Archive

Posts Tagged ‘SCADA’

The Middle East Joins the SCADA / ICS Standards Foray

April 15, 2012 1 comment

The oil rich countries in the Middle East depend on Industrial Control Systems (ICS) to run the Energy sector which is responsible in average for generating around 70-90 % of the national GDP. and ultimately providing around 40% of the world’s total energy consumption.

Since STUXNET news surfaced 18 month ago, the region has witnessed not less than 20 different information and cyber security conferences that addressed the topic and highlighted the ICS security issue as a monumental risk to the GCC region in particular.

The Kaspersky chart below show STUXNET infection rates in the GCC countries,(UAE,Saudi,Kuwait,Bahrain,Qatar and Oman).

STUXNET in Middle East

and recently the state of Qatar through the national CERT issued the region’s first national level ICS security Guidelines in Arabic as well as an English translated version. currently the document “planned to be updated annually” is not mandatory but the document’s roadmap is likely to see a change in the next few years.

You can download a copy of the English translation here (Download)

Press Coverage – Here

Advertisements

DHS: “Anonymous” Sniffing around SCADA systems

October 18, 2011 1 comment

A recently leaked DHS document (Download Here) warns that Hacktivist group “Anonymous” are considering attacking SCADA systems and Critical Infrastructures in some countries.

The document labelled as “for official use only” quotes several “twitter” posts believed to belong to Anonymous members discussing and exchanging information about SCADA projects.

” On 19 July 2011, a known Anonymous member posted to Twitter the results of browsing the directory tree for Siemens SIMATIC software. This is an indication in a shift toward interest in control systems by the hacktivist group.”

another tweet

“An anonymous individual provided an open source posting on twitter of xml and html code that queries the SIMATIC software. The individual alleged access to multiple control systems and referred to “Owning” them.2 The Twitter posting does not identify any systems where privileged levels of access to control systems have been obtained.”

My Comments:

The report insinuates that experienced Anonymous hackers can quickly gain the knowledge required to hack ICS “Industrial Control Systems” which is correct. But the report didn’t mention the fact that currently there is a gold rush amongst researchers to come up with SCADA vulnerabilities, just in the past couple of weeks anyone following the right and publicly available sources can count more than a dozen zero-day vulnerabilities out there (I mean with no patch available).couple that with high motivation and you have a dangerous formula.

Just by looking around, I am afraid to say that ICS are going to be the next target after the current wave of attacks on financial institutions “Occupy wall-street”.

Looking at the flow of events, Anonymous, LulzSec and Co. have already targeted Governments, Big corporates, Defense contractors,Banks and Stock exchanges….the next logical step down the food chain is Energy.

More on the topic:

Washington times
The register

Stuxnet: and The Truth Shall Set You Free

November 13, 2010 Leave a comment

A recent post on Symantec’s security Blog revealed a very crucial piece of information about Stuxnet, The information should definitely stop who ever is denying the fact that Stuxnet is a state sponsored “sabotage-ware” targeting a very special someone.

Symantec with the help of a Dutch Profibus expert can now prove that Stuxnet is looking for two specific Frequency converter drives one made by (Fararo Paya) of Iran and the other is (Vacon) of Finland.

stuxnet_target

stuxnet_target

Quote from Symantec’s blog: “Since our discovery that Stuxnet actually modifies code on PLCs in a potential act of sabotage, we have been unable to determine what the exact purpose of Stuxnet is and what its target was.”

“However, we can now confirm that Stuxnet requires the industrial control system to have frequency converter drives from at least one of two specific vendors, one headquartered in Finland and the other in Tehran, Iran. This is in addition to the previous requirements we discussed of a S7-300 CPU and a CP-342-5 Profibus communications module.”

and then they add: “Stuxnet monitors the current operating frequency of these motors, which must be between 807 Hz and 1210 Hz, before Stuxnet modifies their behavior. Relative to the typical uses of frequency converter drives, these frequencies are considered very high-speed and now limit the potential speculated targets of Stuxnet. We are not experts in industrial control systems and do not know all the possible applications at these speeds, but for example, a conveyor belt in a retail packaging facility is unlikely to be the target. Also, efficient low-harmonic frequency converter drives that output over 600Hz are regulated for export in the United States by the Nuclear Regulatory Commission as they can be used for uranium enrichment. We would be interested in hearing what other applications use frequency converter drives at these frequencies.”

So FACTs so far are the following:

– We are now able to describe the purpose of all of Stuxnet’s code.

– Stuxnet requires particular frequency converter drives from specific vendors, some of which may not be procurable in certain countries. ( In other words countries under international sanctions ).

– Stuxnet requires the frequency converter drives to be operating at very high speeds, between 807 Hz and 1210 Hz. (According to the US nuclear Commission – more than 600 Hz can be used in Uranium enrichment)

-While frequency converter drives are used in many industrial control applications, these speeds are used only in a limited number of applications. (Nuclear Applications is one of them).

