Electric Cybersecurity Regulations Have a Serial Problem

msm1267 writes "A class of SCADA vulnerabilities discussed at a recent conference is getting attention not only for the risks they pose to master control systems at electric utilities, but also for illuminating a dangerous gap in important critical infrastructure regulations. The flaws, many of which have been patched, demonstrate how an attacker could target a non-critical, serial-based piece of field equipment at an electrical substation and knock out visibility over all of a utility’s substations. 'Where serial lines come into a master station, for instance, they won’t have the same level of protection that a TCP/IP-based connection would have,' said Michael Toecker, an ICS security consultant and engineer at Digital Bond. 'There’s a complete regulatory blind spot there in the current version of the NERC standards.' Some of the non-critical devices Crain and Sistrunk talked about at S4 rely largely on physical security to keep them safe, and are not covered by NERC regulations. Initiatives such as the Smart Grid are all about pushing intelligence away from substations and into areas where it may not be practical to have adequate physical security. 'No camera. No fence. Just a lock pick away from somebody getting at that cabinet and then affecting visibility for a huge subset of the distribution system,' Crain said."

pshaw!

somebody that knows the right spot could take a large city by shooting a few transformers with a .22 rifle

Re:pshaw!

somebody that knows the right spot could take a large city by shooting a few transformers with a .22 rifle

It just MIGHT take a bit more than a .22 and the sound of shots will garner a pretty quick response in most towns.

I see two lines of attack... 1. Shoot holes in transformers to drain them of cooling oil. This is slow and easily repaired (if it is detected and the equipment is shut down before it overheats or arcs over.) 2. Shoot insulators, taking transmission lines out of service. (Faster, and again fairly quick to fix).

#1 is going to require something larger than the .22 you suggest and #2 is going to take multiple shots.

Re:pshaw!

Like this possible practice run?

Re:pshaw!

[OzPeter]

somebody that knows the right spot could take a large city by shooting a few transformers with a .22 rifle

It just MIGHT take a bit more than a .22 and the sound of shots will garner a pretty quick response in most towns.

Who says you have to do it in town. The funny thing is that electricity is generally delivered along wires suspended from big tall visible towers that meander all over the place in the country side. And nobody out in the sticks is going o worry about a few odd shots heard in the distance during the day (or even night)

Re:pshaw!

[Ashtead]

Nevermind the sound of gunfire -- what about the sound of electrical failure (ever heard the loud SNAP of a squirrel got in the way of 11 kV?) and the quite likely subsequent electrical fire? That's going to be the difficult one to run away from...

Seems that the solution is simple enough

So... don't allow utilities to trust data from their distributed 'smart network'.

Then again, that just killed the 'smart network didn't it.

Re:Seems that the solution is simple enough

[icebike]

Serial lines don't fall into any category labeled "Smart Network"

Once the attacker can get at your serial lines, they are pretty much inside your plant. Serial runs aren't that long..

The problem come when someone tries to send this across a cheap unencrypted modem connection or some such.
If they put them on TCP/IP and send it through an encrypted link the problem is largely solved.

Re:Seems that the solution is simple enough

[PPH]

Once the attacker can get at your serial lines, they are pretty much inside your plant.

So you treat serial lines from outside as untrusted and don't use the same line for stuff inside a secure perimeter. An outside switch status could be read over an unsecure line if that line only has the authority to report that one parameter. More sensitive stuff inside the plant can't be reached from that line.

So if an external device incorrectly reports its status and its effect is determined (by an FMEA) to have a low criticality level, then who cares?

Re:Seems that the solution is simple enough

[LoRdTAW]

"Serial runs aren't that long.."

