Friday, January 31, 2014

SCADA Security Reality

For an interesting debate between a "SCADA Realist" and a "SCADA Apologist", check out this video submitted by Dale Peterson.

SCADA security is a critical problem.  Consider how many of these legacy systems, operating on insecure protocols and firmware, on hardware that hasn't been available for purchase for decades, and running software for which security patches no longer exist, are running the critical infrastructure of our country:
  • transmission of oil and gas through pipelines
  • water and sewage systems of major cities
  • security and safety systems installed within sporting facilities
  • our electricity grids
  • more and more...
This list is long. 

Sure, it's going to cost billions of dollars to upgrade and replace all of this legacy equipment and reengineer the design of critical control systems.  But consider the costs to the country's major social and political systems should we lose control of one of these critical pieces of our existence.  I look at what a simple, yet massive, flood did to the city of Calgary in 2013 - people panicked for 4 hours on the second morning and the city ran out of bottled water and bags of ice.  This is a minor inconvenience compared to the loss of the utilities that keep us safe, warm, and fed.  A destructive, targeted piece of malware is capable of taking out our electrical grid for days, and don't be naive enough to think that attackers are not building these viruses now, because they know how vulnerable our critical infrastructure is at the moment.

I am a SCADA realist - I know how important it is to upgrade and replace as many systems as possible over the next few years.  However, the apologists will continue to tell us how costly and difficult it will be to do all this work.  They will continue to push for compensating controls - physical security, segregated networks behind a firewall, anti-virus.  What's stopping a vendor - those most at fault for keeping these horribly insecure systems running today - from unknowingly introducing malware via USB or FTP during routine maintenance?  
It's time to face the reality - our SCADA infrastructure needs to be upgraded now.  We need to re-prioritize our budgets and start focusing on planning out the major projects required to ensure we keep our Canadian control systems and our population safe from an unnecessary outage of some of our most vitally relied upon systems.  
 

Thursday, January 23, 2014

Are Mobile Banking Apps Secure?



We have apps on our Smartphones to chat with friends, maintain our schedules, and purchase our morning coffee.  Both Apple and Android catalogue millions of apps, targeting users from all age groups and demographics, across the globe.  The convenience of having your world right at your fingertips has spawned a revolution.  People are now so in tune with their mobile lives that they simply forget that accessing some information across public Wifi connections or through untrusted apps can lead to major headaches.

Like identity theft.

Jumping on the bandwagon to attract more customers, banks recently launched mobile apps for both Smartphone platforms to ensure people can transfer money, check balances and pay bills on the go.  But, considering the vital information that is stored on a banking website, are these apps secure?

One researcher at IOActive conducted his own tests against 40 different iOS mobile banking apps and found that 70% do not support two-factor authentication and only 40% operate over SSL.  What does this mean?  Two-factor authentication consists of two of three authentication mechanisms – what you know, what you have, and who you are.  Typically, for most organizations, this includes a password (what you know), a fob with a rotating PIN (what you have), and, in highly secure areas, a fingerprint scanner (who you are).  Most banks offer 2-factor authentication into their sites by a bank card number/password combination (what you have), and a secondary secret question to verify you are who you say you are (what you know).  What’s surprising about bank mobile apps is that it is hard to find a reputable bank that hasn’t implemented 2-factor authentication for its website, yet most haven’t bothered to include this vital need in their apps.  

SSL certificates act as a second factor in authentication as well, because your correct password tells the banking servers that you are now a legitimate user and a public certificate is used to set up the session.  Traffic between your computer, logged into their website, and their internal server is encrypted the whole way.  This means only well-intentioned hackers should be able to intercept the data in transit, obtaining important bank card, password and balance information.  The lack of secure connectivity between mobile apps and the bank is shocking – this information is sent in clear text across the public Internet where anyone can see it!  

Recently, it was reported that 8 out of 10 banking apps for mobile devices, both Android and Apple, contain major security flaws.  Credit unions were at the top of the list, with JavaScript errors one of the most predominant problems.  

Protect yourself.  The most secure thing you can do is NOT use mobile banking apps until the implementers have figured out that there is a critical need to encrypt this data and force two- or three-factor authentication for all users.  Mobile devices are inherently at higher risk of theft, loss and data capture, so running insecure apps is the worst thing you could do.  

The Royal Bank makes a statement that all transactions are guaranteed to be secure when using their mobile app.  However, this same app also allows the user to save his or her card number or username.  Even this information presents an opportunity for data theft.  Read the fine print or call your bank first before using any mobile banking apps to find out about their security controls. 

Tuesday, December 17, 2013

Risks of Automatic Image Downloads in Gmail



This morning, as I logged into my Gmail account, I was notified that the company had decided to turn on automatic image loading for all email.  This made me wonder, isn’t this going to be a security issue?  Images contained within email are generally not embedded, but are fetched from a specified URL located on a remote server.  Malicious users can learn when you loaded an image and that the email address you accessed the image from is legitimate and active, potentially spamming, phishing or attacking you with malware in subsequent email messages.  You can also give up your IP address, which can provide attackers with a close estimate of where you are located.  Any information they find regarding your whereabouts or Internet activity can be used to specially craft messages and URLs to obtain personal information or destroy your data.

So, how does Google plan to mitigate these risks for its customers?  Well, Google says that their proxy servers will host all images, preventing attackers from knowing where the email was opened from or exploiting any security vulnerabilities on the local machine due to embedded malware.  This proxy solution does not, however, prevent attackers from learning your location or whether your email address is active.  Loading images automatically also starts something called ‘read tracking’, whereby senders can tell whenever a message is read by a specific recipient.  

Loading images through the proxy servers will speed up the time it takes users to open Gmail messages, and Google could cache all email images before a recipient opens the message to prevent tracking.  If Google does cache all images in advance, attackers could mount a denial of service attack on the company by sending millions of images to its proxy servers.  

Luckily, for those concerned with this new setting, Google has allowed users to revert to the previous configuration, whereby each user needs to load the images in individual email messages manually.  From a security perspective, this is a much safer option.  We already receive enough spam and phishing attempts, and each suspicious email should be scrutinized for its authenticity – we do not need to now worry about strangers figuring out that our accounts are real and where we are located! Turn off the automatic image download option, if only to protect your own privacy. 

Monday, December 2, 2013

Secure Control System Network Design



When designing control system networks in a secure fashion, it is important to note the different requirements that exist between various business networks.  Control systems vary widely from corporate network resources in their need for speed, reliability and uptime.  Control systems rely on real-time operations and therefore must remain highly reliable.  Business networks, on the other hand, operate over low-cost Ethernet to provide fast access to resources using TCP/IP.  SCADA systems operate between these two networks to relay information from one to the other and need specific components from each network to function.  SCADA systems must be able to operate in real time while using TCP/IP to communicate data to the business.  

These obvious demarcation points on the network are great spots to segregate networks when developing a secure control system network design.  The SCADA system should sit on a DMZ, a security zone located between the business and control system networks.  It is not ideal to place business applications on the same network as the control systems because legacy systems within control are vulnerable to malware and malicious traffic, while operating across insecure protocols, such as Modbus.  A firewall placed on either side of the DMZ protects the control system and the business network from vulnerabilities and threats found within each.  Placement of intrusion prevention systems and other perimeter security devices between the SCADA network and each other network is best practice.  

Systems within the control system network include RTUs, PLCs, and HMI systems.  The SCADA network will also host HMI systems plus data historians, MTUs, and ICCP clients.  The network containing business applications will include popular business software programs, as well as supervisory workstations for monitoring SCADA systems. 

Placement of the control system network devices in the most secure zone, or deepest layer, is another best practice.  Traffic should flow from the higher security zone to lower zones, but not in the other direction.  Information within the control system network should be allowed through the firewall to the DMZ as needed, and the SCADA DMZ equipment should communicate through the firewall out to the business networks.  Traffic should not traverse the firewalls directly from the control networks to the business LANs.  The DMZ acts as an intermediary communication center, taking in information to its systems from the control network and passing information along to the business network.  This same design must be used for any traffic that needs to reach control from the business networks.  

Set up file shares and patch management servers within the DMZ to capture information from one network before passing the authorized information along to the receiving network.  This will prevent malicious code from traversing directly to a targeted host because, theoretically, a different port and IP address should be used from the DMZ host to pass traffic.  The important consideration when designing security into control system networks is to segregate the vulnerable control network as much as possible from the highly volatile business LAN.  The DMZ acts as a buffer to double check that traffic is traveling to approved resources, and an infection in the DMZ is less intrusive and detrimental than an attack on the control system resources themselves. 
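The three-zone design above can be checked mechanically before a firewall change is applied.  The following is an added example, not code from the original post: a small Python policy model that audits a candidate list of firewall rules and flags any flow that skips the DMZ (control directly to business, or the reverse) or that originates in a lower-security zone and therefore needs explicit justification.  The zone names, service labels and sample rules are constructed assumptions for illustration.

```python
from dataclasses import dataclass

# Security rank for each zone: higher number = deeper, more sensitive layer.
# Zone names are constructed for this example.
ZONE_RANK = {"control": 3, "dmz": 2, "business": 1}


@dataclass(frozen=True)
class Rule:
    src: str      # zone where the connection is initiated
    dst: str      # zone where the connection terminates
    service: str  # descriptive label for the allowed service (constructed)


def check_rule(rule):
    """Return a list of findings for one rule; an empty list means compliant."""
    if rule.src not in ZONE_RANK or rule.dst not in ZONE_RANK:
        return ["unknown zone name in rule"]
    hops = abs(ZONE_RANK[rule.src] - ZONE_RANK[rule.dst])
    findings = []
    if hops == 0:
        return findings  # intra-zone traffic never crosses a firewall here
    if hops > 1:
        # Control and business are two hops apart; traffic must stop on a DMZ host.
        findings.append("bypasses DMZ: %s -> %s must terminate on a DMZ host"
                        % (rule.src, rule.dst))
    if ZONE_RANK[rule.dst] > ZONE_RANK[rule.src]:
        # Flows toward a higher-security zone are the exception, not the default.
        findings.append("inbound toward higher-security zone: requires justification")
    return findings


def audit(rules):
    """Map each non-compliant rule to its findings."""
    report = {}
    for rule in rules:
        findings = check_rule(rule)
        if findings:
            report[rule] = findings
    return report


# Constructed sample rule set (not taken from the post).
SAMPLE_RULES = [
    Rule("control", "dmz", "historian-collection"),   # ok: PLC/RTU data up to DMZ historian
    Rule("dmz", "business", "historian-reporting"),   # ok: DMZ passes data to business
    Rule("control", "business", "modbus/502"),        # violation: skips the DMZ
    Rule("business", "dmz", "patch-repository"),      # flagged: inbound, needs justification
    Rule("business", "control", "remote-admin"),      # violation: skips DMZ and inbound
]

if __name__ == "__main__":
    for rule, findings in audit(SAMPLE_RULES).items():
        print(rule.src, "->", rule.dst, rule.service, ":", "; ".join(findings))
```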

Friday, November 22, 2013

Beware of CryptoLocker!



I work in the field of IT security and even I can be surprised by the creativity and ingenuity of attackers looking to make a quick dollar.  Enter CryptoLocker, a particularly nasty piece of malware that encrypts Windows-based files on both network drives and local file systems.  The strong encryption used makes it virtually impossible for people to recover their data unless they follow the instructions provided by the attackers, who ask for money in exchange for the decryption key.  

Victims of this ransomware usually experience the infection when unknown attachments are opened through email or through infections already present on the machine.  Occasionally, it is installed via drive-by downloads.  Word, Excel, PDF, and other daily-use file types (including pictures and movie files) are susceptible to this attack.  Ransomware attackers then present a screen to their victims stating that they must pay $300 in order to receive the key or their files will all be deleted forever within 72 hours.  Unfortunately, aside from losing $300, many times the decryption does not work and the files are lost anyway.  This is a very good example of why people need to back up their critical files!  

Anti-virus software is unable to prevent this malware from infecting machines, too, meaning even people who are diligent with their A/V software are vulnerable.  The most common infections have come in through email attachments, but the malware has also piggybacked on existing malware, such as Zeus.  The best way to prevent an infection in this case is to actively ensure your anti-virus is up to date and that it scans daily, to prevent infection by these other Trojans in the first place.  

Email attachments are something people have been warned against for years, yet this is still one of the most popular avenues for infecting machines.  Phishing scams are a great way for attackers to hit hundreds of people at once, through specially crafted emails that look like they came from legitimate organizations.  Always double check that any email you receive from a shipping organization, a bank, or any other common source is legitimate.  Check the email return address to ensure that the domain is correct, and call the company to find out if what they are ‘selling’ is in fact true.  Be aware of which company is shipping your packages so that you only pay attention to emails from them (and even then, scrutinize the content for accuracy before you click any attachments or links).  Question your bank before you respond to an email to find out whether this is their normal process for conducting business.  

CryptoLocker is a dangerous piece of malware, so protect yourself from it as best as you can.  Imagine how it would feel to be locked out of your computer, potentially never accessing your important files again.  Back up your data regularly, and unplug that backup from the network or computer when you are finished.  This, along with current antivirus software and due diligence, is your best defense.