SANS ISC: The 'physical' layer - SANS Internet Storm Center

• SANS Site Network
  • Current Site
  • SANS Internet Storm Center
  • Other SANS Sites Help
  • Graduate Degree Programs
  • Security Training
  • Security Certification
  • Security Awareness Training
  • Penetration Testing
  • Industrial Control Systems
  • Cyber Defense Foundations
  • DFIR
  • Software Security
  • Government OnSite Training

SANS ISC InfoSec Forums

About ten years or so ago, I was very much into a BBC television series called 'Bugs' which sketched the lives of a couple of skilled high tech crime investigators. It always dealt with spectacular physical machines (think radio guided cars & airplanes) controlled by computers, because this obviously makes the dry subject a bit more vivid.

Recent history proved them right that there is something more physical out there than OSI layer 1. In many cases, the data we as security professionals need to protect has an impact on the physical lives of others. Nowhere is this division as thin as with SCADA and DCS equipment.

SCADA systems - Supervisory Control and Data Acquisition - control physical processes centrally by collecting data from measurement devices local or in remote locations. Decisionmaking is generally centralized. Distributed Control Systems (DCS) generally control more localized systems in which feedback loops are extensively used between monitoring equipment and actual physical control point.

These types of systems have always been built trying to solve a specific problem. In the case of SCADA, protocols needed to link in often remote power and utility stations to a central coördination point. Obviously, this would result in very different implementations based on geography - SCADA in densely populated Western Europe is something completely as opposed to the United States or Australia. Whereas European telcos can provide a phone link virtually everywhere, even in relatively urban areas Australia may need to resort to radio links.

Some of the many security issues with these systems include:
- Relatively obscure and less well understood protocols. We all speak FTP, SNMP and HTTP, but can we fluently chat Modbus, DNP3 or ICCP ?
- Problems fixed by SCADA don't necessarily change often and are critical and thus difficult to interrupt, resulting in very long patching delays;
- Managing remote sites over legacy links is much more expensive than doing the same over an easy to acquire internet link. Protocols are moving online.
 
During past weekend's Defcon conference, a researcher from TippingPoint discussed how fuzzing would contribute to building more secure protocols. While these research efforts are gradually helping to resolve the first of the above issues, many remain, and these are often rooted in basic security principles such as segregation and least privilege.

As SCADA/DCS security is not something that affects only the main utility providers,but also many industrial environments (ports, transport and factories), here's an overview of some great resources. Mail us if you have other ones to add to the list:

SANDIA Labs' Center for SCADA Security
US-CERT Control Systems Security Program
The NIST has a great draft 'Guide to Supervisory Control and Data Acquisition and Industrial Control Systems Security'
Digital Bond has a great SCADA security blog, publishes IDS signatures as well as a Scadapedia