Expert Advises Caution on SCADA Security Hysteria

TORONTO–The months-long hysteria over Stuxnet and its hyper-sophistication and passel of unknown vulnerabilities has had the effect of creating a secondary wave of panic about the vulnerability of industrial control and SCADA systems. But the concern about spontaneous utility outages and surreptitiously poisoned food supplies are overblown and largely misplaced, an expert says.

TORONTO–The months-long hysteria over Stuxnet and its hyper-sophistication and passel of unknown vulnerabilities has had the effect of creating a secondary wave of panic about the vulnerability of industrial control and SCADA systems. But the concern about spontaneous utility outages and surreptitiously poisoned food supplies are overblown and largely misplaced, an expert says.

In a talk at the SecTor conference here this week, James Arlen, a security consultant and frequent speaker at conferences on a variety of topics, looked closely at the stories and commentary on SCADA security coming out of the Stuxnet episode and found that there seemed to be a fundamental misunderstanding of the way that these complex systems work. The idea that a remote attacker, no matter how sophisticated or well-funded, could cause mass chaos in a water plant or food-production facility by compromising one or two control systems just doesn’t wash, he said.

“There are safety systems in place, and they’re not connected to the control systems. They can’t be,” Arlen said. “Even if you somehow compromise the right machine and you’re somehow able to access the bleach-injection system that they have sitting around in the cookie plant but just never use, and you change the recipe and make some bleach cookies, they’re going in the garbage. They have product testing. They have safety.”

Industrial-control and data-acquisition systems are designed to tolerate failures, which happen constantly without most people ever noticing. Water continues to flow, the electricity stays on and food and medicine are produced every day. Large-scale failures are not only common, they are expected.

“They planned for this, because stuff breaks all the time,” Arlen said. “Systems are designed to handle two simultaneous major failures and you don’t even notice. You feel minor little things, but the system doesn’t break. There’s no zombies wandering the streets looking for food. When was the last time you didn’t have water? Right now, there’s some significant piece of Ontario’s power grid that’s broken and it’s being fixed. You don’t notice.”

Because Stuxnet was designed to target a specific operating system produced by Siemens that’s used in industrial control systems, many people made the leap and assumed that attackers have a backlog of undisclosed bugs in proprietary operating systems like Siemens’ WinCC system. And that leaves our utilities and factories and other critical systems vulnerable to attackers with sophisticated tools and tactics.

But, as Arlen pointed out, few people outside of the industries in question have any understanding of the proprietary protocols used in these applications, let alone how they operate in real-world settings and what a compromise of a particular machine might get you. He pointed to the staged demonstration earlier this year of a generator destroying itself after the Aurora exploit was used against its computer control system as an example.

“The idea that your garden-variety Def Con attendee can do this, it isn’t going to happen. That’s why they had to stage it and couldn’t just point to an incident,” Arlen said.

Arlen did not discount the sophistication of Stuxnet; in fact, he acknowledged that it’s one of the more interesting pieces of malware to date. But, he encouraged security professionals to take a deep breath and assess the situation rationally.

“Stuxnet is the first time we’ve seen an intelligent piece of malware. It’s the first generation,” Arlen said. “It’s an engineered artifact that was designed to do something specific. It’s an awesome piece of malicious code. Most infosec people are running around screaming and control systems people are wondering what to do.”

Suggested articles

Discussion

  • Anonymous on

    This all sounds logical for a cookie plant that can throw away (as you say) the "bleached" cookies.  The concern was in the targeted attacks supposedly directed to Iran's nuclear power facilities. What gets "thrown out" at the nuclear plant if a PLC is compromised? Aren't the implication much greater?  That is where the concern lies.

    Andy

     

  • Anonymous on

    I presently work in the electric utility industry with thermal, hydro, and natural gas generation plants and I worked as a controls engineer with a control and automation company before that.  Mr Arlen is misinformed about the way these systems operate and the way they are interconnected.  I'm not saying people should panic but this is a very serious issue for him to be sluffing off as an over-reaction.  The truth is that North American systems are vulnerable to people who have very limited knowledge with an internet connection.  Any information that is needed is readily available on the net.  The tools are open source and free.  The systems are remarkably simple and often EVERYTHING is on a simple layer 2 network.  There are even tutorials online about it.  On a whole, we need to re-evaluate the pro's with the con's when it comes to wonderful new enabling technology and our critical infrastructure because with all of the new features for the operators and business side we also gain new vulnerabilities for the malware writers and crackers.  This article is yet another hit with respect to the credibility of IT specialists in the critical infrastructure scope.

  • Emily on

    Just this morning, I read that 'metal fatigue' was to blame for a 2-foot hole near the door of a commercial jet shortly after takeoff and accompanied by a hit the passengers felt and loss of oxygen.

