FORWARD BASE B

"Pay my troops no mind; they're just on a fact-finding mission."

SCADA: Vital utilities vulnerable to hacking

Undertaken by the Dutch research lab TNO Defence, based in The Hague, the water industry study examined the security measures taken by the 10 companies that control the Netherlands’ drinking water. At issue are the Supervisory Control and Data Acquisition Systems (SCADAs) which, at a water plant, control processes like water intake, purification, quality control and pumping to homes.

A SCADA sends instructions to shopfloor machines like pumps, valves, robot arms and motors. But such systems have moved from communicating over closed networks to a far cheaper conduit: the public internet. This can give hackers a way in. Eric Luiijf of TNO Defence and his colleagues found a litany of insecure “architectural errors” in the waterworks’ SCADA networks (International Journal of Critical Infrastructure Protection, DOI: 10.1016/j.ijcip.2011.08.002).

Some firms did not separate their office and SCADA networks, allowing office hardware failures, virus infections and even high data traffic to potentially “bring down all SCADA operations”. While remote internet access to SCADAs is supposed to be possible only with strict security controls, the researchers found this was often not the case. And some water firms allowed third-party contract engineers to connect laptops to their SCADA network with no proof they were running up-to-date antivirus software. Indeed, it has emerged that a US contractor logging on to check the Illinois water plant from Russia, while he was away on holiday, was behind the Illinois ‘Russian hacker’ scare.

This was compounded by news of the hack at the Texas water plant, where on 20 November a hacker named “prof” gained access to the plant’s systems using a three-character default password on an internet-accessed SCADA made by Siemens of Germany. “No damage was done to any machinery; I don’t really like mindless vandalism. It’s stupid and silly. On the other hand, so is connecting your SCADA machinery to the internet,” he wrote on the Pastebin website.

One of PRECYSE’s main approaches to securing systems will be “whitelisting”, a way of ensuring only authorised users obtain access. This is the opposite of the approach used by antivirus software. “Instead of hunting for malicious code, as in an antivirus blacklist, this only lets the known good guys connect,” says security engineer Sakir Sezer at Queen’s University Belfast in the UK. Unusual behaviour – such as attempting to extract the control codes used to drive equipment – would also mean access is blocked. Deep-packet inspection, normally used to spot copyrighted material on the net, could be harnessed to ensure no attack code is injected.
