SCADA Articles on SCADA World

Securing a system means a lot more than disconnecting it from the Internet.

2010-06-01 10:00:42 | views: 1097 | Jack Ganssle

Several people responded on-line to my article about SCADA security vulnerabilities, and others wrote directly to me. A common thread seems to be "disconnect those machines from the Internet!" While I generally agree with the sentiment, there's more to security than installing an air gap.

One reader who wishes to remain anonymous wrote: "A few interesting thoughts: first, disrespect leads to carelessness, and carelessness leads to very bad things happening. For example, 3 Mile Island was caused by a person ignoring the warning systems and halting them from scramming the reactor automatically. They said 'this can't be happening'. [Note from Jack: That was also true at Chernobyl - experts just didn't believe an explosion was possible, even after the event.]

"Tin whiskers on PCBs are another example - they can cause dangerous failures. This became a problem because again people became careless (letting politicians decide technical problems is always extremely dangerous); they forgot why lead-tin solder existed (tin whiskers were a known problem solved by using lead-tin solders).

"Security is much the same. Before implementing any changes to a system one must decide what failures can happen with such changes. Vandalism, interference, system noise, etc.: these are all contributing factors. People forget security isn't putting a chunk of armor on it or a lock box somewhere. Like 3 Mile Island, people must assume there will be unexpected failures and design workarounds. I myself assume that what I am designing is NOT going to work as expected, and I need to figure out what the failure modes will be before wasting one's employer's money on it.

"I think all of us can learn from the past in this case. Even software programmers can learn from simple things like locking the door (passwords), shutting the curtains (don't broadcast an available portal), turning on the outside lights (watch for intrusion methods and let the intruders know they are being watched). These are all lessons learned over thousands of years; history only repeats itself if we forget about it. Instead of 'common' sense, I believe I would use the word 'wisdom of past failures'. Many people fail to learn from others' mistakes and repeat them as a consequence."

The last sentence of that paragraph summarizes the history of technology: we learn from disasters, if we choose. Alas, it seems the firmware community is way behind civil engineers at such learning.

The airwaves this week have been full of chatter about the Google attacks. Some analysts claim these are coordinated attempts by a foreign power. I wonder if anyone is looking for similar intrusions in our SCADA infrastructure?

Lundin (R&D Manager) commented on Apr 27, 2010 3:53:54 AM
From an engineering point-of-view it is important to separate safety from security. These two words may be synonymous in English, but not in the engineering world, where they are two different terms (English conveniently has two different words, not all languages are as lucky).
Safety = how do we prevent this machine from causing havoc, personal injuries and meltdown.
Security = how do we prevent unauthorized use of the machine, how do we stop sabotage & terrorism.
The methods for achieving these two entirely different properties are not the same. They quite often collide: as an example, adding encryption to my sent data packages will make the system more secure, but perhaps less safe as it adds complexity and unpredictable data patterns etc. Like when adding encryption on top of a CRC checksum, where the CRC polynomial is carefully designed by experts for least possible resemblance of common data error patterns.
When designing for safety you try to make the systems idiot proof, while designing for security is about making them sabotage proof. I have a comical real life example of a military vehicle project where we safety/industrial-minded people were involved, and as usual thought that several safety issues can be handled by adding an emergency stop. This stop was almost designed in, until some more security/military-minded person pointed out that there couldn't be any emergency stop push button on a military vehicle. The enemy could just sneak up on your tank and push the big red stop button... Very safe but very unsecure.

cdhmanning Embedded designer commented on Apr 29, 2010 7:40:22 PM
I would go further than the above.
Security is not just about access, it is also about disruption.
Securing against access is almost trivial to achieve on the internet. Just run a VPN. Put all the SCADA on one VPN with nothing else on it.
This is nothing special to SCADA. Most multi-office organisations will run VPNs to hook their sites together and many will run VPNs within that to keep sensitive parts of the network partitioned from other data.
Even without a VPN it is trivial to use ssh etc to run secure end-to-end internet connections.
Within an organisation's intranet, it is simple to set up a VPN within the intranet to prevent a disgruntled accountant from fiddling with the SCADA.
Disruption is another matter. Denial of service attacks etc. can slow down or disrupt a network.