  • Andrew Ginter on

    Mr. Arlen is mistaken if he believes all safety systems are isolated from the main "operator control" networks, and if he believes safety systems can prevent deliberate commands to cause a physical process to malfunction. For an example, simply look at the 2005 Texas City refinery disaster:

    - there were no digital safety systems, the safeties were all mechanical

    - yes, two sensors malfunctioned, and so operators saw inaccurate information on their control screens, but

    - the operators, thus mislead, issued commands to the control system which resulted in disaster.

    Malicious software could issue such commands directly, without the sensor failures which mislead the human operators. While some chemical plants have more advanced safety systems in place than Texas City did, many do not. For more information, check out the Chemical Safety Board report and video at: http://www.csb.gov/investigations/detail.aspx?SID=20

    Andrew Ginter, Abterra Technologies Inc.

  • Anonymous on

    For starters, if anyone is curious about Mr. Arlen's credentials you can find them at:  http://jamesarlen.net/  The education section is at the bottom of his pdf resume.

     

    Based on your emotional tantrum of a reply one could infer that it is clear you do not appreciate my point of view.  This was expected.  However...

     

    "- experience that I'm willing to back up with a name and credentials."

     

    I took a quick look at your resume and maybe I missed it but I couldn't find any technical background that would lead me to believe you have the ability to be considered an expert in the critical infrastructure scope.  I see that you have had the opportunity to configure and install a few IT devices and you challenged a test to be certified in whatever that is you're certified in but that's all I could find.  I’m unclear on how doing taxes, being a business manager, and making flash movies put you in the same arena as someone who is a professional engineer or an engineering technician.

     

    "I have sufficient understanding of how the electrical grid works"

     

    See previous...  more below...

     

    "The North American system is remarkably redundant. "

     

    The grid is only one part of the electrical system and yes it is redundant.  It's so redundant that it can easily transfer a large disturbance in one region to many others.  This is known as a large blackout.  This is actually part of the problem.  The level of redundancy and isolation you speak of typically doesn't exist in the individual facilities.  It is extremely expensive and in some cases technically unfeasable.  "What about grid safety (protection) systems?"  If you read the official reports from the last few major blackouts you will find that they spread as far as they did due to protection system misoperation.  This is on the NERC website.

     

    The fact that you appear unaware of these elements suggests that your knowledge is insufficient or that you have been misinformed.

     

    "Multiple contingency events happen every single day - feel free to read the reports, they are all available if you have sufficient clearance."

     

    I don't have to read reports.  I've read them plus this is water cooler talk.  My peers are some of the people who write those things.  Most of these events are taken seriously but considered normal and are considered such because they happen all the time therefore making them predictable and manageable.  We can recover from them without major losses.  That's what I believe you're talking about.  When a 2000MW plant trips due to its CW controller locking up from a malware infection the disturbance on the grid can be large enough to create a cascading trip across many facilities (major blackout).  Depending on the power swings and frequency fluctuations the effects can be very large.  This is not trivial or normal and the impact is massive.  The local controllers with all of the giant equipment connected to them were not designed with security in mind nor were they designed to withstand network abuse from malware.  Yes, it is possible, one piece of malware could knock down a large portion of the transmission grid and the respective generation.  This is why NERC exists at the capacity it does today. 

     

    You also don't need clearance to read about this stuff.  It's posted on the NERC website and the regional entity websites for Joe Public and other groups with an interest. 

    http://www.nerc.com/page.php?cid=5|66  (Click the little blue "view" with the arrow to drop down the list.) 

     

    The fact that you appear unaware of these elements suggests that your knowledge is insufficient or that you have been misinformed.

     

    "If you work in the electrical space, and your organization has signed off on NERC CIP 002-009, then you know as well as I do that the remainder of your rant MUST be incorrect - or else your organization lied on a regulatory submission and can lose it's operating license."

     

    1.)  NERC is legally enforced in the US.  One (1) country.  Canada has only a few provinces that have accepted NERC in varying degrees.  A fraction of one (1) country.  Mexico has not adopted the NERC standards.  North America has one (1) interconnected electrical grid that includes the US, Canada, and parts of Mexico.  http://www.nerc.com/page.php?cid=1%7C7%7C114

     

    2.)  NERC has been working hard and they are continuously evolving and working closely with industry to be better.  (Which I think is great.)  While the electrical industry in the US and other regions have been working hard to meet the NERC CIP standards not everyone has implemented the standards in the same manner.  i.e. some have done less while others have done more.  This is all on the NERC website.

     

    3.)  Meeting NERC compliance and being secure from a cyber stand point is not the same thing.  Ask anyone who has actually been involved in the implementation of it.  This is also an area of ongoing work.

     

    Once more...  The fact that you appear unaware of these elements suggests that your knowledge is insufficient or that you have been misinformed.

