By Kevin Coleman
Defense Tech Cyber Warfare Analyst
Malicious code discovered and publicly disclosed in July 2010 appears to target industrial control systems. The code, called Stuxnet, spreads by exploiting a zero-day flaw in the way Windows handles shortcut (.LNK) files (CVE-2010-2568) and targets SCADA controllers and the systems that program them.
Definition: SCADA stands for Supervisory Control And Data Acquisition. It refers to industrial control systems, that is, computer systems used to monitor and control a physical process or process control equipment. These systems typically run critical processes and equipment at power generation and distribution facilities, manufacturing facilities, water treatment plants, and even nuclear power plants. Many of them are relatively old and are believed to contain numerous vulnerabilities.
The malware seeks out SCADA systems running Siemens Simatic WinCC or PCS 7 software and steals industrial data from them. Because it spreads through removable media as well as over the network, simply keeping a control network off the Internet does not stop it. So far it is thought to have infected around 20,000 computers worldwide, mostly in Iran, Indonesia and India.
As you may recall, Congressman Jim Langevin, who chaired a House subcommittee on cyber security, had called representatives of the nation's electric utilities to Washington to find out what they were doing to address cyber security and defend against cyber attacks. This was recounted in a 60 Minutes special investigation into cyber security that aired in November 2009.
If you saw the piece, you may recall that his subcommittee was told the problem was being addressed. However, at a subsequent hearing almost seven months later, the subcommittee found out that this was not the case. Now it is a mad scramble to address the cyber security of not just the power grid but the entire U.S. critical infrastructure.

16 comments
I still don't understand why a purpose-built operating system hasn't been designed from the ground up with its own security measures in place, etc. Then it's simply a matter of not letting the Chicoms steal the technology…
In fact, why not two completely separate and unique OSes? Only one of them would be used for general purpose, and the secondary one would only be used in the case of an emergency, i.e. if the primary is hacked/infected, etc. and we need to get our systems back online, we reboot to the secondary one, which has more stringent security measures and limited access (which I suppose means limited functionality as well) in order to keep the systems running in some capacity.
Why not use an available and fully developed secure OS like Linux ?
$$$
Typo: you meant SELinux.
I find it shocking that the gov't uses Windows for important infrastructure systems. Would like to know the idiot that made that decision.
Microsoft should have never allowed Windows to be used in critical infrastructure. They had to be aware that it wasn't secure and probably never would be.
Uhhh… if that were true, then how did Vitek Boden hack into an Australian SCADA system (Sunshine Coast), reverse some valves and pump MILLIONS of gallons of sewage into roadways, hotels and parks?
I work in risk management. During a recent audit we found a SINGLE, UNSECURED valve on the OUTSIDE of the secured perimeter – if turned, it would drop the (single) data center of a 2.2 billion dollar company. We reported our findings and a year later they still have yet to put a $20 locking mechanism on it. But their board of directors is told, "Everything is fine, we are aware of everything and have it all under control."
Yep, that is why companies expend all the money and effort on risk management; to purportedly find the holes.
The work I do is subsea (think the recent Gulf disaster); you know as well as I do that nothing is infallible. You also know that risk = probability X consequences. Small consequences like sewage on the road will have much less attention (and money) paid to them than large consequences like burning oil rigs sinking to the ocean floor and spewing oil for a few months.
As for the Vitek Boden case, it was basically an inside job by the guy who designed the control system. It was not a virus generated by the Chinese military to help them penetrate and Chernobyl an American nuclear power plant.
Not having worked on a sewage plant, I'll still wager that the shutdown system was not nearly as fault tolerant as you would find on a small GOM wellhead.
You're right – the more intricate a system is, the more opportunities for failure. Most of the time those failures come from human error – or human intervention – Chernobyl is a good example of this.
Unfortunately, insider threats have been and continue to be the number one threat to companies – a statistic that goes unheard. (I'm not usually this cynical)
If someone has access and need, they can get around the system. Australia wasn't State Sponsored, but what would it take to pay/extort the right person?
Of course that leads to the question of who watches the watchers, right?
Food for thought – About once a year we find a rogue wireless router plugged into sensitive networks and these devices often create the (unapproved) cross connection to the Internet as well as all the security issues that come with a wireless network.
That was my point. Usually an oil & gas plant control system isn't physically connected to the outside world. It is a point-of-use network.
I'll wager that even small non-critical manufacturing plants like paper mills won't usually have their control systems on the web. The continued operation of the paper mill might not be critical to the US economy, but it is extremely critical to the company's bottom line.
I think that would be a good study to do. I was in the manufacturing sector 10 years ago, and we were always pushing to make our manufacturing data closer to real time. This increased our abilities in the realm of Just in Time manufacturing, as well as giving customers up-to-date information on their orders. We worked in plastics and rubber, so we tracked from the lot of rubber, to the press it was formed in, to the inspector that inspected the finished product. We gained a number of efficiencies, and now with companies allowing people to work from home, it doesn't seem like a giant leap to allow more of that reporting to be done remotely.
Although I DO see it as a leap to allow, say, the temperature or pressure on a press to be controlled remotely (offsite).
Just goes to show, technology isn't good or evil, just how you use it.
I worked for an IT company that had a Gas & Electric facility as a client. I was their main IT support guy when they needed external help. The SCADA room was locked tighter than a drum and only two people were allowed access to the room. No external incoming lines were allowed in the room and no removable media was ever allowed in the room.
I had to work on the system twice (over like 10 years) and both times I was flanked by the two employees. I don't know if all facilities have security that tight, but I have been in and out of a lot of different types of companies and that was the best I have seen.
They DON'T !!!!
Run some good anti-virus, install firewall hardware and software, and cut the connection of the server to the internet. Use UNIX and FTP and wireless telecommunication for secured communication, email and transfer of data. It is possible these viruses may come from China, or from another foreign entity.
I too work in the Oil and Gas business and have direct contact with our SCADA systems around the world. I would agree that most control systems for plants and such are not directly connected to the internet, but at some point they will need maintenance and/or system upgrades, or even backups. This would introduce a USB, CD, or some other type of media into the control environment with the potential to carry the virus.