Schneier on Security
March 11, 2005
Melbourne Water-Supply Security Risk
Here's a scary hacking target: the remote-control system for Melbourne's water supply. According to TheAge:
Remote access to the Brooklyn pumping station and the rest of the infrastructure means the entire network can be controlled from any of seven main Melbourne Water sites, or by key staff such as Mr Woodland from home via a secure internet connection using Citrix's Metaframe or a standard web browser.
SCADA systems are hard to hack, but SSL connections -- at least, that's what I presume they mean by "secure internet connection" -- are much easier.
(Seen on Benambra.)
Posted on March 11, 2005 at 9:17 AM
Sorry, but presumption shouldn't be an excuse to spread FUD. Security topics require more responsible journalism IMO and not idle speculation.
*X* connects the Internet *X* system. Since the Internet is a hostile environment, there is a higher risk of exploitation through common vulnerabilities than if it were on a closed system. Since *X* uses a vulnerable system by inheritance, *X* then becomes vulnerable.
Nothing to see here move along...
BTW, FUD is usually spread for the "spreader's" monetary gain (i.e. intent); this is more likely the opinion of an alarmist (i.e. paranoia). In this day and age nothing can really be discounted...
Personal computer systems are incredibly easy to hack, especially if you are motivated enough to gain physical access. The point is that the weakest link is the home computer and the associated physical security for the house (burglar alarm, anything else?) rather than the corporate-style security of a "Main Melbourne Water Site." A motivated attacker should have little trouble breaking into all of the residences of "key staff" and installing a keylogger and phone-home. Then the only thing to do is wait for one of them to remotely access the site.
Given that the article explicitly mentions Using Citrix's Metaframe or a standard web browser I think that we can make some deductions about the types of connections supported. Or at least those of us who have familiarity with Citrix's Metaframe.
I have used Citrix for remote access in the past. It can be implemented in several ways, but the easiest for the end user is a browser plug-in. The user goes to a website and authenticates. Authentication methods can vary and can include things like SecurID tokens. When the user clicks on a link (using an SSL-enabled browser), the Citrix plug-in opens an SSL connection back to the other end and opens the "window" on the client machine. It's pretty smooth technology, but Bruce is right. It's mostly SSL for security. This is still better than plain text...
Personally, I would be even more concerned that these people can control the pumping stations from anywhere. Even if they are restricted to their homes, all it takes is a remote-control app on Mr Woodward's home machine and Melbourne has issues.
SCADA systems are extremely vulnerable to attack. 30 seconds of Googling turns up several anecdotes (ie: http://www.mdcbowen.org/cobb/archives/... The problem isn't the front-end, where there are centralized and standardized controls in place. At the back-end however, there are many unprotected nodes, often connected wirelessly (no physical intrusion needed) and alarmingly some let you follow the data right back to the corporate network. From the inside.
I used to work with SCADA systems. Most of the people deploying these have no idea about computer security. Usually the software assumes it's running on an isolated network (not even the same network as the data for the company).
A large number of the people doing SCADA work (and the physical network design/install) are re-trained electricians, and they don't get training about things like security.
Then, the other mindset is "don't fix it if it ain't broken". No patches. These boxes shouldn't be touched for about 5-10 years. Which means that they are going to have unpatched vulnerabilities.
I've seen how managers react to remote monitoring. They LOVE to ask for the ability to do it through the web, preferably over HTTP. They don't want to install a client app, they don't want to have to configure anything, they just seem to want to say that they can do it. They really don't understand the security risk from this at all.
From my experience I totally agree. Does the thought of unpatched systems at an energy company remind anyone of a recent disaster (Davis-Besse nuclear power plant in Oak Harbor, Ohio, 2003)?
Let us hope that "yesterday's generation" of SCADA systems and managers gracefully sunset and we start to see a rapid increase in demand (or regulation) for multi-factor authentication, hardened systems, etc. Too many SCADA systems are plugged into the network without any thought about data and control encryption or strong authentication.
The LogicaCMG system mentioned in the article is described in detail here:
Page 5 provides the only mention of security:
"LogicaCMG has developed Master Control to comply with the industry recommendation for security so confidence can be given that network will be as secure as possible. For users of Master Control, the integrated system provides administrator based security control that define user access according to need and authority level. Proven security such as SSL is in-built to maximise user assurance."
Proven security? Apparently if you turn on SSL your users (and systems) are safe. Funny.
More importantly, what's the industry recommendation? I just found the first draft, called a System Protection Profile for Industrial Control Systems (SPP ICS), was released only last October:
Any other pointers to industry recommendations that are already implemented? SCADA security managers better move fast before a ChoicePoint-like disaster brings in the regulators.
I agree strongly. After watching "Cyber War!" TV document released in April 2003 several (abt ten) times I'm not so convinced of SCADA systems safety.
The main topics of this document written and produced by Michael Kirk can be read at
See chapter 4: Vulnerabilities: SCADA systems (other specialists mentioned)
Document mentioned is very realistic and contains several reports about simulated attacks to air control systems etc.
The document was seen on Finnish TV in 2003 too. Barton Gellman (Wash. Post), Richard A. Clarke (you probably know), Pentagon people, Ron Dick (FBI's ex-staff) and many others are interviewed (see other persons at pbs.org).
Whether it is a home computer or not, who is responsible for making sure that all of 'mrwoodwards' family members are not using the same computer and opening malicious attachments while reading their e-mail? And if it is a specific workstation managed by the pumping station's IT staff, is it in "100%" remote-control use only? I really hope there is a SecurID-like authentication system in use. And who is running Windows Update and checking virus description files (possible keyloggers mentioned) regularly on those machines? And spyware?
(I don't live in the USA and have no connections to Frontline.)
But watch the document online!