Archive for May, 2009

SCADA Mobile !! – They must be joking

May 28, 2009

A couple of posts that I read on SCADALIST sounded the alarm inside my head. For some time now I have been following the news, reports and analysis of SCADA web/remote access, which is now becoming a standard feature in nearly all new SCADA/DCS packages.

The posts I quote below say that Orlando’s Iron Bridge water facility actually allows remote “management”, not just “monitoring and reporting”, from personnel homes and from mobile notebooks. I would certainly like to take a look at their endpoint security and at how they secured and audited the physical security of the personnel’s living rooms and bedrooms.

PS: the software used (Siemens WinCC SCADA software) now supports Microsoft Vista and comes with a pre-installed MS SQL Server.

“The reach of our networks has grown 10 times over in the last two years, as we’ve expanded our ability to monitor and manage the whole system 24/7 from just about anywhere using WinCC SCADA software.”

“Secure remote monitoring means I can respond to a trouble call in the middle of the night by simply tapping into any of the treatment facilities from home or wherever I am. It’s amazing,” said Mecabe.

Full Article (HERE)

And then an article about SCADA and BlackBerries:

“Ed Yachimiak is the senior SCADA analyst at a large Midwestern utility. His company operates 35 sites, each with its own PI Historian from OSIsoft that gathers and aggregates control data for enabling better-informed business decisions. This platform architecture was augmented by the addition of mobile device dashboard technology from Transpara that enables anyone anywhere to gain visibility to role-defined information 24/7. “Information on plant status and power generation schedules is available on their Blackberries whenever they request it,” Yachimiak says.”

Leaving aside the security and confidentiality issues around the BlackBerry and RIM mail infrastructure, the post raised a good question: is this information available to energy traders too? Coming from the oil and gas sector, I know that some oil and gas companies allow this type of mobile reporting. But what if one of these devices got lost somewhere (nobody is even talking about corporate espionage, insider trading, etc.)? How badly could the leaked email/info affect the oil and energy market?

Full article (HERE)

TOP 10 SCADA Security Threats

May 25, 2009

According to a Control Engineering article published in 2007, the top 10 SCADA/DCS threats are:

1. Inadequate policies, procedures, and culture governing control system security.
2. Inadequately designed networks with insufficient defense-in-depth.
3. Remote access without appropriate access control.
4. Separate auditable administration mechanisms.
5. Inadequately secured wireless communication.
6. Use of a non-dedicated communications channel for command and control.
7. Lack of easy tools to detect/report anomalous activity.
8. Installation of inappropriate applications on critical host computers.
9. Inadequately scrutinized control system software.
10. Unauthenticated command and control data.

NERC and the NSTB (National SCADA Test Bed) issued proposed mitigations and recommendations addressing each and every threat on the list above (the Top 10 Vulnerabilities Mitigations document can be downloaded HERE). Thanks to NERC/NSTB.

Insider steals $9M from a California-based water company

May 20, 2009

I was reading a news report about how an auditor at the California Water Service Company in San Jose broke into the company’s computer system and transferred $9 million into offshore bank accounts and fled the country, or so they think.

It’s a very interesting story, but what strikes me is that this insider was able to work at a critical infrastructure company without being a US citizen or having any legal status that would allow him to work anywhere. The news article mentioned that “Abdi is not a U.S. citizen and was ordered deported to Somalia in 2005”.

But what’s really funny is that they have no idea of his whereabouts, or whether he actually left the country.

Jose Garcia, the public information officer at the San Jose Police Department, said “Due to the ongoing investigation, the police department could not confirm Abdi’s legal status in this country or if he fled the country.” How clever is that.

A colorful bonanza of possible security breaches:

– No background checking
– No security clearance
– Lack of proper financial controls over critical/financial systems
– Abdi was seen by a janitor on the night of the crime.

The Full article is HERE

CISCO and Google Going SMART

May 19, 2009

Further news about big IT players entering the heavily funded smart grid market: Cisco officially unveiled its first end-to-end smart grid solution and strategy (HERE). The networking giant’s official press release states that:

“Cisco’s plan establishes a complete communications fabric from electrical generation to business and the home based on Internet-Protocol standards. This will build intelligence, resiliency and two-way communications into an electricity distribution system that has been traditionally fragmented”.

My comments on the news:

– Cisco’s purchase of Pure Networks allowed them to acquire the rights to HNAP (Home Network Administration Protocol), which will allow home appliances to talk to and connect with each other seamlessly. Think of it as UPnP meeting Apple’s Bonjour. This helped them offer a complete end-to-end solution.

– Google’s recent venture investment in the much-talked-about smart grid networking specialist Silver Spring signaled a genuine intention to compete in the lucrative smart grid space.