The link you gave is for RS-232. RS485/422, CAN and Profibus(a protocol running on variant of RS485) can run for hundreds or thousands of meters (using repeaters and/or optical links). They are also the most common form of fieldbus. Allen Bradley uses DeviceNet over CAN, Siemens uses Profibus and various other controller manufactures use RS422/485 and most likely run Modbus or a proprietary protocol over it.

http://en.wikipedia.org/wiki/RS-485": It offers data transmission speeds of 35 Mbit/s up to 10 m and 100 kbit/s at 1200 m."

http://en.wikipedia.org/wiki/Rs422: "The maximum cable length is 1500 m. Maximum data rates are 10 Mbit/s at 12 m or 100 kbit/s at 1200 m."

http://digital.ni.com/public.nsf/allkb/D5DD09186EBBFA128625795A000FC025: CAN Bus - 50 kbits/Sec @ 1000 meters.

http://en.wikipedia.org/wiki/Profibus: "The cable length between two repeaters is limited from 100 to 1200 m, depending on the bit rate used."

First?

I doubt it.

fa1lzors!?

gawker At most and exciting; networking test. about !Outside may also want crisco or lube. Gig in front of Preferrably with an what provides the SLING you can

Not really surprising

[ZouPrime]

I've work extensively with NERC CIP v3 - there's a BUTTLOAD of blind spots in the standard, but it's also true for PCI and others, and it will also be true for NERC CIP v5.

These regulations generally aim for basic security controls, in industries that have little to no information security culture, so they start with some basic stuff. And even this basic stuff is hard to sell and implement.

Physical access is root access

A heavy vault door is always the best way to keep someone out of your critical infrastructure.

Re:Physical access is root access

[ColdWetDog]

A heavy vault door is always the best way to keep someone out of your critical infrastructure.

Until they pry the screen away from the window with their fingernail. Windows. Always the weak link in security.

More regulation

is always a good idea, isn't it? It means more jobs, most importantly, more Officials.

There is only one sure way to prevent all threats -- the one who feels threatened should exterminate self.

Re:More regulation

[fuzzyfuzzyfungus]

Have we at least considered the possibility that treating serial lines as physically vulnerable isn't the dark path to fascist totalitarianism?

Re:More regulation

[skids]

Oh for lack of a mod point.

According to the article:

"I think Stuxnet proved that: 1) there was a case for going after industrial control systems; 2) there was an impact in going after industrial control systems; and 3) showed that the devices and protocols were a valid target,” Toecker said. “And that caused interest in the security research community and they found this place is rife with vulnerabilities, low-hanging fruit."

...so they were apparently too busy not considering the very premise that people would hack them at all (up until stuxnet) to be arsed to consider vulnerable serial lines. RS232 is dead. Long live RS232.

Re:More regulation

[ColdWetDog]

Look, will you two quit ganging up on the NSA? They've had a rough couple of months. They could use a break.

Yummm.. Low hanging fruit.

Security isn't easy on a Fieldbus.

[LoRdTAW]

TL;DR - If people can get physical access to your fieldbus network then you have much bigger problems. Network security isnt going to do squat.

These hand waving "OMG fieldbuses are weak" articles are total BS. They either have little knowledge of houw an industrial system works or they are just looking to get published for some "street cred".

The problem with field bus protocol designs is that they are designed for very low overhead and latencies. Field busses are usually designed as a simple master/slave protocol in which the master sends out a packet with a device address and a command and the slave might reply. Many are based on a multidrop serial bus like RS485/422, CAN and ProfiBus. The benefit of such a design is they use low bitrates which allows for some serious distance often hundreds or thousands of meters. It greatly simplifies wiring as you have a single serial line from an RTU/PLC/PAC snake around the machine or plant and control just about anything. They arent on a switched network like ethernet, its more like 10base-2. Anyone can tap the bus at any point and read/write it without much effort.

For example a valve might have a few commands such as open valve, close valve and valve position (meaning what is the status of the valve, open or closed). So to close the valve you simply send a packet with the address and command that says close then poll the position until you see it say closed. Some valves might let you issue a command to say open 35% and then poll until you see a position value returned of 35% open. And its not only valves but motor controllers, servo motors, encoders, pressure/temperature/strain/moisture/etc sensors, you name it.

