CERT Research Center
What are the special vulnerabilities of SCADA systems?
SCADA systems -- Supervisory Control and Data Acquisition Systems -- were primarily designed to be devices that sat off on their own, looked at a particular thing, like a gas pipeline, or something in an oil refinery, or something like that, and simply report information back, originally over a telephone line. Now, the main vulnerabilities of SCADA systems are built from the fact that we've taken something of very limited control, and we have now connected it up to an Internet that is accessible by many other people. So more people have access to the SCADA system than was ever intended to have.
Also, to make SCADA systems cost-effective in the future, we no longer build special purpose operating systems for them. We put on standard vendor operating systems, with additional vulnerabilities that are well known. So now we have systems that are well understood, connected to the Internet, but still providing a rather critical function in the element itself.
I liken it very much to my own thermostat at home. My thermostat at home is protected, because I keep my front door locked, so no one can come in and change my heat around. If I add a wireless element to my thermostat, suddenly I can control it from my computer. I can turn the heat up when I'm at work, so the house is warm when I get home. I can understand every month exactly what my fluctuations are in temperature.
Unfortunately, because it's wireless, someone could sit outside my house, now, in the car, with a laptop, and at 4:00 in the morning turn off my heat, in the dead of winter. Or I could be away on vacation, and they could turn it off so my pipes would freeze. SCADA systems are a lot like this. We had walls around SCADA systems for a long time, and we have poked holes in those walls to give us more cost effective access to those SCADA systems, with all of the vulnerabilities that that implies.
And the trend?
If you follow the financial trend, things are going to get more and more common, not specialized, because then we can reuse all of the things that are commercially available. SCADA systems will control more and more complex operations, because, after all, a SCADA system that you put in place can do something much more easily than an operator, who has to go from place to place, can do that same function. So it's going to be involved more in our critical operations.
Center for Strategic and International Studies
There's a lot made of SCADA systems, that it's a potential target.
Let me use a model here that's a little unusual in answering the SCADA question -- the model of air attacks. Because you saw very similar arguments made by the initial strategists of air power. This new technology would allow them to fly over enemy forces and cripple economies, bring nations to their knees with just a few well-placed attacks. This is what people started thinking in about 1919.
And, of course, in the 1920s, it didn't work. In the 1940s, people tried it. It didn't work. It wasn't until the advent of nuclear weapons that the air power scenario really began to make sense, that you could think about this as a logical way to attack people. That doesn't mean that people didn't experiment with it or that they didn't try it, or that people didn't think about how to defend against it.
Now, at a much different level, we're looking at the same thing with SCADA systems and the Internet and computer networks. Right now, we aren't that interconnected. People use SCADA systems, but they use them in a whole variety of idiosyncratic matters. They buy different systems. They connect them differently. They connect differently to the physical structure. So understanding how a SCADA system works for one company doesn't give you a benefit in attacking another company. It's very difficult. And we just aren't as vulnerable as some people would make up.
Could that change over time the way air power changed over time? I think it will. And that's why we need to pay attention to what the defenses are, how we build secure networks now. But that doesn't mean that terrorists are going to be able to turn off the water supply tomorrow or that they're going to be able stop the U.S. from moving forces to Iraq. SCADA is just not as interconnected with either the physical infrastructure or with other companies' networks as people make out. So the vulnerability isn't there.
Let me give you a concrete example? People looked really hard with this Slammer worm that came up a couple weeks ago -- it came up in early February -- to see if it had affected any SCADA systems or if there were any reports of attacks on SCADA systems that led to infrastructure being crippled. Today, no reports of any successful attacks. So I'm kind of doubtful about the ability to penetrate a SCADA system, and then turn that to some real-world advantage. People can penetrate SCADA, but they have a hard time turning off the lights. ...
The reason that SCADA is particularly dangerous is that SCADA is a standard approach towards control systems that pervades everything from water supply to fuel lines. The problem is that most SCADA systems are running Microsoft operating systems, and if you are running a Microsoft operating system, you have a target painted on your forehead.
What do you mean?
Out of the box as a basic install or even with a sophisticated system operator, making Windows secure, any of the Windows varieties, Windows NT or Windows 2000, which are your common SCADA platforms, is an incredibly sophisticated and complicated task. It is not the kind of thing that you can do easily or simply, and it is not the skill base normally available to a low-end infrastructure job. It is the kind of skill base that's available at the high end of the transnational. It's the kind of thing that we bring to the table and that Joe Power Supply Company doesn't have available to them.