– The Google and GE partnership for the smart grid plug-in, allowing you to watch your home appliances’ energy consumption online (see my post on May 7th about the topic: IT-powerhouses-sees-the-smart-grid-as-a-booming-business).

– The US stimulus package will inject $11 billion into the smart grid as research and implementation funds within the next few years.

I can only say that a vulnerability in your Chrome browser or IP softphone can make you lose all your money, but a vulnerability in the mission-critical systems running the energy sector can cause millions of people to suffer a complete blackout and perhaps cost human lives. Are we as an IT industry ready for a challenge where patching might simply be too late?

2003 US-Blackout

After Kylin-OS expect China’s very own Secure Hardware

May 18, 2009

In today’s networked cyber world, it’s perfectly normal for self-aware countries to invest in developing in-house cyber capabilities. Even if you are a nation that is not mobilizing itself for cyber war, giving your critical infrastructure a good head start “security-wise” by standardizing on a non-Windows system is a justified and conscious decision.

Recently, some media outlets claimed that the recent Washington Times report about Kylin-OS (see my posts below) is unsubstantiated and has contributed to hype without proper research. Those claims are simply untrue and misinformed.

According to the annual DoD report (Annual Report to Congress on the Military Power of the People’s Republic of China), which has been issued every year since 2002, China is developing a secure OS and its very own secure microprocessor, among many other cyber capabilities.

According to the same DoD report, the PLA (People’s Liberation Army) is “investing in electronic countermeasures, defenses against electronic attack (e.g., electronic and infrared decoys, angle reflectors, and false target generators), and Computer Network Operations (CNO). China’s CNO concepts include computer network attack (CNA), computer network exploitation (CNE), and computer network defense (CND). The PLA has established information warfare units to develop viruses to attack enemy computer systems and networks, and tactics and measures to protect friendly computer systems and networks. In 2005, the PLA began to incorporate offensive CNO into its exercises, primarily in first strikes against enemy networks.”

Having said that, a Chinese article published on May 15th claims that they are far from happy with what they have achieved over the past 5 years in terms of innovation:

“According to Ni Guangnan, China spends tens of millions of RMB each year on Linux development.
So far, five companies have been set up to develop Linux. The government invested millions of RMB to help establish them and has spent millions more supporting them. However, the only progress that seems to have been made by the Chinese companies is in product imitation, and this provides no return on such a huge investment.” Full article in English (HERE)

More DoD reports on China can be found at (

Is Risk Management a Flawed Principle?

May 18, 2009

After running several complex, sector-wide risk analyses and assessments over several years, I have become totally convinced that whatever method you follow to conduct your risk management (quantitative or qualitative), you will “at best” end up with a reasonably good understanding of the actual risks, but never a complete, comprehensive one.

It’s simply because all risk assessment methods have something in common: the human beings involved throughout the process (enumerating, evaluating, conducting, checking, auditing, etc.). We as humans have natural shortcomings when it comes to judging risks, because:

– We over-react to immediate threats and under-react to long-term threats. (s1)
– We under-react to changes that occur slowly and over time. (s1)
– People exaggerate spectacular but rare risks and downplay common risks. (s2)
– People overestimate risks that are being talked about and remain an object of public scrutiny. (s2)

Sources: s1: “Stumbling on Happiness” by Daniel Gilbert, psychology professor at Harvard; s2: Bruce Schneier’s “Beyond Fear” (pages 26-27).

So I was quite content when I came across this very insightful podcast (by the CERT Coordination Center) discussing this exact issue.

The podcast’s argument is simply that risk assessment (RA) as we know it is inaccurate, ends up causing more problems and overlooks others, and that we should instead go for standards/compliance checking based on accumulated experience, best practices and bodies of knowledge.

I end by quoting one analogy that I liked from the podcast transcript (the CERT podcasts are also available on iTunes):

“I kept looking for more analogies, analogies where the systems that we needed to measure for safety in the physical world we inhabit are really hard to measure.
And that took me to food safety actually. It took me to thinking about how do you know whether or not it’s okay to eat in a particular restaurant. We’ve got a real measurement problem there because you can’t measure all of the food that comes out of a kitchen, it would be completely impractical. And yet it’s really, really important to know that food is being prepared in a safe way because if you don’t prepare food safely then people can be badly hurt. And so I started thinking about what is the essence of our public health system when it comes to food safety in particular?
Restaurants actually have more similarities to the kinds of business that we encounter in the digital world than you might think. Restaurants are a tough business to be in. There’s a lot of competitive pressure in them and there’s a lot of opportunities to make mistakes. I’ll tell you the thing that people don’t leap to immediately when I give them this analogy is they don’t think about the fact that restaurants are actually constantly under attack.

