03 November, 2006

More on the ABC news Water system Hack

Rich has queued me to get more detail.

I didn't respond immediately because I wanted to make some calls and get more detail. To be honest the ABC news story was close to a non event. It was significant in only two ways.

It made the news.

It involved a botnet.

It is somewhat significant in the sense that it could have interrupted water supplies. That makes it the equivalent of a major server being compromised and certainly adds to the concern factor. There were probably some potential safety issues (at least minor ones but I haven't been able to verify that) The reality is though that these types of compromises happen all the time in the IT world and more often than you might think in the SCADA world. I imagine that it would be rare to find a business network in which a similar event hasn't happened (probably several times on small systems) in the last year. SCADA systems are not any different and that is kind of the point.

These Items are speculation. It is unlikely that there were any real safety items just potentials.

Eric has been tracking these for years and has identified more than a hundred similar incidents.

(Sorry most of the way down the page)


At the present time there are approximately 120 incidents in the database and it is growing by about 10 incidents per quarter. Results from the database can be found in the following papers and presentations:

E.J. Byres, D Leversage and J. Lowe; “Who Turned Out the Lights? An Analysis of Infrastructure Cyber Attacks”, Computer Security Institute, CSI 32nd Annual Conference, Washington DC, November 14, 2005

United States Computer Emergency Readiness Team, "Control Systems Cyber Security Awareness", US Department of Homeland Security, July 2005

E.J. Byres, and J. Lowe; “The Myths and Facts behind Cyber Security Risks for Industrial Control Systems”, VDE Congress, VDE Association For Electrical, Electronic & Information Technologies, Berlin, October, 2004

E. Byres, J. Carter, A. Elramly and D. Hoffman; “Worlds in Collision: Ethernet on the Plant Floor”, ISA Emerging Technologies Conference, Instrumentation Systems and Automation Society, Chicago, October 2002

Dale quoted Alan Paller as having indication of hundreds in the same link I originally posted.

Making the news was the first real deviance from normal. Most of the time these are quietly handled internally instead if publicly disclosed. I have been involved for years in DCS security but haven't actively blogged until recently because I didn't want to make my employer a target. Now that my employer isn't susceptible to SCADA security issues I feel more free.

Making it part of a botnet was significant because it reinforces the fact that current IT issues are now also current SCADA issues.

Here is a challenge to SCADA engineers.
(one that I already know is being done in the better shops)

Stick SNORT or another IDS or even just a sniffer on your PCN. See what you find. (Hey maybe I can get dragged into the IPS/IDS flame war :0 )

No comments: