black out the entire West Coast of the United States, and deny Los Angeles much of their water supply...and to do it in such a way that it would take months to get back on line and in the pipe.

I just thank God nobody has ever tried it.

And I agree...we ought not be too specific here. Somebody might be doing homework.

 Walt Boyes
 SeaMetrics Inc.
--
 ------------Walt Boyes------------------------------------
 SeaMetrics Inc.		ISA Online	MP Consultants
 www.seametrics.com	www.isa.org	www.netcom.com/~wboyes/home.html
 +sales and marketing	+EPUBS		+author/consultant/new media 
 ------------wboyes@ix.netcom.com--------------------------

Ref: 071997\msg00017.xml

My SCADA Survey For Water Supply Systems

Mon, 28 Jul 97 21:02:59 -0400

Hello everyone: I just returned from the Systems Engineering Department at the University of Virginia. I have constructed a web based survey with the hope that it receives the widest possible dissemination. The web link is: http://watt.seas.virginia.edu/~bce4k/home.html

If you are a person involved in water supply, it is my hope that you will complete the survey. At any rate, I have truly enjoyed the information learned from this mail list. Please check it out and tell me what you think. Are there any critical questions left out? Are any of them ambiguous? If you have a web site that reaches water supply utilities, please tag your page with this link. My goal is to get 1000 responses over the next three months. Thanks again for everyone's help. Thanks a lot.

 Barry
 
 Barry Ezell
 
 "Never ask a man what sort of computer he drives. If he's a Mac user
 he'll tell you. If not, why embarrass him?"
 --Tom Clancy

Ref: 071997\msg00019.xml

My survey on Cyber Risk to Scada and Water Supply Systems

Wed, 30 Jul 97 13:14:49 -0400

I wanted to give everyone a sitrep on how the responses are going. I have received 25 responses from around the world. Some of the answers are incredible! In order to get the widest possible dissemination, I would appreciate all of you sending the message below to as many sites as possible. I look forward to sharing the information learned with everyone here. Also, if you have some ideas on other mail lists or sites, please let me know. Perhaps you have a web site that people in the water business visit; if so, please post my web link on it.

http://watt.seas.virginia.edu/~bce4k/home.html

Listed below is the message I have been sending out. Australia is leading the way in responses!

Hello. My name is Barry Ezell. I am a graduate student at the University of Virginia in the Systems Engineering Department. I found your web page from a water utility link.

I am doing my thesis on assessing the vulnerabilities of SCADA systems to cyber terrorist and network attacks. Recently, you may have heard about the President's Commission on Critical Infrastructure to determine the risk to our infrastructures from different types of attack. The Center of Risk Management at UVA, along with industry and other universities, is researching the water resources infrastructure for the Presidential Commission. A subset of that research is the cyber terrorist component which is my domain. My thesis is written to answer the following question:

Is the US water resource system vulnerable to network terrorism in the near term (five years)? And if so, what is the nature of the threat?

I just completed a web based survey that helps me gather information about cyber risks to SCADA systems controlling water supply. If it is appropriate, could you add this link to your web pages. Thank you. The link to the survey is below.

http://watt.seas.virginia.edu/~bce4k/home.html Barry Ezell

Re: My survey on Cyber Risk to Scada and Water Supply Systems

Wed, 30 Jul 1997 13:16:56 -0400

Barry Ezell wrote: Have you posted to the Automation list? Send email to Ken Crater, at ken@control.com and ask him to post for you if you are not a member.

 Walt
 -- 
 ------------Walt Boyes------------------------------------
 SeaMetrics Inc.		ISA Online	MP Consultants
 www.seametrics.com	www.isa.org	www.netcom.com/~wboyes/home.html
 +sales and marketing	+EPUBS		+author/consultant/new media 
 ------------wboyes@ix.netcom.com--------------------------

Ref: 071997\msg00022.xml

New subscriber

Sun, 20 Jul 97 12:04:39 -0400

My name is Barry Ezell. I am a graduate student at the University of Virginia in the Systems Engineering Department. I joined your site to learn more about SCADA. Also, I can share with you what I have learned about the cyber threat.

I am doing my thesis on assessing the vulnerabilities of SCADA systems to cyber terrorist and network attacks. Recently, you may have heard about the President's Commission on Critical Infrastructure to determine the risk to our infrastructures from different types of attack. The Center of Risk Management at UVA, along with industry and other universities, is researching the water resources infrastructure for the Presidential Commission. A subset of that research is the cyber terrorist component which is my domain. My thesis is written to answer the following question:

Is the US water resource system vulnerable to network terrorism in the near term (five years)? And if so, what is the nature of the threat? Thank you for allowing me to join. Sincerely, Barry

 Barry Ezell
 Captain, United States Army
 bcezell@aol.com
 bce4k@virginia.edu
 Grad Student, Systems Engineering, UVA
 804 975 3525 (home)
 
 "Never ask a man what sort of computer he drives. If he's a Mac user
 he'll tell you. If not, why embarrass him?"
 --Tom Clancy

Re: New subscriber

Sun, 20 Jul 1997 09:54:45 -0400

The answer to your thesis question is: certainly it is. A better question would be: "So what do we do about it?"

Any distribution system sufficiently widespread and where 100% monitoring of resources such as pumping stations, dams, wellheads, etc. is impossible is vulnerable. It would be relatively simple to isolate the greater Los Angeles area from its water supply, for example. The question we ought to be interested in is, assuming a terrorist group willing to do it, how can such damage be prevented or minimized.

 Walt Boyes
 SeaMetrics Inc.
 --
 ------------Walt Boyes------------------------------------
 SeaMetrics Inc.		ISA Online	MP Consultants
 www.seametrics.com	www.isa.org	www.netcom.com/~wboyes/home.html
 +sales and marketing	+EPUBS		+author/consultant/new media
 ------------wboyes@ix.netcom.com--------------------------

Re: Your message

Sun, 20 Jul 1997 12:33:47 -0500

Hi Barry, I read your message, and welcome to the list. On the issue of cyber terrorism to the SCADA networks, that surely is a threat. As related to the country's water supply, I believe the greater threat is much simpler. Because of the widespread and isolated facilities such as pump stations, intake structures, dams, reservoirs and pipelines, we have a gigantic geographical area with little protection. It seems much simpler and more effective to compromise the water system physically, than to try to set up and decode the thousands of SCADA message protocols, then alter them to cause damage. The damage to the communication system would be detected, and very slow to take effect, versus the ability to cause illness within a few hours in a population of millions, or indeed to simply cut off all supply. I certainly do not minimize the threat of cyber intervention, just that in particular, the water supply has easier and faster means of intervention. Bill Cross CrosStar

Re: New subscriber

Sun, 20 Jul 97 13:16:55 -0400

I appreciate your feedback. I agree. Once we understand the threat, we will attempt to model the system, learn from how it reacts to different attacks, and then make it more redundant, robust and resilient. I believe this is going to be an excellent mail list!!

 Barry Ezell
 Captain, United States Army
 bcezell@aol.com
 bce4k@virginia.edu
 Grad Student, Systems Engineering, UVA
 804 975 3525 (home)
 
 "Never ask a man what sort of computer he drives. If he's a Mac user
 he'll tell you. If not, why embarrass him?"
 --Tom Clancy

Re: New subscriber

Mon, 21 Jul 1997 08:33:53 -0600

Barry Ezell: There are a number of challenges that a terrorist would face in attempting to do damage via a SCADA system used by a water utility. The first area of challenge for the terrorist is that it is normal practice for all remote facilities tied to a SCADA system to be designed for fail-safe operation. It is a fact of life that telecommunications do get disrupted. Thus the remote systems will operate in a safe manner on their own. Further, they are built with safeguards against human error. An operator (remote or on site; legitimate or otherwise; program or human) cannot make changes that would destroy the facility. Thus, the ability to directly impact a remote site by issuing a set of commands to it is limited. (If the terrorist is sufficiently knowledgeable about the systems/designs/etc, he could probably find a way to do damage - this is the classic problem of 'insider knowledge'/sabotage.) Another aspect of fail-safe operation is that to a large extent they are also protected against upsets to the process that could occur upstream or downstream of them. Things like abnormal pressures or flows get detected and responded to automatically.

Second is the problem of inserting messages into the SCADA telecommunications environment. It turns out that the older protocols can be the most difficult to penetrate. A master/slave multidrop environment is next to impossible to insert messages into. A sophisticated report-by-exception, routed network can still be a challenge as the extra messages will typically cause inconsistencies in the protocols and applications.

(A sub problem here is that there could be problems of physical access to the media to be able to make the data insertions.)

A third problem the terrorist faces is that the SCADA host system generally carries applications that do systemic load balancing and integrity checks. Thus the disruption of a remote site will not long remain undetected. It would take the messing with a number of remote sites in a concerted manner to actually be able to hide some disruption. Simply put, if one site is turned off, so that it is not delivering water, then somewhere else, some site(s) must be made to look like they are not putting an equivalent amount of water into the system, and every point in between must be made to agree about the reduced amount of water!

A fourth problem in messing with water systems is that they are designed to handle a fairly wide range of demand and supply variance. They have built in storage capacities. Thus, even if it was possible to cause a disruption to the delivery of water, there is some excess capacity that can be drawn upon to mitigate the effects of the disruption. Thus, the disruption induced must be hidden for a period long enough to exceed the buffering capability built into the system and the time it would take to repair the damage. The longer this period, the more likely it is that the third point will cause discovery.

(My experience is in the natural gas utilities. I know of many cases where there have been major pipeline breaks. There have been immediate work arounds to provide alternate supplies to the affected areas (typically not at the same levels of supply), as well as storage capacity to tide things over. The ability to marshal resources to effect repairs has also been exceptionally prompt for such a critical resource. End consumers have typically been unaffected in their daily operations by such catastrophic events.)

Needless to say, the above has lots of generalities. I am certain that there are specific instances that can be found of systems or remote sites that do not behave as robustly as I have indicated. It is such 'less adequate' environments that a terrorist would have the best chances of exploiting. As with most such discussions of this nature, one needs to do some form of cost/ benefit analysis that weighs the risks against the costs of defending against the terrorist threat. I suspect, from what I know of security issues, that protection against sabotage by disgruntled employees is likely to be a more fruitful approach to 'hardening' a SCADA system against terrorist abuse.

I hope the above is of some use to you in your work.

                              ////////////////////////////////////////
                             ///  R. Murray Reid   (403) 541-4787 ///
                            ///       murray.reid@pipe.nova.ca   ///
                           ////////////////////////////////////////
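Murray Reid's third point, that a host-side integrity check makes a single falsified or silenced site stand out because every point between supply and delivery must still agree, can be shown as a small mass-balance check over flow telemetry. The Python below is an added example written for this chapter, not code from the list or from any utility; the two-segment topology, the site names, the 5% metering tolerance and the readings are all constructed for illustration. It also carries the fourth point (built-in storage) as a tank term, so that a legitimately filling tank does not raise an alarm.

```python
"""Mass-balance consistency check over SCADA flow telemetry.

Added illustration of the host-side integrity check described in the
discussion above.  The topology, site names, tolerance and readings are
constructed for this example and do not describe any real system.
"""
from collections import Counter
from typing import Dict, List, Optional, Tuple

# Accept metering disagreement up to this fraction of the upstream flow
# (constructed figure for the example).
TOLERANCE = 0.05


class Segment:
    """A pipe run between two metered sites, optionally with a tank in between."""

    def __init__(self, upstream: str, downstream: str, storage: Optional[str] = None):
        self.upstream = upstream      # site reporting flow into the segment
        self.downstream = downstream  # site reporting flow out of the segment
        self.storage = storage        # tank whose net fill absorbs the difference


# Constructed two-segment network: pumping station -> meter -> (tank) -> delivery.
SEGMENTS = [
    Segment("PS-1", "MTR-A"),
    Segment("MTR-A", "DIST-1", storage="TANK-1"),
]

# Constructed telemetry snapshot, flows in m3/h; net_fill is flow into the tank.
NORMAL = {
    "PS-1":   {"flow": 1000.0},
    "MTR-A":  {"flow": 980.0},
    "TANK-1": {"net_fill": 120.0},
    "DIST-1": {"flow": 855.0},
}

# Same snapshot, but the mid-line meter's report has been replaced with a
# value that matches neither neighbour (constructed tampered reading).
TAMPERED = {**NORMAL, "MTR-A": {"flow": 700.0}}

Alarm = Tuple[str, str, float]


def check_balance(readings: Dict[str, Dict[str, float]],
                  segments: List[Segment],
                  tolerance: float = TOLERANCE) -> List[Alarm]:
    """Return (upstream, downstream, imbalance) for every segment whose
    reported inflow, outflow and tank fill do not add up within tolerance."""
    alarms: List[Alarm] = []
    for seg in segments:
        inflow = readings[seg.upstream]["flow"]
        outflow = readings[seg.downstream]["flow"]
        # Storage between the two meters may legitimately absorb or supply water.
        stored = readings[seg.storage]["net_fill"] if seg.storage else 0.0
        imbalance = inflow - outflow - stored
        # Scale the allowed error with the flow so small lines are not over-alarmed.
        if abs(imbalance) > tolerance * max(inflow, 1.0):
            alarms.append((seg.upstream, seg.downstream, round(imbalance, 1)))
    return alarms


def suspect_sites(alarms: List[Alarm]) -> List[str]:
    """Sites bordering the most alarmed segments.  One bad reading trips every
    segment it touches, so it is named more often than its honest neighbours."""
    hits: Counter = Counter()
    for upstream, downstream, _ in alarms:
        hits[upstream] += 1
        hits[downstream] += 1
    if not hits:
        return []
    top = max(hits.values())
    return sorted(site for site, n in hits.items() if n == top)


if __name__ == "__main__":
    print("normal snapshot  :", check_balance(NORMAL, SEGMENTS))
    tampered_alarms = check_balance(TAMPERED, SEGMENTS)
    print("tampered snapshot:", tampered_alarms)
    print("suspect site(s)  :", suspect_sites(tampered_alarms))
```

With the constructed readings the normal snapshot produces no alarm, while the tampered one trips both segments adjacent to MTR-A, which is exactly the effect described above: a report that is changed at one point has to be matched at every point in between, or the balance application names the odd one out. The same check catches a site that is simply switched off, because its neighbours' reports no longer add up around it.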

Ref: 071997\msg00023.xml

Scada Survey

Mon, 21 Jul 97 21:09:52 -0400

Based on comments from several members and approval of Ian, I have posted the survey. If any members have the time, I appreciate the feedback.

Are SCADA systems for water resources vulnerable to cyber terrorism in the near term (five years)? And if so, what is the nature of the threat?

Purpose:

The purpose of this survey is to gather information about the cyber threat. The ultimate goal of this research is to make our water system more survivable to a cyber attack. Note: All references to cities and people will be eliminated from the thesis. Also, data will be aggregated to protect cities.

Scope:

The survey is constructed to provide feedback with respect to risk assessment and management. We are interested in assessing the redundancies, robustness, and resiliency of current SCADA systems. In order to accomplish this, we are very interested in the following:

1. Redundancy of the system. Redundancy refers to the ability of certain components of a system to assume functions of failed components without adversely affecting the performance of the system itself.

2. Robustness of the system. Robustness refers to the degree of insensitivity of a system design to errors in the estimates of those parameters affecting design choice. Robustness or those properties that make the system less vulnerable to attack (stability).

3. Resiliency of the system. Resilience is the ability of a system to operate close to its optimal design technically and institutionally over a short run after an attack, such that the losses are within manageable limits.

If you have questions or comments regarding this work, please email me at bce4k@virginia.edu or, bcezell@aol.com. If you feel uncomfortable or unqualified answering a question, please feel free to simply leave it blank.

Section One (administrative):

Name: ___________________

phone number: ________ or email: _________

1. What city or county do you provide water resources to?

2. What is your position in the water utility organization?

3. Please describe the scope of your SCADA operation (e.g. number of treatment plants, sensors, sewage, etc.).

4. How many valves and pumps does your system control?

5. How many Remote Terminal Units do you supervise/control with your SCADA system?

6. Do you allow access to the internet for your operators?

yes no

7. Do you or your operators have access to email via an administrative LAN?

yes no

8. Is the LAN accessible via remote connections?

yes no

9. Do you have the ability to control your system via a dial-up connection? (e.g. laptop, modem, and dial in to your server)

yes no unknown

10. If question 9 does not adequately address your remote capabilities, please describe below how you accomplish remote access (e.g. intranet, WAN, etc.).

11. What type of communication protocol do you use?

TCP/IP other (please describe)

12. Do you use:

radio

telephone leased line

telephone party line

combination

ISDN dial-up

ISDN dedicated

other (please describe)

13. What is the speed of your connections?

300 bps

300-2400 bps

4800 bps

9600 bps

14,400 bps

28,000 bps

56,000 bps

64,000 bps

128,000 bps

other

14. Please describe how data is sent from RTU to MTU.

15. Which best describes your SCADA?

Distributed control

Master-slave control

Other (please explain)

16. Please provide any additional information about your system that you deem is important.

Section Three (Survivability of the System):

17. In your judgment, who do you see as your system's primary concern from cyber attacks? Please rank 1-6 where one is the highest primary concern and 6 is the least:

 Hackers                  1 2 3 4 5 6
 Spies                    1 2 3 4 5 6
 Terrorists               1 2 3 4 5 6
 Corporate Raiders        1 2 3 4 5 6
 Professional Criminals   1 2 3 4 5 6
 Vandals                  1 2 3 4 5 6
 none

18. What do you believe is the ultimate objective of an attacker?

 Challenge or Status      1 2 3 4
 Political Gain           1 2 3 4
 Financial Gain           1 2 3 4
 Damage                   1 2 3 4

19. Indicate what tools you think a potential threat is most likely to use to attack your system. Please rank 1-6 where one is the highest primary concern and 6 is the least:

User command 1 2 3 4 5 6

To guess the password or enter a long string and telnet into system.

Script or program 1 2 3 4 5 6

At the User Command interface, attackers can make use of scripts or programs for the automation of commands. An example would be a "crack" program to determine passwords. Another example is a "Trojan Horse" program that is used to copy over an existing program. It performs like the program it replaced but also conducts other operations that the user is unaware about such as erasing files, logging passwords to a file, or corrupting data.

Autonomous agent 1 2 3 4 5 6

This is the most widely publicized of means of attacks. It is similar to a Trojan Horse. The difference is that an Autonomous Agent contains program logic to make an independent choice of what host to attack (e.g. the computer virus).

Toolkit 1 2 3 4 5 6

A grouping of scripts, programs and autonomous agents into a GUI program (e.g. rootkit).

Distributed tool 1 2 3 4 5 6

A tool that attacks a host simultaneously from multiple hosts. Clock time can be used to synchronize the attack.

Data Trap 1 2 3 4 5 6

The exploitation of the electromagnetic field surrounding a computer. This field contains information about the computer. Namely, to reveal data in transit or on the terminal.

HERF Attack: 1 2 3 4 5 6

HERF: High Energy Radio Frequency Attack. The ability to emit a pulse from a device that could be hidden in a coke can in a garbage can that could destroy all electronic devices, but not damage the building or other structures.

20. Please rank which vulnerability is greatest in your SCADA system:

Design Vulnerability 1 2 3

Configuration Vulnerability 1 2 3

Implementation Vulnerability 1 2 3

21. Do you believe the design, configuration, and implementation of your system is safe from:

Unauthorized Access yes no

Unauthorized Use yes no

22. Which results from an attack on your SCADA system would have the greatest impact on your water resource system:

Corruption of Information 1 2 3 4

Disclosure of Information 1 2 3 4

Theft of Service 1 2 3 4

Denial of Service 1 2 3 4

23. Who would you call in the event your SCADA system was tampered with? (check all that apply)

CERT (Computer Emergency Response Team)

outsourced security firm

Police department

FBI

Other (please specify)

24. If you experienced a computer system intrusion, indicate the type (check all that apply):

manipulated data

installed a sniffer program

stolen password

probing/scanning your system

Trojan logons

IP spoofing

Introduced viruses

denied use of service

downloaded data

compromised information security

compromised email/documents

publicized intrusions

harassed personnel

other (please specify)

25. Do you have the capability to detect attempts to gain access to your system?

yes no unknown

26. Have you detected any attempts to gain access to your system in the past year?

yes no unknown

27. If yes, how many successful unauthorized attempts have you detected in the past 12 months?

1-10 11-20 21-30 31-40 41-50

28. How much time do you spend on ensuring your network is secure?

none 10% 10-20% 21-30% 31-40% 41-50% 51-60% 61-70%

References:

1. Questions 19-22 were developed from a dissertation presented by Dr John D. Howard, 1997, An Analysis of Security Incidents on the Internet.

2. Other questions were modified from a survey conducted by the "Manhattan Cyber Project" at www.warroomresearch.com.

Ref: 071997\msg00033.xml

SCADA vulnerabilty -Reply

Mon, 21 Jul 1997 13:52:15 -0300

Try the home page of the North American Electric Reliability Council http://nerc2.nerc.com:80/ for more info on what is going on. They have links to various committees, etc related to security of the North American Electric supply.

Re: SCADA vulnerabilty

Wed, 23 Jul 1997 12:32:01 -0400

murray.reid@pipe.nova.ca wrote: ....I suspect, from what I know of security issues, that protection against sabotage by disgruntled employees is likely to be a more fruitful approach to 'hardening' a SCADA system against terrorist abuse... Hi, I would think that security to protect the commercial value of the SCADA data from "industrial espionage" is going to be fairly important now that the North American electrical market is going into full open competition. For instance, one could use another competitor's SCADA data in order to gain a financial advantage in pricing. Norm

Re: SCADA vulnerabilty

Wed, 30 Jul 1997 15:20:46 -0400

murend up in a pool which will be looked after by the ISO. The ISO will operate a daily electrical spot market and take bids for supply to the pool. If a generating company could see the status of a competitor's system, it could price its own generation to maximize profit. For example, hydraulic, fossil and nuclear generation all have different operating costs. If my competitor is running up a lot of his fossil plants, I can generalize what his bid should be and price mine just under his. I have a newspaper article on the move to an ISO, but it's 2-3 pages long. If there's any interest I'll e-mail it to those who want it. I also owe the mail list a report on how we are doing with our integration of commercial data networks into our EMS/SCADA system. Norm

Ref: 071997\msg00035.xml

Analysis Patterns in SCADA Systems

Wed, 6 Aug 1997 10:59:41 +0000

I'm currently working on a paper about the use of analysis patterns (object-oriented) on SCADA systems. The goal is to build a software architecture of such a system, general enough so that the conclusions can be useful for other kind of applications (DCS, MES, etc.). I'm starting from my own experience building a small supervisory system with OO Analysis and Design Methods. Does anyone have OO Analysis models of such systems and is willing to share them? Additional comments or experience are also welcome. Best Regards Nuno

 -----------------------------------------------------------
 |           "Estes romanos sao loucos" - Asterix          |
 -----------------------------------------------------------
 |        Nuno Jardim Nunes - Computer Science Unit        |
 |   Dep. Mathematics - University of Madeira - Portugal   |
 -----------------------------------------------------------
 | Address: Largo do Municipio, 9000 - Funchal - Portugal  |
 | Contact: Voice: 351-(0)91-225111, Fax: 351-(0)91-225111 |
 | e-mail : dnnunes@dragoeiro.uma.pt                       |
 | URL    : http://www.uma.pt/dnnunes/nuno.html            |
 -----------------------------------------------------------

Ref: c:\scada\081997\msg00005.xml

Fwd: CERT Summary CS-97.05

Tue, 26 Aug 97 15:58:50 -0400

Hello: Some might be interested in CERT's latest update on security. I forwarded it to the list. Barry

---------------------------------------------------------------------------

CERT* Summary CS-97.05 August 26, 1997

The CERT Coordination Center periodically issues the CERT Summary to draw attention to the types of attacks currently being reported to our incident response team. The summary includes pointers to sources of information for dealing with the problems. We also list new or updated files that are available for anonymous FTP from ftp://info.cert.org/pub/

Past CERT Summaries are available from ftp://info.cert.org/pub/cert_summaries/
---------------------------------------------------------------------------

Editorial note. The content of this note has been edited out. It is a long posting available on the net at the address shown for those interested. I have left the paragraph headings.

Recent Activity
---------------
Since the last regularly-scheduled CERT Summary issued in May, we have seen the following trends in incidents reported to us.

1. Continuing IMAP Exploits

2. Increased Denial-of-Service Attacks

3. Increased Use of IRC in Root Compromises

4. Increased Exploitation of IRIX Buffer Overflows

5. Continuing INND Exploits

What's New in the CERT FTP Archive

 How to Contact the CERT Coordination Center
 
 Email    cert@cert.org
 
 Phone    +1 412-268-7090 (24-hour hotline)
                 CERT personnel answer 8:30-5:00 p.m. EST
                 (GMT-5)/EDT(GMT-4), and are on call for
                 emergencies during other hours.
 
 Fax      +1 412-268-6989
 
 Postal address
         CERT Coordination Center
         Software Engineering Institute
         Carnegie Mellon University
         Pittsburgh PA 15213-3890
         USA

Ref: c:\scada\081997\msg00011.xml

Re: Cyber Survey for Water and SCADA

Thu, 21 Aug 1997 11:24:42 +1000

It seems to me the best way to combat threats of the nature you are concerned about is to remove the cause rather than trying to cope with the consequences.

This means stopping people from wanting to attack you.

Questions to answer:

* Why do people want to attack my system?

* How can I stop them wanting to attack my system?

* Is it more appropriate (cheaper, easier, etc.) to stop them wanting to attack my system than it is to imagine ALL the ways they could do this and prevent them doing so?

* Would it be better not to have a system in the first place? What alternatives could exist?

Start thinking outside the box. I do not think anything can be made impregnable to all forms of attack, so efforts should be directed to removing the source of the problem. It seems that this is not how Americans usually think, so maybe you need a non-American to suggest it to you.

 Regards,
 .----------------------------------------------------------------.
 |         Andrew West                .       Foxboro Australia   |
 |  Embedded Systems Engineer     _--_|\      42 McKechnie Drive  |
 |  Telephone: +61 7 3340 2164   /     *\ -- Eight Mile Plains   |
 |  Facsimile: +61 7 3340 2100   \_,--._/      Queensland 4113    |
 |  Email: andreww@foxln.com.au        v          Australia       |
 '----------------------------------------------------------------'
 

Ref: c:\scada\081997\msg00012.xml

RE: Cyber Survey for Water and SCADA

Thu, 21 Aug 1997 09:17:24 -0400

I disagree that Americans generally do not think "outside of the box". I believe that the U.S. has an excellent record of innovation that leads the world. Let's not generalize.

The unique mix of people from around the world working together in a free society (mostly) gives us a pretty good perspective on things.

Regarding Cyber attacks:

Attempting to remove the cause of the attack works for potential attackers that you have the ability to influence. Unfortunately, terrorism many times involves attacks on people/things from previously unknown entities which makes it quite difficult to influence.

I think Barry Ezell's work is a worthwhile project. Although I hope that potential attackers don't read this Bulletin Board!

It is very similar to the reasons why people buy car alarms. Do they make the car impervious to illegal entry and theft? No.

However, by having an alarm and "The Club" and an ignition "kill-switch" you make it more difficult for the attacker/criminal. Either the potential attacker finds another target that is easier or the increased time it takes to make entry allows time for detection/prevention.

You are right that nothing can be made impregnable (and practical). You can only make it more difficult, more time consuming and easier to detect.

Be prepared for the worst.

By the way Andrew, your discussion of SCADA systems has been very helpful. I appreciate it.

Thanks,

 Kevin Maguire
 Proud American

RE: Cyber Survey for Water and SCADA

Thu, 21 Aug 1997 15:43:30 -0600

I've had very little interest in this thread until now.

You may or may not have missed Scott Stevenson's point. Your suggested method of verification was commonly used on the original Mission Impossible TV series. If I give you my phone number, tell you it's my private line at the White House and answer that phone with "Bill speaking" that will prove that I'm the President. Hmmm!

Whatever your identity, another approach to this same thesis comes to mind. Appropriate titles include "Those that fail to heed the lessons of history are doomed to repeat them" or, for a navy man, how about "Loose lips sink ships". It appears the greatest Cyber Risk to anything is the willingness to share information with anyone that simply asks!

 Bob Lockert

 Carried Process
 #7, 5918 - 5th Street S.E.
 Calgary, Alberta, Canada

RE: Cyber Survey for Water and SCADA

Fri, 22 Aug 1997 16:48:24 -0600

This thread is titled Cyber Risk. I have been involved in computer and communications industries for 30 years. I have had legitimate physical and electronic access to literally hundreds of systems in Oil & Gas, municipal utility, banking, manufacturing, R&D, and government at various times. Each and every one of these had a varying level of concern for security not limited to terrorism. Fraud, disgruntled employees or customers and corporate espionage are common threats requiring protective measures.

In the early 70's I designed mainframe computer rooms. The fashion was to be located at ground level with public visibility. A positive public image was desired. Following an incident in NYC a major oil company lost its data center through physical attack. Within 2 years every such system here was relocated to windowless bunkers or upper level corporate floors. These were massive undertakings that underscored these companies' focus on security. The idea was really "out of sight - out of mind". I was actively involved in this process as a vendor representative and worked closely with customer security groups. Since then I periodically consult on specific security issues.

In no way do I consider myself a security expert. However, I do have a good understanding of the concepts, the most important being - "The best security is unknown security". The first line of defense in any security method is to limit the spread of knowledge of those methods. Exceptions to this prove the rule. A 'beware of dog' sign on your front door works whether you actually have a dog or not.

Absolutely true. And a knowledgeable threat has greater power than an ignorant one. Nobody would consider putting a sign on their door saying "Key under the mat".

There are of course many valid reasons to discuss these issues. I do seriously question the suitability of the internet as the right forum however, considering the unregulated public access. This isn't a fear of a boogeyman or conspiracy theories but simply my own conviction that it would be imprudent to do so.

If my position is shared by others, you won't hear from them either. This implies that the survey results will be skewed towards the least secure systems. And the simple act of contributing to the survey has reduced that level of security by removing that knowledge barrier.

I'm not trying to discourage you but I think the insecure aspects of the Internet may be filtering responses from those that have developed a security awareness. At the least you may want to add a footnote to your survey results and/or thesis identifying this potential for error in your methodology.

Ref: c:\scada\081997\msg00013.xml

Decision Variables for Scada systems

Wed, 20 Aug 97 16:27:41 -0400

Below is a list of decision variables I have developed over the past week. These variables will be optimized to improve the redundancy, robustness, and resiliency of SCADA systems to cyber risks. I would appreciate some feedback from everyone on these variables. In particular, have I gotten the selection of comm protocols correct for water utilities? Have I considered all the possibilities??

decision variables:

1. Modems for LAN/WAN/Internet connection of MTU

- auto answer

- challenge (certificate-algorithm)

- dial back

- encryption

- other

2. Modems for RTU-MTU

- auto answer

- challenge (certificate-algorithm)

- dial back

- encryption

- other

3. Communication Protocols for LAN/WAN/Internet connection to MTU

- TCP/IP

- IPX/SPX

- SLIP

- PPP

4. Communication protocols for RTU-MTU

- PGE

- Conitel

- TCP/IP

- MODBUS

- LANDISGYR

- DNP 3.0

- IEC 870-5

- VCA

- other

5. Communication Methods for LAN/WAN/Internet

- dial up telephone line

- ISDN dedicated

- ISDN dial up

- ATM

- other

6. Communication Medium for RTU-MTU

- Leased Line from phone company

- Private line leased from company

- Radio

- ISDN

7. Personnel Exposure to system MTU-RTU

- IS Manager

- System Analyst

- Operator

- repairman

- other

8. Network protection devices preventing Internet Incursion

- router

- firewalls

- other

9. Back up of data

- on site

- off site

10. Password protection for LAN/WAN/Internet

- alpha only

- numeric only

- combination

- disposal of passwords by shredding

11. Password protection MTU-RTU

- alpha only

- numeric only

- combination

- disposal of passwords by shredding

12. MTU connectivity to other networking equipment

- NT server

- Unix Computer

- Open VMS

- LAN Server

- Web Server

- Application Server

- other

13. Policy Security Measures

- data exposure to unauthorized personnel by the monitor

- data exposure to unauthorized personnel by removable media

- data exposure to unauthorized personnel by paper printouts

14. Potential to misuse system as a function of exposure and access authority

- IS Manager

- System Analyst

- Operator

- Repairman

15. Physical Security Measures

- system security by alarm

- guards

- fences

- other

random variables (r):

r1: user command attack

r2: script/program attack

r3: autonomous agent attack

r4: toolkit attack

r5: distributed tool attack

r6: data trap attack

r7: HERF attack

input variables (u):

u1: the information corruption in the system

u2: the disclosure of information in the system

u3: the theft of service in the system

u4: the denial of service in the system

exogenous events (++):

++1: the demand on the water distribution system at a given time

++2: local political situation

++3: the national political situation

++4: the international political situation

state variables (s):

s1: the performance of the system

s2: the cost of the system

s3: the reliability of the system

s4: the risk of attack from hackers

s5: the risk of attack from spies

s6: the risk of attack from terrorists

s7: the risk of attack from professional criminals

s8: the risk of attack from vandals

Objectives of an attacker:

1. Challenge or status

2. Political Gain

3. Financial Gain

4. Damage

Objectives of the decision maker:

maximize the survivability of the system

minimize the effects of a cyber attack on the system

Survivability of the system is a function of the 3Rs of the system:

--cost of f1(R1, R2, R3)

--performance f2(R1,R2,R3)

--Reliability f3(R1, R2, R3) --??

 ******************************* [:-)] *******************************
 *     Barry Ezell
 *     Captain, United States Army
 *     bcezell@aol.com
 *     bce4k@virginia.edu
 *     Graduate Student, Systems Engineering, UVA
 *     804 975 3525 (home)

Ref: c:\scada\081997\msg00014.xml

For the scada folks in the water business

Mon, 11 Aug 97 10:03:06 -0400

Hello: I am trying to decide the best systems to model for my thesis. The ones I choose should be more or less representative of what's currently in the field with a hint of what is to come. Could any and everyone respond with the current system they have in place. In particular, I am interested in the functions of RTUs and the MTU. Do you have a master-slave relationship?

Are your RTU's "dumb"?

Do they only react when polled by the MTU?

Do they scan their remote site and report on a prearranged schedule?

etc...

Check out my chapter 4, on the beginnings of a model. From what I have learned from people over the weekend, my model may be a little too simplistic for what is actually in the field. Many thanks to Ian Wiese and Andrew West for their help over the weekend!!! Barry

******************************* [:-)] *******************************
*                                                                   
*     Barry Ezell                                                      
*     Captain, United States Army                                      
*     bcezell@aol.com                                                  
*     bce4k@virginia.edu                                               
*     Graduate Student, Systems Engineering, UVA                       
*     804 975 3525 (home) 

Re: For the scada folks in the water business

Mon, 11 Aug 1997 12:22:48 -0700

I thought I'd post my last email message to you to initiate a discussion regarding RTU capabilities. Like you, I am interested in others responses, observations and needs.

In MY ideal SCADA system the RTU must report "events" to the MTU in near real time. These events can be changes in state (digital), excursions outside predefined limits (typically analogue) or "rate of change" from accumulator inputs.

As you can imagine, if an overheating pump/motor is not noticed until the next MTU "scan time" it isn't of much use. Or, if a security sensor notes intrusion into a building, or a pump suddenly speeds up to an unacceptable value or .........

Each RTU must be capable of reporting alarm conditions contained in evaluation parameters within each RTU. RTU's must maintain their own "scan time" or "scan interval" where, upon occurrence of that interval they wake, scan their own inputs, evaluate values, report excessive values, then sleep to the next interval.

In my systems this "RTU scan interval" can be as small as once per second.

Regards
Mark Hill, President, Intelligent SCADA Solutions
markhill@uniserve.com
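The wake/scan/evaluate/report cycle Mark describes, as an added example that is not part of the original post or any vendor's product. The Rtu class, the point names, the limits and the switch between unsolicited reporting and holding events for an MTU poll (the configurable behaviour also discussed in this thread) are all assumptions made for the illustration.

```python
# Added example (not Mark Hill's or any vendor's code): a report-by-exception
# RTU that wakes each scan interval, evaluates its own inputs against locally
# held parameters, and reports only events. All names and values are constructed.
from dataclasses import dataclass, field


@dataclass
class Rtu:
    scan_interval_s: float = 1.0      # "RTU scan interval", here once per second
    unsolicited: bool = True          # True: call the MTU at once; False: hold for a poll
    analog_limits: dict = field(default_factory=dict)  # point -> (low, high)
    rate_limits: dict = field(default_factory=dict)    # accumulator point -> max units/s
    _last: dict = field(default_factory=dict)          # values from the previous scan
    _held: list = field(default_factory=list)          # events waiting for an MTU poll

    def scan(self, t: float, digital: dict, analog: dict, accum: dict) -> list:
        """One wake/scan/evaluate/report cycle; returns events sent to the MTU now."""
        events = []
        for point, value in digital.items():            # change of state
            prev = self._last.get(point)
            if prev is not None and value != prev:
                events.append((t, point, "state_change", value))
        for point, value in analog.items():             # excursion outside limits
            if point in self.analog_limits:
                low, high = self.analog_limits[point]
                if not low <= value <= high:
                    events.append((t, point, "limit", value))
        for point, value in accum.items():              # rate of change per second
            prev = self._last.get(point)
            if prev is not None and point in self.rate_limits:
                rate = (value - prev) / self.scan_interval_s
                if abs(rate) > self.rate_limits[point]:
                    events.append((t, point, "rate_of_change", rate))
        for values in (digital, analog, accum):
            self._last.update(values)
        if self.unsolicited:
            return events
        self._held.extend(events)                       # polled mode: nothing leaves yet
        return []

    def poll(self) -> list:
        events, self._held = self._held, []             # MTU poll releases held events
        return events


# Constructed scan data: a motor winding temperature climbing past its limit,
# a door contact opening and a flow accumulator jumping, all in the third scan.
SAMPLE_SCANS = [
    (0.0, {"door": 0}, {"motor_temp": 70.0}, {"flow_total": 1000.0}),
    (1.0, {"door": 0}, {"motor_temp": 84.0}, {"flow_total": 1005.0}),
    (2.0, {"door": 1}, {"motor_temp": 97.0}, {"flow_total": 1060.0}),
]


def run_sample(unsolicited: bool = True) -> list:
    rtu = Rtu(unsolicited=unsolicited, analog_limits={"motor_temp": (0.0, 90.0)},
              rate_limits={"flow_total": 20.0})
    received = []                                       # every event the MTU got
    for t, digital, analog, accum in SAMPLE_SCANS:
        received += rtu.scan(t, digital, analog, accum)
    received += rtu.poll()        # in polled mode the MTU's own scan comes only after the last interval
    return received
```

In unsolicited mode the three events reach the MTU at t=2.0, within one RTU interval of the excursion; in polled mode the same events arrive only when the MTU next polls, which is the delay Mark's overheating-pump point is about.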

Re: For the scada folks in the water business

Tue, 12 Aug 1997 09:39:36 +1000

This has the flavour of: "What is the Buddha-nature of SCADA?" With my apologies to true disciples of Zen.

SCADA is one of the small areas of the world where every customer still has their own idea of how things should be done, and specifies systems to work the way they want.

Some SCADA vendors make a simple "we do it this way" product, and they sell to people for whom that is a close enough fit. This is usually OK for small or simple functions, where there are relatively few possibilities for doing things in more than one way. These devices are usually relatively inexpensive.

Some vendors do a lot of custom engineering for each customer to give them exactly what they want. The customer pays for this. Some vendors have products that are configurable to work in many ways. This then requires that the vendor or the customer configure the system to work as required. The customer pays for this. If the customer is prepared to learn the configuration process then this usually results in a lower cost of ownership over the lifetime of the equipment.

With regard to "do the RTU and MTU have a master-slave relationship?": Usually: Yes. However, we have a customer who specified a particular functionality in their system; namely that the remote sites should continue to perform their intelligent monitoring and control functions even if the comms to the master was lost for a significant period. While the specification did not prescribe the MTU-RTU relationship required to achieve this, we found that the best model was to have an almost peer-to-peer relationship. Note that in this system the functionality of the RTU is very high, and it is this, more than the "Master" or "Remote" label, that really determines the hierarchy.

> Are your RTU's "dumb"?

No. They can be configured to do most things that an RTU can do. And we are working on adding the few exceptions that are not absolutely idiotic. We are that sort of company.

> Do they only react when polled by the MTU?

If you configure them to. You can also configure them to send data in an unsolicited manner. Ie: They call you if something "significant" (again, configurable) happens in the field. Their reaction to polling is configurable.

> Do they scan their remote site and report on a prearranged schedule?

If you configure them to.

Do not be misled into thinking that there is a single model for how the MTU and RTU should interact. Expect greater intelligence and autonomy in the RTU in the future. This can lead to lower comms usage if you get the RTU to only report when it has decided that interesting things have happened, but it will be more likely to lead to a lot more comms as people want to look at all the extra interesting data that will be available.

.----------------------------------------------------------------.
|         Andrew West                .       Foxboro Australia   |
|  Embedded Systems Engineer     _--_|\      42 McKechnie Drive  |
|  Telephone: +61 7 3340 2164   /     *\ -- Eight Mile Plains   |
|  Facsimile: +61 7 3340 2100   \_,--._/      Queensland 4113    |
|  Email: andreww@foxln.com.au        v          Australia       |
'----------------------------------------------------------------'

Ref: c:\scada\081997\msg00020.xml