Threat Level: green Handler on Duty: Johannes Ullrich

SANS ISC: InfoSec Handlers Diary Blog InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

The physical layer

Published: 2007-08-07
Last Updated: 2007-08-08 14:46:07 UTC
by Maarten Van Horenbeeck (Version: 4)
0 comment(s)

About ten years or so ago, I was very much into a BBC television series called 'Bugs' which sketched the lives of a couple of skilled high tech crime investigators. It always dealt with spectacular physical machines (think radio guided cars & airplanes) controlled by computers, because this obviously makes the dry subject a bit more vivid.

Recent history proved them right that there is something more physical out there than OSI layer 1. In many cases, the data we as security professionals need to protect has an impact on the physical lives of others. Nowhere is this division as thin as with SCADA and DCS equipment.

SCADA systems - Supervisory Control and Data Acquisition - control physical processes centrally by collecting data from measurement devices local or in remote locations. Decisionmaking is generally centralized. Distributed Control Systems (DCS) generally control more localized systems in which feedback loops are extensively used between monitoring equipment and actual physical control point.

These types of systems have always been built trying to solve a specific problem. In the case of SCADA, protocols needed to link in often remote power and utility stations to a central coördination point. Obviously, this would result in very different implementations based on geography - SCADA in densely populated Western Europe is something completely as opposed to the United States or Australia. Whereas European telcos can provide a phone link virtually everywhere, even in relatively urban areas Australia may need to resort to radio links.

Some of the many security issues with these systems include:
- Relatively obscure and less well understood protocols. We all speak FTP, SNMP and HTTP, but can we fluently chat Modbus, DNP3 or ICCP ?
- Problems fixed by SCADA don't necessarily change often and are critical and thus difficult to interrupt, resulting in very long patching delays;
- Managing remote sites over legacy links is much more expensive than doing the same over an easy to acquire internet link. Protocols are moving online.
 
During past weekend's Defcon conference, a researcher from TippingPoint discussed how fuzzing would contribute to building more secure protocols. While these research efforts are gradually helping to resolve the first of the above issues, many remain, and these are often rooted in basic security principles such as segregation and least privilege.

As SCADA/DCS security is not something that affects only the main utility providers,but also many industrial environments (ports, transport and factories), here's an overview of some great resources. Mail us if you have other ones to add to the list:

SANDIA Labs' Center for SCADA Security
US-CERT Control Systems Security Program
The NIST has a great draft 'Guide to Supervisory Control and Data Acquisition and Industrial Control Systems Security'
Digital Bond has a great SCADA security blog, publishes IDS signatures as well as a Scadapedia
DHS' Control Systems Security Program (thanks Logan!)
The UK CPNI has a page on SCADA (thanks John & Jon)
Wurldtech has an interesting SCADA blog (thanks Adrien)

One reader wrote in on the importance of information sharing through Infragard if you work with industrial control systems

Keywords:
0 comment(s)

Increase in 'numerical' spam

Published: 2007-08-07
Last Updated: 2007-08-07 20:35:18 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Readers reported e-mails containing nothing but a six digit number in the subject line, followed by an 8 character hexadecimal string as content. This type of e-mail isn't new, dating back to June 2006, when it was attributed to a Beagle variant. However, there has been a significant increase over the last 24 hours.

For those using spamassassin, the botnet plugin in addition to the helo_dynamic rules have proven to be useful in filtering out these messages. This is one example where sender profiling appears more powerful than content analysis.

Thanks to Ray, Jeff & Greg for reporting their findings and fellow handlers David and Donald for their insight. 

Keywords:
0 comment(s)

European wake-up call

Published: 2007-08-07
Last Updated: 2007-08-07 06:38:49 UTC
by Maarten Van Horenbeeck (Version: 1)
0 comment(s)

Now that everyone in the US has had a weekend of fun in the blistering Mojave desert heat, it's time for the Europeans to tag along. Tomorrow will be the start of Europe's largest security conference.

Take some notes on Kyle's Con-fu guide, and perhaps just as important, safeguard the integrity of your hardware and bring umbrellas when you head over to Berlin. The weather report shows we might be in for a little bit of water fun. See you there!

If you're into INFOSEC in Europe, you may also be interested in knowing that the EC, as part of its evaluation of ENISA (the European Network and Information Security Agency) currently has a public consultation open.

Keywords:
0 comment(s)
Diary Archives