Message-ID: <3F413315.96.AA7366@localhost>
From: cta at hcsin.net (Bernie, CTA)
Subject: SCADA makes you a target for terrorists

Back in the 1998 the warnings were out there but no one wanted 
to hear it. I tried to get people to listen and there reply was 
we have security guards with guns to take care of security.

Now to be fair to SCADA and the Power Plants, there are other 
similar instrumentation monitoring solutions, and some 
installations are secure and well thought out. However, I 
believe that many are not and more importantly management does 
not understand that its all about integrated System Security 
Engineering (or the lack thereof).

Anyone still think the Blackout was an isolated incident?


SCADA makes you a target for terrorists
......Correcting the problem doesn’t have to cost you anything 
but knowing what to do.

by Jared R.W. Smith
Institute of Gas Technology

Your SCADA system makes you an easy target for sophisticated 
terrorists. If you don’t take corrective actions, current trends 
will make you a far more attractive target within the year. 
Welcome to the world of high-speed transactional efficiency, 
where you have to protect your biggest assets through new cyber 
security measures.

Cyber security relates to protecting the communication and 
computer networks of your whole company, including transactional 
and operating controls, against hackers, disgruntled employees, 
and some foreign nationals. It means ensuring that once traders 
or marketers come onto your system through the Web, or hackers 
break into your SCADA system, they can’t read, alter, or destroy 
your records or physical operating controls.

Cyber assaults can be made against your system not just from 
within your company walls, but from thousands of miles away. 
They are electronic attacks, guided by computer-driven programs, 
and empowered by the steps our industry has taken to automate 
and cut costs in today’s highly competitive world. The attacks 
can be launched not only against the gas industry — in fact, the 
gas industry has unique safeguards that make it less vulnerable 
than many vital industries — but against any essential industry 
infrastructure. These infrastructures include banking and 
finance, telecommunications, electric power, transportation, and 
government services, among others. Because these infrastructures 
are now linked with your natural gas system and your service 
territory by automated links, all infrastructures are at risk 
due to each other’s vulnerabilities.

Skilled assailants can go through the existing system of 
passwords and firewalls to break into information systems. This 
same procedure could permit an attacker to give incorrect 
directions to automated units on your SCADA network. The U.S. 
Intelligence Community is aware that it can be done, as are the 
Institute of Gas Technology and the Gas Research Institute. 
Foreign nationals in other countries also know that it can be 
done. Gas companies have detected attempts by unknown outside 
parties to enter utility networks. Presumably, those attempts at 
break-ins are currently just hackers trying to have fun. But not 
necessarily.

There is reason to believe that your computer systems are 
vulnerable. According to the Washington Times, National Security 
Agency officials have run a simulated attack on SCADA systems 
controlling the U.S. power grid as well as military systems. 
They believe they can shut down the electric power grid in a 
number of U.S. cities within days as well as disrupting 
important military communications worldwide by using tools 
available on the Web. This exercise, called Eligible Receiver, 
was performed by a dedicated group, but the NSA and the 
Department of Defense think this may be exactly what industry 
will confront in the coming years. The U.S. Intelligence 
Community believes that the next major war could be fought 
largely through breaking into and taking over the automated 
systems that hold a country’s infrastructures together. Further 
examples can be given. There were computer intrusions into high-
level unclassified military computer systems by high school 
students operating out of California and Israel during a 1998 
Iraq weapons inspection crisis. During Desert Storm, according 
to the London Telegraph, Dutch hackers successfully hacked 34 
U.S. military systems, acquiring U.S. plans, weapons 
capabilities, and order of battle. They then tried to sell that 
information to Sadam Hussein. He did not buy the information, 
thinking it had to be a trick.

Pentagon computers have been significantly strengthened against 
assault since that time, but even before that incident they were 
better protected against assault than today’s SCADA systems. Yet 
these Pentagon computers are linked and communicate via the same 
electronic overlays that your SCADA system operates on.

Do you need SCADA?

Despite that, SCADA is essential to modern business. In fact, 
developing SCADA systems normally allows your company to 
function far more efficiently and safely — and at far lower cost 
— than a simple manually adjusted pneumatic system. These 
systems provide the near real-time data flows needed to operate 
efficiently in a deregulated environment. SCADA provides 
reporting of all transactions to provide permanent financial 
paper trails, and can dynamically adjust the pressure at 
regulator stations and other locations to save you money 
compared to seasonal adjustments. SCADA systems can perform all 
kinds of operations at the discretion of your gas control 
center. Some have artificial intelligence programs built into 
them so that they can perform even more efficiently under normal 
operating circumstances. They save money, and make money for 
your company. They are also increasingly linked: that becomes a 
vulnerability or an asset depending on whether you have the 
information to plan adequately.

While the benefits of SCADA systems are clear, the consequent 
vulnerabilities are less recognized. Very few such systems are 
protected even by passwords — the weakest form of security.