The problem with security on a fieldbus is not only latency (more data means higher latency between a command send and then receiving a reply) but how do you implement security in a valve? How do you make it easy to program the valve to securely talk to the master station? You still have the physical access problem if someone can get at the valve and read a key from it using a programmer. And if there was a method to program the valve with yet another password to block unauthorized programming, what if the password is leaked or forgotten? A valve could be replaced but if its part of a critical system or weighs a few tons and is in an underground vault then your in trouble. Or maybe its buried deep within a machine and requires many hours of downtime to get at and replace. You still have the human weak link of someone knowing the passwords and keys. What if a particular key for a sensor network is stolen or lost? Then you have to send a team out to reprogram every field bus device to the new key. Even if the master station could issue a command to reprogram every device on the network with a new key then physical access can still enable a malicious person(s) to sniff the new key or program new keys. Security isnt a set it and forget it process, its staying continiously vigilent and MONITORING your networks both electronically and physically. And that clasehes with the cut costs/more profit mentality of todays corporations.

So in the end all this "OMG teh networks are insecure!" handwaving is a non-problem. Fieldbus protocols arent the problem. Lazy, cheap companies who dont want to pay for physical security are the problem.

Re:Security isn't easy on a Fieldbus.

[LoRdTAW]

Ugh. I wish I had proof read that once more. your - you're always slips past me.

Re:Security isn't easy on a Fieldbus.

Too bad DNP3/SCADA isn't a fieldbus. These are geographically distributed systems that have increasing attack surface area. DNP3 is used for all kinds of things you can't put fences around, and these connections are tied back to the same master as the substations.

DNP3 is being considering for use with electric vehicle charging stations... DANGER!

Re:Security isn't easy on a Fieldbus.

[holophrastic]

No worries. Full-speed typing of intelligent arguments warrants a pass on such things.

That said, if the password is "leaked", then the valve must be faulty.

Sorry. I couldn't resist.

Re:Security isn't easy on a Fieldbus.

[Immerman]

No, Fieldbus protocols combined with lazy, cheap companies who dont want to pay for physical security are the problem. And I don't see any way to get around the latter.

And as even the summary states - as more "smarts" are pushed out to the field stations and beyond this problem is only going to get worse - good network security requires that you assume any node in the network can be compromised at any time, especially if off-site, and avoid letting that node do any more damage. Sure, you can't realistically keep some valve from being compromised, but you can design your protocols and/or processing hubs so that compromising a valve won't let you compromise the rest of the network.

Re:Security isn't easy on a Fieldbus.

[operagost]

10base2 is ethernet; it's just a physical layer tech intended for a bus rather than a star topology.

Re:Security isn't easy on a Fieldbus.

[LoRdTAW]

I was simply making a comparison for those who may be unfamiliar with a multi-drop serial bus.

Re:Security isn't easy on a Fieldbus.

if they can get access to a serial line, they can likely get access to a valve. doesnt matter what protocols/security you are running. they disconnect the wires..closed and hook up a 24 vdc to the valve...open. (depending on N.O. N.C. contact)

Re:Security isn't easy on a Fieldbus.

[Mashiki]

You want lazy, try Hitachi PLC's. Never again.

Re:Security isn't easy on a Fieldbus.

[Immerman]

Obviously. The question is, once you get access to a valve/serial line/etc, which can't be cost-effectively protected, can you potentially turn that in to control of the entire field station or utility grid?

Re:Security isn't easy on a Fieldbus.

[drinkypoo]

So in the end all this "OMG teh networks are insecure!" handwaving is a non-problem. Fieldbus protocols arent the problem. Lazy, cheap companies who dont want to pay for physical security are the problem.

While you're correct, you're slightly oversimplifying. Lazy, cheap companies who want to use a fieldbus where they really should be using a network link are also the problem. Inside of a [hopefully] secure facility, it makes perfect sense. But for extending that link to your facility across the road whose wiring goes through a publicly accessible municipal wiring cabinet, it is utterly inappropriate even if you can make the cable run. Yes, that is physical security, but it's the kind that's often neglected or passed off as unimportant.

Re:Security isn't easy on a Fieldbus.

[LoRdTAW]

"Lazy, cheap companies who want to use a fieldbus where they really should be using a network link are also the problem."

