Cupfighter.net

By Jonathan Pollet

The days that Scada systems could hide behind obscurity are over. These systems are on internet, use common protocols of which information is widely available. On 15 July this year, the first Trojan was found that specifically queries databases that are also used by Scada systems.

This presentation starts by explaining how the power grid works. A typical network architecture has three zones. A corporate network, a DCS (), EMS (Energy Management System) or DMS (Distribution Management System) network and a network with the industrial systems on it. These networks are typically separated by firewalls. When you add smart meters to the mix they are typically connected in a similar fashion.

The formal models around SCADA security all evolve around this zoning model.

Red Tiger Security has developed a special process to do assessment of these networks, because industrial equipment starts behaving funny when scanned with standard vulnerability scanners. Automated scanning of Scada systems form the network is okay, but scanning the industrial equipment will cause outages.

Scada environments are often poorly patched because patches are known to break Scada systems. Most of the vulnerabilities discovered in these infrastructures are found in the Scada DMZ, because these systems are often not maintained by corporate IT, because they don;t know how to maintain it, but it is also not owned by the Scada engineers.

Read more…

By James Arlen (@myrcurial, james.arlen@pushthestack.com)

James talk is not about SCADA, it about talking about SCADA.

The security industry has discovered that SCADA systems are in fact information system and all of a sudden security professionals are talking about how they can fix the SCADA security issues.

One of the biggest pieces of FUD that is out there is: if you own the computer you own the system? This is not the case, most of the time when SCADA systems fail, the processes they control stop.

Yes, SCADA systems use control processes by using standard protocols, like modbus tcp, but that doesn’t mean that you understand what energizing coil 13 does to the actual process. If you can break the computer system, it doesn’t men you can break the process.

There are more controls in place in a manufacturing process, e.g. the safety systems that are their to prevent catastrophic from happening or the quality control systems that prevent that dodgy products get out. The most important control in place is that manufacturing is still mostly run by humans who will notice that stuff is about to go wrong.

One of the facts about big infrastructures (electrical nets and manufacturing processes) is that the people who run them count on stuff breaking down. Most of the time you don’t even notice that a major failure in these systems has occurred.

It’s not all negative…
We can understand SCADA systems and we can indeed help. In industrial systems Availability is the key element of the triad, not Integrity or Availability.

If you are going to get involved, be a student, before you become the teacher. Buy some people a cup of coffee and be prepared to put you ego behind you. Understand that these people have being doing this work for a long time and are indeed you parents age, that makes you the kid.

James shared, not for disclosure, a number of examples of IT Security bad practices that where found in the real world and make most IT Security wince and giggle at the same time. Words like rsh, solitaire and non-upgradable NT 4.0 where mentioned.

What will save us, Super Ninja’s, l337 super heros or just “Not Sucking”.

As IT Security people we need to open up, understand this stuff and make small progress that will have a big effect.