Message-ID: <200308151548.09701.dr@kyx.net>
Date: Fri, 15 Aug 2003 15:48:09 -0700
From: Dragos Ruiu <dr@....net>
To: "Geoff Shively" <gshively@...x.com>, <bugtraq@...urityfocus.com>
Subject: Re: CNN: 'Explores Possibility that Power Outage is Related to Internet Worm'
On August 15, 2003 11:21 am, Geoff Shively wrote:
> This email was originally posted to bugtraq early on in the 'crisis' but
> due to obvious congestion and instability issues it wasn't posted for a
> while.
>
> Since this post I have done much research on SCADA, DCS, and HMI
> (Human Machine Interface) systems. These systems run primarily
> on Windows and rely on RPC for remote monitoring. If this doesn't
> sound like an overwhelming coincidence then I don't know what does.
>
> [ http://216.239.37.104/search?q=cache:w7lnOBBrPxUJ:st-div.web.cern.ch/st-div/ST2001WS/Proceedings/Session42/Sollander.pdf+SCADA+Windows+RPC&hl=en&ie=UTF-8
>
> "The data transmission layer is used to transport data from the equipment
> to at least one controlor monitoring application. This is usually done by
> remote procedure calls (RPC) or a middle-wareover a TCP/IP network."
> - CERN ]
>
> There has been much talk about this on DShield and Full Disclosure if
> anyone is interested in reading more.
While I have bid on a power system network audit, I haven't specifically
done one, so this is conjecture.... but somewhat informed conjecture.
Re: SCADA vulnerabilities
Yes you might have SCADA vulnerabilities... but in the power system
SCADA is used for data collection and measurement only not control.
This is at least the case in western Canada; YMMV, but I believe this is typical of
other systems. The power routing is still done by humans flipping
(really freaking big) switches - or starting turbines or turning hydro
valves. There are lots of physical procedures and safeguards in the
system too. And people think carefully about those decisions, because
the fines and regulatory penalties for being out of spec are measured
in tens of thousands of dollars per minute.
You might be able to interfere with the data going into the power
NOC and fool the operators into making the wrong phone calls.
But arguably you would need to know a lot about the design of the
system and specific procedures and policy to create an outage
this way.
As far as I know there are no (or few) network based feedback loops in
typical power system. Breakers pop at predetermined points, the system
parameters are fairly static. In the western Canadian system, operators
review power demand and capacity on an hourly basis, and make the
appropriate routing decisions (and output levels of variable output
plants) and adjust capacity by bringing plants on line or adjusting
network topology to keep system stability.
As an interesting factoid, in the directives list for power NOC engineers,
the prime directive is network stability (crucial for interconnected systems
outside theirs), and delivering power to customers comes lower in the list.
Unlike the internet, the power system is a network that delivers a very stable
commodity: 60Hz, 110 volts. There are no router-like components that
dynamically adjust paths, and capacity based on any measured
data. All the collection and info feeds back to a control center where a
human operator adjusts simulations first, and then when that's checked
by another engineer on other simulations the configuration is "downloaded"
into the system via telephone to regional operators. The dynamic components
are like breakers, primarily binary on/off devices with fixed trigger
parameters not things adjusted constantly by a processor based on
network input. Power system switches are big physical things typically
moved by burly technicians, rather than a packet sent remotely by a
distant button or software.
If the control network goes away, the systems will default to stable
(but not necessarily optimal) presets in the equipment I'm aware of.
Similarly if communications outages occur, the regional operators
have fallback stances in "safe" configurations. Unlike the internet,
reliability engineering and audits are a big concern in power system
engineering. The engineers there do their best to make sure that
the result of any or all of the components failing does not equal
"no power for anyone". Also, unlike the internet, power engineers _do_
consider "what if" scenarios for any individual component failing.
From my knowledge there could be areas of vulnerability
in power distribution that might concern me (none of which I will
discuss) if I were building an attack tree. However, network-based
disruption does not rank very high on my concern list.
If I really wanted to create a power outage, my tool of choice would
be a chainsaw, not network packets :-).
(News at 11: Chainsaws Banned because of potential terrorist threat :-)
cheers,
--dr
(Caveats, and Disclaimers:
I used to be a vms admin and developer at a power company R&D lab in uni.
Interestingly, one of the things I worked on was outage crash dump loggers.
I have visited multiple power NOCs and have some knowledge of their
procedures. My now retired father used to manage the power distribution
system in western Canada, and my conclusions are based on information
thusly gleaned over time. :-)
--
Top security experts. Cutting edge tools, techniques and information.
Tokyo, Japan November, 2003 http://www.pacsec.jp
pgpkey http://dragos.com/ kyxpgp