-Stuxnet changes the output frequencies and thus the speed of the motors for short intervals over periods of months. Interfering with the speed of the motors sabotages the normal operation of the industrial control process. (Sabotage is the purpose)

– Stuxnet’s requirement for particular frequency converter drives and operating characteristics focuses the number of possible speculated targets to a limited set of possibilities. (The Special Someone Speaks Iranian)

The original Symantec Blog post HERE

Symantec Releases a Comprehensive Report about Stuxnet

October 5, 2010 Leave a comment

Symantec released one of the most comprehensive “publicly available” reports about Stuxnet. The paper was first released in the recently concluded conference Virus Bulletin 2010.

Stuxnet Infection Stats - Symantec corporation 2010

Stuxnet Infection Stats - Symantec corporation 2010

Quoting Symantec’s blog ” We’re pleased to announce that we’ve compiled the results of many weeks of fast-paced analysis of Stuxnet into a white paper entitled the W32.Stuxnet Dossier. On top of finding elements we described in the ongoing Stuxnet summer blog series, you will find all technical details about the threat’s components and data structures, as well as high level information, including:

Attack scenario and timeline
Infection statistics
Malware architecture
Description of all the exported routines
Injection techniques and anti-AV
The RPC component
Propagation methods
Command and control feature
The PLC infector

The full report can be downloaded HERE

My Comments:

According to the report from Symantec, the infected hosts have reached nearly 100,000. which is about right.
It’s very alarming that such a high number of infections can/did take place on “supposedly” some of the world’s most mature and security oriented organizations, due to their critical nature of business. Apparently this “false security” is not limited to Iran only but to 155 countries !!!.

If we can get away from Stuxnet with just one lesson it’s the fact that direct and specially crafted attacks against critical infrastructures are real.

The damage that those few lines of code can incur in the real world is like nothing we have seen in the history of computers. A typical worm can steal your credit card information or your personal email password. But worms like Stuxnet can put critical infrastructures like a nuclear facility for instance under a threat that can deprive wide areas of land from any form of life for hundreds of years.

This worm should challenge and question our misconception that malicious programs can at best cause serious financial loss or personal information leakage, but never a human life.

Security Audit and Attack Detection Toolkit

August 5, 2009 Leave a comment

Department of Energy (DOE) is funding a project known as the (Cyber Security Audit and Attack Detection Toolkit) along with security companies like Digital Bond,tenable security and others, with the aim of releasing SCADA audit templates to be used with security scanners like Nessus, NetIQ and many others ( The templates are issued in OVAL format) see below. to compare security settings in the operating system and applications, including control system applications, to an optimal security configuration developed by the control system vendors like Areva and Emerson, participating companies and asset owners. The audit files will be made available as a paid subscription service.

– Comments:

1. I really think that the audit files “that can check your systems compatibility to NERC for instance” should be open source, free and available to the public. Specially that its a government funded program, at least available to researchers and SMEs who can add, review ,contribute and validate the compatibility checks. I believe this makes more sense than making the actual vulnerabilities and exploits available “check my previous post on nessus and Core Impact” to amateurs. on the other hand The project has a second phase and it includes releasing a tool to aggregate security events from a variety of data sources on the control system network and then correlates the security events to identify cyber attacks. I can see and understand that this is an extra mile and can be a paid service.

2. Using OVAL “Open Source” as the Audit files format is a wise choice, see the list of applicable/compatible products HERE

3. The project is a good indication that vendors are starting to be more involved in cleaning the mess.

More on the project / A fact Sheet ( Cyber Security Audit and Attack Detection Toolkit )

You can see below a list of the currently available Audit files (Source – SCADApedia)

List of Audit files

A Proposed Testbed for SCADA Systems

July 5, 2009 Leave a comment

This paper is trying to answer the need to have a SCADA “Lab” testbed for checking vulnerabilities and validating security solutions. the researchers are trying to propose a limited budget environment that imitates the main components of a SCADA system.

The proposed testbed implementation will use the likes of Emulab.org (Network Emulation Testbed) , OMNeT++( an extensible, modular, component-based C++ simulation library and framework) , both are open source communities.
Simplified Network Model

The research Paper ( A Testbed for Secure and Robust SCADA Systems ) was published in 2008. (Source ACM.org)

SCADA Stalkers and Cyber Borders

June 4, 2009 Leave a comment

I was reading a Team Cymru report called (Who is looking for your SCADA infrastructure) it reaffirms what every one in the field knows about certain countries / per region scanning certain SCADA infrastructures.

Its worrying that its practically very hard to point fingers or know for sure whether those scans from country “xyz” are deliberate or just a product of a major botnet.

So a question comes to my mind. Should a country be legally held responsible for scanning the SCADA infrastructure of another country ?

I believe that scanning SCADA systems transcends corporate espionage and profit oriented cyber crime for obvious reasons, and all due diligence should be exercised by countries to protect its infrastructure from being used to scan or infiltrate another country.

Automatically this leads to the debate about cyber borders, what should pass and what should pass with expectation of retaliations.

Most of the world is at a very early stage technologically to be able to police and enforce a cyber borders systems in which every country protects and is totally accountable for its cyber space exactly as we currently have controls over the ariel space for example.

Till we reach this level, a lot is happening and even more will happen with no one held undeniably accountable.