What happens if one encounters an emergency situation in a fully 
linked but unprotected SCADA system? A properly functioning 
SCADA system will provide you with correct data interpretation 
and enhanced capability to respond. But what about a maliciously 
planned emergency brought on by people who are familiar with 
system operations or by outside third parties that are armed 
with sophisticated computer systems knowledge? Well...as long as 
we are able to maintain pneumatic control over our systems, we 
may lose data in a break-in and we may lose control of the 
system, but we won’t be likely to suffer a major system shut-
down under most circumstances. The pneumatic controls of our 
system guard us against the kind of loss of control NSA feels 
the electric grid is faced with. Right? Not really.

The pneumatic controls our systems operate under have protected 
us well. The safeguards built into those systems were evolved 
over many years by engineers and scientist working in both the 
public and private sector. Those safeguards were built for the 
technology of the time, developed over the last several decades. 
They are not adequate to meet the security needs of embedded 
systems in the electronic age. The electronic age allows a 
person with sufficient knowledge to make you think your 
pipelines are at capacity when they are not, that you are 
lowering pressure when you are actually raising it at remote 
locations, or that there is nothing wrong on your system when in 
fact your system is failing. And if your system gives your 
operators incorrect information, they will take inappropriate 
actions, either manually or via remote command.

Safe operations

That is why the Gas Operations and Infrastructure Center, 
jointly formed by IGT and GRI, is working extensively with the 
U.S. Intelligence Community in partnership with gas company and 
manufacturing company members to develop new, safe operating 
practices and equipment standards that will protect the industry 
and its customers. This center is currently working with the 
Technical Support Working Group and other government entities to 
ensure that secure encryption capabilities combined with secure 
protocols and operating practices are developed to harden the 
gas industry against cyber attack. We are also testing the 
resulting technology developments in our laboratories and 
planning field tests conducted in combination with members, to 
make sure that adaptations we recommend do not slow the speed of 
transaction or hinder operating efficiency. These technologies 
and procedures will also harden the industry against 
vulnerability to natural hazards like earthquakes and floods. 
Most importantly, the work we will be initiating with standards 
setting groups like IEEE and ANSI, combined with our 
communications with the manufacturing sector, will ensure that 
the cost of developing these safeguards will be very small. The 
key to this low-cost approach will be that they will be built 
into all automated systems as these systems are developed.

The wonder of SCADA systems, and of all automation, is that the 
communications and computing components of the systems are 
similar enough that they are able to intercommunicate for the 
sake of efficiency and replaceability, whether for gas or 
electric. That means manufacturers and users in both industries 
have to deal with the same issues, and that drives down costs. 
If your manufacturers understand these issues, they will support 
them. It lowers their costs, your costs, and your potential 
liabilities.

Whatever we do as an industry to protect ourselves and our 
customers has to be done now, during a narrow window of 
opportunity. Fully automated system units are being placed in 
the field right now. Their integration with your overall system 
is increasing every day. If these systems do not include 
sufficient safeguards, they will be expensive to retrofit. The 
company that waits loses money. How much money do you have at 
stake in each of your automated units? How much property are 
those units protecting with what cost for protection, when each 
unit is a potential gateway into the rest of your company? Each 
company will ultimately decide for itself. The Gas Operations 
and Infrastructure Center can provide you with the information 
you need for informed decisions. We hope also to give you the 
information you need to make sure your suppliers and contractors 
can cover your vulnerabilities. We will have the technical fix 
in place in the field within one year. That is just about when 
you need it.

IGT is offering a five-day technical course that gets into 
algorithms, protocols, standards, and other vital concerns you 
have to deal with in developing a fully integrated and fully 
competitive system. It is being developed in combination with 
the U.S. Intelligence Community and the natural gas industry, 
and will be offered February 15 through 19 at IGT Headquarters 
in Des Plaines, Illinois. Participants will be exposed 
throughout that period to the industry scientists working on 
these issues, as well as have the opportunity to visit the 
laboratories where the work is taking place. More importantly, 
participants will come to realize how to combine these 
safeguards with the economic need companies have to properly 
integrate their automation technology for growth and competition 
in the years ahead.

If we move ahead with these issues today, they will be a central 
part of our operating plans and our emergency response plans 
tomorrow. They will be an integral part of how you do business, 
based on your own internal risk assessments as to how these 
issues impact your IT and MIS functions, along with your 
operating functions.

Jared R.W. Smith is associate director of the IGT and Gas 
Operations and Infrastructures Center.

Reprinted from Gas Utility & Pipeline Industries Magazine
October 1998-
****************************************************
Bernie 
Chief Technology Architect
Chief Security Officer
cta@...in.net
Euclidean Systems, Inc.
*******************************************************
// "There is no expedient to which a man will not go 
//    to avoid the pure labor of honest thinking."   
//     Honest thought, the real business capital.    
//      Observe> Think> Plan> Think> Do> Think>      
*******************************************************

Powered by blists - more mailing lists