And they’re under attack by a global threat. And those global threats are diseases and they’re global because our food supply is global. And those diseases are adaptive. They might not adapt quite as quickly as new viruses pop up on the Internet but they do change. And so I started thinking about “Well how do restaurants make sure they’re safe?” And they make sure they’re safe by really checking the processes they use to prepare food. As opposed to trying to measure the end result, they measure the process by which they achieve that result. And I think that’s the same thing we need to do for software. We need to be looking at the processes used and make sure that best practices are used in the preparation of that software.” – End quote.

Keeping Cloud Computing Secure

May 17, 2009

With this trend continuously on the rise (Google Apps, Panda Security’s Cloud Antivirus, etc.), working in the cloud means that you are sharing your information and data with the service provider as well as with other customers, who “might as well be competitors”. I’m not implying that your security and privacy are at risk, but nevertheless a cloud computing user must be vigilant.

In the Google Apps Terms of Service I came across the limitation of liabilities section (HERE), which basically states that “Google disavows any warranty or any liability for harm that might result from Google’s negligence, recklessness, malevolent intent, or even purposeful disregard of existing legal obligations to protect the privacy and security of user data.” Take a minute to think about it, then continue reading.

A question arises: who checks the security of the cloud providers?

In recent weeks I have read many articles discussing this issue, and most of them agreed that a cloud computing user must consider the following:

– Encrypt the data
– Replicate the data
– Keep detailed security logs
– Check the service’s compliance with SAS 70 and/or HIPAA if you work with medical records
– Check the SLAs, particularly the security/privacy provisions

More about the topic can be found in the following articles:

– How to Keep Cloud Computing Secure (HERE)
– Who will check the security of cloud providers? (HERE)
– The Cloud Security Alliance (HERE)

PS: I have attached a decent security guide called “Security Guidance for Critical Areas of Focus in Cloud Computing”, produced by the Cloud Security Alliance.

Your Medical Records Are Worth $1.2

May 15, 2009

The Virginia Prescription Monitoring Program’s website has been hacked. The hackers copied about 8.3 million patient records and medical prescriptions, then deleted the originals and the backup copies.

The stolen records included: name, age, address, social security number, driver’s license number.

The hackers asked for a $10M ransom and gave the government 7 days before selling the records to the highest bidder.

– In The Register (HERE)
– In FOX News (HERE)

It continues to amaze me how the underground economy under-prices huge databases of personal medical records. Google is offering the Google Health service, where you can post and share your medical records with your doctor, pharmacy and family (HERE), for “free”, in return only for the right to generate statistics out of our anonymized data, as mentioned in the service’s privacy policy: “Google will use aggregate data to publish trend statistics and associations” (complete policy HERE). It’s no secret that those real-world statistics are of interest to many governments and/or corporations.

-Quick Notes-

The new US administration has identified digitizing health/medical records as a priority to lower health costs and improve health care.

Aneesh Chopra, Virginia’s Secretary of Technology, has been tipped to serve as the nation’s chief technology officer (CTO). Some people will surely ask him for explanations. (My question would be: where is the offsite backup?)

Pirated Windows 7 RC Builds Botnets

May 15, 2009

According to security firm Damballa, a pirated copy of Windows 7 infected with a trojan, which first appeared on the internet on April 24th, is spreading at a rate of 1600 installations/day.

The trojan-infested copy spread as quickly as several hundred new bots per hour, and the botnet controlled roughly 27,000 bots by the time Damballa took over its command and control server on May 10, the firm said Tuesday.

With Damballa taking over the command and control center on May 10th, the botmaster’s control is now limited to machines infected prior to that date.

The trojan is primarily designed to download and install other malicious packages under a “pay-per-install” scheme, in which the botmasters are paid based on the number of other pieces of malware they cause to be installed, Damballa said.

Network World article (HERE)
CNET article (HERE)
Dark Reading article (HERE)

Damballa’s BotNet Risk Calculator (HERE)

Categories: SCADA Security

Helping Power Plant Control Systems Achieve NERC CIP

May 14, 2009

In a recent issue of “Power Energy News”, an article featured a guide aimed at helping power plants meet NERC standards. The guide was introduced by its author as one that “offers suggestions from a control system engineering perspective for protecting power-generating units that are determined to be critical cyber assets”.

The guide (HERE) suggests products like Unified Threat Management systems (UTMs) and Security Event Management systems (SEMs) as perfect install-and-forget solutions, which is not the case, for many reasons:

– UTM and SEM implementations are complex and not easy to set up and configure properly in normal IT environments, let alone in mission-critical environments that often include a mixture of legacy and modern systems, wired and wireless networks, WANs, and remotely deployed sensors.

– Early adopters have already voiced their dismay that these technologies hinder them in meeting their business objectives. So industry experts and policy makers still need to find the right balance between security and usability.

Further reading:
– NERC CIP standards (HERE)
– Comparison between the NERC CIP standard and the CIP 002 to 009 standards (HERE)