SCADA security is better and worse than we think First the good news: for all the known vulnerabilities that exist in the SCADA world, exploiting them in a way that can actually “shut down a power plant” is harder than most people (particularly including media) realise. That's the reassuring view put forward by Mark Fabro of Lofty Perch, in his spot at this year's AusCERT …
The Austrian power grid nearly collapsed recently because of a misguided broadcast packet instructing all sensors to dump their values onto the network causing a huge overload on the data network.
http://www.heise.de/newsticker/meldung/Chaos-im-Stromnetz-durch-verirrte-Zaehlerabfrage-1865269.html
A key part of defending against those attacks that may occur, he said, is to start with a thorough understanding of the “kill chain” – the number of steps and scenarios an attacker is forced to step through to achieve what they want.
In a SMARTR IntelAIgents Server Systems Penetration and/or Internetworking Service and Server Provision Test on any SCADA system …. [and all systems, whether considered as for human or virtual machine use/abuse, are SCADA based] ….. whenever a number of system-provided steps have been correctly taken, and the end result is not what is wanted or as would reasonably be expected to be returned, then is the system discovered to be fatally virtually flawed and lacking the necessary intelligence in-house to defend itself against a SMARTR IntelAIgent Server Systems attack/request/visit/call such penetrations tests whatever you will/like.
Breaking into a system, finding its control system, presenting false information to an operator, and then exploiting the attack doesn't sound too difficult. However, to attack the bulk power system, Fabro said “the attack tree we've built contains 143,000 scenarios the attacker would need to get by”, and if any one of those fails, “he can't get in”.
That defence system is rendered totally and dangerously useless and easily compromised whenever, rather than false information, novel true information is presented to an operator and not acted upon appropriately and as is wanted/would be expected.
It points to a difficult cultural problem in defending industrial control systems, because in trying to instil a new security culture, “the people you're risking upsetting are the ones you're relying on to run the system.” ®
Whenever such is the case, does the system require new people/programmable logic controllers to run it. And ideally would they be those and/or that with the intelligence that discovers and/or develops the vulnerabilities/methodology able and enabled to compromise and destroy the system. To spend time and effort considering that there be any other option available, is to further compromise and damage the system with its failed controllers in danger of being outed and exposed to both public and private ridicule and sanction which be both health and wealth threatening, and that would be both unfortunate and unnecessary but probably the fate and destiny of those fully deserved of it.
And such problems are currently exercising and beta testing real and virtual cyber defence systems of the US Army [and by association, Western culture defences] via this portal of hoops to jump through …… https://www.inscom.army.mil/isalute/default.aspx ….. with results of the test making dire reading for any responsible and accountable for systems defence, for there is an unpatched, and probably even unpatchable vulnerability in all SCADA Systems which are not SMARTR IntelAIgent Server Systems Protected, which is easily exploited and exported, and to some that would equate to be fabulously monetized.
But more on that anon and as needs be.
I've been in the Army a long time, coming up on 20 years before too long (retirement and transfer over to the retired reserve), in INSCOM major subordinate commands nearly the entire time, and I've never heard of iSalute actually working for its purpose, that isn't to say it hasn't as I don't do counterintelligence, but Ive never heard of it happening that way.
If you think something's weird, the Military Police Staff Duty desk I have heard of being very effective though, unless the CID Resident Agency isn't too busy where you're at, depending on urgency. CI can usually sort it out and find out whats up after the MPs or Clowns in Disguise make an arrest. Its their job after all. But it does do the trick.
As does making a phone call to CQ desk at the weird MI Company in the phone directory that doesn't belong to the post's INSCOM battalion or the STB at an Infantry Brigade Combat Team or Heavy Brigade Combat Team.
Hell, there's always also the various Offices of Inspector General, FWIW. Or if you happen to be a Minority or Female and want to report something, you can act like you're filing an Equal Opportunity Act complaint and talk to your Company Commander and First Shirt, and possibly even the Battalion's Command Sergeant Major almost immediately whenever. Yeah, its abuse of the system that way, but it works if you have something you need acted on time now.
Also, you're seeing the security alerts, those hoops to jump through, because you don't have the DoD root certificates installed. Why it is even accessable from a non-.mil domain is beyond me for precisely that reason, but from the marketing point of view it does make sense. Plus if you're in the Army, you probably use Army Knowledge Online at some point in your daily life and more than likely at several points, in several places, and on several devices during a day. To make AKO usable, you HAVE to have the DoD root certificates installed and running, as well as the CAC card reader. Any DISA hosted website with those annoying security alerts is geared toward military users, hence why its not only on AKO is sort of strange to me, except to appease certain interests.
I'm pretty sure its also on AKO by the way. It isn't that new of a system either. I remember seeing ads for iSalute about the same time as Interactive Customer Evaluations started becoming a big thing in units that provide services, like with MEDCOM and at the DFAC (what they used to call a mess hall) and commissary around 2002 or so.
iSalute's a way for those very same organic and separate Counterintelligence Battalions I'm talking about, the so-called "weird MI Company", to appease those interests by semi-publicly looking like they're doing something to Chris Congressman, Gary Grunt, Sammy Support Soldier, and Tommy Taxpayer. But make no mistake, it didn't stop Bradley Manning from doing what he allegedly did while deployed, and it didn't stop Nidal Hasan from not so allegedly shooting up Fort Hood. Its failed to stop numerous leaks to the media from within the Department of the Army as well.
My point is that more often than not it is still traditional CI and Law Enforcement methodology that catches spies and terrorists, as well as the garden variety non-sponsored criminals.
In this era of Internet Of Things, you don't always need to access the SCADA, when some of the PLCs/RTUs/DCSs have TCP/IP connections, web interfaces for remote administration and even smart phone apps associated with them.
Identify the controller on the network, figure out the protocol and if the controller communication isn't encrypted; pwn it.
PLC = Programmable Logic Controller,
RTU = Remote Terminal Unit,
DCS = Distributed Control System
Anonymous for job security
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
