Black Hat USA: Electricity for Free? The Dirty Underbelly of SCADA and Smart Meters
The days when SCADA systems could hide behind obscurity are over. These systems are connected to the internet and use common protocols for which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases also used by SCADA systems.
The presentation starts by explaining how the power grid works. A typical network architecture has three zones: a corporate network; a DCS (Distributed Control System), EMS (Energy Management System) or DMS (Distribution Management System) network; and a network carrying the industrial equipment itself. These networks are typically separated by firewalls. When smart meters are added to the mix, they are typically connected in a similar fashion.
The formal models for SCADA security all revolve around this zoning model.
Red Tiger Security has developed its own process for assessing these networks, because industrial equipment starts behaving unpredictably when probed with standard vulnerability scanners. Automated scanning of the SCADA servers from the network side is acceptable, but scanning the industrial equipment itself will cause outages.
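As an added illustration of that scoping rule (example code written for this write-up, not Red Tiger Security's assessment process), the Python below classifies scan targets against a zone map, refuses anything that falls in the industrial zone or outside the map, and assembles a rate-limited nmap command line for the rest. The address ranges, zone names and nmap options are assumptions; the command is only built, never executed.

```python
"""Scope guard for automated scanning in a zoned SCADA network.

Added example, not Red Tiger Security's tooling. The zone map and the
target list are constructed for illustration; the nmap options are an
assumption about what a conservative scan looks like.
"""
import ipaddress
import shlex

# Constructed zone map mirroring the three-zone model plus the SCADA DMZ.
ZONES = {
    "corporate":  [ipaddress.ip_network("10.10.0.0/16")],
    "scada_dmz":  [ipaddress.ip_network("10.20.0.0/24")],
    "control":    [ipaddress.ip_network("10.30.0.0/24")],        # EMS/DMS/DCS servers
    "industrial": [ipaddress.ip_network("192.168.100.0/24")],    # PLCs, RTUs, meter head-end
}
# Servers may be scanned from the network side; field equipment never is.
ACTIVE_SCAN_ALLOWED = {"corporate", "scada_dmz", "control"}


def classify(target):
    """Return the zone name for an IP address, or 'unknown' if unmapped.

    Raises ValueError for anything that is not an IP literal, so a stray
    hostname can never slip past the map.
    """
    addr = ipaddress.ip_address(target)
    for zone, nets in ZONES.items():
        if any(addr in net for net in nets):
            return zone
    return "unknown"


def partition_targets(targets):
    """Split targets into (scannable, blocked); blocked maps target -> reason."""
    scannable, blocked = [], {}
    for target in targets:
        try:
            zone = classify(target)
        except ValueError:
            blocked[target] = "not an IP address"
            continue
        if zone in ACTIVE_SCAN_ALLOWED:
            scannable.append(target)
        elif zone == "unknown":
            blocked[target] = "not in any mapped zone; refused by default"
        else:
            blocked[target] = f"in zone '{zone}'; active scanning causes outages"
    return scannable, blocked


def build_scan_command(scannable, exclude_nets):
    """Build (but do not run) a slow, connect-only nmap line for approved hosts.

    The industrial ranges are passed to --exclude as a second line of defence
    in case a CIDR target ever overlaps them.
    """
    if not scannable:
        return None
    exclude = ",".join(str(net) for net in exclude_nets)
    args = ["nmap", "-sT", "-Pn", "--max-rate", "50", "--scan-delay", "100ms",
            "--max-retries", "1", "--exclude", exclude, *scannable]
    return shlex.join(args)


if __name__ == "__main__":
    # Constructed target list: one DMZ host, one PLC, one EMS server, one unmapped, one hostname.
    requested = ["10.20.0.5", "192.168.100.7", "10.30.0.2", "172.16.1.1", "plc1"]
    ok, refused = partition_targets(requested)
    for target, reason in refused.items():
        print(f"refused {target}: {reason}")
    print(build_scan_command(ok, ZONES["industrial"]))
```

Everything not in the map is refused rather than scanned, because an unmapped address in a plant network is far more likely to be a forgotten controller than a forgotten laptop.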
SCADA environments are often poorly patched because patches are known to break SCADA systems. Most of the vulnerabilities discovered in these infrastructures are found in the SCADA DMZ: those systems are often not maintained by corporate IT, which does not know how to maintain them, but they are not owned by the SCADA engineers either.
Breaking the DMZ findings down further, the vulnerabilities sit on web servers, application servers and databases. The four most common classes are configuration issues, cross-site scripting, denial of service and information disclosure.
Most (over 62%) of the SCADA systems run on Microsoft Windows operating systems, whose monthly patch cycle is a poor match for the stability and service lifetime SCADA systems require.
Some findings defy categorization: adult content, game servers, online dating databases and BitTorrent clients have all been found on these systems.
After exploring the classic SCADA security mistakes, the talk moved on to smart meter and smart grid technology. Smart meter technology is making the same mistakes again.
These systems are designed to last 20 years. That is a long time to go without anyone finding a vulnerability in them, and the ability to patch them remotely is a risk in its own right.
Old vulnerabilities take on a new impact in smart meters. Enumerating meter data, for example, can tell criminals when somebody is on vacation and therefore when it is a good time to burgle their home.
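To show why enumerated meter readings are that sensitive, here is an added example (written for this write-up, not taken from the talk) that turns hourly consumption into daily totals and flags runs of days where usage collapses to the standby base load. The readings are constructed: six "occupied" days with morning and evening peaks around four flat days, and the threshold and minimum run length are assumptions.

```python
"""Vacancy inference from smart meter interval data.

Added example. The hourly kWh series below is constructed: an occupied day has
small morning and large evening peaks, an empty house shows only base load.
"""
from statistics import median

OCCUPANCY = [1, 1, 1, 0, 0, 0, 0, 1, 1, 1]   # constructed ground truth, days 0-9


def _day(occupied):
    """One constructed day of hourly kWh readings."""
    hours = [0.15] * 24                       # fridge, standby, router
    if occupied:
        for h in (7, 8):
            hours[h] = 0.9                    # breakfast, showers
        for h in (18, 19, 20, 21, 22):
            hours[h] = 1.4                    # cooking, lights, TV
    return hours


READINGS = [kwh for occupied in OCCUPANCY for kwh in _day(occupied)]


def daily_totals(hourly):
    """Sum hourly readings into whole-day totals (assumes data starts at midnight)."""
    return [sum(hourly[i:i + 24]) for i in range(0, len(hourly), 24)]


def vacancy_runs(daily, min_days=3, ratio=0.5):
    """Return (first_day, last_day) for each run of at least min_days consecutive
    days whose total is below ratio * median daily usage.

    The median is used as the household's normal day so that a long absence
    does not drag the reference down with it.
    """
    reference = median(daily)
    low = [total < ratio * reference for total in daily]
    runs, start = [], None
    for i, is_low in enumerate(low + [False]):     # sentinel closes a trailing run
        if is_low and start is None:
            start = i
        elif not is_low and start is not None:
            if i - start >= min_days:
                runs.append((start, i - 1))
            start = None
    return runs


if __name__ == "__main__":
    totals = daily_totals(READINGS)
    print([round(t, 2) for t in totals])
    print("likely away:", vacancy_runs(totals))
```

A single low day is a weekend trip; four in a row is a holiday, and it is visible to anyone who can enumerate the meter, not just the utility.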
The software in smart meters is vulnerable to very old classes of bugs, such as the ping of death.
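The ping of death is an IP fragment reassembly bug: every fragment is individually legal, but a final fragment placed at the maximum offset pushes the reassembled datagram past 65,535 bytes and overruns a fixed buffer. The added example below (written for this write-up, not code from any meter firmware) parses IPv4 fragment headers from constructed packets, contrasts the historical bounds check with a correct one, and drops the oversized fragment before it reaches the buffer. The addresses, identification field and zeroed checksum are assumptions.

```python
"""Ping of death: the fragment bounds check that old IP stacks got wrong.

Added example. Packets are constructed with struct; the IP checksum is left
at zero because only the fragmentation fields matter here.
"""
import struct

IP_MAX_DATAGRAM = 65535   # largest legal IPv4 datagram, header included
MF_FLAG = 0x2000          # "more fragments" bit in the flags/fragment-offset field


def parse_ipv4_header(pkt):
    """Return (ihl, total_length, more_fragments, frag_offset_bytes, payload)."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    ver_ihl, _tos, total_len, _ident, flags_off = struct.unpack("!BBHHH", pkt[:8])
    if ver_ihl >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (ver_ihl & 0x0F) * 4
    if ihl < 20 or ihl > len(pkt) or total_len < ihl or total_len > len(pkt):
        raise ValueError("bad length fields")
    more = bool(flags_off & MF_FLAG)
    offset = (flags_off & 0x1FFF) * 8           # offset field is in 8-byte units
    return ihl, total_len, more, offset, pkt[ihl:total_len]


def fragment_ok_naive(offset, payload_len):
    """The historical mistake: only the *start* of the fragment is checked."""
    return offset < IP_MAX_DATAGRAM


def fragment_ok(offset, payload_len):
    """Correct check: the *end* of the fragment must also fit the datagram."""
    return payload_len > 0 and offset + payload_len <= IP_MAX_DATAGRAM


def build_fragment(frag_offset_units, more, payload):
    """Construct an IPv4/ICMP fragment (assumed addresses, zero checksum)."""
    total = 20 + len(payload)
    flags_off = (MF_FLAG if more else 0) | (frag_offset_units & 0x1FFF)
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total, 0x1234, flags_off, 64, 1, 0,
                      bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return hdr + payload


class Reassembler:
    """Fixed-size reassembly buffer guarded by the correct check.

    The naive check is deliberately not wired in: in C it would memcpy past
    the end of `buf`; in Python the bytearray would silently grow instead.
    """

    def __init__(self):
        self.buf = bytearray(IP_MAX_DATAGRAM)
        self.received = 0

    def add(self, pkt):
        _ihl, _total, _more, offset, payload = parse_ipv4_header(pkt)
        if not fragment_ok(offset, len(payload)):
            return False                        # dropped: the ping-of-death fragment
        self.buf[offset:offset + len(payload)] = payload
        self.received += len(payload)
        return True


if __name__ == "__main__":
    # Last fragment at the maximum offset (8191 * 8 = 65528) carrying an
    # MTU-sized payload: 65528 + 1480 = 67008 bytes, past the 65535 limit.
    lethal = build_fragment(8191, False, b"A" * 1480)
    _, _, _, off, data = parse_ipv4_header(lethal)
    print("naive check accepts:", fragment_ok_naive(off, len(data)))
    print("correct check accepts:", fragment_ok(off, len(data)))
```

The point for 20-year devices is that the fragment itself passes every per-packet sanity check; only a reassembly-time bound on offset plus length catches it, and that bound has to be in the firmware from day one because the meter will not be patched on a monthly cycle.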
About the speaker
Jonathan Pollet – Red Tiger Security, LLC
Jonathan Pollet, Founder and Principal Consultant for Red Tiger Security, has over 10 years of experience researching vulnerabilities and conducting field security assessments of Industrial Process Control Systems, SCADA Systems, Automated Meter Reading systems, and Smart Grid technology. After graduating from the University of New Orleans with honors and receiving a B.S. degree in Electrical Engineering, he was hired by Chevron and worked in the SCADA and Automation Team for the Upstream Exploration & Production division. Pollet designed and implemented PLC and SCADA systems for several offshore and onshore facilities.
Realizing the potential security implications of the industry moving towards TCP/IP communications in the late 1990s, and seeing a trend to connect SCADA systems to Enterprise IT networks, Pollet started investigating SCADA, Process Control Systems, and embedded devices for cyber security vulnerabilities.
Throughout his career, he has been actively involved with the IEEE, ISA, ISSA, UTC, CSIA, and other professional societies. Pollet has been involved in over 110 vulnerability assessments of plant and process control systems. He has also delivered over 75 presentations and training sessions on SCADA Systems, Critical Infrastructure Protection, and SCADA Security to the FBI, Department of Homeland Security, and several private sector security conferences. He has spoken at many conferences and workshops for government and professional organizations around the world. Pollet has also authored over 25 white papers, all specifically on the security of SCADA and embedded control systems.