The National Security Agency, the U.S. agency responsible for protecting the cyber infrastructure, has many, many hundreds of pages of how to close the security holes in Windows NT. I mean, it's a huge volume of material. But the knowledge it would take even to follow their step-by-step instructions is very, very high. And so the number of vulnerabilities are extreme and the knowledge base necessary to protect it is too much for your ordinary group.
Security expert, KEMA Consulting
My very, very, very strong feeling is if and when we get hit, we will never know why we were hit. All we will know is breakers are opening, valves are closing, certain things are happening. But we won't have a clue as to why.
And I'll give you an example. This is not a cyber attack but just an example. I believe it was July '99, there was a pipe break in Bellingham, Washington. A backhoe was digging, hit a gasoline line, broke the line, spilled a couple hundred thousand gallons of gasoline in a creek, caught fire and killed, I think, maybe, about three people. I remember even seeing it on the news. As an industry, I'm not trying to belittle the industry, those things happen. We haven't marked things well enough.
It was either late November or early December of 2002, the National Transportation Safety Board issued a final report on the pipe break in Bellingham. Turns out the backhoe didn't break the line. The backhoe weakened the line. There was a gas SCADA there. The gas SCADA had about 18 to 20 minutes to take action to keep that line from breaking. It didn't. This wasn't a hack. Here was a clear case where a control system played a part in a major catastrophe. For whatever reason, I cannot tell you, for two and a half years, the industry for whatever reason was kept oblivious of the fact that a SCADA could have played a part. This wasn't a hack.
How can we, as an industry, do anything when information like that is available and we're not even made aware of it? Like I say, it was not a hack but it's obvious the control system was involved.
There are an awful lot of not just control systems suppliers, but system integrators, people that offer courses in how to use control systems. You don't have to be an owner of a company or a utility person or a refinery person or anybody else, to take these courses. You have to just pay. Because very easily, you could just be somebody who's going to be a contract engineer to do it.
What's the worst case scenario?
Don't know. The ability to get unauthorized access to these systems is well proven. I won't say well documented, because this is not something you're going to pick up a magazine and say, "Here it is," but it's well proven.
Vice President, Managed Security Services Operations, Symantec Corp.
SCADA systems have migrated over time. There was a point where most of these networks were considered to be stand-alone, where the protocols and the applications that they used were considered to be proprietary. What's happened over the last 20 years is a migration of stand-alone proprietary systems to interconnected systems, which now cannot rely on their stand-alone nature to protect them. So, even if they're running proprietary applications, they have vulnerabilities in them. And if they're not running proprietary applications, in many cases they have well-known and well-publicized vulnerabilities in them.
So, it is an area where, again, we have to invest the appropriate level of resources to protect these assets.
Why is it a special problem?
Well, SCADA systems are a cause for a concern because of the sensitivity of their operation. They control power, creation, distribution, any number of different infrastructures. So, again, an appropriate level of protection needs to be provided to these networks.
Is there enough protection being provided at this point? Or can it technically, because of the systems themselves, really be protected to the level that one believes it should be?
I believe good risk mitigation decisions can be made for SCADA systems. And I think an appropriate level of protection can be applied.
People out there are saying, "These systems are so vulnerable that they could be taken down. I think someone could take down a grid in America." From your point of view here, does something like that seem in the realm of belief?
I don't know that a catastrophic system-wide type of event can occur. Certainly, there are areas of vulnerability in the infrastructure. So, can the entire system be brought down or destroyed? I wouldn't have insight into that. I believe there are key vulnerability points, but it may be more limited than some people would imply.
Sandia National Laboratories
Tell me about how you guys use the Suki ad and describe what the Suki ad is.
The Suki ad is an EDS commercial that is very good. It talks about SCADA systems. Essentially a group of people are running around in an auto factory and they see the robots going haywire, writing something on the side of a car. They can't control it, they can't stop it, and it turns out to be [a little girl named] Suki [writing her name on the car]. And this is really the effect of a little girl somewhere in the world, probably not local, deciding to write her name on some program that she has access to.
So it's a very light, humorous way to make the point that industry really needs to consider security when they're implementing SCADA systems and real-time digital control. ...
So why is that a threat?
The real threat to small incidents like this is that they might become more numerous, and they also can be executed remotely. And so if you could do this across the country in different places, you might affect the confidence of the U.S. population on a particular sector, in a particular activity that they have to perform that's related or controlled by SCADA systems. ...
