It’s a Swiss cheese world, and everything talks to everything else.
Back in 2000 this fact was only exploited for fun and games… or at least for “frustration and revenge.” Between January and April 2000, a disgruntled former contractor who had helped install the SCADA system (“supervisory control and data acquisition,” the remote control and telemetry gear used to run industrial plants) at Maroochy Water Services on Queensland’s Sunshine Coast, Australia, used radio equipment and a laptop to issue his own commands to sewage pumping stations. Hundreds of thousands of litres of raw sewage ended up in local parks and waterways and on the grounds of a resort hotel.
The contractor-turned-hacker caused havoc for roughly three months before being arrested by Queensland police and sentenced to two years in prison. At the end of the day it was annoying and smelly and an affront to nature, but not a cause for international alarm.
Then came Stuxnet, bringing the realization that a highly refined piece of custom malware, delivered by ordinary means such as infected USB drives, could sabotage a complex industrial process with relative impunity. In fact, it could derail a government-funded, highly strategic project: Iran’s uranium enrichment program. Stuxnet went after programmable logic controllers and the Siemens engineering and supervisory software used to program them rather than a classic remote-telemetry SCADA network, but it remains the prime example of how the systems managing our industrial and manufacturing infrastructure can be transformed into powerful tactical weapons.
Last Friday, a report in the Washington Post indicated that a foreign government may have hacked into a municipal water facility in Illinois with the express goal of compromising SCADA systems:
“On Nov. 8, a municipal water district employee in Illinois noticed problems with the city’s water pump control system, and a technician determined the system had been remotely hacked into from a computer located in Russia,” said Joe Weiss, an industry security expert who obtained a copy of an Illinois state fusion center report describing the incident.
Two important things to take away:
- SCADA devices are everywhere
- They just weren’t made for a world where everything talks to everything else
On the first point, a short list of the things managed by hackable SCADA devices now includes:
- Transportation systems
- Oil and gas pipelines
- Water and sewage systems
- Energy systems
- Heavy manufacturing systems
Exploits in any of these areas can have profound and potentially long-lasting impacts that are just downright scary, no matter how objective and rational I try to be.
On the second point, that SCADA devices weren’t made for a world where everything talks to everything else, there are increasing concerns:
- The assumption that SCADA devices and the systems they monitor will be walled off from the rest of the world is no longer valid (again, it’s a Swiss cheese world)
- In a world where everything talks to everything, no device is “above suspicion” – SCADA devices need continuous monitoring
- The risk that an onboard (or closely adjacent) monitoring agent might disturb a SCADA device no longer outweighs the risk of leaving that device unwatched and open to compromise
- The onus is on SCADA manufacturers and security solution providers to work together to make sure that the systems can do their job while being continually monitored for tampering
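As an added example (not code from the original post or from Tripwire), here is a small Python monitor that illustrates the two points above at once: the protocol point and the monitoring point. It assumes a pump station that speaks Modbus/TCP, which the post does not specify, and uses constructed frames, IP addresses and register meanings. The frame builder shows that a Modbus write request carries no authentication field at all, which is exactly the “not made for a world where everything talks to everything else” problem; the monitor then applies the kind of baseline continuous monitoring needs, namely which hosts may write, which registers matter and which values are sane.

```python
"""Added example for this post; not code from the original article or Tripwire.
Assumes Modbus/TCP (the post names no protocol); all frames, hosts and register
meanings below are constructed for illustration."""
import struct
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

READ_HOLDING_REGISTERS = 0x03
WRITE_SINGLE_REGISTER = 0x06
WRITE_MULTIPLE_REGISTERS = 0x10


@dataclass
class ModbusRequest:
    src: str                      # source IP from the (constructed) capture
    transaction_id: int
    unit_id: int
    function: int
    address: Optional[int]
    values: List[int] = field(default_factory=list)


def mbap(tid: int, unit: int, pdu: bytes) -> bytes:
    """MBAP header: transaction id, protocol id (always 0), length, unit id.
    Nothing in the header or the PDU identifies or authenticates the sender."""
    return struct.pack(">HHHB", tid, 0, len(pdu) + 1, unit) + pdu


def build_write_single(tid: int, unit: int, addr: int, value: int) -> bytes:
    """Function 0x06: write one holding register (12 bytes on the wire)."""
    return mbap(tid, unit, struct.pack(">BHH", WRITE_SINGLE_REGISTER, addr, value))


def build_write_multiple(tid: int, unit: int, addr: int, values: List[int]) -> bytes:
    """Function 0x10: write a block of consecutive holding registers."""
    qty = len(values)
    pdu = struct.pack(">BHHB", WRITE_MULTIPLE_REGISTERS, addr, qty, 2 * qty)
    return mbap(tid, unit, pdu + struct.pack(">%dH" % qty, *values))


def parse_request(src: str, frame: bytes) -> ModbusRequest:
    """Decode the MBAP header and the PDU of the request types we police."""
    if len(frame) < 8:
        raise ValueError("frame too short")
    tid, proto, length, unit = struct.unpack(">HHHB", frame[:7])
    if proto != 0 or length != len(frame) - 6:
        raise ValueError("malformed MBAP header")
    fc = frame[7]
    if fc in (READ_HOLDING_REGISTERS, WRITE_SINGLE_REGISTER):
        addr, word = struct.unpack(">HH", frame[8:12])
        values = [word] if fc == WRITE_SINGLE_REGISTER else []
    elif fc == WRITE_MULTIPLE_REGISTERS:
        addr, qty, count = struct.unpack(">HHB", frame[8:13])
        if count != 2 * qty or len(frame) != 13 + count:
            raise ValueError("bad write-multiple byte count")
        values = list(struct.unpack(">%dH" % qty, frame[13:13 + count]))
    else:
        addr, values = None, []
    return ModbusRequest(src, tid, unit, fc, addr, values)


# Constructed baseline: register -> (min, max). 100 = pump speed setpoint in
# rpm, 101 = valve position in percent. Only the engineering workstation may write.
BASELINE = {100: (0, 1500), 101: (0, 100)}
AUTHORIZED_WRITERS = {"10.0.5.20"}


def check_request(req: ModbusRequest) -> List[str]:
    """Return alerts for a single request; reads never alert."""
    alerts: List[str] = []
    if req.function not in (WRITE_SINGLE_REGISTER, WRITE_MULTIPLE_REGISTERS):
        return alerts
    if req.src not in AUTHORIZED_WRITERS:
        alerts.append(f"write from unauthorized host {req.src}")
    for offset, value in enumerate(req.values):
        reg = req.address + offset
        if reg not in BASELINE:
            alerts.append(f"write to unmonitored register {reg}")
            continue
        lo, hi = BASELINE[reg]
        if not lo <= value <= hi:
            alerts.append(f"register {reg} set to {value}, outside {lo}-{hi}")
    return alerts


def monitor(capture: List[Tuple[str, bytes]]) -> List[Tuple[Optional[int], List[str]]]:
    """Run every (src, frame) pair through the policy; unparseable frames alert too."""
    findings = []
    for src, frame in capture:
        try:
            req = parse_request(src, frame)
        except ValueError as exc:
            findings.append((None, [f"unparseable frame from {src}: {exc}"]))
            continue
        alerts = check_request(req)
        if alerts:
            findings.append((req.transaction_id, alerts))
    return findings


# Constructed capture: two legitimate setpoint changes, two writes from an
# outside host, and one in-range host pushing an out-of-range pump speed.
SAMPLE_CAPTURE = [
    ("10.0.5.20", build_write_single(1, 1, 100, 900)),
    ("10.0.5.20", build_write_single(2, 1, 101, 40)),
    ("203.0.113.77", build_write_single(3, 1, 100, 1500)),
    ("203.0.113.77", build_write_single(4, 1, 101, 0)),
    ("10.0.5.20", build_write_multiple(5, 1, 100, [2000, 40])),
]

if __name__ == "__main__":
    for tid, alerts in monitor(SAMPLE_CAPTURE):
        print(tid, "; ".join(alerts))
```

The device itself would have accepted all five writes; the outside host's frames are byte-for-byte as valid as the workstation's. Only the monitor, with a baseline of who may write and what values make sense, tells them apart, which is the point of the list above.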
One thing’s sure: In a Swiss cheese world, isolation is neither an option nor a defense.
If you’re interested in how Tripwire addresses SCADA monitoring, here are some resources: How NERC Entities Can Secure Their Critical SCADA Devices with Tripwire (podcast); Shedding Light on Smart Grids and Cyber Security: New Standards to Keep Them Smart and Secure (white paper)