Government Technology

The Stuxnet 2, Coming to a SCADA System Near You!




Hackers Target Critical Infrastructure

October 26, 2011 By

With a new Stuxnet 2 (W32.Duqu) now found and the Department of Homeland Security warning of a possible security attack by Anonymous, this is probably a good time to start defining some security solutions to protect these critical infrastructure targets. Breaching these supervisory control and data acquisition (SCADA) systems could bring our country’s safety and economy to their knees.

One good thing that came out of designing intelligence for the smart grid was that we had to take a look at how to securely integrate some old, transitioning and new-grid technologies into stand-alone, local or regional control centers. A big part of these control centers are SCADA systems that monitor and control industrial, infrastructure and facility-based processes. These control systems are used in many more areas than the power-grid facilities. They can be found in manufacturing, production, power generation, fabrication, refining, water treatment and distribution, wastewater collection and treatment, oil and gas pipelines, electrical power transmission and distribution, wind farms, civil defense siren systems, large communication systems, buildings, airports, ships and space stations, just to name a few. Some of the debilitating security warnings that were found in the smart grid unfortunately are not limited just to power-grid SCADA infrastructure.

No matter how new or old the technology, there are tremendous concerns about how to secure these core supervisory control systems and their interconnected intelligent networks. Whether physically pulling down a mechanical switch, pushing a button on an electromechanical device or operating an intelligent smart grid from a centralized network operation center (NOC) — they all have inherent security vulnerabilities. There are those who say that we should delay any digital intelligent modernizing of our power grid. So while moving forward, we need to do this in stages, watching security at every point.

Richard Clarke's book Cyber War warns of cyber-attacks on the smart grid but also demonstrates an existing ability to breach and take down our legacy power grid infrastructure. Simply doing nothing is not an option in securing the power grid or any critical infrastructure. Countries like India, China and Brazil are moving forward with smart-grid deployments as fast as they can. They recognize the benefits that intelligent networked systems would offer in eliminating power theft while improving their global energy cost competitiveness. They see these benefits far outweighing any catastrophic system security breach and have massive smart-grid deployment in process. So what are the real answers in addressing critical infrastructure security today? Just three things need to be done, and they need to be done simultaneously.

Evaluate Current Security Vulnerabilities

From physical security, to legacy and extended networks, there is a lot of work to be done to address critical infrastructure security. Critical infrastructure facilities can't just hunker down and hope an attack doesn't happen. From simple personal procedures to complete intrusion detection studies, the potential vulnerabilities must be targeted before they are breached. There are automated methodologies that are being developed, though, that may rapidly address these requirements.

To expedite and future-proof security evaluations, Sensus, EnerNex and the Oak Ridge National Laboratory (ORNL) are working on an advanced security demonstration project called the Automated Vulnerability Detection system (AVUD). This project is aimed at developing a cyber-security system for smart energy meters and other advanced grid technologies. The project will use a Function Extraction (FX) technology evaluation platform developed by ORNL to find and fix security issues before they actually cause problems. The initial project is targeting advanced meter infrastructure (AMI) systems. With millions of smart meters ready to deploy, this can't happen soon enough.

Focus on Prevention

If there was ever a security industry award for the best metaphor, the word “virus” perfectly explains what can happen without preventive measures in systems and network security. Just like measures against colds and flu, it seems we are now beginning to focus more on prevention than detection. This is why intrusion prevention systems (IPS) are so critical in SCADA systems. IPS can securely cloak systems with frame-to-frame encryption even to the layer 2 level. This could eliminate port and application vulnerabilities right down to the device chip set. It can eliminate man-in-the-middle (MITM) spoofing/sniffing risks or denial-of-service (DoS) vulnerabilities while enabling strong security on even legacy devices.

Because IPS is inline with the traffic flows on a network, it can shut down attempted network edge attacks and stop attacks by terminating the network connection or the user/device session they originate from. Attack responses can include blocking access from the user account, IP address or other attribute associated with that attacker, or blocking all access to the targeted host, service or application. It seems like an obvious first choice. Don't let the security breaches in.

Detection and Prevention a Natural Mix

Then there is an intrusion detection system (IDS). This system is passive, watching packets of data traverse the network from a monitoring port, comparing the traffic to configured rules, and setting off an alarm if it detects anything suspicious. With Stuxnet 2 (W32.Duqu) now a big concern, we need systems that can detect these more serious attack methodologies. These new attacks are now targeting information for SCADA systems used to control machinery and other key critical infrastructure operations.

Although IDS has great value, just seeing the problem is not enough. There must be system security solutions put in place to immediately react to security breaches. This is why bundling both IPS and IDS solutions together seems to be the direction many companies are taking in their security product lines, including recent corporate mergers and acquisitions.
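The difference between a passive IDS alarm and an inline IPS response described above, as an added example that is not part of the original article. The Modbus/TCP sample traffic, the allowlist of approved writers and all function and class names are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field

# Constructed sample traffic (not from the article): Modbus/TCP requests to a PLC.
# Fields: source IP, user account, target host, target port, Modbus function code.
SAMPLE = [
    ("10.0.5.10", "hmi_op",  "plc-1", 502, 3),   # HMI reads holding registers
    ("10.0.9.77", "unknown", "plc-1", 502, 16),  # write from an unapproved host
    ("10.0.9.77", "unknown", "plc-1", 502, 3),   # same host, now reading
    ("10.0.5.20", "eng_ws",  "plc-1", 502, 6),   # approved engineering write
]
WRITE_CODES = {5, 6, 15, 16}        # Modbus function codes that change state
APPROVED_WRITERS = {"10.0.5.20"}    # assumed allowlist of engineering hosts

def rule_unapproved_write(pkt):
    """Configured rule: a controller write from a host not on the allowlist."""
    src, _user, _dst, port, fc = pkt
    return port == 502 and fc in WRITE_CODES and src not in APPROVED_WRITERS

def ids_monitor(packets, rules):
    """Passive IDS: inspects a copy of the traffic and only raises alerts."""
    return [(i, r.__name__) for i, p in enumerate(packets) for r in rules if r(p)]

@dataclass
class InlineIPS:
    """Inline IPS: traffic passes through it, so it can drop and block."""
    rules: list
    blocked_sources: set = field(default_factory=set)
    alerts: list = field(default_factory=list)

    def process(self, packets):
        forwarded = []
        for i, pkt in enumerate(packets):
            src = pkt[0]
            if src in self.blocked_sources:
                continue                       # response: block by source IP
            hits = [r.__name__ for r in self.rules if r(pkt)]
            if hits:
                self.alerts.append((i, hits[0]))
                self.blocked_sources.add(src)  # drop and block the source
                continue
            forwarded.append(pkt)
        return forwarded

if __name__ == "__main__":
    print("IDS alerts:", ids_monitor(SAMPLE, [rule_unapproved_write]))
    ips = InlineIPS([rule_unapproved_write])
    print("IPS forwarded:", ips.process(SAMPLE), "blocked:", ips.blocked_sources)
```

The IDS flags the unapproved write, but all four requests still reach the controller. The IPS drops that request and the follow-up read from the same source while the approved traffic passes.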

In Conclusion

The AVUD project by Sensus, EnerNex and the Oak Ridge National Laboratory is a good sign of public-private sector cooperation in addressing critical infrastructure security. There has been too much oversight and finger pointing in the past and not enough action. Hopefully the responsible collaboration will be used as a model of how to work together in securing our critical infrastructure. This sure will be different than the “build first, then secure it” methodologies that have been so prevalent in the past. Look at security first and prepare for the future security risks. This is almost too good to believe.

Larry Karisny is the director of Project Safety.org, a smart grid security consultant, writer and industry speaker focusing on security solutions for the smart grid and critical infrastructure.



Comments

Elena Boskov Kovacs    |    Commented October 26, 2011

Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Vista, Windows XP. In terms of Windows SCADA solutions offered in the market, these are usually on Windows Server 2008, with client on Windows 7. I wonder have the vendors upgraded their old SCADAs to the new OS, or have they delayed it trying to win a new license.

Larry Karisny    |    Commented October 28, 2011

In talking to people who are concerned with critical infrastructure security, the new OS upgrade you are referring to may need to be Linux. There are a lot of reasons for SCADA security issues and a Windows OS is one of them.

Dr. Don Cox    |    Commented November 6, 2012

While some feel that Linux is a panacea for cyber defense, the reality is Unix-based systems are just as vulnerable as Microsoft products. If there were a wholesale conversion of the CIP ICS to Linux, beyond the prohibitive cost, I think malicious agents would expend their energies hacking into the new architectures with the same fervor as they do now against MS Windows based systems.

