Here’s a podcast worth a listen. Brian Contos @ Imperva interviews Joseph Weiss on the topic of control system security.
- "Running the operational systems comes before any security requirements."
- "Power [industry] does not take this seriously"
- "Are we more secure [than 10 years ago]? No."
- Systems that run Windows 95 and NT 4.0 even after the upgrades.
- Can't patch them without breaking them.
- Custom written TCP stacks that crash when you ping them.
- Field devices with built in bluetooth or wireless modems
- Bolted-on security. Very old platforms, not designed with security in mind.
- Two cyber incidents on systems with brand new control systems. Very significant equipment damage.
- Significant environmental discharge. Three deaths.
I have no particular knowledge of this general topic, other than a couple decades ago I made a living programming CNC machine tools, wrote a textbook on the topic, and occasionally played with PLC's. Oh - and I tried to write a Windows 3.x app that communicated with HART field instruments at 1200 baud. That was pre-internet, pre-almost-everything. You can see from the 30-year-old pic of me that we were hardly advanced past stone knives and bear skins.
Starting from the point of view of someone with almost no knowledge here’s my-
A bunch of years ago when I lived in a small town, I woke up one winter morning to a cold house, no heat and no hot water. A bit of investigating and a knock on the door from a city utility worker cued me in to the cause. A couple teenagers thought it would be amusing to climb over a fence and put a big wrench on a big valve and shut off the main natural gas line coming into town. It didn't take long for the underground gas distribution pipes to empty out and run the whole town out of natural gas. This ended up being much more than an amusing prank. The city utility workers had to:
- shut off and lock the gas meter at every house and business in town. Gas meters in older houses were still indoors, so the workers had to get access to those houses. (a couple days work)
- re-fill the pipeline and city distribution network
- go back to every house and business, contact the residents, locate every gas appliance in each house, turn on the gas to the house, re-light and test each appliance. (a couple more days work)
The tasks needed to be done serially. In other words, until all the gas was shut off, no gas lines could be re-pressurized. If memory serves me correctly, I had no gas, stove, heat or hot water for 3 or 4 days in late winter (in Minnesota, where winter is really winter) This was a minor incident, nothing more than a prank gone bad, but one with significant downstream consequences. Safely restoring service after a simple prank took significant resources and disrupted an entire community.
CNC machine tools and industrial robots, most of which are now networked, can be damaged easily by a simple bug in their programming, and when damaged can take weeks to repair (don't ask me how I know…).
Programmable road signs apparently are amusingly easy to re-program.
If a bad guy can embed a trojan at the heart of a payment processor network, then presumably doing the equivalent with the networks that control infrastructure like power, water, chemical, oil and similar facilities shouldn't be much more difficult. The consequences though, could be far worse. Nobody dies when their payment card gets caught up in fraud.
If you are going to declare cyber war on a nation, don't play around with network DDOS's. They are annoying and disruptive, but the damage is transient and whatever service was disrupted is easily restored after the attack. Servers reboot, routes heal, big deal. 'Rebooting' a pipeline, refinery, or similar infrastructure is non-trivial, and repairing physical damage caused by disrupting complex control systems is orders of magnitude more expensive and difficult than repairing virtual damage from hacking web sites or DDOS'ing political entities. Crank around on the PLC's that control the valves that mix things together in a municipal water system, refinery or chemical plant and really bad things that hurt real people can happen.
In a recent Schneier post, Bryan Singer commented:
I feel pretty confident in saying that any of us that have been working in this space for any time probably have the knowledge required to stop a significant amount of manufacturing, disable infrastructure, stop utilities, turn off the lights, water, etc without a lot of effort. If we know how to do it, so do the proverbial "bad guys" (or they shortly will).