Exactly. The reason articles like this are nonsense is because they are pointing the finger at the field bus technology when in fact it is incompetent companies or engineers. They are improperly using the technology.

"While you're correct, you're slightly oversimplifying."

The articles shouldn't be crying wolf over insecure protocols that are designed for a specific purpose. They instead should point out how these buses are being used in situations where they shouldn't be used. They should also point out how companies are cutting corners and ignoring physical security. They don't need to man the sub stations 24/7 but at least establish or hire a security firm to monitor using CCTV and alarm systems. If an alarm is triggered local police can be dispatched or at the very least a private security vehicle can take a look. Its not 100% fool proof but more realistic than forcing some clunky security layer on top of an existing protocol and figuring out how to upgrade every piece of equipment out there.

Market Forces

Why is nobody letting market forces find the solution? Instead of spending millions of dollars developing incomplete regulations, why not just make the fine for a security breach something massive, like $5 billion. Businesses will find a way to secure themselves against that exposure.

Re:Market Forces

[ColdWetDog]

Why is nobody letting market forces find the solution? Instead of spending millions of dollars developing incomplete regulations, why not just make the fine for a security breach something massive, like $5 billion. Businesses will find a way to secure themselves against that exposure.

You've got a rather ... different ... view of the concept of 'market forces'.

Modbus

[SuperTechnoNerd]

This is interesting coincidence because I am currently learning the modbus protocol over rs-485 - which is what is used in industrial control. The protocol is very old - circa 1979 and is simple, cheap, and brain-dead. Perhaps that's why its still used because it easy to implement on low power hardware (like in a microcontroller, which is what I'm currently working on). There is no security in it whatsoever, and rs-485 is used because it is differential, and immune to electrical noise. It can run over a kilometer, even more with repeaters. Modbus can be run on top of tcp/ip too. I am using it to connect various sensors around my house (weather station, fuel tank levels, electrical load, etc with local microcontrollers). I had no idea they ran the serial line outside of a building to other sites where its easily intercepted. I am actually surprised it's still used at all in critical applications..

Re:Modbus

rs485 is a physical layer. Application security comes higher up.

Re:Modbus

[SuperTechnoNerd]

Yes I know, that's why I said modbus/over rs-485. It's modbus that is not very secure.

Substations

[PPH]

The only solution is physical security. Or someone sneaks in and slaps a hunk of C4 on your transformers.

Where serial lines come into a master station,

You don't run serial lines outside of your physical security perimeter. Period. Only over some secure protocol. And where that protocol must be unpacked to talk to legacy serial equipment, the cabinet containing that short link must have physical security like locks and intrusion alarms.

Re:Substations

physical security is
too late, electrical substations have already been attacked in california, weapon of choice turns out to be automatic weapons,

http://www.dailymail.co.uk/news/article-2530879/FBI-investigates-military-style-attack-California-power-station.html

Re:Substations

[PPH]

I don't know what you mean by 'too late'. Time-wise, yes. PG&E might have been able to do something about communications redundancy. And its possible (but very expensive) to screen substations to keep people from aiming at critical hardware.

As far as cutting a hole in the fence and walking in: If you can do that to access an insecure serial line, you can manually open a valve or damage something. If that serial line runs outside of the facility, damage can be done without trespassing. So running such an insecure protocol beyond a physical security perimeter is like cutting a hole in your own fence.

My latest gripe...

[aaarrrgggh]

The new California Energy Code ("Title-24") effectively requires control networks to be connected to the internet to receive demand response ("smart grid") signals from the utility.

Only about 5% (maximum) of buildings can optimistically be expected to be able to secure this stuff; what I hear from the vendors is much closer to 0.01%; barely 5% of financial institutions and 20% of defense contractors pull it off. GSA is close to 30%.

All these various systems make it very difficult to make progress on the most sensitive systems. Hell, few people realize how much crap is on a consumer NAS device!

TCP/IP no better

[wiredlogic]

TCP/IP doesn't impose any added security unless you explicitly add it. Otherwise there's just the minor added complexity of decoding a well documented, stateful protocol.