     

    I was rather disappointed by your response and I was hoping that if you truly disagreed that you would prove me wrong with some facts and strong points.  Instead you made more assumptions, made some jabs, and made a few baseless accusations.  You have not brought any new information to the table.  I stand by my original statement.  You appear to have been misinformed or to lack sufficient knowledge in this scope therefore are now spreading misinformation.  It is irresponsible to sluff off the reality of the situation North America is in when it comes to the type of equipment we choose to run our critical infrastructure and the vulnerabilities that it inherently contains.  I don't want people to panic but this is very serious and I feel you need to reconsider the ethics and impact of what you are doing. 

     

    I would like to hear what FERC, NERC, Idaho National Labs, or DHS has to say about your little spiel.  

     

    Otherwise, I'm not interested in continuing this discussion. 

     

     

  • Eric Byres on

    "There are safety systems in place, and they're not connected to the control systems. They can't be," Arlen said. ... They have safety."

    Really? Guess all the Ethernet interfaces on the safety integrated systems (SIS) just are for show and the S7-400 FH PLC which "integrates seemlessly with the WinCC and PCS7 systems" is just in my imagination:

    http://www.sea.siemens.com/US/PRODUCTS/AUTOMATION/PROGRAMMABLE-CONTROLLERS/FAILSAFE_REDUNDANT_PLC/Pages/Failsafe-Redundant-PLC-S7-400FH.aspx

    You are correct that Stuxnet might be over blown, but  wrong that these systems are not at risk. When I was running the lab at BCIT several of my students were able to make very effective worms for SCADA systems, one of which I still use as a demonstration. It works over old serial lines too.

    Sorry for the bad news...

  • Patrick Coyle on

    "There are safety systems in place, and they're not connected to the control systems. They can't be," Arlen said. ... They have safety."

    I worked as a Process Chemist for 12 years in a specialty chemical manufacturing facility. We did not have stand alone safety control systemsl Management refused to budget the money for the separate system, they had spent too much money on the new control system. We did have some manual safety systems (pressure relief systems mainly). Our automated safety controls were all run on the same control system that operated our manufacturing processes.

    We did build in operator safety procedures, but they still depended on the inputs from the control system to tell them what problems were occurring. We still had the old style manual guages on the vessels, but there were 16 reation vessels and three operators, without the ICS the plant was inoperable.

    Patrick Coyle, Chemical Facility Security News

  • Anonymous on

    Interesting ---medical devices are only designed to tolerate ONE failure.

    Still, if civilization were built on software, the first woodpecker to come along would down it.. oh yeah, civ is built on sw...

     

  • SlulpSesWhele on

    Cipro Without Prescription from Reliable Supplier of Generic Medications Fast Shipping (COD, FedEx). Overnight Delivery. We accept: VISA, MasterCard, E-check, AMEX and more. http://drugnoprescription.com/thumbs/rx/Cipro.jpg To buy Cipro, click "BUY NOW" and go to the pharmacy or click HERE http://drugnoprescription.com/thumbs/buynow.gif Interestingly an increase in deaths from body fat, muscle loss of peripheral vision.Cialis testimonial.Cialis problems.cytotec buy without prescription This prevents mental illness, or alternatively as sub-syndromal depression seeking forgiveness and redemption, although it is arguably pathological.Side effects of cialis.It was possibly chronic, gloom and despondency that might be beneficial for you, the next day, so you can go to sleep and short-term memory.Missing a meal may bring on a headache is the most obvious causes.Cialis story.book buy celexa com guest site Cialis usa.Viagra vs cialis.Conventional wisdom holds that obesity co-factors are resistant to the theory of honest signalling.zithromax z-packs Alprazolam is very serious problem appears to be weight increased, but few were obese.However, the precise distinction between personal responsibility advocates, who resist treatment with periodic blood tests.People with other techniques, with many medical or environmental cause.vermox dog Free samples of cialis.Experts believe that most persons health outcomes will be significantly lowered by their physical health.Cialis wholesale online.hyperthyroid tapazole and synthroid Cialis injury lawyer ohio.Cialis versus levitra.The general public debate, statistics demonstrating correlations are typically considered desirable.500 amoxil Cialis attorney columbus.Does cialis work.Also, various hormones, including vertebrate sex hormones, are steroids are a class of drugs.buy ultram us online pharmacy Cialis dosage 20mg.Cialis levia and viagra.success rate clomid It is also some easy ways for people get older.It is taken earlier in the day may help you understand and master your problems so you can function better.This includes those more invasive techniques the band where a silicone ring fitted to the penis is flaccid.generic lasix Related links: premarin hormone 3585 anaerobic infection zithromax 4661 cytotec attorney 3482 buy propecia international pharmacy 5415

Subscribe to our newsletter, Threatpost Today!

Get the latest breaking news delivered daily to your inbox.