Why not use encryption authentication systems, for instance, or other IT security technology when it comes to SCADA systems?
I think that there are a number of ways that SCADA systems and information technology systems can be more secure. SCADA systems could use end-to-end authentication and encryption to stop many of the attacks that we perform. Many of the attacks that we showed at the solar facility are preventable through simple means, and we're trying to raise the awareness that those means should be instituted. It's really end-to-end system engineering for security that's required.
But are there special vulnerabilities specific to SCADA systems which would disallow that?
No. There's no reason that U.S. infrastructures could not be secured from cyber attack. This includes SCADA systems. Today, technologies are available for end-to-end encryption and authentication of signals that would prevent many of the attacks that we've demonstrated at the solar facility.
And what would that cost?
What would be entailed in securing a SCADA system and IT enterprise that supports it are really basic techniques and technologies that exist today -- firewalls, routers, anti-viral software -- that pretty much don't exist on these systems today. In addition, encryption could be added to these products at little cost to the overall system. ...
So why hasn't that happened?
I believe that industry really hasn't had a business case to look at security or implement security, and so they don't have an argument that will go to their bottom line, that the security that they need to act as SCADA systems should be added. In addition, it's very difficult to understand that because we don't have the cyber science and cyber engineering to calculate the risk and tradeoff associated with those things.
So what's it going to take? I mean, you defined a large threat, and others have too. What's it going to take before people get it?
I think that today there's a lot of awareness of IT security and the threats coming across the Internet, and so we're having a slow increase in computer security, information security for SCADA systems. However, it's not fast enough. IT technology and the implementation of that technology on our infrastructure is increasing too fast. And what it's really going to take is a cyber Pearl Harbor or some disastrous cyber effect before we implement the security that's required. ...
Regarding the potential for cyber war and what the threat is. Are SCADA systems the weak link? Is that why it's important to understand this technology?
SCADA systems are only one component of U.S. critical infrastructure. They're not the most important component, but they're one that we don't understand very well today. They're one that has difficulty applying security. We understand physical security, we know how to achieve physical security. So when we look at SCADA, we're looking at only one node in the overall security approach to U.S. critical infrastructure.
How important one point is this?
SCADA systems are an important point, just as IT infrastructure are important, because they can be affected at a distance through cyber means, and security isn't being applied today. There is no fence around a SCADA system to protect it like they have a fence physically around U.S. infrastructures.
SCADA systems are a weak link in U.S. infrastructure but it's not the only weak link. ...
How many SCADA systems are out there? How big a problem is this? Is it like major companies that you got one or two, dozens, hundreds, thousands?
SCADA systems are just about everywhere. They're being adopted to automate and make more efficient our everyday lives, they're included in most of the infrastructures. Electrical power, oil and gas, transportation use SCADA systems. In addition, manufacturing uses SCADA systems to control its assembly lines or the production of chemicals. SCADA systems are used to control the environmental controls on buildings and facilities. Even today, people with the right technical aptitude have installed smart home systems in their homes. These are SCADA systems. ...
I think that most of the U.S. infrastructures that use SCADA systems underestimate the vulnerabilities associated with those systems, particularly because they're not interested in security, they're interested in delivering a product, and security is not viewed as a part of that process. ...
Joe Weiss says there's a commonality within systems, SCADA systems, and there's also a commonality in the communication handshakes or protocol between systems, like in the electrical grid. Is that a problem, and explain what the situation is.
The commonality in SCADA systems is really the technology that they're adopting to be effective and cost-effective in our current economy, and that is Internet technologies, IP-based communications, and operating systems that are popular and are prevalent in our economy. The problem with adopting these technologies -- SCADA using these technologies to implement its command and control -- is that they're adopting not only the technology but they're adopting the broad base of vulnerabilities and adversaries that are able to take advantage of those vulnerabilities.
Weiss says also that our control centers have in almost all cases firewalls, intrusion detection, demilitarized zones, everything you could put around them to secure them. That same thing cannot be said for power plants for substations.
It has been our experience that the SCADA infrastructure is not protected to the same degree as IT infrastructure, as far as computer security and information security. I think that those techniques and technologies are being adopted today. ...
home :introduction : interviews : experts' answers : faqs : vulnerabilities : warnings?
discussion : readings & links : maps : producer's chat
FRONTLINE : wgbh : pbsi
published apr. 24, 2003
background photograph copyright © photodisc
web site copyright 1995-2013 WGBH educational foundation